]> granicus.if.org Git - linux-pam/log
linux-pam
8 years agopam_env: Document the /etc/environment file.
Tomas Mraz [Wed, 17 Feb 2016 13:57:15 +0000 (14:57 +0100)]
pam_env: Document the /etc/environment file.

* modules/pam_env/Makefile.am: Add the environment.5 soelim stub.
* modules/pam_env/pam_env.8.xml: Add environ(7) reference.
* modules/pam_env/pam_env.conf.5.xml: Add environment alias name.
Add a paragraph about /etc/environment. Add environ(7) reference.

8 years agopam_unix: Add no_pass_expiry option to ignore password expiration.
Tomas Mraz [Wed, 17 Feb 2016 13:21:41 +0000 (14:21 +0100)]
pam_unix: Add no_pass_expiry option to ignore password expiration.

* modules/pam_unix/pam_unix.8.xml: Document the no_pass_expiry option.
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): If no_pass_expiry
is on and return value data is not set to PAM_SUCCESS then ignore
PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED returns.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Always set the
return value data.
(pam_sm_setcred): Test for likeauth option and use the return value data
only if set.
* modules/pam_unix/support.h: Add the no_pass_expiry option.

8 years agopam_unix: Change the salt length for new hashes to 16 characters
Tomas Mraz [Mon, 25 Jan 2016 15:50:00 +0000 (16:50 +0100)]
pam_unix: Change the salt length for new hashes to 16 characters

* modules/pam_unix/passverify.c (create_password_hash): Change the
salt length for new hashes to 16 characters.

8 years agoRelax the conditions for fatal failure on auditing.
Tomas Mraz [Thu, 17 Dec 2015 16:43:27 +0000 (17:43 +0100)]
Relax the conditions for fatal failure on auditing.

The PAM library calls will not fail anymore for any uid if the return
value from the libaudit call is -EPERM.

* libpam/pam_audit.c (_pam_audit_writelog): Remove check for uid != 0.

8 years agopam_tally2: Optionally log the tally count when checking.
Tomas Mraz [Wed, 16 Dec 2015 08:33:47 +0000 (09:33 +0100)]
pam_tally2: Optionally log the tally count when checking.

* modules/pam_tally2/pam_tally2.c (tally_parse_args): Add debug option.
(tally_check): Always log the tally count with debug option.

9 years agoDocfix: pam handle is const in pam_syslog() and pam_vsyslog()
Jakub Hrozek [Fri, 2 Oct 2015 08:12:22 +0000 (10:12 +0200)]
Docfix: pam handle is const in pam_syslog() and pam_vsyslog()

* doc/man/pam_syslog.3.xml: Add const to pam handle in pam_syslog() and pam_vsyslog().

9 years agopam_loginuid: Add syslog message if required auditd is not detected.
Tomas Mraz [Thu, 24 Sep 2015 11:21:40 +0000 (13:21 +0200)]
pam_loginuid: Add syslog message if required auditd is not detected.

* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Add syslog message
if required auditd is not detected.

9 years agoAllow links to be used instead of w3m for documentation regeneration.
Tomas Mraz [Fri, 4 Sep 2015 08:35:45 +0000 (10:35 +0200)]
Allow links to be used instead of w3m for documentation regeneration.

* configure.ac: If w3m is not found check for links.

9 years agoAdd missing space in pam_misc_setenv man page.
Tomas Mraz [Fri, 4 Sep 2015 07:58:59 +0000 (09:58 +0200)]
Add missing space in pam_misc_setenv man page.

* doc/man/pam_misc_setenv.3.xml: Add a missing space.

9 years agopam_rootok: use rootok permission instead of passwd permission in SELinux check.
Tomas Mraz [Wed, 12 Aug 2015 15:04:00 +0000 (17:04 +0200)]
pam_rootok: use rootok permission instead of passwd permission in SELinux check.

* modules/pam_rootok/pam_rootok.c (selinux_check_root): Use rootok instead of
passwd permission.

9 years agopam_timestamp: Avoid leaking file descriptor.
Amarnath Valluri [Wed, 5 Aug 2015 13:16:51 +0000 (15:16 +0200)]
pam_timestamp: Avoid leaking file descriptor.

* modules/pam_timestamp/hmacsha1.c(hmac_key_create):
    close 'keyfd' when failed to own it.

Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
9 years agoRelease version 1.2.1 Linux-PAM-1_2_1
Thorsten Kukuk [Mon, 22 Jun 2015 12:53:01 +0000 (14:53 +0200)]
Release version 1.2.1

Security fix: CVE-2015-3238

If the process executing pam_sm_authenticate or pam_sm_chauthtok method
of pam_unix is not privileged enough to check the password, e.g.
if selinux is enabled, the _unix_run_helper_binary function is called.
When a long enough password is supplied (16 pages or more, i.e. 65536+
bytes on a system with 4K pages), this helper function hangs
indefinitely, blocked in the write(2) call while writing to a blocking
pipe that has a limited capacity.
With this fix, the verifiable password length will be limited to
PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.

* NEWS: Update
* configure.ac: Bump version
* modules/pam_exec/pam_exec.8.xml: document limitation of password length
* modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE
* modules/pam_unix/pam_unix.8.xml: document limitation of password length
* modules/pam_unix/pam_unix_passwd.c: limit password length
* modules/pam_unix/passverify.c: Likewise
* modules/pam_unix/passverify.h: Likewise
* modules/pam_unix/support.c: Likewise

9 years agoUpdate NEWS file Linux-PAM-1_2_0
Thorsten Kukuk [Mon, 27 Apr 2015 14:57:39 +0000 (16:57 +0200)]
Update NEWS file

9 years agoRelease version 1.2.0
Thorsten Kukuk [Mon, 27 Apr 2015 14:50:32 +0000 (16:50 +0200)]
Release version 1.2.0

* NEWS: Update
* configure.ac: Bump version
* libpam/Makefile.am: Bump version of libpam
* libpam_misc/Makefile.am: Bump version of libpam_misc
* po/*: Regenerate po files

9 years agoFix some grammatical errors in documentation.
Thorsten Kukuk [Mon, 27 Apr 2015 14:39:24 +0000 (16:39 +0200)]
Fix some grammatical errors in documentation.
Patch by Louis Sautier

* doc/adg/Linux-PAM_ADG.xml: Fix gramatical errors.
* doc/man/pam.3.xml: Likewise.
* doc/man/pam_acct_mgmt.3.xml: Likewise.
* doc/man/pam_chauthtok.3.xml: Likewise.
* doc/man/pam_sm_chauthtok.3.xml: Likewise.
* modules/pam_limits/limits.conf.5.xml: Likewise.
* modules/pam_mail/pam_mail.8.xml: Likewise.
* modules/pam_rhosts/pam_rhosts.c: Likewise.
* modules/pam_shells/pam_shells.8.xml: Likewise.
* modules/pam_tally/pam_tally.8.xml: Likewise.
* modules/pam_tally2/pam_tally2.8.xml: Likewise.
* modules/pam_unix/pam_unix.8.xml: Likewise.

9 years agoAdd "quiet" option to pam_unix to suppress informential info
Thorsten Kukuk [Thu, 23 Apr 2015 14:04:32 +0000 (16:04 +0200)]
Add "quiet" option to pam_unix to suppress informential info
messages from session.

* modules/pam_unix/pam_unix.8.xml: Document new option.
* modules/pam_unix/support.h: Add quiet option.
* modules/pam_unix/pam_unix_sess.c: Don't print LOG_INFO messages if
 'quiet' option is set.

9 years agoUse crypt_r if available in pam_userdb and in pam_unix.
Tomas Mraz [Tue, 7 Apr 2015 08:52:16 +0000 (10:52 +0200)]
Use crypt_r if available in pam_userdb and in pam_unix.

* modules/pam_unix/passverify.c (create_password_hash): Call crypt_r()
instead of crypt() if available.
* modules/pam_userdb/pam_userdb.c (user_lookup): Call crypt_r()
instead of crypt() if available.

9 years agoSupport alternative "vendor configuration" files as fallback to /etc
Thorsten Kukuk [Wed, 25 Mar 2015 14:00:38 +0000 (15:00 +0100)]
Support alternative "vendor configuration" files as fallback to /etc
(Ticket#34, patch from ay Sievers <kay@vrfy.org>)

* doc/man/pam.8.xml: document additonal config directory
* libpam/pam_handlers.c: add /usr/lib/pam.d as config file fallback directory
* libpam/pam_private.h: adjust defines

9 years agopam_env: expand @{HOME} and @{SHELL} and enhance documentation
Thorsten Kukuk [Wed, 25 Mar 2015 13:49:46 +0000 (14:49 +0100)]
pam_env: expand @{HOME} and @{SHELL} and enhance documentation
(Ticket#24 and #29)

* modules/pam_env/pam_env.c: Replace @{HOME} and @{SHELL} with passwd entries
* modules/pam_env/pam_env.conf.5.xml: Document @{HOME} and @{SHELL}
* modules/pam_env/pam_env.8.xml: Enhance documentation

9 years agoClarify pam_access docs re PAM service names and X $DISPLAY value testing.
Thorsten Kukuk [Tue, 24 Mar 2015 15:57:14 +0000 (16:57 +0100)]
Clarify pam_access docs re PAM service names and X $DISPLAY value testing.
(Ticket #39)

* modules/pam_access/access.conf.5.xml
* modules/pam_access/pam_access.8.xml

Signed-off-by: Karl O. Pinc <kop at meme.com>
9 years agoDon't use sudo directory, the timestamp format is different (Ticket#32)
Thorsten Kukuk [Tue, 24 Mar 2015 13:39:41 +0000 (14:39 +0100)]
Don't use sudo directory, the timestamp format is different (Ticket#32)

* modules/pam_timestamp/pam_timestamp.c: Change default timestamp directory.

9 years agoEnhance group.conf examples (Ticket#35)
Thorsten Kukuk [Tue, 24 Mar 2015 13:34:58 +0000 (14:34 +0100)]
Enhance group.conf examples (Ticket#35)

* modules/pam_group/group.conf.5.xml: Enhance example by logic group entry.

9 years agoDocument timestampdir option (Ticket#33)
Thorsten Kukuk [Tue, 24 Mar 2015 13:22:02 +0000 (14:22 +0100)]
Document timestampdir option (Ticket#33)

* modules/pam_timestamp/pam_timestamp.8.xml: Add timestampdir option.

9 years agoAdjust documentation (Ticket#36)
Thorsten Kukuk [Tue, 24 Mar 2015 12:03:06 +0000 (13:03 +0100)]
Adjust documentation (Ticket#36)

* libpam/pam_delay.c: Change 25% in comment to 50% as used in code.
* doc/man/pam_fail_delay.3.xml: Change 25% to 50%

9 years agoUpdated translations from Transifex.
Tomas Mraz [Wed, 18 Feb 2015 15:18:24 +0000 (16:18 +0100)]
Updated translations from Transifex.

* po/*.po: Updated translations from Transifex.

9 years agobuild: raise gettext version requirement
Dmitry V. Levin [Tue, 6 Jan 2015 22:29:11 +0000 (22:29 +0000)]
build: raise gettext version requirement

Raise gettext requirement to the latest oldstable version 0.18.3.
This fixes the following automake warning:

configure.ac:581: warning: The 'AM_PROG_MKDIR_P' macro is deprecated, and its use is discouraged.
configure.ac:581: You should use the Autoconf-provided 'AC_PROG_MKDIR_P' macro instead,
configure.ac:581: and use '$(MKDIR_P)' instead of '$(mkdir_p)'in your Makefile.am files.

* configure.ac (AM_GNU_GETTEXT_VERSION): Raise from 0.15 to 0.18.3.
* po/Makevars: Update from gettext-0.18.3.

9 years agobuild: adjust automake warning flags
Ronny Chevalier [Thu, 11 Dec 2014 15:14:42 +0000 (16:14 +0100)]
build: adjust automake warning flags

Enable all automake warning flags except for the portability issues,
since non portable features are used among the makefiles.

* configure.ac (AM_INIT_AUTOMAKE): Add -Wall -Wno-portability.

9 years agobuild: rename configure.in to configure.ac
Dmitry V. Levin [Tue, 6 Jan 2015 21:13:54 +0000 (21:13 +0000)]
build: rename configure.in to configure.ac

This fixes the following automake warning:
aclocal: warning: autoconf input should be named 'configure.ac', not 'configure.in'

* configure.in: Rename to configure.ac.

9 years agoRemove unmodified GNU gettext files installed by autopoint
Dmitry V. Levin [Tue, 6 Jan 2015 22:58:27 +0000 (22:58 +0000)]
Remove unmodified GNU gettext files installed by autopoint

These files are part of GNU gettext; we have not modified them, they are
installed by autopoint which is called by autoreconf, so they had to be
removed from this repository along with ABOUT-NLS, config.rpath, and
mkinstalldirs files that were removed by commit
Linux-PAM-1_1_5-7-g542ec8b.

* po/Makefile.in.in: Remove.
* po/Rules-quot: Likewise.
* po/boldquot.sed: Likewise.
* po/en@boldquot.header: Likewise.
* po/en@quot.header: Likewise.
* po/insert-header.sin: Likewise.
* po/quot.sed: Likewise.
* po/remove-potcdate.sin: Likewise.
* po/.gitignore: Ignore these files.

9 years agoUpdate .gitignore
Ronny Chevalier [Thu, 11 Dec 2014 15:14:43 +0000 (16:14 +0100)]
Update .gitignore

* .gitignore: Ignore *.log and *.trs files.

9 years agolibpam: Only print "Password change aborted" when it's true.
Luke Shumaker [Mon, 22 Dec 2014 20:46:43 +0000 (15:46 -0500)]
libpam: Only print "Password change aborted" when it's true.

pam_get_authtok() may be used any time that a password needs to be entered,
unlike pam_get_authtok_{no,}verify(), which may only be used when
changing a password; yet when the user aborts, it prints "Password change
aborted." whether or not that was the operation being performed.

This bug was non-obvious because none of the modules distributed with
Linux-PAM use it for anything but changing passwords; pam_unix has its
own utility function that it uses instead.  As an example, the
nss-pam-ldapd package uses it in pam_sm_authenticate().

libpam/pam_get_authtok.c (pam_get_authtok_internal): check that the
password is trying to be changed before printing a message about the
password change being aborted.

9 years agobuild: extend cross compiling check to cover CPPFLAGS (ticket #21)
Dmitry V. Levin [Tue, 9 Dec 2014 21:47:40 +0000 (21:47 +0000)]
build: extend cross compiling check to cover CPPFLAGS (ticket #21)

Use BUILD_CPPFLAGS variable to override CPPFLAGS where necessary in
case of cross compiling, in addition to CC_FOR_BUILD, BUILD_CFLAGS,
and BUILD_LDFLAGS variables introduced earlier to override CC,
CFLAGS, and LDFLAGS, respectively.

* configure.in (BUILD_CPPFLAGS): Define.
* doc/specs/Makefile.am (CPPFLAGS): Define to @BUILD_CPPFLAGS@.

9 years agoDo not use yywrap (ticket #42)
Dmitry V. Levin [Tue, 9 Dec 2014 01:21:48 +0000 (01:21 +0000)]
Do not use yywrap (ticket #42)

Our scanners do not really use yywrap.  Explicitly disable yywrap
so that no references to yywrap will be generated and no LEXLIB
would be needed.

* conf/pam_conv1/Makefile.am (pam_conv1_LDADD): Remove.
* conf/pam_conv1/pam_conv_l.l: Enable noyywrap option.
* doc/specs/Makefile.am (padout_LDADD): Remove.
* doc/specs/parse_l.l: Enable noyywrap option.

9 years agodoc: fix a trivial typo in pam_authenticate return values (ticket #38)
Kyle Manna [Fri, 26 Sep 2014 04:37:49 +0000 (21:37 -0700)]
doc: fix a trivial typo in pam_authenticate return values (ticket #38)

* doc/man/pam_authenticate.3.xml: Fix a typo in PAM_AUTHINFO_UNAVAIL.

9 years agodoc: fix typo in pam_authenticate.3.xml
Ronny Chevalier [Mon, 11 Aug 2014 14:36:21 +0000 (16:36 +0200)]
doc: fix typo in pam_authenticate.3.xml

* doc/man/pam_authenticate.3.xml: Fix typo.

10 years agopam_succeed_if: Fix copy&paste error in rhost and tty values.
Tomas Mraz [Fri, 17 Oct 2014 06:39:58 +0000 (08:39 +0200)]
pam_succeed_if: Fix copy&paste error in rhost and tty values.

modules/pam_succeed_if/pam_succeed_if.c (evaluate): Use PAM_RHOST
and PAM_TTY properly for the rhost and tty values.

10 years agopam_succeed_if: Use long long type for numeric values
Tomas Mraz [Fri, 17 Oct 2014 06:34:24 +0000 (08:34 +0200)]
pam_succeed_if: Use long long type for numeric values

The currently used long with additional conversion to int is
too small for uids and gids.

modules/pam_succeed_if/pam_succeed_if.c (evaluate_num): Replace
strtol() with strtoll() and int with long long in the parameters
of comparison functions.

10 years agoAdd grantor field to audit records of libpam.
Tomas Mraz [Fri, 5 Sep 2014 07:09:37 +0000 (09:09 +0200)]
Add grantor field to audit records of libpam.

The grantor field gives audit trail of PAM modules which granted access
for successful return from libpam calls. In case of failed return
the grantor field is set to '?'.
libpam/pam_account.c (pam_acct_mgmt): Remove _pam_auditlog() call.
libpam/pam_auth.c (pam_authenticate, pam_setcred): Likewise.
libpam/pam_password.c (pam_chauthtok): Likewise.
libpam/pam_session.c (pam_open_session, pam_close_session): Likewise.
libpam/pam_audit.c (_pam_audit_writelog): Add grantors parameter,
add grantor= field to the message if grantors is set.
(_pam_list_grantors): New function creating the string with grantors list.
(_pam_auditlog): Add struct handler pointer parameter, call _pam_list_grantors()
to list the grantors from the handler list.
(_pam_audit_end): Add NULL handler parameter to _pam_auditlog() call.
(pam_modutil_audit_write): Add NULL grantors parameter to _pam_audit_writelog().
libpam/pam_dispatch.c (_pam_dispatch_aux): Set h->grantor where appropriate.
(_pam_clear_grantors): New function to clear grantor field of handler.
(_pam_dispatch): Call _pam_clear_grantors() before executing the stack.
Call _pam_auditlog() when appropriate.
libpam/pam_handlers.c (extract_modulename): Do not allow empty module name
or just "?" to avoid confusing audit trail.
(_pam_add_handler): Test for NULL return from extract_modulename().
Clear grantor field of handler.
libpam/pam_private.h: Add grantor field to struct handler, add handler pointer
parameter to _pam_auditlog().

10 years agopam_mkhomedir: Drop superfluous stat() call.
Tomas Mraz [Tue, 26 Aug 2014 12:08:28 +0000 (14:08 +0200)]
pam_mkhomedir: Drop superfluous stat() call.

modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Drop superfluous
stat() call.

10 years agopam_exec: Do not depend on open() returning STDOUT_FILENO.
Tomas Mraz [Tue, 26 Aug 2014 12:04:02 +0000 (14:04 +0200)]
pam_exec: Do not depend on open() returning STDOUT_FILENO.

modules/pam_exec/pam_exec.c (call_exec): Move the descriptor to
STDOUT_FILENO if needed.

10 years agopam_keyinit: Check return value of setregid.
Robin Hack [Mon, 25 Aug 2014 15:33:21 +0000 (17:33 +0200)]
pam_keyinit: Check return value of setregid.

modules/pam_keyinit/pam_keyinit.c (pam_sm_open_session): Log if setregid() fails.

10 years agopam_filter: Avoid leaking descriptors when fork() fails.
Robin Hack [Mon, 25 Aug 2014 15:30:01 +0000 (17:30 +0200)]
pam_filter: Avoid leaking descriptors when fork() fails.

modules/pam_filter/pam_filter.c (set_filter): Close descriptors when fork() fails.

10 years agopam_echo: Avoid leaking file descriptor.
Robin Hack [Thu, 14 Aug 2014 11:33:56 +0000 (13:33 +0200)]
pam_echo: Avoid leaking file descriptor.

modules/pam_echo/pam_echo.c (pam_echo): Close fd in error cases.

10 years agopam_tty_audit: Silence Coverity reporting uninitialized use.
Robin Hack [Wed, 13 Aug 2014 13:12:13 +0000 (15:12 +0200)]
pam_tty_audit: Silence Coverity reporting uninitialized use.

modules/pam_tty_audit/pam_tty_audit.c (nl_recv): Initialize also
msg_flags.

10 years agopam_tally2: Avoid uninitialized use of fileinfo.
Tomas Mraz [Wed, 13 Aug 2014 13:01:32 +0000 (15:01 +0200)]
pam_tally2: Avoid uninitialized use of fileinfo.

Problem found by Robin Hack <rhack@redhat.com>.
modules/pam_tally2/pam_tally2.c (get_tally): Do not depend on file size
just try to read it.

10 years agopam_access: Avoid uninitialized access of line.
Tomas Mraz [Wed, 13 Aug 2014 12:45:05 +0000 (14:45 +0200)]
pam_access: Avoid uninitialized access of line.

* modules/pam_access/pam_access.c (login_access): Reorder condition
so line is not accessed when uninitialized.

10 years agopam_lastlog: Properly clean up last_login structure before use.
Tomas Mraz [Tue, 5 Aug 2014 14:26:01 +0000 (16:26 +0200)]
pam_lastlog: Properly clean up last_login structure before use.

modules/pam_lastlog/pam_lastlog.c (last_login_write): Properly clean up last_login
structure before use.

10 years agoMake pam_pwhistory and pam_unix tolerant of corrupted opasswd file.
Tomas Mraz [Mon, 21 Jul 2014 14:31:38 +0000 (16:31 +0200)]
Make pam_pwhistory and pam_unix tolerant of corrupted opasswd file.

* modules/pam_pwhistory/opasswd.c (parse_entry): Test for missing fields
in opasswd entry and return error.
* modules/pam_unix/passverify.c (save_old_password): Test for missing fields
in opasswd entry and skip it.

10 years agodoc: add missing build dependencies for soelim stubs
Dmitry V. Levin [Mon, 30 Jun 2014 21:53:26 +0000 (21:53 +0000)]
doc: add missing build dependencies for soelim stubs

* doc/man/Makefile.am [ENABLE_REGENERATE_MAN]: Add dependencies for
pam_verror.3, pam_vinfo.3, pam_vprompt.3, and pam_vsyslog.3 soelim stubs.

10 years agodoc: fix install in case of out of tree build (ticket #31)
Dmitry V. Levin [Thu, 8 May 2014 23:36:58 +0000 (23:36 +0000)]
doc: fix install in case of out of tree build (ticket #31)

* doc/adg/Makefile.am (install-data-local, releasedocs): Fall back
to srcdir if documentation files haven't been found in builddir.
(releasedocs): Treat missing documentation files as an error.
* doc/mwg/Makefile.am: Likewise.
* doc/sag/Makefile.am: Likewise.

10 years agodoc: fix installation of adg-*.html and mwg-*.html files (ticket #31)
Dmitry V. Levin [Thu, 8 May 2014 23:36:58 +0000 (23:36 +0000)]
doc: fix installation of adg-*.html and mwg-*.html files (ticket #31)

Fix a typo due to which sag-*.html files might be installed instead of
adg-*.html and mwg-*.html files.

* doc/adg/Makefile.am (install-data-local): Install adg-*.html instead
of sag-*.html.
* doc/mwg/Makefile.am (install-data-local): Install mwg-*.html instead
of sag-*.html.

Patch-by: Mike Frysinger <vapier@gentoo.org>
10 years agopam_limits: nofile refers to file descriptors not files
Tomas Mraz [Thu, 19 Jun 2014 13:32:08 +0000 (15:32 +0200)]
pam_limits: nofile refers to file descriptors not files

modules/pam_limits/limits.conf.5.xml: Correct documentation of nofile limit.
modules/pam_limits/limits.conf: Likewise.

10 years agopam_limits: clarify documentation of maxlogins and maxsyslogins limits.
Tomas Mraz [Thu, 19 Jun 2014 12:41:50 +0000 (14:41 +0200)]
pam_limits: clarify documentation of maxlogins and maxsyslogins limits.

modules/pam_limits/limits.conf.5.xml: clarify documentation of
maxlogins and maxsyslogins limits.

10 years agopam_unix: Check for NULL return from Goodcrypt_md5().
Tomas Mraz [Thu, 19 Jun 2014 11:51:20 +0000 (13:51 +0200)]
pam_unix: Check for NULL return from Goodcrypt_md5().

modules/pam_unix/pam_unix_passwd.c (check_old_password): Check for
NULL return from Goodcrypt_md5().

10 years agopam_unix: check for NULL return from malloc()
Tomas Mraz [Thu, 19 Jun 2014 11:43:26 +0000 (13:43 +0200)]
pam_unix: check for NULL return from malloc()

* modules/pam_unix/md5_crypt.c (crypt_md5): Check for NULL return from malloc().

10 years agopam_loginuid: Document one more possible case of PAM_IGNORE return.
Tomas Mraz [Thu, 22 May 2014 09:33:21 +0000 (11:33 +0200)]
pam_loginuid: Document one more possible case of PAM_IGNORE return.

modules/pam_loginuid/pam_loginuid.8.xml: Document one more possible case
of PAM_IGNORE return value.

10 years agopam_loginuid: Document other possible return values.
Tomas Mraz [Thu, 22 May 2014 09:25:13 +0000 (11:25 +0200)]
pam_loginuid: Document other possible return values.

modules/pam_loginuid/pam_loginuid.8.xml: Document the possible return
values.

10 years agopam_timestamp: fix potential directory traversal issue (ticket #27)
Dmitry V. Levin [Wed, 26 Mar 2014 22:17:23 +0000 (22:17 +0000)]
pam_timestamp: fix potential directory traversal issue (ticket #27)

pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
the timestamp pathname it creates, so extra care should be taken to
avoid potential directory traversal issues.

* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
"." and ".." tty values as invalid.
(get_ruser): Treat "." and ".." ruser values, as well as any ruser
value containing '/', as invalid.

Fixes CVE-2014-2583.

Reported-by: Sebastian Krahmer <krahmer@suse.de>
10 years agopam_userdb: document that .db suffix should not be used
Tomas Mraz [Thu, 20 Mar 2014 09:46:13 +0000 (10:46 +0100)]
pam_userdb: document that .db suffix should not be used

modules/pam_userdb/pam_userdb.8.xml: Document that .db suffix
should not be used and correct the example.

10 years agopam_selinux: canonicalize user name
Tomas Mraz [Tue, 11 Mar 2014 08:59:12 +0000 (09:59 +0100)]
pam_selinux: canonicalize user name

SELinux expects canonical user name for example without domain component.

* modules/pam_selinux/pam_selinux.c (compute_exec_context): Canonicalize user name with pam_modutil_getpwnam().

10 years agoChange tarball name back to "Linux-PAM"
Dmitry V. Levin [Tue, 28 Jan 2014 15:01:24 +0000 (15:01 +0000)]
Change tarball name back to "Linux-PAM"

As a side effect of commit Linux-PAM-1_1_8-11-g3fa23ce, tarball name
changed accidentally from "Linux-PAM" to "linux-pam".
This change brings it back to "Linux-PAM".

* configure.in (AC_INIT): Explicitly specify TARNAME argument.

10 years agoIntroduce pam_modutil_sanitize_helper_fds
Dmitry V. Levin [Fri, 24 Jan 2014 15:32:08 +0000 (15:32 +0000)]
Introduce pam_modutil_sanitize_helper_fds

This change introduces pam_modutil_sanitize_helper_fds - a new function
that redirects standard descriptors and closes all other descriptors.

pam_modutil_sanitize_helper_fds supports three types of input and output
redirection:
- PAM_MODUTIL_IGNORE_FD: do not redirect at all.
- PAM_MODUTIL_PIPE_FD: redirect to a pipe.  For stdin, it is implemented
  by creating a pipe, closing its write end, and redirecting stdin to
  its read end.  Likewise, for stdout/stderr it is implemented by
  creating a pipe, closing its read end, and redirecting to its write
  end.  Unlike stdin redirection, stdout/stderr redirection to a pipe
  has a side effect that a process writing to such descriptor should be
  prepared to handle SIGPIPE appropriately.
- PAM_MODUTIL_NULL_FD: redirect to /dev/null.  For stdin, it is
  implemented via PAM_MODUTIL_PIPE_FD because there is no functional
  difference.  For stdout/stderr, it is classic redirection to
  /dev/null.

PAM_MODUTIL_PIPE_FD is usually more suitable due to linux kernel
security restrictions, but when the helper process might be writing to
the corresponding descriptor and termination of the helper process by
SIGPIPE is not desirable, one should choose PAM_MODUTIL_NULL_FD.

* libpam/pam_modutil_sanitize.c: New file.
* libpam/Makefile.am (libpam_la_SOURCES): Add it.
* libpam/include/security/pam_modutil.h (pam_modutil_redirect_fd,
pam_modutil_sanitize_helper_fds): New declarations.
* libpam/libpam.map (LIBPAM_MODUTIL_1.1.9): New interface.
* modules/pam_exec/pam_exec.c (call_exec): Use
pam_modutil_sanitize_helper_fds.
* modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Likewise.
* modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise.
* modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary):
Likewise.
* modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
* modules/pam_xauth/pam_xauth.c (run_coprocess): Likewise.
* modules/pam_unix/support.h (MAX_FD_NO): Remove.

10 years agopam_xauth: avoid potential SIGPIPE when writing to xauth process
Dmitry V. Levin [Fri, 24 Jan 2014 13:38:38 +0000 (13:38 +0000)]
pam_xauth: avoid potential SIGPIPE when writing to xauth process

Similar issue in pam_unix was fixed by commit Linux-PAM-0-73~8.

* modules/pam_xauth/pam_xauth.c (run_coprocess): In the parent process,
close the read end of input pipe after writing to its write end.

10 years agopam_loginuid: log significant loginuid write errors
Dmitry V. Levin [Sun, 19 Jan 2014 14:12:59 +0000 (14:12 +0000)]
pam_loginuid: log significant loginuid write errors

* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Log those errors
during /proc/self/loginuid update that are not ignored.

10 years agoFix gratuitous use of strdup and x_strdup
Dmitry V. Levin [Fri, 24 Jan 2014 23:53:09 +0000 (23:53 +0000)]
Fix gratuitous use of strdup and x_strdup

There is no need to copy strings passed as arguments to execve,
the only potentially noticeable effect of using strdup/x_strdup
would be a malformed argument list in case of memory allocation error.

Also, x_strdup, being a thin wrapper around strdup, is of no benefit
when its argument is known to be non-NULL, and should not be used in
such cases.

* modules/pam_cracklib/pam_cracklib.c (password_check): Use strdup
instead of x_strdup, the latter is of no benefit in this case.
* modules/pam_ftp/pam_ftp.c (lookup): Likewise.
* modules/pam_userdb/pam_userdb.c (user_lookup): Likewise.
* modules/pam_userdb/pam_userdb.h (x_strdup): Remove.
* modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Do not use
x_strdup for strings passed as arguments to execve.
* modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise.
* modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary): Likewise.
* modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
(_unix_verify_password): Use strdup instead of x_strdup, the latter
is of no benefit in this case.
* modules/pam_xauth/pam_xauth.c (run_coprocess): Do not use strdup for
strings passed as arguments to execv.

10 years agopam_userdb: fix password hash comparison
Dmitry V. Levin [Fri, 24 Jan 2014 22:18:32 +0000 (22:18 +0000)]
pam_userdb: fix password hash comparison

Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
passwords support in pam_userdb, hashes are compared case-insensitively.
This bug leads to accepting hashes for completely different passwords in
addition to those that should be accepted.

Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
modern password hashes with different lengths and settings, did not
update the hash comparison accordingly, which leads to accepting
computed hashes longer than stored hashes when the latter is a prefix
of the former.

* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
hash whose length differs from the stored hash length.
Compare computed and stored hashes case-sensitively.
Fixes CVE-2013-7041.

Bug-Debian: http://bugs.debian.org/731368

10 years agopam_xauth: log fatal errors preventing xauth process execution
Dmitry V. Levin [Fri, 24 Jan 2014 15:30:01 +0000 (15:30 +0000)]
pam_xauth: log fatal errors preventing xauth process execution

* modules/pam_xauth/pam_xauth.c (run_coprocess): Log errors from pipe()
and fork() calls.

10 years agopam_loginuid: cleanup loginuid buffer initialization
Dmitry V. Levin [Sun, 19 Jan 2014 14:02:53 +0000 (14:02 +0000)]
pam_loginuid: cleanup loginuid buffer initialization

* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Move loginuid
buffer initialization closer to its first use.

10 years agolibpam_misc: fix an inconsistency in handling memory allocation errors
Dmitry V. Levin [Wed, 22 Jan 2014 02:34:03 +0000 (02:34 +0000)]
libpam_misc: fix an inconsistency in handling memory allocation errors

When misc_conv fails to allocate memory for pam_response array, it
returns PAM_CONV_ERR.  However, when read_string fails to allocate
memory for a response string, it loses the response string and silently
ignores the error, with net result as if EOF has been read.

* libpam_misc/misc_conv.c (read_string): Use strdup instead of x_strdup,
the latter is of no benefit in this case.
Do not ignore potential memory allocation errors returned by strdup,
forward them to misc_conv.

10 years agopam_limits: fix utmp->ut_user handling
Dmitry V. Levin [Mon, 20 Jan 2014 16:24:18 +0000 (16:24 +0000)]
pam_limits: fix utmp->ut_user handling

ut_user member of struct utmp is a string that is not necessarily
null-terminated, so extra care should be taken when using it.

* modules/pam_limits/pam_limits.c (check_logins): Convert ut->UT_USER to
a null-terminated string and consistently use it where a null-terminated
string is expected.

10 years agopam_mkhomedir: check and create home directory for the same user (ticket #22)
Dmitry V. Levin [Mon, 20 Jan 2014 02:29:41 +0000 (02:29 +0000)]
pam_mkhomedir: check and create home directory for the same user (ticket #22)

Before pam_mkhomedir helper was introduced in commit
7b14630ef39e71f603aeca0c47edf2f384717176, pam_mkhomedir was checking for
existance and creating the same directory - the home directory of the
user NAME returned by pam_get_item(PAM_USER).

The change in behaviour accidentally introduced along with
mkhomedir_helper is not consistent: while the module still checks for
getpwnam(NAME)->pw_dir, the directory created by mkhomedir_helper is
getpwnam(getpwnam(NAME)->pw_name)->pw_dir, which is not necessarily
the same as the directory being checked.

This change brings check and creation back in sync, both handling
getpwnam(NAME)->pw_dir.

* modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Replace
"struct passwd *" argument with user's name and home directory.
Pass user's name to MKHOMEDIR_HELPER.
(pam_sm_open_session): Update create_homedir call.

10 years agopam_limits: detect and ignore stale utmp entries
Tomas Mraz [Mon, 20 Jan 2014 16:12:53 +0000 (17:12 +0100)]
pam_limits: detect and ignore stale utmp entries

Original idea by Christopher Hailey

* modules/pam_limits/pam_limits.c (check_logins): Use kill() to
detect if pid of the utmp entry is still running and ignore the entry
if it is not.

10 years agopam_loginuid: Always return PAM_IGNORE in userns
Stéphane Graber [Fri, 17 Jan 2014 23:24:16 +0000 (18:24 -0500)]
pam_loginuid: Always return PAM_IGNORE in userns

The previous patch to support user namespaces works fine with containers
that are started from a desktop/terminal session but fails when dealing
with containers that were started from a remote session such as ssh.

I haven't looked at the exact reason for that in the kernel but on the
userspace side of things, the difference is that containers started from
an ssh session will happily let pam open /proc/self/loginuid read-write,
will let it read its content but will then fail with EPERM when trying
to write to it.

So to make the userns support bullet proof, this commit moves the userns
check earlier in the function (which means a small performance impact as
it'll now happen everytime on kernels that have userns support) and will
set rc = PAM_IGNORE instead of rc = PAM_ERROR.

The rest of the code is still executed in the event that PAM is run on a
future kernel where we have some kind of audit namespace that includes a
working loginuid.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Steve Langasek <vorlon@debian.org>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
10 years agopam_namespace: don't use bashisms in default namespace.init script
Steve Langasek [Wed, 15 Jan 2014 03:48:51 +0000 (19:48 -0800)]
pam_namespace: don't use bashisms in default namespace.init script

* modules/pam_namespace/pam_namespace.c: call setuid() before execing the
namespace init script, so that scripts run with maximum privilege regardless
of the shell implementation.
* modules/pam_namespace/namespace.init: drop the '-p' bashism from the
shebang line

This is not a POSIX standard option, it's a bashism.  The bash manpage says
that it's used to prevent the effective user id from being reset to the real
user id on startup, and to ignore certain unsafe variables from the
environment.

In the case of pam_namespace, the -p is not necessary for environment
sanitizing because the PAM module (properly) sanitizes the environment
before execing the script.

The stated reason given in CVS history for passing -p is to "preserve euid
when called from setuid apps (su, newrole)."  This should be done more
portably, by calling setuid() before spawning the shell.

Signed-off-by: Steve Langasek <vorlon@debian.org>
Bug-Debian: http://bugs.debian.org/624842
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323

10 years agopam_loginuid: Ignore failure in user namespaces
Stéphane Graber [Wed, 8 Jan 2014 00:12:03 +0000 (16:12 -0800)]
pam_loginuid: Ignore failure in user namespaces

When running pam_loginuid in a container using the user namespaces, even
uid 0 isn't allowed to set the loginuid property.

This change catches the EACCES from opening loginuid, checks if the user
is in the host namespace (by comparing the uid_map with the host's one)
and only if that's the case, sets rc to 1.

Should uid_map not exist or be unreadable for some reason, it'll be
assumed that the process is running on the host's namespace.

The initial reason behind this change was failure to ssh into an
unprivileged container (using a 3.13 kernel and current LXC) when using
a standard pam profile for sshd (which requires success from
pam_loginuid).

I believe this solution doesn't have any drawback and will allow people
to use unprivileged containers normally. An alternative would be to have
all distros set pam_loginuid as optional but that'd be bad for any of
the other potential failure case which people may care about.

There has also been some discussions to get some of the audit features
tied with the user namespaces but currently none of that has been merged
upstream and the currently proposed implementation doesn't cover
loginuid (nor is it clear how this should even work when loginuid is set
as immutable after initial write).

Signed-off-by: Steve Langasek <vorlon@debian.org>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
10 years agopam_loginuid: return PAM_IGNORE when /proc/self/loginuid does not exist
Dmitry V. Levin [Wed, 8 Jan 2014 23:53:30 +0000 (15:53 -0800)]
pam_loginuid: return PAM_IGNORE when /proc/self/loginuid does not exist

When /proc/self/loginuid does not exist, return PAM_IGNORE instead of
PAM_SUCCESS, so that we can distinguish between "loginuid set
successfully" and "loginuid not set, but this is expected".

Suggested by Steve Langasek.

* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Change return
code semantics: return PAM_SUCCESS on success, PAM_IGNORE when loginuid
does not exist, PAM_SESSION_ERR in case of any other error.
(_pam_loginuid): Forward the PAM error code returned by set_loginuid.

10 years agopam_access: fix debug level logging (ticket #19)
Dmitry V. Levin [Wed, 20 Nov 2013 15:55:40 +0000 (15:55 +0000)]
pam_access: fix debug level logging (ticket #19)

* modules/pam_access/pam_access.c (group_match): Log the group token
passed to the function, not an uninitialized data on the stack.

10 years agopam_warn: log flags passed to the module (ticket #25)
Dmitry V. Levin [Tue, 19 Nov 2013 21:55:40 +0000 (21:55 +0000)]
pam_warn: log flags passed to the module (ticket #25)

* modules/pam_warn/pam_warn.c (log_items): Take "flags" argument and
log it using pam_syslog.
(pam_sm_authenticate, pam_sm_setcred, pam_sm_chauthtok,
pam_sm_acct_mgmt, pam_sm_open_session, pam_sm_close_session): Pass
"flags" argument to log_items.

10 years agoModernize AM_INIT_AUTOMAKE invocation
Dmitry V. Levin [Tue, 19 Nov 2013 21:08:00 +0000 (21:08 +0000)]
Modernize AM_INIT_AUTOMAKE invocation

Before this change, automake complained that two- and three-arguments
forms of AM_INIT_AUTOMAKE are deprecated.

* configure.in: Pass PACKAGE and VERSION arguments to AC_INIT instead
of AM_INIT_AUTOMAKE.

10 years agoFix autoconf warnings
Dmitry V. Levin [Tue, 19 Nov 2013 20:49:47 +0000 (20:49 +0000)]
Fix autoconf warnings

Before this change, autoconf complained that AC_COMPILE_IFELSE
and AC_RUN_IFELSE was called before AC_USE_SYSTEM_EXTENSIONS.

* configure.in: Call AC_USE_SYSTEM_EXTENSIONS before LT_INIT.

10 years agopam_securetty: check return value of fgets
Dmitry V. Levin [Tue, 19 Nov 2013 14:18:44 +0000 (14:18 +0000)]
pam_securetty: check return value of fgets

Checking return value of fgets not only silences the warning from glibc
but also leads to a cleaner code.

* modules/pam_securetty/pam_securetty.c (securetty_perform_check):
Check return value of fgets.

10 years agopam_lastlog: fix format string
Dmitry V. Levin [Tue, 19 Nov 2013 14:05:09 +0000 (14:05 +0000)]
pam_lastlog: fix format string

gcc -Wformat justly complains:
format '%d' expects argument of type 'int', but argument 5 has type 'time_t'

* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Fix format
string.

10 years agoIf the correct loginuid is set already, skip writing it.
Darren Tucker [Wed, 20 Nov 2013 08:43:50 +0000 (09:43 +0100)]
If the correct loginuid is set already, skip writing it.

modules/pam_loginuid/pam_loginuid.c (set_loginuid): Read the current loginuid
and skip writing if already correctly set.

10 years ago Always ask for old password if changing NIS account
Thorsten Kukuk [Mon, 11 Nov 2013 13:14:31 +0000 (14:14 +0100)]
Always ask for old password if changing NIS account

* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): ask
for old password if NIS account.

10 years agoAllow DES as compatibility option for /etc/login.defs
Thorsten Kukuk [Fri, 8 Nov 2013 14:35:41 +0000 (15:35 +0100)]
Allow DES as compatibility option for /etc/login.defs

* modules/pam_unix/support.h: Add UNIX_DES

11 years agoDocfix: pam_prompt() and pam_vprompt() return int.
Tomas Mraz [Mon, 14 Oct 2013 12:09:22 +0000 (14:09 +0200)]
Docfix: pam_prompt() and pam_vprompt() return int.

doc/man/pam_prompt.3.xml: pam_prompt() and pam_vprompt() return int.

11 years agoMake pam_tty_audit work with old kernels not supporting log_passwd.
Tomas Mraz [Mon, 14 Oct 2013 12:04:23 +0000 (14:04 +0200)]
Make pam_tty_audit work with old kernels not supporting log_passwd.

modules/pam_tty_audit/pam_tty_audit.c(nl_recv): Pad result with zeros
if message is short from older kernel.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
11 years agoFix pam_tty_audit log_passwd support and regression.
Tomas Mraz [Wed, 25 Sep 2013 10:40:05 +0000 (12:40 +0200)]
Fix pam_tty_audit log_passwd support and regression.

modules/pam_tty_audit/pam_tty_audit.c: Add missing "config.h" include.
(pam_sm_open_session): Always copy the old status as initialization of new.

11 years agoRelease version 1.1.8
Thorsten Kukuk [Thu, 19 Sep 2013 09:30:37 +0000 (11:30 +0200)]
Release version 1.1.8

11 years agoCheck return value of setuid to remove glibc warnings. Linux-PAM-1_1_8
Thorsten Kukuk [Mon, 16 Sep 2013 09:48:12 +0000 (11:48 +0200)]
Check return value of setuid to remove glibc warnings.

* modules/pam_unix/pam_unix_acct.c: Check setuid return value.
* modules/pam_unix/support.c: Likewise.

11 years agoWrite to *rounds only if non-NULL.
Tomas Mraz [Fri, 13 Sep 2013 13:20:01 +0000 (15:20 +0200)]
Write to *rounds only if non-NULL.

modules/pam_unix/support.c(_set_ctrl): Write to *rounds only if non-NULL.

11 years agoAdd missing ')'
Tomas Mraz [Fri, 13 Sep 2013 12:04:08 +0000 (14:04 +0200)]
Add missing ')'

modules/pam_unix/pam_unix_passwd.c: Add missing ')'..

11 years agoRelease version 1.1.7 Linux-PAM-1_1_7
Thorsten Kukuk [Wed, 11 Sep 2013 14:49:07 +0000 (16:49 +0200)]
Release version 1.1.7

11 years agoUpdated translations from Transifex.
Tomas Mraz [Wed, 11 Sep 2013 11:55:22 +0000 (13:55 +0200)]
Updated translations from Transifex.

po/*.po: Updated translations from Transifex.

11 years agoExtend pam_exec by stdout and type= options (ticket #8):
Thorsten Kukuk [Wed, 4 Sep 2013 14:40:37 +0000 (16:40 +0200)]
Extend pam_exec by stdout and type= options (ticket #8):

* modules/pam_exec/pam_exec.c: Add stdout and type= option
* modules/pam_exec/pam_exec.8.xml: Document new options

11 years agoFix compile error
Thorsten Kukuk [Fri, 30 Aug 2013 12:46:47 +0000 (14:46 +0200)]
Fix compile error

* modules/pam_unix/pam_unix_acct.c: fix last change

11 years agoRestart waitpid if it returns with EINTR (ticket #17)
Thorsten Kukuk [Thu, 29 Aug 2013 12:09:39 +0000 (14:09 +0200)]
Restart waitpid if it returns with EINTR (ticket #17)

* modules/pam_unix/pam_unix_acct.c: run waitpid in a while loop.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/support.c: Likewise.

11 years agomisc_conv.3: Fix documentation of misc_conv
Thorsten Kukuk [Wed, 28 Aug 2013 09:00:49 +0000 (11:00 +0200)]
misc_conv.3: Fix documentation of misc_conv

doc/man/misc_conv.3.xml: Fix return value of misc_conv

11 years agoApply the exclusive check in pam_sepermit only when loginuid not set.
Tomas Mraz [Fri, 23 Aug 2013 12:43:36 +0000 (14:43 +0200)]
Apply the exclusive check in pam_sepermit only when loginuid not set.

* modules/pam_sepermit/pam_sepermit.c(get_loginuid): Read loginuid from
/proc
(sepermit_match): Apply the exclusive check only when loginuid not set.

11 years agoUpdated translations from Transifex.
Tomas Mraz [Thu, 22 Aug 2013 11:41:30 +0000 (13:41 +0200)]
Updated translations from Transifex.

* po/*.po: Updated translations from Transifex.