Steve Langasek [Mon, 28 Jul 2008 20:51:56 +0000 (20:51 +0000)]
Relevant BUGIDs:
Purpose of commit: bugfix (thread safety)
Commit summary:
---------------
2008-07-28 Steve Langasek <vorlon@debian.org>
* modules/pam_unix/passverify.c: make save_old_password()
thread-safe by using pam_modutil_getpwnam() instead of getpwnam()
* modules/pam_unix/passverify.c, modules/pam_unix/passverify.h,
modules/pam_unix/pam_unix_passwd.c: add pamh argument to
save_old_password()
Steve Langasek [Sun, 27 Jul 2008 04:47:54 +0000 (04:47 +0000)]
Relevant BUGIDs: Debian bug #439984
Purpose of commit: bugfix
Commit summary:
---------------
2008-07-26 Steve Langasek <vorlon@debian.org>
* modules/pam_env/pam_env.c: Fix module to skip over
non-alphanumeric variable names, and to handle the case when
asked to delete a non-existent variable.
Tomas Mraz [Fri, 11 Jul 2008 15:37:28 +0000 (15:37 +0000)]
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2008-07-11 Tomas Mraz <t8m@centrum.cz>
* modules/pam_selinux/pam_selinux.c (config_context): Do not
ask for the level if use_current_range is set.
(context_from_env): New function to obtain the context from
PAM environment variables.
(pam_sm_open_session): Call context_from_env() if env_params option
is present. use_current_range now modifies behavior of the
context_from_env and config_context options.
* modules/pam_selinux/pam_selinux.8.xml: Describe the env_params
option. Adjust description of use_current_range option.
Commit summary:
---------------
2008-07-11 Tomas Mraz <t8m@centrum.cz>
* modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Do
not close the pipe descriptor in borderline case (#2009766)
* modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary):
Likewise.
* modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
* modules/pam_unix/support.h: Define upper limit of fds we will
attempt to close.
* modules/pam_tally/pam_tally.c: Add support for silent and
no_log_info options.
* modules/pam_tally/pam_tally.8.xml: Document silent and
no_log_info options.
Tomas Mraz [Wed, 14 May 2008 13:03:39 +0000 (13:03 +0000)]
Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2008-05-14 Tomas Mraz <t8m@centrum.cz>
* modules/pam_unix/pam_unix_passwd.c(pam_sm_chauthtok): Unset authtok
item when password is not approved.
* modules/pam_unix/support.c(_unix_read_password): UNIX_USE_FIRST_PASS
is always set when UNIX_AUTHTOK is set, change order of conditions.
Tomas Mraz [Fri, 2 May 2008 12:41:32 +0000 (12:41 +0000)]
Relevant BUGIDs:
Purpose of commit: cleanup
Commit summary:
---------------
2008-05-02 Tomas Mraz <t8m@centrum.cz>
* modules/pam_selinux/pam_selinux.c(query_response): Add handling
for NULL response.
(manual_context): Handle failed query_response() properly. Rename
variable responses to response which is more correct name.
(config_context): Likewise.
(pam_sm_open_session): Do not base decision on whether there is a tty.
Tomas Mraz [Tue, 22 Apr 2008 19:21:37 +0000 (19:21 +0000)]
Relevant BUGIDs: rhbz#443667
Purpose of commit: bugfix
Commit summary:
---------------
2008-04-22 Tomas Mraz <t8m@centrum.cz>
* modules/pam_selinux/pam_selinux.c(pam_sm_close_sesion): Fix
regression from the change from 2008-03-20. setexeccon() must be
called also with NULL prev_context.
* modules/pam_access/access.conf.5.xml: Document changed behavior
of LOCAL keyword.
* modules/pam_access/pam_access.c: Add from_remote_host to
struct login_info to change behavior of LOCAL keyword: if
PAM_RHOST is not set, LOCAL will be true.
Tomas Mraz [Fri, 18 Apr 2008 12:53:38 +0000 (12:53 +0000)]
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2008-04-18 Tomas Mraz <t8m@centrum.cz>
* modules/pam_namespace/pam_namespace.c: New functions
unprotect_dirs(), cleanup_protect_data(), protect_mount(),
protect_dir() to protect directory by bind mount.
(cleanup_data): Renamed to cleanup_polydir_data().
(parse_create_params): Allow missing specification of mode
or owner.
(check_inst_parent): Call protect_dir() on the instance parent
directory. The directory is created when it doesn't exist.
(create_polydir): Protect and make the polydir by protect_dir(),
remove potential races.
(create_dirs): Renamed to create_instance(), remove call to
inst_init().
(ns_setup): Call protect_dir() on the polydir if it already exists.
Call inst_init() after the polydir is mounted.
(setup_namespace): Set the namespace protect data to be cleaned up
on pam_close_session()/pam_end().
(pam_sm_open_session): Initialize the protect_dirs.
(pam_sm_close_session): Cleanup namespace protect data.
* modules/pam_namespace/pam_namespace.h: Define struct for the
stack of protected dirs.
* modules/pam_namespace/pam_namespace.8.xml: Document when the
instance init script is called.
* modules/pam_namespace/namespace.conf.5.xml: Likewise.
Tomas Mraz [Thu, 17 Apr 2008 12:52:25 +0000 (12:52 +0000)]
Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2008-04-17 Tomas Mraz <t8m@centrum.cz>
* modules/pam_access/pam_access.c(myhostname): Removed function.
(user_match): Supply hostname of the machine to the netgroup_match().
Use hostname from the loginfo instead of calling myhostname().
(pam_sm_authenticate): Call gethostname() to fill hostname in the
loginfo.
Tomas Mraz [Wed, 16 Apr 2008 08:21:05 +0000 (08:21 +0000)]
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2008-04-16 Tomas Mraz <t8m@centrum.cz>
* modules/pam_cracklib/pam_cracklib.c(_pam_parse): Recognize also
try_first_pass and use_first_pass options.
(pam_sm_chauthtok): Implement the new options.
Tomas Mraz [Tue, 8 Apr 2008 08:56:32 +0000 (08:56 +0000)]
Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2008-04-08 Tomas Mraz <t8m@centrum.cz>
* libpam/pam_item.c (TRY_SET): Do not set when destination
is identical to source.
(pam_set_item): Do not overwrite destination when it
is identical to source.
* configure.in: Set version number to 1.0.0.
* libpam/Makefile.am: Bump patchlevel of libpam.
* doc/adg/Linux-PAM_ADG.xml: Update version/date.
* doc/mwg/Linux-PAM_MWG.xml: Likewise.
* doc/sag/Linux-PAM_SAG.xml: Likewise.
Tomas Mraz [Thu, 20 Mar 2008 17:06:32 +0000 (17:06 +0000)]
Relevant BUGIDs: rhbz#438338, rhbz#438264
Purpose of commit: bugfix
Commit summary:
---------------
2008-03-20 Tomas Mraz <t8m@centrum.cz>
* modules/pam_namespace/pam_namespace.c(poly_name): Switch to USER
method only when appropriate.
(setup_namespace): Do not umount when not mounted with RUSER.
* modules/pam_selinux/pam_selinux.c(pam_sm_close_session): Call
freecontext() after the context is logged not before.
Tomas Mraz [Wed, 5 Mar 2008 20:21:38 +0000 (20:21 +0000)]
Relevant BUGIDs:
Purpose of commit: cleanup
Commit summary:
---------------
2008-03-05 Tomas Mraz <t8m@centrum.cz>
* modules/pam_cracklib/pam_cracklib.c(pam_sm_chauthtok): Avoid
unnecessary x_strdup() of resp.
* modules/pam_ftp/pam_ftp(pam_sm_authenticate): Call _pam_overwrite()
before dropping password resp.
Tomas Mraz [Mon, 3 Mar 2008 13:23:45 +0000 (13:23 +0000)]
Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2008-03-03 Tomas Mraz <t8m@centrum.cz>
* libpam/pam_item.c(RESET): Rename to TRY_SET, handle strdup failure.
(pam_set_item): Use TRY_SET() also for PAM_AUTHTOK and PAM_OLDAUTHTOK.
Handle allocation failure for PAM_XAUTHDATA.
(pam_get_user): Return error when conversation returns NULL user.
Call pam_set_item() instead of RESET().
Tomas Mraz [Fri, 29 Feb 2008 15:22:03 +0000 (15:22 +0000)]
Relevant BUGIDs:
Purpose of commit: cleanup
Commit summary:
---------------
2008-02-26 Tomas Mraz <t8m@centrum.cz>
* modules/pam_unix/Makefile.am: Do not link to cracklib.
* modules/pam_unix/pam_unix_passwd.c(_pam_unix_approve_pass):
Do not call FascistCheck() from cracklib.
Tomas Mraz [Thu, 21 Feb 2008 21:12:30 +0000 (21:12 +0000)]
Relevant BUGIDs: rhbz#433459
Purpose of commit: bugfix
Commit summary:
---------------
2008-02-21 Tomas Mraz <t8m@centrum.cz>
* libpam/pam_audit.c (_pam_audit_writelog): Silence syslog
message on non-error return.
* modules/pam_unix/unix_chkpwd.c (main): Proceed as unprivileged
user when checking password of another user.
* modules/pam_unix/unix_update.c: Fix comment.
Dmitry V. Levin [Mon, 18 Feb 2008 13:37:46 +0000 (13:37 +0000)]
Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2008-02-18 Dmitry V. Levin <ldv@altlinux.org>
* libpam/pam_handlers.c (_pam_assemble_line): Fix potential
buffer overflow.
* xtests/tst-pam_assemble_line.pamd: New test for
_pam_assemble_line.
* xtests/tst-pam_assemble_line.sh: New script for
tst-pam_assemble_line.
* xtests/Makefile.am (NOSRCTESTS): Add tst-pam_assemble_line.
Tomas Mraz [Wed, 13 Feb 2008 12:49:43 +0000 (12:49 +0000)]
Relevant BUGIDs:
Purpose of commit: bugfix, new feature
Commit summary:
---------------
2008-02-13 Tomas Mraz <t8m@centrum.cz>
* modules/pam_namespace/Makefile.am: Add argv_parse files and namespace.d
dir.
* modules/pam_namespace/argv_parse.c: New file.
* modules/pam_namespace/argv_parse.h: New file.
* modules/pam_namespace/namespace.conf.5.xml: Document new features.
* modules/pam_namespace/pam_namespace.8.xml: Likewise.
* modules/pam_namespace/pam_namespace.h: Use SECURECONF_DIR define.
Define NAMESPACE_D_DIR and NAMESPACE_D_GLOB. Define new option flags
and polydir flags.
(polydir_s): Add rdir, replace exclusive with flags, add init_script,
owner, group, and mode.
(instance_data): Add ruser, gid, and ruid.
* modules/pam_namespace/pam_namespace.c: Remove now unused copy_ent().
(add_polydir_entry): Add the entry directly, no copy.
(del_polydir): New function.
(del_polydir_list): Call del_polydir().
(expand_variables, parse_create_params, parse_iscript_params,
parse_method): New functions.
(process_line): Call expand_variables() on polydir and instance prefix.
Call argv_parse() instead of strtok_r(). Allocate struct polydir_s on heap.
(parse_config_file): Parse .conf files from namespace.d dir after
namespace.conf.
(form_context): Call getcon() or get_default_context_with_level() when
appropriate flags are set.
(poly_name): Handle shared polydir flag.
(inst_init): Execute non-default init script when specified.
(create_polydir): New function.
(create_dirs): Remove the code which checks the polydir. Do not call
inst_init() when noinit flag is set.
(ns_setup): Check the polydir and eventually create it if the create flag
is set.
(setup_namespace): Use ruser uid from idata. Set the namespace polydir
pam data only when namespace was set up correctly. Unmount polydir
based on ruser.
(get_user_data): New function.
(pam_sm_open_session): Check for use_current_context and
use_default_context options. Call get_user_data().
(pam_sm_close_session): Call get_user_data().
Thorsten Kukuk [Mon, 4 Feb 2008 15:27:31 +0000 (15:27 +0000)]
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2008-02-04 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_exec/pam_exec.c: Set PAM environment variables and
add 'quiet' option.
* modules/pam_exec/pam_exec.8.xml: Document new behavior.
Patch from Julien Lecomte <julien@lecomte.at>.
Tomas Mraz [Fri, 1 Feb 2008 16:22:23 +0000 (16:22 +0000)]
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2008-02-01 Tomas Mraz <t8m@centrum.cz>
* modules/pam_namespace/namespace.conf.5.xml: Add documentation for
tmpfs and tmpdir polyinst and for ~ user list modifier.
* modules/pam_namespace/namespace.init: Add documentation for the
new init parameter. Add home directory initialization script.
* modules/pam_namespace/pam_namespace.8.xml: Document the new
init parameter of the namespace.init script.
* modules/pam_namespace/pam_namespace.c(copy_ent): Copy exclusive flag.
(cleanup_data): New function.
(process_line): Set exclusive flag. Add tmpfs and tmpdir methods.
(ns_override): Change behavior on the exclusive flag.
(poly_name): Process tmpfs and tmpdir methods.
(inst_init): Add flag for new directory initialization.
(create_dirs): Process the tmpdir method, add the new directory
flag.
(ns_setup): Remove unused code. Process the tmpfs method.
(cleanup_tmpdirs): New function.
(setup_namespace): Set data for proper cleanup. Cleanup the tmpdirs
on failures.
(pam_sm_close_session): Instead of parsing the config file again use
the previously set data for cleanup.
* modules/pam_namespace/pam_namespace.h: Add TMPFS and TMPDIR methods
and exclusive flag.
* modules/pam_tty_audit/README.xml: Add notes section.
* modules/pam_tty_audit/pam_tty_audit.8.xml: Describe patterns
support and open_only option. Add notes.
* modules/pam_tty_audit/pam_tty_audit.c(pam_sm_open_session): Add
support for pattern matching and the open_only option.
Commit summary:
---------------
2008-01-24 Tomas Mraz <t8m@centrum.cz>
* modules/pam_unix/bigcrypt.c (bigcrypt): Use crypt_r() when
available.
* modules/pam_unix/passverify.c (strip_hpux_aging): New function
to strip HP/UX aging info from password hash.
(verify_pwd_hash): Call strip_hpux_aging(), use crypt_r() when
available.
Tomas Mraz [Wed, 23 Jan 2008 15:35:12 +0000 (15:35 +0000)]
Relevant BUGIDs:
Purpose of commit: cleanup, new feature
Commit summary:
---------------
Merging the the refactorization pam_unix_ref branch into the trunk.
Added support for sha256 and sha512 password hashes to pam_unix
when the libcrypt supports them.
Tomas Mraz [Wed, 5 Dec 2007 10:03:29 +0000 (10:03 +0000)]
Relevant BUGIDs:
Purpose of commit: cleanup
Commit summary:
---------------
2007-12-05 Tomas Mraz <t8m@centrum.cz>
* modules/pam_unix/Makefile.am: Add passverify.h and passverify.c
as first part of pam_unix refactorization.
* modules/pam_unix/pam_unix/pam_unix_acct.c: Include passverify.h.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/passverify.c: New file with common functions.
* modules/pam_unix/passverify.h: Prototypes for the common functions.
* modules/pam_unix/support.c: Include passverify.h, move
_unix_shadowed() to passverify.c.
(_unix_verify_password): Refactor out verify_pwd_hash() function.
* modules/pam_unix/support.h: Move _unix_shadowed() prototype to
passverify.h
* modules/pam_unix/unix_chkpwd.c: Use _unix_shadowed() and
verify_pwd_hash() from passverify.c.
Don't link pam_tally application against libpam, if linked static,
libpam is not yet available.
2007-11-20 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_tally/pam_tally.c (tally_log): Map
pam_modutil_getpwnam to getpwnam if we don't compile
as module.
* modules/pam_tally/Makefile.am: Don't link pam_tally_app
against libpam (#1822779).
* libpam/pam_static_modules.h: Fix name of pam_namespace variable.
2007-10-30 Peter Breitenlohner <peb@mppmu.mpg.de>
* tests/tst-dlopen.c: Return 77 in case of static modules, such that
all modules/pam_*/tst-pam_* tests yield SKIP instead of FAIL.
* libpam/Makefile.am (libpam_la_LIBADD): Use "$(shell ls ...)" instead
of "`ls ...`", to allow for static modules.
* libpam/pam_static_modules.h: Make pam_keyinit module depend on
HAVE_KEY_MANAGEMENT; correct name of pam_faildelay pam_module struct.
* modules/pam_faildelay/pam_faildelay.c: Correct name of pam_module
struct.
Steve Langasek [Thu, 25 Oct 2007 21:32:48 +0000 (21:32 +0000)]
Relevant BUGIDs: Debian bug #446327
Purpose of commit: bugfix
Commit summary:
---------------
2007-10-25 Steve Langasek <vorlon@debian.org>
* modules/pam_tally/pam_tally.c: fix the definition of OPT_AUDIT
to be octal instead of decimal, so that it works properly in a
bit field instead of forcing the "even_deny_root_account" and
"no_reset" options to on.
Patch from Corey Wright <undefined@pobox.com>.
Tomas Mraz [Fri, 19 Oct 2007 17:06:29 +0000 (17:06 +0000)]
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2007-10-19 Tomas Mraz <t8m@centrum.cz>
* xtests/tst-pam_access1.c: Use different name for user and group.
* xtests/tst-pam_access1.sh: Likewise.
* xtests/tst-pam_access2.c: Likewise.
* xtests/tst-pam_access2.sh: Likewise.
* xtests/tst-pam_access4.c: Likewise.
* xtests/tst-pam_access4.sh: Likewise.
* xtests/group.conf: Likewise.
* xtests/tst-pam_group1.c: Likewise.
* xtests/tst-pam_group1.sh: Likewise.
* libpam/pam_dispatch.c (_pam_dispatch_aux): Save states for substacks,
record substack level, skip over virtual substack modules, implement
evaluation of done, die, reset and jumps in substacks. Also fixes
too far jumps in substacks.
* libpam/pam_end.c (pam_end): Drop substack evaluation states.
* libpam/pam_handlers.c (_pam_parse_conf_file): Add substack level
parameter, instead of must_fail use handler_type needed for virtual
substack modules.
(_pam_load_conf_file): Add substack level parameter.
(_pam_init_handlers): Substack level parameter added to
_pam_parse_conf_file() calls.
(_pam_load_module): New function.
(_pam_add_handler): Refactor code into the _pam_load_module(). Add
support for virtual substack modules.
* libpam/pam_private.h: Rename must_fail to handler_type, add stack_level
to struct handler. Define handler type constants. Add struct
for substack evaluation states. Define constant for maximum
substack level. Add substack states pointer to former state struct.
* libpam/pam_start.c (pam_start): Initialize pointer to substack states.
* doc/man/pam.conf-syntax.xml: Document substack control.
* xtests/Makefile.am: Add new tests for substack evaluation.
* xtests/run_xtests.sh: Support multiple .pamd files in a test.
* xtests/tst-pam_authfail.pamd: New tests for substack evaluation.
* xtests/tst-pam_authsucceed.pamd: Likewise.
* xtests/tst-pam_substack1.pamd: Likewise.
* xtests/tst-pam_substack1a.pamd: Likewise.
* xtests/tst-pam_substack1.sh: Likewise.
* xtests/tst-pam_substack2.pamd: Likewise.
* xtests/tst-pam_substack2a.pamd: Likewise.
* xtests/tst-pam_substack2.sh: Likewise.
* xtests/tst-pam_substack3.pamd: Likewise.
* xtests/tst-pam_substack3a.pamd: Likewise.
* xtests/tst-pam_substack3.sh: Likewise.
* xtests/tst-pam_substack4.pamd: Likewise.
* xtests/tst-pam_substack4a.pamd: Likewise.
* xtests/tst-pam_substack4.sh: Likewise.
* xtests/tst-pam_substack5.pamd: Likewise.
* xtests/tst-pam_substack5a.pamd: Likewise.
* xtests/tst-pam_substack5.sh: Likewise.
Tomas Mraz [Thu, 18 Oct 2007 11:02:57 +0000 (11:02 +0000)]
Relevant BUGIDs:
Purpose of commit: testcase
Commit summary:
---------------
2007-10-18 Tomas Mraz <t8m@centrum.cz>
* xtests/tst-pam_dispatch4.c: Fix comment about the test.
* xtests/tst-pam_dispatch4.pamd: Improve the testcase.
Thorsten Kukuk [Fri, 12 Oct 2007 10:46:25 +0000 (10:46 +0000)]
Relevant BUGIDs:
Purpose of commit: new testcase
Commit summary:
---------------
2007-10-12 Thorsten Kukuk <kukuk@thkukuk.de>
* xtests/Makefile.am: Add tst-pam_dispatch5 sources
* xtests/tst-pam_dispatch5.c: New test for jump too far.
* xtests/tst-pam_dispatch5.pamd: New test configuration.
Thorsten Kukuk [Mon, 1 Oct 2007 09:41:32 +0000 (09:41 +0000)]
Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2007-10-01 Thorsten Kukuk <kukuk@thkukuk.de>
* xtests/tst-pam_group1.c: New test case for user compare in pam_group.
* xtests/tst-pam_group1.sh: Script to run test case.
* xtests/tst-pam_group1.pamd: Config for test case.
* xtests/Makefile.am: Add tst-pam_group1 test case.
* xtests/run-xtests.sh: Save/restore group.conf.
* xtests/group.conf: New.
* modules/pam_xauth/pam_xauth.c (pam_sm_open_session): Don't
free arguments used for putenv().
* doc/man/pam_putenv.3.xml: Document that application has to free
the memory.
Tomas Mraz [Thu, 27 Sep 2007 11:54:43 +0000 (11:54 +0000)]
Relevant BUGIDs: rhbz #306901, rhbz #295151
Purpose of commit: bugfix
Commit summary:
---------------
2007-09-27 Tomas Mraz <t8m@centrum.cz>
* modules/pam_succeed_if/pam_succeed_if.c (evaluate_inlist): Fix in
operator rhbz #295151.
* modules/pam_namespace/pam_namespace.c (poly_name): Do not try to
get context when SELinux is disabled rhbz #306901.
* xtests/tst-pam_succeed_if1.c: New test case for
https://bugzilla.redhat.com/show_bug.cgi?id=295151
* xtests/tst-pam_succeed_if1.sh: Script to run test case.
* xtests/tst-pam_succeed_if1.pamd: Config for test case.
* xtests/Makefile.am: Add tst-pam_succeed_if1 test case.
projects / linux-pam / log