granicus.if.org Git - linux-pam/log
11 years ago Allow DES as compatibility option for /etc/login.defs
Thorsten Kukuk [Fri, 8 Nov 2013 14:35:41 +0000 (15:35 +0100)]
Allow DES as compatibility option for /etc/login.defs

* modules/pam_unix/support.h: Add UNIX_DES

11 years ago Docfix: pam_prompt() and pam_vprompt() return int.
Tomas Mraz [Mon, 14 Oct 2013 12:09:22 +0000 (14:09 +0200)]
Docfix: pam_prompt() and pam_vprompt() return int.

doc/man/pam_prompt.3.xml: pam_prompt() and pam_vprompt() return int.

11 years ago Make pam_tty_audit work with old kernels not supporting log_passwd.
Tomas Mraz [Mon, 14 Oct 2013 12:04:23 +0000 (14:04 +0200)]
Make pam_tty_audit work with old kernels not supporting log_passwd.

modules/pam_tty_audit/pam_tty_audit.c(nl_recv): Pad result with zeros
if message is short from older kernel.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>

11 years ago Fix pam_tty_audit log_passwd support and regression.
Tomas Mraz [Wed, 25 Sep 2013 10:40:05 +0000 (12:40 +0200)]
Fix pam_tty_audit log_passwd support and regression.

modules/pam_tty_audit/pam_tty_audit.c: Add missing "config.h" include.
(pam_sm_open_session): Always copy the old status as initialization of new.

11 years ago Release version 1.1.8
Thorsten Kukuk [Thu, 19 Sep 2013 09:30:37 +0000 (11:30 +0200)]
Release version 1.1.8

11 years ago Check return value of setuid to remove glibc warnings. (Linux-PAM-1_1_8)
Thorsten Kukuk [Mon, 16 Sep 2013 09:48:12 +0000 (11:48 +0200)]
Check return value of setuid to remove glibc warnings.

* modules/pam_unix/pam_unix_acct.c: Check setuid return value.
* modules/pam_unix/support.c: Likewise.

11 years ago Write to *rounds only if non-NULL.
Tomas Mraz [Fri, 13 Sep 2013 13:20:01 +0000 (15:20 +0200)]
Write to *rounds only if non-NULL.

modules/pam_unix/support.c(_set_ctrl): Write to *rounds only if non-NULL.

11 years ago Add missing ')'
Tomas Mraz [Fri, 13 Sep 2013 12:04:08 +0000 (14:04 +0200)]
Add missing ')'

modules/pam_unix/pam_unix_passwd.c: Add missing ')'.

11 years ago Release version 1.1.7 (Linux-PAM-1_1_7)
Thorsten Kukuk [Wed, 11 Sep 2013 14:49:07 +0000 (16:49 +0200)]
Release version 1.1.7

11 years ago Updated translations from Transifex.
Tomas Mraz [Wed, 11 Sep 2013 11:55:22 +0000 (13:55 +0200)]
Updated translations from Transifex.

po/*.po: Updated translations from Transifex.

11 years ago Extend pam_exec by stdout and type= options (ticket #8):
Thorsten Kukuk [Wed, 4 Sep 2013 14:40:37 +0000 (16:40 +0200)]
Extend pam_exec by stdout and type= options (ticket #8):

* modules/pam_exec/pam_exec.c: Add stdout and type= option
* modules/pam_exec/pam_exec.8.xml: Document new options

11 years ago Fix compile error
Thorsten Kukuk [Fri, 30 Aug 2013 12:46:47 +0000 (14:46 +0200)]
Fix compile error

* modules/pam_unix/pam_unix_acct.c: fix last change

11 years ago Restart waitpid if it returns with EINTR (ticket #17)
Thorsten Kukuk [Thu, 29 Aug 2013 12:09:39 +0000 (14:09 +0200)]
Restart waitpid if it returns with EINTR (ticket #17)

* modules/pam_unix/pam_unix_acct.c: run waitpid in a while loop.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/support.c: Likewise.

11 years ago misc_conv.3: Fix documentation of misc_conv
Thorsten Kukuk [Wed, 28 Aug 2013 09:00:49 +0000 (11:00 +0200)]
misc_conv.3: Fix documentation of misc_conv

doc/man/misc_conv.3.xml: Fix return value of misc_conv

11 years ago Apply the exclusive check in pam_sepermit only when loginuid not set.
Tomas Mraz [Fri, 23 Aug 2013 12:43:36 +0000 (14:43 +0200)]
Apply the exclusive check in pam_sepermit only when loginuid not set.

* modules/pam_sepermit/pam_sepermit.c(get_loginuid): Read loginuid from
/proc
(sepermit_match): Apply the exclusive check only when loginuid not set.

11 years ago Updated translations from Transifex.
Tomas Mraz [Thu, 22 Aug 2013 11:41:30 +0000 (13:41 +0200)]
Updated translations from Transifex.

* po/*.po: Updated translations from Transifex.

11 years ago pam_rootok: fix linking in --enable-audit mode
Dmitry V. Levin [Mon, 1 Jul 2013 22:18:02 +0000 (22:18 +0000)]
pam_rootok: fix linking in --enable-audit mode

pam_rootok.c explicitly uses functions from libaudit, so the module has
to be linked with the library.

* modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Add @LIBAUDIT@.

11 years ago pam_tty_audit: fix a typo that crept in during patch review
Richard Guy Briggs [Thu, 27 Jun 2013 19:31:16 +0000 (15:31 -0400)]
pam_tty_audit: fix a typo that crept in during patch review

* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Replace
all occurrences of HAVE_AUDIT_TTY_STATUS_LOG_PASSWD with
HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD.
* configure.in (HAVE_AUDIT_TTY_STATUS_LOG_PASSWD): Remove.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>

11 years ago pam_tty_audit: add an option to control logging of passwords: log_passwd (ldv/master)
Richard Guy Briggs [Fri, 21 Jun 2013 12:29:00 +0000 (08:29 -0400)]
pam_tty_audit: add an option to control logging of passwords: log_passwd

Most commands are entered one line at a time and processed as complete lines
in non-canonical mode.  Commands that interactively require a password, enter
canonical mode with echo set to off to do this.  This feature (icanon and
!echo) can be used to avoid logging passwords by audit while still logging the
rest of the command.  Adding a member to the struct audit_tty_status passed in
by pam_tty_audit allows control of logging passwords per task.

* configure.in: autoconf bits to conditionally add support at compile time
depending on struct audit_tty_status kernel header version.
* modules/pam_tty_audit/pam_tty_audit.8.xml: Document new pam_tty_audit module
log_passwd option.
* modules/pam_tty_audit/pam_tty_audit.c: (pam_sm_open_session): Added
"log_passwd" option parsing.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>

11 years ago Man page fix - unix_update runs in the permissive mode as well.
Tomas Mraz [Thu, 20 Jun 2013 08:11:43 +0000 (10:11 +0200)]
Man page fix - unix_update runs in the permissive mode as well.

modules/pam_unix/unix_update.8.xml: unix_update helper runs in the
permissive mode as well.

11 years ago Use hash from /etc/login.defs as default if no
Thorsten Kukuk [Tue, 18 Jun 2013 14:27:15 +0000 (16:27 +0200)]
Use hash from /etc/login.defs as default if no
other one is specified as argument.

* modules/pam_unix/support.c: Add search_key, call from __set_ctrl
* modules/pam_unix/support.h: Add define for /etc/login.defs
* modules/pam_unix/pam_unix.8.xml: Document new behavior.
* modules/pam_umask/pam_umask.c: Add missing NULL pointer check

11 years ago pam_access: better not change the default function used to get domain name.
Tomas Mraz [Fri, 12 Apr 2013 10:49:55 +0000 (12:49 +0200)]
pam_access: better not change the default function used to get domain name.

modules/pam_access/pam_access.c (netgroup_match): As we did not use
yp_get_default_domain() in the 1.1 branch due to typo in ifdef
we should use it only as fallback.

11 years ago Fix strict aliasing issue in MD5 implementations.
Tomas Mraz [Thu, 28 Mar 2013 14:30:19 +0000 (15:30 +0100)]
Fix strict aliasing issue in MD5 implementations.

modules/pam_namespace/md5.c (MD5Final): Use memcpy instead of assignment.
modules/pam_unix/md5.c (MD5Final): Use memcpy instead of assignment.

11 years ago pam_lastlog: Do not fail on short read if btmp is corrupted.
Tomas Mraz [Fri, 22 Mar 2013 12:50:54 +0000 (13:50 +0100)]
pam_lastlog: Do not fail on short read if btmp is corrupted.

modules/pam_lastlog/pam_lastlog.c (last_login_failed): Just warn, not fail
on short read or read error.

11 years ago pam_rootok: Allow proper logging of the user AVC if access disallowed by SELinux
Tomas Mraz [Fri, 22 Mar 2013 08:42:22 +0000 (09:42 +0100)]
pam_rootok: Allow proper logging of the user AVC if access disallowed by SELinux

modules/pam_rootok/pam_rootok.c (log_callback, selinux_check_root): New functions.
(check_for_root): Use the selinux_check_root() instead of checkPasswdAccess.

11 years ago Add checks for crypt() returning NULL.
Tomas Mraz [Fri, 8 Feb 2013 14:04:26 +0000 (15:04 +0100)]
Add checks for crypt() returning NULL.

modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return.
modules/pam_unix/bigcrypt.c (bigcrypt): Likewise.

11 years ago pam_userdb: Allow also modern password hashes supported by crypt().
Tomas Mraz [Thu, 7 Feb 2013 16:06:57 +0000 (17:06 +0100)]
pam_userdb: Allow also modern password hashes supported by crypt().

modules/pam_userdb/pam_userdb.c (user_lookup): Allow password hashes
longer than 13 characters and long salt.

11 years ago pam_access: fix typo in ifdef
Walter de Jong [Fri, 18 Jan 2013 13:51:40 +0000 (14:51 +0100)]
pam_access: fix typo in ifdef

modules/pam_access/pam_access.c (netgroup_match): Fix typo
in #ifdef HAVE_YP_GET_DEFAULT_DOMAIN.

12 years ago pam_cracklib: Mention checks that are not run for root.
Tomas Mraz [Thu, 20 Dec 2012 15:22:47 +0000 (16:22 +0100)]
pam_cracklib: Mention checks that are not run for root.

modules/pam_cracklib/pam_cracklib.8.xml: Add note about checks
when run as root.

12 years ago Update also the POT file.
Tomas Mraz [Thu, 20 Dec 2012 15:21:52 +0000 (16:21 +0100)]
Update also the POT file.

po/Linux-PAM.pot: Update to reflect current sources.

12 years ago Updated translations from Transifex, added new languages.
Tomas Mraz [Wed, 12 Dec 2012 17:38:48 +0000 (18:38 +0100)]
Updated translations from Transifex, added new languages.

po/LINGUAS: Added new languages.
po/*.po: Updated translations from Transifex including new languages.

12 years ago pam_selinux: Drop obsolete and unsupported manual context selection.
Tomas Mraz [Fri, 30 Nov 2012 20:05:26 +0000 (21:05 +0100)]
pam_selinux: Drop obsolete and unsupported manual context selection.

modules/pam_selinux/pam_selinux.c (manual_context): Drop function.
(compute_exec_context): Drop manual_context() call.

12 years ago pam_limits: fix grammatical mistake.
Tomas Mraz [Fri, 23 Nov 2012 09:06:15 +0000 (10:06 +0100)]
pam_limits: fix grammatical mistake.

modules/pam_limits/limits.conf: Fix grammatical mistake.

12 years ago Reflect the enforce_for_root semantics change in pam_pwhistory xtest.
Tomas Mraz [Tue, 13 Nov 2012 08:19:05 +0000 (09:19 +0100)]
Reflect the enforce_for_root semantics change in pam_pwhistory xtest.

xtests/tst-pam_pwhistory1.pamd: Use enforce_for_root as the test is
running with real uid == 0.

12 years ago pam_unix: fix build in --enable-selinux mode
Dmitry V. Levin [Wed, 10 Oct 2012 18:13:07 +0000 (18:13 +0000)]
pam_unix: fix build in --enable-selinux mode

glibc's <sys/wait.h> starting with commit
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=glibc-2.15-231-gd94a467
does not include <sys/resource.h> for POSIX 2008 conformance reasons, so
when pam is being built with SELinux support enabled, pam_unix_passwd.c
uses getrlimit(2) and therefore should include <sys/resource.h> without
relying on other headers.

* modules/pam_unix/pam_unix_passwd.c: Include <sys/resource.h>.

Reported-by: Guido Trentalancia <guido@trentalancia.com>
Reported-by: "Jory A. Pratt" <anarchy@gentoo.org>
Reported-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>

12 years ago pam_namespace: add mntopts flag for tmpfs mount options
Tomas Mraz [Wed, 10 Oct 2012 17:46:02 +0000 (19:46 +0200)]
pam_namespace: add mntopts flag for tmpfs mount options

modules/pam_namespace/pam_namespace.h: Add mount_opts member to polydir
structure.
modules/pam_namespace/pam_namespace.c (del_polydir): Free the mount_opts.
(parse_method): Parse the mntopts flag.
(ns_setup): Pass the mount_opts to mount().
modules/pam_namespace/namespace.conf.5.xml: Document the mntopts flag.

12 years ago pam_selinux, pam_tally2: Add tty and rhost to audit data.
Tomas Mraz [Thu, 6 Sep 2012 12:58:57 +0000 (14:58 +0200)]
pam_selinux, pam_tally2: Add tty and rhost to audit data.

modules/pam_selinux/pam_selinux.c (send_audit_message): Obtain tty and
rhost from PAM items and pass them to audit.
modules/pam_tally2/pam_tally2.c (tally_check): Obtain tty and
rhost from PAM items and pass them to audit.
(main): Obtain tty name of stdin and pass it to audit.

12 years ago Update configure.in to use more recent interfaces.
Tomas Mraz [Thu, 6 Sep 2012 12:47:59 +0000 (14:47 +0200)]
Update configure.in to use more recent interfaces.

configure.in: Use LT_INIT instead of AC_PROG_LIBTOOL and AS_HELP_STRING instead
of AC_HELP_STRING.

12 years ago Add missing $(DESTDIR) when making directories on install.
Tomas Mraz [Fri, 17 Aug 2012 12:46:40 +0000 (14:46 +0200)]
Add missing $(DESTDIR) when making directories on install.

modules/pam_namespace/Makefile.am: Add missing $(DESTDIR) when making
$(namespaceddir) on install.
modules/pam_sepermit/Makefile.am: Add missing $(DESTDIR) when making
$(sepermitlockdir) on install.

12 years ago release version 1.1.6 (v1.1.6)
Thorsten Kukuk [Fri, 17 Aug 2012 09:48:15 +0000 (11:48 +0200)]
release version 1.1.6

configure.in: Bump version to 1.1.6
NEWS: Document changes
po/*.po: Regenerate *.po files

12 years ago Small documentation and define fixes
Thorsten Kukuk [Thu, 16 Aug 2012 13:46:56 +0000 (15:46 +0200)]
Small documentation and define fixes

modules/pam_limits/limits.conf.5.xml: Document race of maxlogins [#10]
modules/pam_namespace/pam_namespace.h: Define MS_SLAVE if necessary
modules/pam_pwhistory/pam_pwhistory.c: Document how the module works
modules/pam_unix/pam_unix.8.xml: Document remember option obsoleted by pam_pwhistory [#6]

12 years ago Respect PAM_AUTHTOK_TYPE in pam_get_authtok_verify().
Tomas Mraz [Mon, 13 Aug 2012 18:06:44 +0000 (20:06 +0200)]
Respect PAM_AUTHTOK_TYPE in pam_get_authtok_verify().

libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the PAM_AUTHTOK_TYPE
item when obtained from module options.
(pam_get_authtok_verify): Use the PAM_AUTHTOK_TYPE item when prompting.

12 years ago Document limits.d also in the limits.conf manpage.
Tomas Mraz [Thu, 9 Aug 2012 09:55:23 +0000 (11:55 +0200)]
Document limits.d also in the limits.conf manpage.

modules/pam_limits/limits.conf.5.xml: Document the limits.d existence.

12 years ago New autotools do not create empty directories on install.
Tomas Mraz [Mon, 23 Jul 2012 16:32:16 +0000 (18:32 +0200)]
New autotools do not create empty directories on install.

modules/pam_namespace/Makefile.am: Add install-data-local target to create
namespaceddir.
modules/pam_sepermit/Makefile.am: Add install-data-local target to create
sepermitlockdir.

12 years ago RLIMIT_* variables are no longer defined unless you explicitly include
Stevan Bajić [Mon, 9 Jul 2012 07:43:11 +0000 (09:43 +0200)]
RLIMIT_* variables are no longer defined unless you explicitly include
sys/resource.h.

Signed-off-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>
modules/pam_unix/pam_unix_acct.c: Include sys/resource.h.

12 years ago pam_umask: correct the documentation of GECOS field parsing
Tomas Mraz [Wed, 27 Jun 2012 16:21:13 +0000 (18:21 +0200)]
pam_umask: correct the documentation of GECOS field parsing

modules/pam_umask/pam_umask.8.xml: Correct the documentation of GECOS field
parsing.

12 years ago pam_cracklib: Add monotonic character sequence checking.
Tomas Mraz [Fri, 22 Jun 2012 11:36:45 +0000 (13:36 +0200)]
pam_cracklib: Add monotonic character sequence checking.

modules/pam_cracklib/pam_cracklib.c (_pam_parse): Parse the maxsequence option.
(sequence): New function to check for too long monotonic sequence of characters.
(password_check): Call the sequence().
modules/pam_cracklib/pam_cracklib.8.xml: Document the maxsequence check.

12 years ago pam_timestamp: Fix copy&paste error in manpage.
Tomas Mraz [Fri, 1 Jun 2012 09:12:21 +0000 (11:12 +0200)]
pam_timestamp: Fix copy&paste error in manpage.

modules/pam_timestamp/pam_timestamp.8.xml: Fix AUTHOR section.

12 years ago Pulled new translations from Transifex.
Tomas Mraz [Mon, 28 May 2012 18:57:36 +0000 (20:57 +0200)]
Pulled new translations from Transifex.

po/*.po: Updated translations.

12 years ago pam_pwhistory: Always record the old password even when root changes it.
Tomas Mraz [Mon, 28 May 2012 18:24:17 +0000 (20:24 +0200)]
pam_pwhistory: Always record the old password even when root changes it.

modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Use the UID of
the process instead of the target user UID (same as in pam_cracklib) to
check for root. Always record old password.

12 years ago pam_cracklib: Add enforce_for_root option.
Tomas Mraz [Thu, 24 May 2012 11:40:24 +0000 (13:40 +0200)]
pam_cracklib: Add enforce_for_root option.

modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the enforce_for_root option.
(pam_sm_chauthtok): Enforce errors for root with the option.
modules/pam_cracklib/pam_cracklib.8.xml: Document the enforce_for_root option.

12 years ago pam_cracklib: Add maxclassrepeat, gecoscheck checks and remove unused difignore.
Tomas Mraz [Mon, 30 Apr 2012 13:03:32 +0000 (15:03 +0200)]
pam_cracklib: Add maxclassrepeat, gecoscheck checks and remove unused difignore.

modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the maxclassrepeat, gecoscheck options. Ignore difignore option.
(simple): Add the check for the same class repetition.
(usercheck): Refactor into wordcheck().
(gecoscheck): New test for words from the GECOS field.
(password_check): Call the gecoscheck().
(pam_sm_chauthtok): Drop the diff_ignore from options struct.
modules/pam_cracklib/pam_cracklib.8.xml: Document the maxclassrepeat and gecoscheck checks, update the documentation of the difok test.

12 years ago pam_lastlog: Never lock out the root account.
Tomas Mraz [Mon, 30 Apr 2012 12:46:48 +0000 (14:46 +0200)]
pam_lastlog: Never lock out the root account.

modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Return PAM_SUCCESS if
uid==0.
modules/pam_lastlog/pam_lastlog.8.xml: Improve documentation.

12 years ago pam_lastlog: add possibility to lock out inactive users in auth or account
Tomas Mraz [Tue, 17 Apr 2012 12:05:24 +0000 (14:05 +0200)]
pam_lastlog: add possibility to lock out inactive users in auth or account

* modules/pam_lastlog/pam_lastlog.8.xml: Document the new functionality and
option.
* modules/pam_lastlog/pam_lastlog.c: Add the inactive user lock out.
(_pam_session_parse): Renamed from _pam_parse.
(_pam_auth_parse): New function to parse auth arguments.
(_last_login_open): Factor out opening of the lastlog file.
(_last_login_read): Factor out opening of the lastlog file.
(pam_sm_authenticate): Implement the lockout functionality.
(pam_sm_setcred): Just return PAM_SUCCESS.
(pam_sm_acct_mgmt): Call pam_sm_authenticate().

12 years ago Check for crypt() failure returning NULL.
Paul Wouters [Wed, 11 Apr 2012 19:13:14 +0000 (21:13 +0200)]
Check for crypt() failure returning NULL.

* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Adjust syslog message.
* modules/pam_unix/passverify.c (create_password_hash): Check for crypt()
returning NULL.

12 years ago pam_unix: make configuration consistent in --enable-static-modules mode
Dmitry V. Levin [Fri, 3 Feb 2012 00:13:44 +0000 (00:13 +0000)]
pam_unix: make configuration consistent in --enable-static-modules mode

In --enable-static-modules mode, it was not possible to use "pam_unix"
in PAM config files.  Instead, different names had to be used for each
management group: pam_unix_auth, pam_unix_acct, pam_unix_passwd and
pam_unix_session.  This change makes pam_unix configuration consistent
with other PAM modules.

* README: Remove the paragraph describing pam_unix distinctions in
--enable-static-modules mode.
* libpam/pam_static_modules.h (_pam_unix_acct_modstruct,
_pam_unix_auth_modstruct, _pam_unix_passwd_modstruct,
_pam_unix_session_modstruct): Remove.
(_pam_unix_modstruct): New pam_module declaration.
* modules/pam_unix/pam_unix_static.h: New file.
* modules/pam_unix/pam_unix_static.c: Likewise.
* modules/pam_unix/Makefile.am (noinst_HEADERS): Add pam_unix_static.h
(pam_unix_la_SOURCES) [STATIC_MODULES]: Add pam_unix_static.c
* modules/pam_unix/pam_unix_acct.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_acct_modstruct): Remove.
* modules/pam_unix/pam_unix_auth.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_auth_modstruct): Remove.
* modules/pam_unix/pam_unix_passwd.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_passwd_modstruct): Remove.
* modules/pam_unix/pam_unix_sess.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_session_modstruct): Remove.

Suggested-by: Matveychikov Ilya <i.matveychikov@securitycode.ru>

12 years ago Make --disable-cracklib compatible with --enable-static-modules mode
Dmitry V. Levin [Thu, 26 Jan 2012 22:22:59 +0000 (22:22 +0000)]
Make --disable-cracklib compatible with --enable-static-modules mode

* configure.in: Define HAVE_LIBCRACK when cracklib is enabled.
* libpam/pam_static_modules.h (static_modules): Guard the use of
_pam_cracklib_modstruct by HAVE_LIBCRACK macro.

12 years ago Add missing includes for types used in the pam_modutil.h.
Tomas Mraz [Fri, 10 Feb 2012 08:10:10 +0000 (09:10 +0100)]
Add missing includes for types used in the pam_modutil.h.

* libpam/include/security/pam_modutil.h: Add missing includes for used types.

12 years ago Fix compile time errors in --enable-static-modules mode
Matveychikov Ilya [Tue, 17 Jan 2012 07:16:49 +0000 (11:16 +0400)]
Fix compile time errors in --enable-static-modules mode

* libpam/pam_static_modules.h (_pam_rhosts_auth_modstruct): Remove
obsolete declaration.
(static_modules): Remove undefined reference to
_pam_rhosts_auth_modstruct.
* modules/pam_pwhistory/opasswd.h: Rename {save,check}_old_password to
{save,check}_old_pass in order to avoid conflicts with pam_unix.
* modules/pam_pwhistory/opasswd.c: Likewise.
* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
* modules/pam_tally2/pam_tally2.c: Rename _pam_tally_modstruct to
_pam_tally2_modstruct.

Signed-off-by: Matveychikov Ilya <i.matveychikov@securitycode.ru>

12 years ago Fix SUBDIRS for --enable-static-modules mode
Dmitry V. Levin [Thu, 26 Jan 2012 22:24:21 +0000 (22:24 +0000)]
Fix SUBDIRS for --enable-static-modules mode

There is no way to build "modules" subdirectory before "libpam" anyway.
In STATIC_MODULES mode, "libpam" subdirectory must be built twice to
produce a usable libpam.a without undefined references to multiple
_pam_*_modstruct symbols.

* Makefile.am: Use default SUBDIRS in STATIC_MODULES mode.

12 years ago configure: fix typo in --disable-nis help string
Matveychikov Ilya [Fri, 20 Jan 2012 11:05:23 +0000 (11:05 +0000)]
configure: fix typo in --disable-nis help string

* configure.in: Change '-disable-nis' to '--disable-nis'.

12 years ago Do not unmount anything by default in pam_namespace close session call.
Tomas Mraz [Thu, 26 Jan 2012 13:50:51 +0000 (14:50 +0100)]
Do not unmount anything by default in pam_namespace close session call.

* modules/pam_namespace/pam_namespace.c (pam_sm_close_session): Recognize
the unmount_on_close option and make the default to be to not unmount.
* modules/pam_namespace/pam_namespace.h: Rename PAMNS_NO_UNMOUNT_ON_CLOSE to
PAMNS_UNMOUNT_ON_CLOSE.
* modules/pam_namespace/pam_namespace.8.xml: Document the change.

12 years ago Make / mount as rslave instead of bind mounting polydirs.
Tomas Mraz [Tue, 24 Jan 2012 19:03:28 +0000 (20:03 +0100)]
Make / mount as rslave instead of bind mounting polydirs.

* modules/pam_namespace/pam_namespace.c (protect_dir): Drop the always argument.
(check_inst_parent): Drop the always argument from protect_dir().
(create_polydir): Likewise.
(ns_setup): Likewise and do not mark the polydir with MS_PRIVATE.
(setup_namespace): Mark the / with MS_SLAVE|MS_REC.
* modules/pam_namespace/pam_namespace.8.xml: Reflect the change in docs.

12 years ago Add possibility to match ruser, rhost, and tty in pam_succeed_if.
Tomas Mraz [Fri, 13 Jan 2012 17:33:27 +0000 (18:33 +0100)]
Add possibility to match ruser, rhost, and tty in pam_succeed_if.

* modules/pam_succeed_if/pam_succeed_if.c (evaluate): Match ruser,
rhost, and tty as left operand.
* modules/pam_succeed_if/pam_succeed_if.8.xml: Document the new
possible left operands.

12 years ago Merge branch 'master' of ssh://git.fedorahosted.org/git/linux-pam
Tomas Mraz [Tue, 3 Jan 2012 11:34:12 +0000 (12:34 +0100)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/linux-pam

12 years ago Fix matching of usernames in the pam_unix remember feature.
Tomas Mraz [Tue, 3 Jan 2012 11:30:43 +0000 (12:30 +0100)]
Fix matching of usernames in the pam_unix remember feature.

* modules/pam_unix/pam_unix_passwd.c (check_old_password): Make
sure we match only the whole username in opasswd entry.
* modules/pam_unix/passverify.c (save_old_password): Likewise make
sure we match only the whole username in opasswd entry.

13 years ago pam_start: fix memory leak on error path
Dmitry V. Levin [Mon, 26 Dec 2011 18:10:29 +0000 (18:10 +0000)]
pam_start: fix memory leak on error path

* libpam/pam_start.c (pam_start): If _pam_make_env() or
_pam_init_handlers() returned an error, release the memory allocated
for pam_conv structure.

Patch-by: cancel <suntsu@yandex.ru>.

13 years ago pam_selinux.8.xml: update
Dmitry V. Levin [Tue, 19 Oct 2010 23:34:52 +0000 (23:34 +0000)]
pam_selinux.8.xml: update

* modules/pam_selinux/pam_selinux.8.xml (pam_selinux-cmdsynopsis):
Reorder options, add new "restore" option.
(pam_selinux-description): Rewrite.
(pam_selinux-options): Reorder options, describe new "restore" option.
(pam_selinux-return_values): Remove PAM_AUTH_ERR, PAM_SESSION_ERR
and PAM_BUF_ERR.
(pam_selinux-see_also): Remove pam.conf(5).  Add execve(2), tty(4)
and selinux(8).

13 years ago pam_selinux.c: add "restore" option
Dmitry V. Levin [Tue, 19 Oct 2010 23:34:52 +0000 (23:34 +0000)]
pam_selinux.c: add "restore" option

* modules/pam_selinux/pam_selinux.c (pam_sm_open_session): Add new
"restore" option.

13 years ago pam_selinux.c: rewrite using pam_get_data/pam_set_data
Dmitry V. Levin [Tue, 19 Oct 2010 23:34:51 +0000 (23:34 +0000)]
pam_selinux.c: rewrite using pam_get_data/pam_set_data

* modules/pam_selinux/pam_selinux.c (security_restorelabel_tty,
security_label_tty): Remove old functions.
(module_data_t): New structure.
(free_module_data, cleanup, get_module_data, get_item,
set_exec_context, set_file_context, compute_exec_context,
compute_tty_context, restore_context, set_context,
create_context): New functions.
(pam_sm_authenticate, pam_sm_setcred, pam_sm_open_session,
pam_sm_close_session): Use them.

13 years ago Use libpam.la/libpam_misc.la to link with -lpam/-lpam_misc
Dmitry V. Levin [Fri, 28 Oct 2011 02:28:38 +0000 (02:28 +0000)]
Use libpam.la/libpam_misc.la to link with -lpam/-lpam_misc

GNU automake documentation recommends to avoid using -l options in
LDADD or LIBADD when referring to libraries built by the package.
Instead, it recommends to write the file name of the library explicitly,
and use -l option only to list third-party libraries.  As a result, the
default value of *_DEPENDENCIES will list all local libraries and omit
the other ones.
* modules/pam_access/Makefile.am (pam_access_la_LIBADD): Replace
"-L$(top_builddir)/libpam -lpam" with
"$(top_builddir)/libpam/libpam.la", to follow GNU automake
recommendations.
* modules/pam_cracklib/Makefile.am (pam_cracklib_la_LIBADD): Likewise.
* modules/pam_debug/Makefile.am (pam_debug_la_LIBADD): Likewise.
* modules/pam_deny/Makefile.am (pam_deny_la_LIBADD): Likewise.
* modules/pam_echo/Makefile.am (pam_echo_la_LIBADD): Likewise.
* modules/pam_env/Makefile.am (pam_env_la_LIBADD): Likewise.
* modules/pam_exec/Makefile.am (pam_exec_la_LIBADD): Likewise.
* modules/pam_faildelay/Makefile.am (pam_faildelay_la_LIBADD): Likewise.
* modules/pam_filter/Makefile.am (pam_filter_la_LIBADD): Likewise.
* modules/pam_filter/upperLOWER/Makefile.am (LDADD): Likewise.
* modules/pam_ftp/Makefile.am (pam_ftp_la_LIBADD): Likewise.
* modules/pam_group/Makefile.am (pam_group_la_LIBADD): Likewise.
* modules/pam_issue/Makefile.am (pam_issue_la_LIBADD): Likewise.
* modules/pam_keyinit/Makefile.am (pam_keyinit_la_LIBADD): Likewise.
* modules/pam_lastlog/Makefile.am (pam_lastlog_la_LIBADD): Likewise.
* modules/pam_limits/Makefile.am (pam_limits_la_LIBADD): Likewise.
* modules/pam_listfile/Makefile.am (pam_listfile_la_LIBADD): Likewise.
* modules/pam_localuser/Makefile.am (pam_localuser_la_LIBADD): Likewise.
* modules/pam_loginuid/Makefile.am (pam_loginuid_la_LIBADD): Likewise.
* modules/pam_mail/Makefile.am (pam_mail_la_LIBADD): Likewise.
* modules/pam_mkhomedir/Makefile.am (pam_mkhomedir_la_LIBADD,
mkhomedir_helper_LDADD): Likewise.
* modules/pam_motd/Makefile.am (pam_motd_la_LIBADD): Likewise.
* modules/pam_namespace/Makefile.am (pam_namespace_la_LIBADD): Likewise.
* modules/pam_nologin/Makefile.am (pam_nologin_la_LIBADD): Likewise.
* modules/pam_permit/Makefile.am (pam_permit_la_LIBADD): Likewise.
* modules/pam_pwhistory/Makefile.am (pam_pwhistory_la_LIBADD): Likewise.
* modules/pam_rhosts/Makefile.am (pam_rhosts_la_LIBADD): Likewise.
* modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Likewise.
* modules/pam_securetty/Makefile.am (pam_securetty_la_LIBADD): Likewise.
* modules/pam_sepermit/Makefile.am (pam_sepermit_la_LIBADD): Likewise.
* modules/pam_shells/Makefile.am (pam_shells_la_LIBADD): Likewise.
* modules/pam_stress/Makefile.am (pam_stress_la_LIBADD): Likewise.
* modules/pam_succeed_if/Makefile.am (pam_succeed_if_la_LIBADD):
Likewise.
* modules/pam_tally/Makefile.am (pam_tally_la_LIBADD): Likewise.
* modules/pam_tally2/Makefile.am (pam_tally2_la_LIBADD,
pam_tally2_LDADD): Likewise.
* modules/pam_time/Makefile.am (pam_time_la_LIBADD): Likewise.
* modules/pam_timestamp/Makefile.am (pam_timestamp_la_LIBADD,
pam_timestamp_check_LDADD, hmacfile_LDADD): Likewise.
* modules/pam_tty_audit/Makefile.am (pam_tty_audit_la_LIBADD): Likewise.
* modules/pam_umask/Makefile.am (pam_umask_la_LIBADD): Likewise.
* modules/pam_unix/Makefile.am (pam_unix_la_LIBADD): Likewise.
* modules/pam_userdb/Makefile.am (pam_userdb_la_LIBADD): Likewise.
* modules/pam_warn/Makefile.am (pam_warn_la_LIBADD): Likewise.
* modules/pam_wheel/Makefile.am (pam_wheel_la_LIBADD): Likewise.
* modules/pam_xauth/Makefile.am (pam_xauth_la_LIBADD): Likewise.
* tests/Makefile.am (LDADD): Likewise.
* examples/Makefile.am (LDADD): Replace "-L$(top_builddir)/libpam -lpam"
with "$(top_builddir)/libpam/libpam.la", and
"-L$(top_builddir)/libpam_misc -lpam_misc" with
"$(top_builddir)/libpam_misc/libpam_misc.la", to follow GNU automake
recommendations.
* xtests/Makefile.am (LDADD): Likewise.
* modules/pam_selinux/Makefile.am (pam_selinux_la_LIBADD): Likewise.

13 years ago Fix usage of LIBADD, LDADD and LDFLAGS
Dmitry V. Levin [Fri, 28 Oct 2011 02:20:17 +0000 (02:20 +0000)]
Fix usage of LIBADD, LDADD and LDFLAGS

* modules/pam_selinux/Makefile.am: Rename pam_selinux_check_LDFLAGS to
pam_selinux_check_LDADD.
* modules/pam_userdb/Makefile.am: Split out pam_userdb_la_LIBADD from
AM_LDFLAGS.
* modules/pam_warn/Makefile.am: Split out pam_warn_la_LIBADD from
AM_LDFLAGS.
* modules/pam_wheel/Makefile.am: Split out pam_wheel_la_LIBADD from
AM_LDFLAGS.
* modules/pam_xauth/Makefile.am: split out pam_xauth_la_LIBADD from
AM_LDFLAGS.
* xtests/Makefile.am: Rename AM_LDFLAGS to LDADD.

13 years ago Update .gitignore files
Dmitry V. Levin [Thu, 27 Oct 2011 14:55:55 +0000 (14:55 +0000)]
Update .gitignore files

* .gitignore: Add common ignore patterns.
* m4/.gitignore: Unignore local m4 files.
* dynamic/.gitignore: Unignore Makefile.
* libpamc/test/modules/.gitignore: Likewise.
* libpamc/test/regress/.gitignore: Likewise.
* po/.gitignore: Add Makevars.template.
* conf/.gitignore: Remove common ignore patterns.
* conf/pam_conv1/.gitignore: Likewise.
* doc/.gitignore: Likewise.
* doc/specs/.gitignore: Likewise.
* doc/specs/formatter/.gitignore: Likewise.
* examples/.gitignore: Likewise.
* modules/pam_filter/upperLOWER/.gitignore: Likewise.
* modules/pam_mkhomedir/.gitignore: Likewise.
* modules/pam_selinux/.gitignore: Likewise.
* modules/pam_stress/.gitignore: Likewise.
* modules/pam_tally/.gitignore: Likewise.
* modules/pam_tally2/.gitignore: Likewise.
* modules/pam_timestamp/.gitignore: Likewise.
* modules/pam_unix/.gitignore: Likewise.
* tests/.gitignore: Likewise.
* xtests/.gitignore: Likewise.
* doc/adg/.gitignore: Remove.
* doc/man/.gitignore: Remove.
* doc/mwg/.gitignore: Remove.
* doc/sag/.gitignore: Remove.
* libpamc/.gitignore: Remove.
* libpamc/test/.gitignore: Remove.
* libpam/.gitignore: Remove.
* libpam_misc/.gitignore: Remove.
* modules/.gitignore: Remove.
* modules/pam_access/.gitignore: Remove.
* modules/pam_cracklib/.gitignore: Remove.
* modules/pam_debug/.gitignore: Remove.
* modules/pam_deny/.gitignore: Remove.
* modules/pam_echo/.gitignore: Remove.
* modules/pam_env/.gitignore: Remove.
* modules/pam_exec/.gitignore: Remove.
* modules/pam_faildelay/.gitignore: Remove.
* modules/pam_filter/.gitignore: Remove.
* modules/pam_ftp/.gitignore: Remove.
* modules/pam_group/.gitignore: Remove.
* modules/pam_issue/.gitignore: Remove.
* modules/pam_keyinit/.gitignore: Remove.
* modules/pam_lastlog/.gitignore: Remove.
* modules/pam_limits/.gitignore: Remove.
* modules/pam_listfile/.gitignore: Remove.
* modules/pam_localuser/.gitignore: Remove.
* modules/pam_loginuid/.gitignore: Remove.
* modules/pam_mail/.gitignore: Remove.
* modules/pam_motd/.gitignore: Remove.
* modules/pam_namespace/.gitignore: Remove.
* modules/pam_nologin/.gitignore: Remove.
* modules/pam_permit/.gitignore: Remove.
* modules/pam_pwhistory/.gitignore: Remove.
* modules/pam_rhosts/.gitignore: Remove.
* modules/pam_rootok/.gitignore: Remove.
* modules/pam_securetty/.gitignore: Remove.
* modules/pam_sepermit/.gitignore: Remove.
* modules/pam_shells/.gitignore: Remove.
* modules/pam_succeed_if/.gitignore: Remove.
* modules/pam_time/.gitignore: Remove.
* modules/pam_tty_audit/.gitignore: Remove.
* modules/pam_umask/.gitignore: Remove.
* modules/pam_userdb/.gitignore: Remove.
* modules/pam_warn/.gitignore: Remove.
* modules/pam_wheel/.gitignore: Remove.
* modules/pam_xauth/.gitignore: Remove.

13 years ago Move generated auxiliary files to build-aux directory
Dmitry V. Levin [Thu, 27 Oct 2011 14:55:55 +0000 (14:55 +0000)]
Move generated auxiliary files to build-aux directory

* configure.in: Add AC_CONFIG_AUX_DIR([build-aux]).

13 years ago Remove generated files
Dmitry V. Levin [Thu, 27 Oct 2011 14:55:55 +0000 (14:55 +0000)]
Remove generated files

* ABOUT-NLS: Remove.
* INSTALL: Remove.
* config.rpath: Remove.
* install-sh: Remove.
* mkinstalldirs: Remove.
* Makefile.am (EXTRA_DIST): Remove config.rpath and mkinstalldirs.
* .gitignore: Add ABOUT-NLS and INSTALL.

13 years ago Create release tarballs using safe ownership and permissions
Dmitry V. Levin [Thu, 27 Oct 2011 14:55:55 +0000 (14:55 +0000)]
Create release tarballs using safe ownership and permissions

* Makefile.am: Define and export TAR_OPTIONS.

13 years ago Generate ChangeLog from git log
Dmitry V. Levin [Thu, 27 Oct 2011 14:55:55 +0000 (14:55 +0000)]
Generate ChangeLog from git log

* .gitignore: Add ChangeLog.
* ChangeLog: Rename to ChangeLog-CVS.
* Makefile.am (gen-changelog): New rule.
(dist-hook, .PHONY): Depend on it.
(EXTRA_DIST): Add ChangeLog-CVS.
* README-hacking: New file.
* gitlog-to-changelog: Import from gnulib.
* autogen.sh: Create empty ChangeLog file to make automake strictness
check happy.  Use automated "autoreconf -fiv" instead of manual
invocations of various autotools.

13 years ago Fix "make distcheck"
Dmitry V. Levin [Thu, 27 Oct 2011 14:55:55 +0000 (14:55 +0000)]
Fix "make distcheck"

There is no use to distribute m4 files manually, because automake does
the right thing, while manual distribution is not only redundant but
also very fragile.
* Makefile.am (M4_FILES): Remove.
(EXTRA_DIST): Remove M4_FILES.

13 years ago Remove modules/pam_timestamp/hmacfile from distribution
Dmitry V. Levin [Thu, 27 Oct 2011 14:55:55 +0000 (14:55 +0000)]
Remove modules/pam_timestamp/hmacfile from distribution

* modules/pam_timestamp/Makefile.am (dist_TESTS): Add tst-pam_timestamp.
(nodist_TESTS): Add hmacfile.
(EXTRA_DIST): Replace TESTS with dist_TESTS.

13 years ago Rename all .cvsignore files to .gitignore
Dmitry V. Levin [Thu, 27 Oct 2011 14:55:55 +0000 (14:55 +0000)]
Rename all .cvsignore files to .gitignore

13 years ago Fix whitespace issues
Dmitry V. Levin [Wed, 26 Oct 2011 23:56:54 +0000 (23:56 +0000)]
Fix whitespace issues

Cleanup trailing whitespaces, indentation that uses spaces before tabs,
and blank lines at EOF.  Make the project free of warnings reported by
git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD

13 years ago 2011-10-25 Thorsten Kukuk <kukuk@thkukuk.de> Linux-PAM-1_1_5
Thorsten Kukuk [Tue, 25 Oct 2011 12:24:50 +0000 (14:24 +0200)]
2011-10-25  Thorsten Kukuk  <kukuk@thkukuk.de>

        * release version 1.1.5

        * configure.in: Bump version number.

        * modules/pam_tally2/pam_tally2.8.xml: Remove never used option
        "no_lock_time".

13 years ago pam_env: abort when encountering an overflowed environment variable expansion
Kees Cook [Fri, 14 Oct 2011 19:47:23 +0000 (19:47 +0000)]
pam_env: abort when encountering an overflowed environment variable expansion

* modules/pam_env/pam_env.c (_expand_arg): Abort when encountering an
overflowed environment variable expansion.
Fixes CVE-2011-3149.
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565

13 years ago pam_env: correctly count leading whitespace when parsing environment file
Kees Cook [Fri, 14 Oct 2011 19:32:25 +0000 (19:32 +0000)]
pam_env: correctly count leading whitespace when parsing environment file

* modules/pam_env/pam_env.c (_assemble_line): Correctly count leading
whitespace.
Fixes CVE-2011-3148.
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469

13 years ago If getdomainname() fails or domainname not set use NULL as domain in innetgr().
Tomas Mraz [Mon, 10 Oct 2011 12:05:03 +0000 (14:05 +0200)]
If getdomainname() fails or domainname not set use NULL as domain in innetgr().

13 years ago Add hostname resolution cache.
Tomas Mraz [Mon, 10 Oct 2011 12:02:10 +0000 (14:02 +0200)]
Add hostname resolution cache.

13 years ago Improve documentation of the sufficient and requisite control values. (Red Hat Bug...
Tomas Mraz [Fri, 30 Sep 2011 07:43:54 +0000 (09:43 +0200)]
Improve documentation of the sufficient and requisite control values. (Red Hat Bug #742413)

13 years ago Correct the FSF address.
Tomas Mraz [Thu, 25 Aug 2011 14:02:42 +0000 (16:02 +0200)]
Correct the FSF address.

13 years ago Fix the split on @ in the user field. (Red Hat Bug #732081)
Tomas Mraz [Thu, 25 Aug 2011 13:48:51 +0000 (15:48 +0200)]
Fix the split on @ in the user field. (Red Hat Bug #732081)

13 years ago Fix missing dereference.
Tomas Mraz [Tue, 23 Aug 2011 10:42:32 +0000 (12:42 +0200)]
Fix missing dereference.

13 years ago Fix order of libraries Linux-PAM-1_1_4 v1.1.4
Thorsten Kukuk [Fri, 24 Jun 2011 10:45:27 +0000 (12:45 +0200)]
Fix order of libraries

13 years ago Add release to ChangeLog
Thorsten Kukuk [Tue, 21 Jun 2011 12:03:22 +0000 (14:03 +0200)]
Add release to ChangeLog

13 years ago 2011-06-22 Thorsten Kukuk <kukuk@thkukuk.de>
Thorsten Kukuk [Tue, 21 Jun 2011 12:02:33 +0000 (14:02 +0200)]
2011-06-22  Thorsten Kukuk  <kukuk@thkukuk.de>

        * release version 1.1.4

        * configure.in: Bump version number.
        * NEWS: Document changes since 1.1.3
        * libpam/Makefile.am: Bump release number of shared library
        * po/de.po: Translate new string.

13 years ago Merge branch 'master' of ssh://git.fedorahosted.org/git/linux-pam into new_version
Thorsten Kukuk [Tue, 21 Jun 2011 09:59:57 +0000 (11:59 +0200)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/linux-pam into new_version

13 years ago Bump version to 1.1.4
Thorsten Kukuk [Tue, 21 Jun 2011 09:51:55 +0000 (11:51 +0200)]
Bump version to 1.1.4

13 years ago 2011-06-21 Thorsten Kukuk <kukuk@thkukuk.de>
Thorsten Kukuk [Tue, 21 Jun 2011 09:05:31 +0000 (11:05 +0200)]
2011-06-21  Thorsten Kukuk  <kukuk@thkukuk.de>

       * modules/pam_limits/pam_limits.c: Add set_all option,
       read limits from PID one if no limit is specified and set_all
       is set.
       * modules/pam_limits/pam_limits.8.xml: Document set_all option.
       Based on Patch by Kees Cook.

13 years ago Initialize the fake_item from item.
Tomas Mraz [Wed, 15 Jun 2011 18:59:53 +0000 (20:59 +0200)]
Initialize the fake_item from item.

13 years ago Avoid memleaks and fd leak in error paths.
Tomas Mraz [Wed, 15 Jun 2011 18:58:32 +0000 (20:58 +0200)]
Avoid memleaks and fd leak in error paths.

13 years ago Do not crash when remember, minlen, or rounds options are used with wrong module...
Tomas Mraz [Wed, 15 Jun 2011 18:55:30 +0000 (20:55 +0200)]
Do not crash when remember, minlen, or rounds options are used with wrong module type.

13 years ago Cleanups of pam_pwhistory code. Make opasswd entry parsing more robust.
Tomas Mraz [Wed, 15 Jun 2011 18:48:59 +0000 (20:48 +0200)]
Cleanups of pam_pwhistory code. Make opasswd entry parsing more robust.

        * modules/pam_pwhistory/opasswd.c (check_old_password): Do not
        needlessly call strdupa().
        (save_old_password): Avoid memleaks in error paths. Avoid memleak of
        buf. Make the opasswd entry parsing more robust.
        * modules/pam_pwhistory/pam_pwhistory.8.xml: Document the
        special meaning of remember=0.