author | Thorsten Kukuk <kukuk@thkukuk.de> | 2006-08-05 08:03:11 +0000 |
---|---|---|
committer | Thorsten Kukuk <kukuk@thkukuk.de> | 2006-08-05 08:03:11 +0000 |
commit | 72bcf614b2a5e5f281ca4372fa7dfccf1e6a3c43 (patch) | |
tree | ee1821fdda266c77a0f4ae403fe4358e7c45a47d | |
parent | ea9255e046169e5d5b19370c9ae6292be5aacde0 (diff) | |
download | pam-72bcf614b2a5e5f281ca4372fa7dfccf1e6a3c43.tar.gz pam-72bcf614b2a5e5f281ca4372fa7dfccf1e6a3c43.tar.bz2 pam-72bcf614b2a5e5f281ca4372fa7dfccf1e6a3c43.zip |
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
Add xtests to allow checks of PAM functions that are only possible on an
installed system.
2006-08-05 Thorsten Kukuk <kukuk@thkukuk.de>
* configure.in: Generate xtests/Makefile.
* Makefile.am (SUBDIRS): Add xtests.
* README: Document make check and make xtests.
* xtests/Makefile.am: New.
* xtests/tst-pam_dispatch1.pamd: New.
* xtests/tst-pam_dispatch2.pamd: New.
* xtests/tst-pam_dispatch3.pamd: New.
* xtests/tst-pam_dispatch1.c: New.
* xtests/tst-pam_dispatch2.c: New.
* xtests/tst-pam_dispatch3.c: New.
-rw-r--r-- | ChangeLog | 19 | ||||
-rw-r--r-- | Makefile.am | 9 | ||||
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | README | 12 | ||||
-rw-r--r-- | configure.in | 3 | ||||
-rw-r--r-- | modules/pam_succeed_if/README | 18 | ||||
-rw-r--r-- | modules/pam_succeed_if/pam_succeed_if.8 | 21 | ||||
-rw-r--r-- | xtests/.cvsignore | 7 | ||||
-rw-r--r-- | xtests/Makefile.am | 45 | ||||
-rw-r--r-- | xtests/tst-pam_dispatch1.c | 62 | ||||
-rw-r--r-- | xtests/tst-pam_dispatch1.pamd | 3 | ||||
-rw-r--r-- | xtests/tst-pam_dispatch2.c | 61 | ||||
-rw-r--r-- | xtests/tst-pam_dispatch2.pamd | 3 | ||||
-rw-r--r-- | xtests/tst-pam_dispatch3.c | 50 | ||||
-rw-r--r-- | xtests/tst-pam_dispatch3.pamd | 6 |
15 files changed, 309 insertions, 11 deletions
@@ -1,15 +1,28 @@ -2006-08-04 Ray Strode <rstrode@redhat.com> +2006-08-05 Thorsten Kukuk <kukuk@thkukuk.de> + + * configure.in: Generate xtests/Makefile. + * Makefile.am (SUBDIRS): Add xtests. + * README: Document make check and make xtests. + * xtests/Makefile.am: New. + * xtests/tst-pam_dispatch1.pamd: New. + * xtests/tst-pam_dispatch2.pamd: New. + * xtests/tst-pam_dispatch3.pamd: New. + * xtests/tst-pam_dispatch1.c: New. + * xtests/tst-pam_dispatch2.c: New. + * xtests/tst-pam_dispatch3.c: New. + +2006-08-04 Ray Strode <rstrode@redhat.com> * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Return PAM_USER_UNKNOWN instead of PAM_SERVICE_ERR where appropriate. -2006-08-03 David Howells <dhowells@redhat.com> +2006-08-03 David Howells <dhowells@redhat.com> * modules/pam_keyinit/pam_keyinit.c: Debug should be off by default. (init_keyrings): Properly handle multiple invocations of the module. (kill_keyrings, pam_sm_open_session, pam_sm_close_session): Likewise. -2006-08-03 Tomas Mraz <t8m@centrum.cz> +2006-08-03 Tomas Mraz <t8m@centrum.cz> * modules/pam_succeed_if/pam_succeed_if.c (evaluate_inlist): New function for list matching. diff --git a/Makefile.am b/Makefile.am index 57250565..729589f4 100644 --- a/Makefile.am +++ b/Makefile.am @@ -5,9 +5,9 @@ AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news if STATIC_MODULES -SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples +SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests else -SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples +SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests endif CLEANFILES = *~ @@ -32,3 +32,8 @@ releasedocs: tar jfc Linux-PAM-$(VERSION)-docs.tar.bz2 \ Linux-PAM-$(VERSION)/doc rm -rf Linux-PAM-$(VERSION) + +xtests: + make -C xtests xtests + +.PHONY: xtests 
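Review bot: The new `xtests:` recipe at the end of Makefile.am invokes a literal `make`, so the sub-make is not necessarily the program the user ran and recursive-make handling (job server, passed-down flags) is bypassed. The conventional form is `$(MAKE) -C xtests xtests`. Because `xtests` is also a directory listed in `SUBDIRS`, a one-line comment above the target saying that it runs the post-install checks and is meant to be run as root would make the `.PHONY` declaration easier to understand.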
@@ -1,6 +1,7 @@ Linux-PAM NEWS -- history of user-visible changes. +* Add xtests (to run after installation). * Documentation: Convert sgml guides to XML, unify documentation for PAM functions and modules. @@ -11,6 +11,12 @@ How to use it is as follows: ./configure <your-options> make +To make sure everything was compiled correct, run: + + make check + +If a test failes, you should not continue to install this build. + Note, if you are worried - don't even think about doing the next line (most Linux distributions already support PAM out of the box, so if something goes wrong with installing the code from this version your @@ -21,6 +27,12 @@ box may stop working..) That said, please report problems to the bug reporting database on sourceforge.net. +You can run additional checks after installing by executing + + make xtests + +as root. + If you do not wish to make the modules dynamically loadable, but build a static libpam including all PAM modules, you have to call: diff --git a/configure.in b/configure.in index 6fad4e11..1a358144 100644 --- a/configure.in +++ b/configure.in @@ -494,4 +494,5 @@ AC_OUTPUT(Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile \ modules/pam_warn/Makefile modules/pam_wheel/Makefile \ modules/pam_xauth/Makefile doc/Makefile doc/specs/Makefile \ doc/man/Makefile doc/sag/Makefile doc/adg/Makefile \ - doc/mwg/Makefile examples/Makefile tests/Makefile) + doc/mwg/Makefile examples/Makefile tests/Makefile \ + xtests/Makefile) diff --git a/modules/pam_succeed_if/README b/modules/pam_succeed_if/README index c8d2ceff..4516a9d1 100644 --- a/modules/pam_succeed_if/README +++ b/modules/pam_succeed_if/README @@ -38,7 +38,7 @@ quiet_success Conditions are three words: a field, a test, and a value to test for. -Available fields are user, uid, gid, shell and home: +Available fields are user, uid, gid, shell, home and service: field < number 
@@ -80,6 +80,14 @@ field !~ glob Field does not match the given glob. +field in item:item:... + + Field is contained in the list of items separated by colons. + +field notin item:item:... + + Field is not contained in the list of items separated by colons. + user ingroup group User is in given group. @@ -88,6 +96,14 @@ user notingroup group User is not in given group. +user innetgr netgroup + + (user,host) is in given netgroup. + +user notinnetgr group + + (user,host) is not in given netgroup. + EXAMPLES To emulate the behaviour of pam_wheel, except there is no fallback to group 0: diff --git a/modules/pam_succeed_if/pam_succeed_if.8 b/modules/pam_succeed_if/pam_succeed_if.8 index 4603eba1..c94c5f43 100644 --- a/modules/pam_succeed_if/pam_succeed_if.8 +++ b/modules/pam_succeed_if/pam_succeed_if.8 @@ -1,11 +1,11 @@ .\" Title: pam_succeed_if .\" Author: .\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> -.\" Date: 06/22/2006 +.\" Date: 08/05/2006 .\" Manual: Linux\-PAM .\" Source: Linux\-PAM .\" -.TH "PAM_SUCCEED_IF" "8" "06/22/2006" "Linux\-PAM" "Linux\-PAM" +.TH "PAM_SUCCEED_IF" "8" "08/05/2006" "Linux\-PAM" "Linux\-PAM" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) @@ -47,9 +47,10 @@ Available fields are \fIuser\fR, \fIuid\fR, \fIgid\fR, -\fIshell\fR +\fIshell\fR, +\fIhome\fR and -\fIhome\fR: +\fIservice\fR: .TP 3n \fBfield < number\fR Field has a value numerically less than number. 
@@ -81,11 +82,23 @@ Field matches the given glob. \fBfield !~ glob\fR Field does not match the given glob. .TP 3n +\fBfield in item:item:...\fR +Field is contained in the list of items separated by colons. +.TP 3n +\fBfield notin item:item:...\fR +Field is not contained in the list of items separated by colons. +.TP 3n \fBuser ingroup group\fR User is in given group. .TP 3n \fBuser notingroup group\fR User is not in given group. +.TP 3n +\fBuser innetgr netgroup\fR +(user,host) is in given netgroup. +.TP 3n +\fBuser notinnetgr group\fR +(user,host) is not in given netgroup. .SH "MODULE SERVICES PROVIDED" .PP The diff --git a/xtests/.cvsignore b/xtests/.cvsignore new file mode 100644 index 00000000..1a2b5211 --- /dev/null +++ b/xtests/.cvsignore @@ -0,0 +1,7 @@ +Makefile +Makefile.in +.deps +.libs +tst-pam_dispatch1 +tst-pam_dispatch2 +tst-pam_dispatch3 diff --git a/xtests/Makefile.am b/xtests/Makefile.am new file mode 100644 index 00000000..622e3e59 --- /dev/null +++ b/xtests/Makefile.am 
@@ -0,0 +1,45 @@
+#
+# Copyright (c) 2006 Thorsten Kukuk <kukuk@suse.de>
+#
+
+AM_CFLAGS = -DLIBPAM_COMPILE -I$(top_srcdir)/libpam/include
+AM_LDFLAGS = -L$(top_builddir)/libpam -lpam
+
+CLEANFILES = *~
+
+EXTRA_DIST = tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \
+ tst-pam_dispatch3.pamd
+
+XTESTS = tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3
+
+noinst_PROGRAMS = $(XTESTS)
+
+tst_pam_dispatch1_LDADD = -L$(top_builddir)/libpam -lpam -ldl -L$(top_builddir)/libpam_misc -lpam_misc
+tst_pam_dispatch2_LDADD = -L$(top_builddir)/libpam -lpam -ldl -L$(top_builddir)/libpam_misc -lpam_misc
+tst_pam_dispatch3_LDADD = -L$(top_builddir)/libpam -lpam -ldl -L$(top_builddir)/libpam_misc -lpam_misc
+
+xtests: $(XTESTS)
+ @failed=0; pass=0; all=0; \
+ for testname in $(XTESTS) ; do \
+ install -m 644 $$testname.pamd /etc/pam.d/$$testname ; \
+ ./$$testname > /dev/null ; \
+ if test $$? -ne 0 ; then \
+ echo "FAIL: $$testname" ; \
+ failed=`expr $$failed + 1`; \
+ else \
+ echo "PASS: $$testname" ; \
+ pass=`expr $$pass + 1`; \
+ fi ; \
+ all=`expr $$all + 1` ; \
+ rm -f /etc/pam.d/$$testname ; \
+ done ; \
+ if test "$$failed" -ne 0; then \
+ echo "===================" ; \
+ echo "$$failed of $$all tests failed" ; \
+ echo "===================" ; \
+ exit 1 ; \
+ else \
+ echo "==================" ; \
+ echo "All $$all tests passed" ; \
+ echo "==================" ; \
+ fi
diff --git a/xtests/tst-pam_dispatch1.c b/xtests/tst-pam_dispatch1.c
new file mode 100644
index 00000000..0fb5bdef
--- /dev/null
+++ b/xtests/tst-pam_dispatch1.c
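Review bot: The `xtests` recipe in xtests/Makefile.am writes into the live `/etc/pam.d` and removes each file only on the normal path through the loop, so an interrupted run leaves `tst-pam_dispatch*` service files behind. That matters because the tst-pam_dispatch3 stack added in this commit lets `pam_authenticate` succeed through `pam_debug.so auth=success`, which should not linger on a real system; a shell `trap` that removes the installed file on exit and on signals would cover it. The result of `install` is not checked, so a failed copy goes unnoticed and the test then runs against whatever PAM configuration applies instead; `install -m 644 ... || exit 1` makes that a setup error, and an existing file of the same name is currently overwritten without a backup. The source file is also looked up as `$$testname.pamd` in the build directory, so `$(srcdir)/$$testname.pamd` is needed for out-of-tree builds.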
@@ -0,0 +1,62 @@
+
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+#include <stdio.h>
+
+static struct pam_conv conv = {
+ misc_conv,
+ NULL
+};
+
+static int debug = 0;
+
+/*
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=196859
+
+ This stack should not return PAM_IGNORE to the application:
+ auth [default=bad] pam_debug.so auth=ignore
+*/
+static int
+test1 (void)
+{
+ pam_handle_t *pamh=NULL;
+ const char *user="nobody";
+ int retval;
+
+ retval = pam_start("tst-pam_dispatch1", user, &conv, &pamh);
+ if (retval != PAM_SUCCESS)
+ {
+ if (debug)
+ fprintf (stderr, "test1: pam_start returned %d\n", retval);
+ return 1;
+ }
+
+ retval = pam_authenticate(pamh, 0);
+ if (retval != PAM_PERM_DENIED)
+ {
+ if (debug)
+ fprintf (stderr, "test1: pam_authenticate returned %d\n", retval);
+ return 1;
+ }
+
+ retval = pam_end(pamh,retval);
+ if (retval != PAM_SUCCESS)
+ {
+ if (debug)
+ fprintf (stderr, "test1: pam_end returned %d\n", retval);
+ return 1;
+ }
+ return 0;
+}
+
+
+int main(int argc, char *argv[])
+{
+ if (argc > 1 && strcmp (argv[1], "-d") == 0)
+ debug = 1;
+
+ if (test1 ())
+ return 1;
+
+ return 0;
+}
diff --git a/xtests/tst-pam_dispatch1.pamd b/xtests/tst-pam_dispatch1.pamd
new file mode 100644
index 00000000..9bfc87c5
--- /dev/null
+++ b/xtests/tst-pam_dispatch1.pamd
@@ -0,0 +1,3 @@
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=196859
+# This stack should not return PAM_IGNORE to the application:
+auth [default=bad] pam_debug.so auth=ignore
diff --git a/xtests/tst-pam_dispatch2.c b/xtests/tst-pam_dispatch2.c
new file mode 100644
index 00000000..181484f9
--- /dev/null
+++ b/xtests/tst-pam_dispatch2.c
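Review bot: `main` in tst-pam_dispatch1.c calls `strcmp`, but the file includes only `<security/pam_appl.h>`, `<security/pam_misc.h>` and `<stdio.h>`, so unless one of the PAM headers happens to pull it in the call relies on an implicit declaration; add `#include <string.h>`. The same omission is in tst-pam_dispatch2.c and tst-pam_dispatch3.c. In `test1` the `return 1` taken when `pam_authenticate` gives an unexpected result skips `pam_end`, so the handle is never released on that path; calling `pam_end(pamh, retval);` before that return keeps the failure path clean, and the same applies to `test2` and to `main` in tst-pam_dispatch3.c. The comment above `test1` would also be more useful if it stated the expected result directly, for example `/* expect PAM_PERM_DENIED, never PAM_IGNORE */`.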
@@ -0,0 +1,61 @@
+
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+#include <stdio.h>
+
+static struct pam_conv conv = {
+ misc_conv,
+ NULL
+};
+
+static int debug = 0;
+
+/*
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=196859
+
+ This stack should not return PAM_IGNORE to the application:
+ auth [default=die] pam_debug.so auth=ignore
+*/
+static int
+test2 (void)
+{
+ pam_handle_t *pamh=NULL;
+ const char *user="nobody";
+ int retval;
+
+ retval = pam_start("tst-pam_dispatch2", user, &conv, &pamh);
+ if (retval != PAM_SUCCESS)
+ {
+ if (debug)
+ fprintf (stderr, "test2: pam_start returned %d\n", retval);
+ return 1;
+ }
+
+ retval = pam_authenticate(pamh, 0);
+ if (retval != PAM_PERM_DENIED)
+ {
+ if (debug)
+ fprintf (stderr, "test2: pam_authenticate returned %d\n", retval);
+ return 1;
+ }
+
+ retval = pam_end(pamh,retval);
+ if (retval != PAM_SUCCESS)
+ {
+ if (debug)
+ fprintf (stderr, "test2: pam_end returned %d\n", retval);
+ return 1;
+ }
+ return 0;
+}
+
+int main(int argc, char *argv[])
+{
+ if (argc > 1 && strcmp (argv[1], "-d") == 0)
+ debug = 1;
+
+ if (test2 ())
+ return 1;
+
+ return 0;
+}
diff --git a/xtests/tst-pam_dispatch2.pamd b/xtests/tst-pam_dispatch2.pamd
new file mode 100644
index 00000000..79f52609
--- /dev/null
+++ b/xtests/tst-pam_dispatch2.pamd
@@ -0,0 +1,3 @@
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=196859
+# This stack should not return PAM_IGNORE to the application:
+auth [default=die] pam_debug.so auth=ignore
diff --git a/xtests/tst-pam_dispatch3.c b/xtests/tst-pam_dispatch3.c
new file mode 100644
index 00000000..76f3a940
--- /dev/null
+++ b/xtests/tst-pam_dispatch3.c
@@ -0,0 +1,50 @@
+
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+#include <stdio.h>
+
+static struct pam_conv conv = {
+ misc_conv,
+ NULL
+};
+
+
+/* Check that errors of optional modules are ignored and that
+ required modules after a sufficient one are not executed. */
+
+int
+main(int argc, char *argv[])
+{
+ pam_handle_t *pamh=NULL;
+ const char *user="nobody";
+ int retval;
+ int debug = 0;
+
+ if (argc > 1 && strcmp (argv[1], "-d") == 0)
+ debug = 1;
+
+ retval = pam_start("tst-pam_dispatch3", user, &conv, &pamh);
+ if (retval != PAM_SUCCESS)
+ {
+ if (debug)
+ fprintf (stderr, "test3: pam_start returned %d\n", retval);
+ return 1;
+ }
+
+ retval = pam_authenticate(pamh, 0);
+ if (retval != PAM_SUCCESS)
+ {
+ if (debug)
+ fprintf (stderr, "test3: pam_authenticate returned %d\n", retval);
+ return 1;
+ }
+
+ retval = pam_end(pamh,retval);
+ if (retval != PAM_SUCCESS)
+ {
+ if (debug)
+ fprintf (stderr, "test3: pam_end returned %d\n", retval);
+ return 1;
+ }
+ return 0;
+}
diff --git a/xtests/tst-pam_dispatch3.pamd b/xtests/tst-pam_dispatch3.pamd
new file mode 100644
index 00000000..8172c5f2
--- /dev/null
+++ b/xtests/tst-pam_dispatch3.pamd
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth optional pam_debug.so auth=auth_err
+auth sufficient pam_debug.so auth=success
+auth required pam_debug.so auth=perm_denied
+account required pam_debug.so acct=acct_expired
+ |
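Review bot: `main` in tst-pam_dispatch3.c calls only `pam_start`, `pam_authenticate` and `pam_end`, so the `account required pam_debug.so acct=acct_expired` line in tst-pam_dispatch3.pamd is never exercised. Either drop that line or add a `pam_acct_mgmt(pamh, 0)` step that expects the account failure (presumably `PAM_ACCT_EXPIRED`), so the stack file documents what is actually tested. The header comment says the required module after the sufficient one is "not executed", but the test can only observe the return value; wording such as `/* the perm_denied result of the later required module must not reach the application */` matches what is checked.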