Diffstat (limited to 'libpam')
-rw-r--r-- | libpam/Makefile.am | 16 | ||||
-rw-r--r-- | libpam/Makefile.in | 235 | ||||
-rw-r--r-- | libpam/include/pam_cc_compat.h | 66 | ||||
-rw-r--r-- | libpam/include/pam_inline.h | 67 | ||||
-rw-r--r-- | libpam/include/security/_pam_types.h | 4 | ||||
-rw-r--r-- | libpam/include/security/pam_appl.h | 5 | ||||
-rw-r--r-- | libpam/include/security/pam_modutil.h | 6 | ||||
-rw-r--r-- | libpam/include/test_assert.h | 55 | ||||
-rw-r--r-- | libpam/libpam.map | 10 | ||||
-rw-r--r-- | libpam/pam_delay.c | 12 | ||||
-rw-r--r-- | libpam/pam_get_authtok.c | 68 | ||||
-rw-r--r-- | libpam/pam_handlers.c | 95 | ||||
-rw-r--r-- | libpam/pam_item.c | 62 | ||||
-rw-r--r-- | libpam/pam_misc.c | 2 | ||||
-rw-r--r-- | libpam/pam_modutil_ingroup.c | 25 | ||||
-rw-r--r-- | libpam/pam_modutil_sanitize.c | 103 | ||||
-rw-r--r-- | libpam/pam_modutil_searchkey.c | 128 | ||||
-rw-r--r-- | libpam/pam_private.h | 11 | ||||
-rw-r--r-- | libpam/pam_start.c | 37 |
19 files changed, 787 insertions, 220 deletions
diff --git a/libpam/Makefile.am b/libpam/Makefile.am index 638bb5c4..9252a837 100644 --- a/libpam/Makefile.am +++ b/libpam/Makefile.am @@ -3,10 +3,9 @@ # AM_CFLAGS = -DDEFAULT_MODULE_PATH=\"$(SECUREDIR)/\" -DLIBPAM_COMPILE \ - -I$(srcdir)/include $(LIBPRELUDE_CFLAGS) -DPAM_VERSION=\"$(VERSION)\" -if HAVE_LIBSELINUX - AM_CFLAGS += -D"WITH_SELINUX" -endif + -I$(srcdir)/include $(LIBPRELUDE_CFLAGS) $(ECONF_CFLAGS) \ + -DPAM_VERSION=\"$(VERSION)\" -DSYSCONFDIR=\"$(sysconfdir)\" \ + $(WARN_CFLAGS) CLEANFILES = *~ @@ -18,10 +17,11 @@ include_HEADERS = include/security/_pam_compat.h \ include/security/pam_ext.h include/security/pam_modutil.h noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \ - pam_modutil_private.h + pam_modutil_private.h include/pam_cc_compat.h \ + include/pam_inline.h include/test_assert.h -libpam_la_LDFLAGS = -no-undefined -version-info 84:2:84 -libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@ +libpam_la_LDFLAGS = -no-undefined -version-info 85:1:85 +libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) $(ECONF_LIBS) @LIBDL@ if HAVE_VERSIONING libpam_la_LDFLAGS += -Wl,--version-script=$(srcdir)/libpam.map @@ -38,4 +38,4 @@ libpam_la_SOURCES = pam_account.c pam_auth.c pam_data.c pam_delay.c \ pam_modutil_cleanup.c pam_modutil_getpwnam.c pam_modutil_ioloop.c \ pam_modutil_getgrgid.c pam_modutil_getpwuid.c pam_modutil_getgrnam.c \ pam_modutil_getspnam.c pam_modutil_getlogin.c pam_modutil_ingroup.c \ - pam_modutil_priv.c pam_modutil_sanitize.c + pam_modutil_priv.c pam_modutil_sanitize.c pam_modutil_searchkey.c diff --git a/libpam/Makefile.in b/libpam/Makefile.in index a448055c..a1939ccf 100644 --- a/libpam/Makefile.in +++ b/libpam/Makefile.in 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2018 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -83,12 +93,8 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -@HAVE_LIBSELINUX_TRUE@am__append_1 = -D"WITH_SELINUX" -@HAVE_VERSIONING_TRUE@am__append_2 = -Wl,--version-script=$(srcdir)/libpam.map +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/libpam.map subdir = libpam -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp $(include_HEADERS) \ - $(noinst_HEADERS) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ @@ -104,6 +110,8 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(include_HEADERS) \ + $(noinst_HEADERS) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -138,7 +146,7 @@ am__uninstall_files_from_dir = { \ am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)" LTLIBRARIES = $(lib_LTLIBRARIES) am__DEPENDENCIES_1 = -libpam_la_DEPENDENCIES = $(am__DEPENDENCIES_1) +libpam_la_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) am_libpam_la_OBJECTS = pam_account.lo pam_auth.lo pam_data.lo \ pam_delay.lo pam_dispatch.lo pam_end.lo pam_env.lo \ pam_get_authtok.lo pam_handlers.lo pam_item.lo pam_misc.lo \ @@ -149,7 +157,7 @@ am_libpam_la_OBJECTS = pam_account.lo pam_auth.lo pam_data.lo \ pam_modutil_getpwuid.lo pam_modutil_getgrnam.lo \ pam_modutil_getspnam.lo pam_modutil_getlogin.lo \ pam_modutil_ingroup.lo pam_modutil_priv.lo \ - pam_modutil_sanitize.lo + pam_modutil_sanitize.lo pam_modutil_searchkey.lo libpam_la_OBJECTS = $(am_libpam_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) 
@@ -172,7 +180,30 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_account.Plo \ + ./$(DEPDIR)/pam_audit.Plo ./$(DEPDIR)/pam_auth.Plo \ + ./$(DEPDIR)/pam_data.Plo ./$(DEPDIR)/pam_delay.Plo \ + ./$(DEPDIR)/pam_dispatch.Plo ./$(DEPDIR)/pam_dynamic.Plo \ + ./$(DEPDIR)/pam_end.Plo ./$(DEPDIR)/pam_env.Plo \ + ./$(DEPDIR)/pam_get_authtok.Plo ./$(DEPDIR)/pam_handlers.Plo \ + ./$(DEPDIR)/pam_item.Plo ./$(DEPDIR)/pam_misc.Plo \ + ./$(DEPDIR)/pam_modutil_cleanup.Plo \ + ./$(DEPDIR)/pam_modutil_getgrgid.Plo \ + ./$(DEPDIR)/pam_modutil_getgrnam.Plo \ + ./$(DEPDIR)/pam_modutil_getlogin.Plo \ + ./$(DEPDIR)/pam_modutil_getpwnam.Plo \ + ./$(DEPDIR)/pam_modutil_getpwuid.Plo \ + ./$(DEPDIR)/pam_modutil_getspnam.Plo \ + ./$(DEPDIR)/pam_modutil_ingroup.Plo \ + ./$(DEPDIR)/pam_modutil_ioloop.Plo \ + ./$(DEPDIR)/pam_modutil_priv.Plo \ + ./$(DEPDIR)/pam_modutil_sanitize.Plo \ + ./$(DEPDIR)/pam_modutil_searchkey.Plo \ + ./$(DEPDIR)/pam_password.Plo ./$(DEPDIR)/pam_prelude.Plo \ + ./$(DEPDIR)/pam_session.Plo ./$(DEPDIR)/pam_start.Plo \ + ./$(DEPDIR)/pam_strerror.Plo ./$(DEPDIR)/pam_syslog.Plo \ + ./$(DEPDIR)/pam_vprompt.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) @@ -219,6 +250,8 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -247,6 +280,8 @@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ 
@@ -255,7 +290,6 @@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -291,6 +325,7 @@ LN_S = @LN_S@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -327,11 +362,13 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ USE_NLS = @USE_NLS@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ @@ -399,8 +436,10 @@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AM_CFLAGS = -DDEFAULT_MODULE_PATH=\"$(SECUREDIR)/\" -DLIBPAM_COMPILE \ - -I$(srcdir)/include $(LIBPRELUDE_CFLAGS) \ - -DPAM_VERSION=\"$(VERSION)\" $(am__append_1) + -I$(srcdir)/include $(LIBPRELUDE_CFLAGS) $(ECONF_CFLAGS) \ + -DPAM_VERSION=\"$(VERSION)\" -DSYSCONFDIR=\"$(sysconfdir)\" \ + $(WARN_CFLAGS) + CLEANFILES = *~ EXTRA_DIST = libpam.map include_HEADERS = include/security/_pam_compat.h \ 
@@ -409,11 +448,12 @@ include_HEADERS = include/security/_pam_compat.h \ include/security/pam_ext.h include/security/pam_modutil.h noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \ - pam_modutil_private.h + pam_modutil_private.h include/pam_cc_compat.h \ + include/pam_inline.h include/test_assert.h -libpam_la_LDFLAGS = -no-undefined -version-info 84:2:84 \ - $(am__append_2) -libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@ +libpam_la_LDFLAGS = -no-undefined -version-info 85:1:85 \ + $(am__append_1) +libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) $(ECONF_LIBS) @LIBDL@ lib_LTLIBRARIES = libpam.la libpam_la_SOURCES = pam_account.c pam_auth.c pam_data.c pam_delay.c \ pam_dispatch.c pam_end.c pam_env.c pam_get_authtok.c \ @@ -424,7 +464,7 @@ libpam_la_SOURCES = pam_account.c pam_auth.c pam_data.c pam_delay.c \ pam_modutil_cleanup.c pam_modutil_getpwnam.c pam_modutil_ioloop.c \ pam_modutil_getgrgid.c pam_modutil_getpwuid.c pam_modutil_getgrnam.c \ pam_modutil_getspnam.c pam_modutil_getlogin.c pam_modutil_ingroup.c \ - pam_modutil_priv.c pam_modutil_sanitize.c + pam_modutil_priv.c pam_modutil_sanitize.c pam_modutil_searchkey.c all: all-am 
@@ -442,14 +482,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu libpam/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu libpam/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) 
@@ -505,51 +544,58 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_account.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_audit.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_auth.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_data.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_delay.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_dispatch.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_dynamic.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_end.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_env.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_get_authtok.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_handlers.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_item.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_misc.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_cleanup.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_getgrgid.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_getgrnam.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_getlogin.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_getpwnam.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_getpwuid.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_getspnam.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_ingroup.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_ioloop.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_priv.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_sanitize.Plo@am__quote@ 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_password.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_prelude.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_session.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_start.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_strerror.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_syslog.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_vprompt.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_account.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_audit.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_auth.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_data.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_delay.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_dispatch.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_dynamic.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_end.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_env.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_get_authtok.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_handlers.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_item.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_misc.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_cleanup.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_getgrgid.Plo@am__quote@ # 
am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_getgrnam.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_getlogin.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_getpwnam.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_getpwuid.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_getspnam.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_ingroup.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_ioloop.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_priv.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_sanitize.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_searchkey.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_password.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_prelude.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_session.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_start.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_strerror.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_syslog.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_vprompt.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< 
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -637,7 +683,10 @@ cscopelist-am: $(am__tagged_files) distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ 
@@ -711,7 +760,38 @@ clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_account.Plo + -rm -f ./$(DEPDIR)/pam_audit.Plo + -rm -f ./$(DEPDIR)/pam_auth.Plo + -rm -f ./$(DEPDIR)/pam_data.Plo + -rm -f ./$(DEPDIR)/pam_delay.Plo + -rm -f ./$(DEPDIR)/pam_dispatch.Plo + -rm -f ./$(DEPDIR)/pam_dynamic.Plo + -rm -f ./$(DEPDIR)/pam_end.Plo + -rm -f ./$(DEPDIR)/pam_env.Plo + -rm -f ./$(DEPDIR)/pam_get_authtok.Plo + -rm -f ./$(DEPDIR)/pam_handlers.Plo + -rm -f ./$(DEPDIR)/pam_item.Plo + -rm -f ./$(DEPDIR)/pam_misc.Plo + -rm -f ./$(DEPDIR)/pam_modutil_cleanup.Plo + -rm -f ./$(DEPDIR)/pam_modutil_getgrgid.Plo + -rm -f ./$(DEPDIR)/pam_modutil_getgrnam.Plo + -rm -f ./$(DEPDIR)/pam_modutil_getlogin.Plo + -rm -f ./$(DEPDIR)/pam_modutil_getpwnam.Plo + -rm -f ./$(DEPDIR)/pam_modutil_getpwuid.Plo + -rm -f ./$(DEPDIR)/pam_modutil_getspnam.Plo + -rm -f ./$(DEPDIR)/pam_modutil_ingroup.Plo + -rm -f ./$(DEPDIR)/pam_modutil_ioloop.Plo + -rm -f ./$(DEPDIR)/pam_modutil_priv.Plo + -rm -f ./$(DEPDIR)/pam_modutil_sanitize.Plo + -rm -f ./$(DEPDIR)/pam_modutil_searchkey.Plo + -rm -f ./$(DEPDIR)/pam_password.Plo + -rm -f ./$(DEPDIR)/pam_prelude.Plo + -rm -f ./$(DEPDIR)/pam_session.Plo + -rm -f ./$(DEPDIR)/pam_start.Plo + -rm -f ./$(DEPDIR)/pam_strerror.Plo + -rm -f ./$(DEPDIR)/pam_syslog.Plo + -rm -f ./$(DEPDIR)/pam_vprompt.Plo -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags 
@@ -757,7 +837,38 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_account.Plo + -rm -f ./$(DEPDIR)/pam_audit.Plo + -rm -f ./$(DEPDIR)/pam_auth.Plo + -rm -f ./$(DEPDIR)/pam_data.Plo + -rm -f ./$(DEPDIR)/pam_delay.Plo + -rm -f ./$(DEPDIR)/pam_dispatch.Plo + -rm -f ./$(DEPDIR)/pam_dynamic.Plo + -rm -f ./$(DEPDIR)/pam_end.Plo + -rm -f ./$(DEPDIR)/pam_env.Plo + -rm -f ./$(DEPDIR)/pam_get_authtok.Plo + -rm -f ./$(DEPDIR)/pam_handlers.Plo + -rm -f ./$(DEPDIR)/pam_item.Plo + -rm -f ./$(DEPDIR)/pam_misc.Plo + -rm -f ./$(DEPDIR)/pam_modutil_cleanup.Plo + -rm -f ./$(DEPDIR)/pam_modutil_getgrgid.Plo + -rm -f ./$(DEPDIR)/pam_modutil_getgrnam.Plo + -rm -f ./$(DEPDIR)/pam_modutil_getlogin.Plo + -rm -f ./$(DEPDIR)/pam_modutil_getpwnam.Plo + -rm -f ./$(DEPDIR)/pam_modutil_getpwuid.Plo + -rm -f ./$(DEPDIR)/pam_modutil_getspnam.Plo + -rm -f ./$(DEPDIR)/pam_modutil_ingroup.Plo + -rm -f ./$(DEPDIR)/pam_modutil_ioloop.Plo + -rm -f ./$(DEPDIR)/pam_modutil_priv.Plo + -rm -f ./$(DEPDIR)/pam_modutil_sanitize.Plo + -rm -f ./$(DEPDIR)/pam_modutil_searchkey.Plo + -rm -f ./$(DEPDIR)/pam_password.Plo + -rm -f ./$(DEPDIR)/pam_prelude.Plo + -rm -f ./$(DEPDIR)/pam_session.Plo + -rm -f ./$(DEPDIR)/pam_start.Plo + -rm -f ./$(DEPDIR)/pam_strerror.Plo + -rm -f ./$(DEPDIR)/pam_syslog.Plo + -rm -f ./$(DEPDIR)/pam_vprompt.Plo -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic 
@@ -778,9 +889,9 @@ uninstall-am: uninstall-includeHEADERS uninstall-libLTLIBRARIES .MAKE: install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ - clean-libLTLIBRARIES clean-libtool cscopelist-am ctags \ - ctags-am distclean distclean-compile distclean-generic \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \ + clean-generic clean-libLTLIBRARIES clean-libtool cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ @@ -794,6 +905,8 @@ uninstall-am: uninstall-includeHEADERS uninstall-libLTLIBRARIES tags tags-am uninstall uninstall-am uninstall-includeHEADERS \ uninstall-libLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/libpam/include/pam_cc_compat.h b/libpam/include/pam_cc_compat.h new file mode 100644 index 00000000..69190368 --- /dev/null +++ b/libpam/include/pam_cc_compat.h 
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org>
+ */
+
+#ifndef PAM_CC_COMPAT_H
+#define PAM_CC_COMPAT_H
+
+#include "config.h"
+#include <security/_pam_types.h>
+
+#if defined __clang__ && defined __clang_major__ && defined __clang_minor__
+# define PAM_CLANG_PREREQ(maj, min) \
+ ((__clang_major__ << 16) + __clang_minor__ >= ((maj) << 16) + (min))
+#else
+# define PAM_CLANG_PREREQ(maj, min) 0
+#endif
+
+#if PAM_GNUC_PREREQ(2, 7)
+# define PAM_ATTRIBUTE_ALIGNED(arg) __attribute__((__aligned__(arg)))
+#else
+# define PAM_ATTRIBUTE_ALIGNED(arg) /* empty */
+#endif
+
+#if PAM_GNUC_PREREQ(4, 6)
+# define DIAG_PUSH_IGNORE_CAST_QUAL \
+ _Pragma("GCC diagnostic push"); \
+ _Pragma("GCC diagnostic ignored \"-Wcast-qual\"")
+# define DIAG_POP_IGNORE_CAST_QUAL \
+ _Pragma("GCC diagnostic pop")
+# define DIAG_PUSH_IGNORE_CAST_ALIGN \
+ _Pragma("GCC diagnostic push"); \
+ _Pragma("GCC diagnostic ignored \"-Wcast-align\"")
+# define DIAG_POP_IGNORE_CAST_ALIGN \
+ _Pragma("GCC diagnostic pop")
+#elif PAM_CLANG_PREREQ(2, 6)
+# define DIAG_PUSH_IGNORE_CAST_QUAL \
+ _Pragma("clang diagnostic push"); \
+ _Pragma("clang diagnostic ignored \"-Wcast-qual\"")
+# define DIAG_POP_IGNORE_CAST_QUAL \
+ _Pragma("clang diagnostic pop")
+# define DIAG_PUSH_IGNORE_CAST_ALIGN \
+ _Pragma("clang diagnostic push"); \
+ _Pragma("clang diagnostic ignored \"-Wcast-align\"")
+# define DIAG_POP_IGNORE_CAST_ALIGN \
+ _Pragma("clang diagnostic pop")
+#else
+# define DIAG_PUSH_IGNORE_CAST_QUAL /* empty */
+# define DIAG_POP_IGNORE_CAST_QUAL /* empty */
+# define DIAG_PUSH_IGNORE_CAST_ALIGN /* empty */
+# define DIAG_POP_IGNORE_CAST_ALIGN /* empty */
+#endif
+
+/*
+ * Evaluates to
+ * 1, if the given two types are known to be the same
+ * 0, otherwise.
+ */
+#if PAM_GNUC_PREREQ(3, 0)
+# define PAM_IS_SAME_TYPE(x_, y_) \
+ __builtin_types_compatible_p(__typeof__(x_), __typeof__(y_))
+#else
+/* Cannot tell whether these types are the same. */
+# define PAM_IS_SAME_TYPE(x_, y_) 0
+#endif
+
+#endif /* PAM_CC_COMPAT_H */
diff --git a/libpam/include/pam_inline.h b/libpam/include/pam_inline.h
new file mode 100644
index 00000000..ec05fe43
--- /dev/null
+++ b/libpam/include/pam_inline.h
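Review bot: The `DIAG_PUSH_IGNORE_CAST_QUAL` and `DIAG_PUSH_IGNORE_CAST_ALIGN` definitions put a `;` between their two `_Pragma` operators, in both the GCC and the clang branch. `_Pragma` needs no terminator, so every expansion carries an empty statement; that is harmless inside a function body but draws a pedantic warning if the macro is ever used at file scope, and it lands in front of declarations when used at the top of a block. Ending the first line with `_Pragma("GCC diagnostic push") \` (and likewise for clang) keeps the behaviour and removes the restriction. A one-line comment above the block saying that each PUSH must be closed by the matching POP in the same scope would also help readers.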
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org>
+ *
+ * Handy inline functions and macros providing some convenient functionality
+ * to libpam and its modules.
+ */
+
+#ifndef PAM_INLINE_H
+#define PAM_INLINE_H
+
+#include "pam_cc_compat.h"
+#include <string.h>
+
+/*
+ * Evaluates to
+ * - a syntax error if the argument is 0,
+ * 0, otherwise.
+ */
+#define PAM_FAIL_BUILD_ON_ZERO(e_) (sizeof(int[-1 + 2 * !!(e_)]) * 0)
+
+/*
+ * Evaluates to
+ * 1, if the given type is known to be a non-array type
+ * 0, otherwise.
+ */
+#define PAM_IS_NOT_ARRAY(a_) PAM_IS_SAME_TYPE((a_), &(a_)[0])
+
+/*
+ * Evaluates to
+ * - a syntax error if the argument is not an array,
+ * 0, otherwise.
+ */
+#define PAM_MUST_BE_ARRAY(a_) PAM_FAIL_BUILD_ON_ZERO(!PAM_IS_NOT_ARRAY(a_))
+
+/* Evaluates to the number of elements in the specified array. */
+#define PAM_ARRAY_SIZE(a_) (sizeof(a_) / sizeof((a_)[0]) + PAM_MUST_BE_ARRAY(a_))
+
+/*
+ * Returns NULL if STR does not start with PREFIX,
+ * or a pointer to the first char in STR after PREFIX.
+ * The length of PREFIX is specified by PREFIX_LEN.
+ */
+static inline const char *
+pam_str_skip_prefix_len(const char *str, const char *prefix, size_t prefix_len)
+{
+ return strncmp(str, prefix, prefix_len) ? NULL : str + prefix_len;
+}
+
+#define pam_str_skip_prefix(str_, prefix_) \
+ pam_str_skip_prefix_len((str_), (prefix_), sizeof(prefix_) - 1 + PAM_MUST_BE_ARRAY(prefix_))
+
+/*
+ * Returns NULL if STR does not start with PREFIX
+ * (ignoring the case of the characters),
+ * or a pointer to the first char in STR after PREFIX.
+ * The length of PREFIX is specified by PREFIX_LEN.
+ */
+static inline const char *
+pam_str_skip_icase_prefix_len(const char *str, const char *prefix, size_t prefix_len)
+{
+ return strncasecmp(str, prefix, prefix_len) ? 
NULL : str + prefix_len; +} + +#define pam_str_skip_icase_prefix(str_, prefix_) \ + pam_str_skip_icase_prefix_len((str_), (prefix_), sizeof(prefix_) - 1 + PAM_MUST_BE_ARRAY(prefix_)) + +#endif /* PAM_INLINE_H */ diff --git a/libpam/include/security/_pam_types.h b/libpam/include/security/_pam_types.h index 2d684bce..2abb7ee5 100644 --- a/libpam/include/security/_pam_types.h +++ b/libpam/include/security/_pam_types.h @@ -41,7 +41,7 @@ typedef struct pam_handle pam_handle_t; /* can not retrieve authentication */ /* information */ #define PAM_USER_UNKNOWN 10 /* User not known to the underlying */ - /* authenticaiton module */ + /* authentication module */ #define PAM_MAXTRIES 11 /* An authentication service has */ /* maintained a retry count which has */ /* been reached. No further retries */ @@ -50,7 +50,7 @@ typedef struct pam_handle pam_handle_t; /* This is normally returned if the */ /* machine security policies require */ /* that the password should be changed */ - /* beccause the password is NULL or it */ + /* because the password is NULL or it */ /* has aged */ #define PAM_ACCT_EXPIRED 13 /* User account has expired */ #define PAM_SESSION_ERR 14 /* Can not make/remove an entry for */ diff --git a/libpam/include/security/pam_appl.h b/libpam/include/security/pam_appl.h index d4172c69..cf97a493 100644 --- a/libpam/include/security/pam_appl.h +++ b/libpam/include/security/pam_appl.h @@ -24,6 +24,11 @@ pam_start(const char *service_name, const char *user, const struct pam_conv *pam_conversation, pam_handle_t **pamh); +extern int PAM_NONNULL((1,3,5)) +pam_start_confdir(const char *service_name, const char *user, + const struct pam_conv *pam_conversation, + const char *confdir, pam_handle_t **pamh); + extern int PAM_NONNULL((1)) pam_end(pam_handle_t *pamh, int pam_status); diff --git a/libpam/include/security/pam_modutil.h b/libpam/include/security/pam_modutil.h index 4ce8c552..3a6aec6a 100644 --- a/libpam/include/security/pam_modutil.h 
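Review bot: `pam_str_skip_prefix` and `pam_str_skip_icase_prefix` carry no comment, and their length argument `sizeof(prefix_) - 1` is only correct when `prefix_` is a string literal or a NUL-terminated char array. `PAM_MUST_BE_ARRAY` enforces that only where `PAM_IS_SAME_TYPE` works; in the `#else` branch of pam_cc_compat.h it is defined as 0, so the check passes for everything and a `const char *` argument would compile and compare `sizeof(char *) - 1` bytes. Since these helpers are meant for matching option prefixes, a wrong length means a wrong match, so I would add above each macro `/* PREFIX_ must be a string literal or char array; the array check is a no-op on compilers without __builtin_types_compatible_p. */`. The comments on the two `_len` functions should also say that STR and PREFIX must not be NULL, because both are passed straight to `strncmp`/`strncasecmp`.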
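Review bot: `pam_start_confdir` is declared without any comment, and its attribute `PAM_NONNULL((1,3,5))` leaves `confdir` (argument 4) free to be NULL without saying what NULL means. Judging by the name, `confdir` selects the directory the service configuration is read from, which makes it security-sensitive: the declaration should state that the path has to be trusted, meaning not derived from user-controlled input and not writable by unprivileged users, particularly for callers that run with elevated privileges. A short comment such as `/* confdir: directory holding the service files; NULL selects the default locations (confirm against pam_start.c) */` would cover both points. The implementation is not part of this hunk, so the NULL behaviour is an assumption to verify.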
+++ b/libpam/include/security/pam_modutil.h @@ -142,6 +142,12 @@ pam_modutil_sanitize_helper_fds(pam_handle_t *pamh, enum pam_modutil_redirect_fd redirect_stdout, enum pam_modutil_redirect_fd redirect_stderr); +/* lookup a value for key in login.defs file or similar key value format */ +extern char * PAM_NONNULL((1,2,3)) +pam_modutil_search_key(pam_handle_t *pamh, + const char *file_name, + const char *key); + #ifdef __cplusplus } #endif diff --git a/libpam/include/test_assert.h b/libpam/include/test_assert.h new file mode 100644 index 00000000..9d30d62f --- /dev/null +++ b/libpam/include/test_assert.h 
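Review bot: The comment on `pam_modutil_search_key` does not say who owns the returned `char *`, nor what comes back when the key is absent or the file cannot be read. Because the return type is a non-const pointer it is presumably heap memory the caller must `free()`; a module that misses this leaks, and one that guesses wrong frees memory it does not own. Once confirmed against pam_modutil_searchkey.c, which is outside this hunk, I would extend the comment to something like `/* Returns a malloc'ed copy of the value (caller frees), or NULL if the key is not found or on error. */`. It is also worth noting there that `file_name` should be a fixed, trusted path, since the value read from it feeds module policy.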
@@ -0,0 +1,55 @@ +/* + * Assert definitions for tests. + * + * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org> + */ + +#ifndef TEST_ASSERT_H +# define TEST_ASSERT_H + +# ifdef HAVE_CONFIG_H +# include <config.h> +# endif + +# include <stdio.h> +# include <stdlib.h> + +# define ASSERT_(expected_, expected_str_, op_, seen_, seen_str_) \ + do { \ + __typeof__(expected_) e_ = (expected_); \ + __typeof__(seen_) s_ = (seen_); \ + if (e_ op_ s_) break; \ + fprintf(stderr, \ + "%s:%d: Assertion failed: %s (%#lx) %s %s (%#lx)\n", \ + __FILE__, __LINE__, \ + (expected_str_), (unsigned long) e_, #op_, \ + (seen_str_), (unsigned long) s_); \ + abort(); \ + } while (0) \ +/* End of ASSERT_ definition. */ + +# define ASSERT_EQ(expected_, seen_) \ + ASSERT_((expected_), #expected_, ==, (seen_), #seen_) \ +/* End of ASSERT_EQ definition. */ + +# define ASSERT_NE(expected_, seen_) \ + ASSERT_((expected_), #expected_, !=, (seen_), #seen_) \ +/* End of ASSERT_NE definition. */ + +# define ASSERT_LT(expected_, seen_) \ + ASSERT_((expected_), #expected_, <, (seen_), #seen_) \ +/* End of ASSERT_LT definition. */ + +# define ASSERT_LE(expected_, seen_) \ + ASSERT_((expected_), #expected_, <=, (seen_), #seen_) \ +/* End of ASSERT_LT definition. */ + +# define ASSERT_GT(expected_, seen_) \ + ASSERT_((expected_), #expected_, >, (seen_), #seen_) \ +/* End of ASSERT_LT definition. */ + +# define ASSERT_GE(expected_, seen_) \ + ASSERT_((expected_), #expected_, >=, (seen_), #seen_) \ +/* End of ASSERT_LT definition. */ + +#endif /* TEST_ASSERT_H */ diff --git a/libpam/libpam.map b/libpam/libpam.map index d6835b47..c9690a91 100644 --- a/libpam/libpam.map +++ b/libpam/libpam.map @@ -72,3 +72,13 @@ LIBPAM_MODUTIL_1.1.9 { global: pam_modutil_sanitize_helper_fds; } LIBPAM_MODUTIL_1.1.3; + +LIBPAM_MODUTIL_1.3.2 { + global: + pam_modutil_search_key; +} LIBPAM_MODUTIL_1.1.9; + +LIBPAM_1.4 { + global: + pam_start_confdir; +} LIBPAM_1.0; 
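Review bot: In `ASSERT_`, both operands are printed through `(unsigned long)` casts with `%#lx`, so a failing assertion on a 64-bit value where `long` is 32 bits, or on a negative value, reports a number that differs from the one actually compared; the comparison itself uses the original types. Casting to `unsigned long long` and printing with `%#llx` would narrow that gap. Separately, the trailing comments after `ASSERT_LE`, `ASSERT_GT` and `ASSERT_GE` all read `End of ASSERT_LT definition.` and should name their own macro. A one-line note that the header depends on the `__typeof__` extension would also be useful.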
diff --git a/libpam/pam_delay.c b/libpam/pam_delay.c index 972e72b6..549da896 100644 --- a/libpam/pam_delay.c +++ b/libpam/pam_delay.c @@ -44,10 +44,10 @@ void _pam_start_timer(pam_handle_t *pamh) /* ******************************************************************* * Compute a pseudo random time. The value is base*(1 +/- 1/5) where - * the distribution is pseudo gausian (the sum of three evenly + * the distribution is pseudo gaussian (the sum of three evenly * distributed random numbers -- central limit theorem and all ;^) The * linear random numbers are based on a formulae given in Knuth's - * Seminumerical recipies that was reproduced in `Numerical Recipies + * Seminumerical recipes that was reproduced in `Numerical Recipes * in C'. It is *not* a cryptographically strong generator, but it is * probably "good enough" for our purposes here. * @@ -79,9 +79,11 @@ static unsigned int _pam_compute_delay(unsigned int seed, unsigned int base) } /* ********************************************************************** - * the following function sleeps for a random time. The actual time - * slept is computed above.. It is based on the requested time but will - * differ by up to +/- 50%. + * By default, the following function sleeps for a random time. The + * actual time slept is computed above. It is based on the requested + * time but will differ by up to +/- 50%. If the PAM_FAIL_DELAY item is + * set by the client, this function will call the function referenced by + * that item, overriding the default behavior. */ void _pam_await_timer(pam_handle_t *pamh, int status) diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c index 9bfbdf0f..3fa7f7df 100644 --- a/libpam/pam_get_authtok.c +++ b/libpam/pam_get_authtok.c 
@@ -37,12 +37,15 @@ #include <security/pam_ext.h> #define PROMPT _("Password: ") -/* For Translators: "%s%s" could be replaced with "<service> " or "". */ -#define PROMPTCURRENT _("Current %s%spassword: ") -/* For Translators: "%s%s" could be replaced with "<service> " or "". */ -#define PROMPT1 _("New %s%spassword: ") -/* For Translators: "%s%s" could be replaced with "<service> " or "". */ -#define PROMPT2 _("Retype new %s%spassword: ") +/* For Translators: "%s" is replaced with "<service>". */ +#define PROMPT_CURRENT_ARG _("Current %s password: ") +#define PROMPT_CURRENT_NOARG _("Current password: ") +/* For Translators: "%s" is replaced with "<service>". */ +#define PROMPT_NEW_ARG _("New %s password: ") +#define PROMPT_NEW_NOARG _("New password: ") +/* For Translators: "%s" is replaced with "<service>". */ +#define PROMPT_RETYPE_ARG _("Retype new %s password: ") +#define PROMPT_RETYPE_NOARG _("Retype new password: ") #define MISTYPED_PASS _("Sorry, passwords do not match.") #define PAM_GETAUTHTOK_NOVERIFY 1 
@@ -140,28 +143,39 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item, } else if (chpass) { - retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], - PROMPT1, authtok_type, - strlen (authtok_type) > 0?" ":""); + pamh->authtok_verified = 0; + + retval = *authtok_type ? + pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], + PROMPT_NEW_ARG, authtok_type) : + pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], + "%s", PROMPT_NEW_NOARG); if (retval == PAM_SUCCESS && chpass > 1 && resp[0] != NULL) - retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[1], - PROMPT2, authtok_type, - strlen (authtok_type) > 0?" ":""); + { + retval = *authtok_type ? + pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[1], + PROMPT_RETYPE_ARG, authtok_type) : + pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[1], + "%s", PROMPT_RETYPE_NOARG); + } } else if (item == PAM_OLDAUTHTOK) - retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], - PROMPTCURRENT, authtok_type, - strlen (authtok_type) > 0?" ":""); + { + retval = *authtok_type ? + pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], + PROMPT_CURRENT_ARG, authtok_type) : + pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], + "%s", PROMPT_CURRENT_NOARG); + } else - retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], "%s", - PROMPT); + retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], "%s", PROMPT); if (retval != PAM_SUCCESS || resp[0] == NULL || (chpass > 1 && resp[1] == NULL)) { /* We want to abort */ if (chpass) - pam_error (pamh, _("Password change aborted.")); + pam_error (pamh, _("Password change has been aborted.")); return PAM_AUTHTOK_ERR; } @@ -184,6 +198,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item, if (retval != PAM_SUCCESS) return retval; + if (chpass > 1) + pamh->authtok_verified = 1; + return pam_get_item(pamh, item, (const void **)authtok); } 
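Review bot: `pamh->authtok_verified` is set to 1 at the end of pam_get_authtok_internal() when `chpass > 1` and cleared only inside the `else if (chpass)` branch, but nothing in these hunks ties the flag to the PAM_AUTHTOK value it was computed for. The early return added to pam_get_authtok_verify() in the following hunk trusts the flag and hands back whatever PAM_AUTHTOK currently holds. If a module replaces the item through pam_set_item() after verification, the retype check would presumably be skipped for a token that was never confirmed. It is worth confirming that the PAM_AUTHTOK setter resets the flag, or adding `pamh->authtok_verified = 0;` there. Both function bodies extend beyond the hunks shown.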
@@ -214,6 +231,9 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok, if (authtok == NULL || pamh->choice != PAM_CHAUTHTOK) return PAM_SYSTEM_ERR; + if (pamh->authtok_verified) + return pam_get_item (pamh, PAM_AUTHTOK, (const void **)authtok); + if (prompt != NULL) { retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp, @@ -224,16 +244,18 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok, retval = pam_get_item (pamh, PAM_AUTHTOK_TYPE, (const void **)&authtok_type); if (retval != PAM_SUCCESS || authtok_type == NULL) authtok_type = ""; - retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp, - PROMPT2, authtok_type, - strlen (authtok_type) > 0?" ":""); + retval = *authtok_type ? + pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp, + PROMPT_RETYPE_ARG, authtok_type) : + pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp, + "%s", PROMPT_RETYPE_NOARG); } if (retval != PAM_SUCCESS || resp == NULL) { /* We want to abort the password change */ pam_set_item (pamh, PAM_AUTHTOK, NULL); - pam_error (pamh, _("Password change aborted.")); + pam_error (pamh, _("Password change has been aborted.")); return PAM_AUTHTOK_ERR; } @@ -252,5 +274,7 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok, if (retval != PAM_SUCCESS) return retval; + pamh->authtok_verified = 1; + return pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok); } diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c index 106ef7c2..ffa5e4ae 100644 --- a/libpam/pam_handlers.c +++ b/libpam/pam_handlers.c @@ -7,6 +7,7 @@ */ #include "pam_private.h" +#include "pam_inline.h" #include <stdlib.h> #include <stdio.h> @@ -280,9 +281,14 @@ _pam_open_config_file(pam_handle_t *pamh , char **path , FILE **file) { - char *p; + const char *pamd_dirs[] = { PAM_CONFIG_DF, PAM_CONFIG_DIST_DF +#ifdef VENDORDIR + , PAM_CONFIG_DIST2_DF +#endif + }; + char *p = NULL; FILE *f; - int err = 0; + size_t i; /* Absolute path */ if (service[0] == '/') { 
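Review bot: The `pamd_dirs` initializer in _pam_open_config_file() guards its third entry with `#ifdef VENDORDIR`, while the matching stat() test added to _pam_init_handlers() in a later hunk uses `#ifdef PAM_CONFIG_DIST2_D`. Going by the pam_private.h hunk the two are defined together, but testing the macro that is actually used, `#ifdef PAM_CONFIG_DIST2_DF`, would keep the array correct if that ever changes. The entries are later passed to asprintf() as format strings, so a short comment that each must contain exactly one `%s` would also help. The function body continues outside this hunk.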
@@ -291,45 +297,40 @@ _pam_open_config_file(pam_handle_t *pamh pam_syslog(pamh, LOG_CRIT, "strdup failed"); return PAM_BUF_ERR; } + } else if (pamh->confdir != NULL) { + if (asprintf (&p, "%s/%s", pamh->confdir, service) < 0) { + pam_syslog(pamh, LOG_CRIT, "asprintf failed"); + return PAM_BUF_ERR; + } + } - f = fopen(service, "r"); + if (p != NULL) { + D(("opening %s", p)); + f = fopen(p, "r"); if (f != NULL) { *path = p; *file = f; return PAM_SUCCESS; } - _pam_drop(p); return PAM_ABORT; } - /* Local Machine Configuration /etc/pam.d/ */ - if (asprintf (&p, PAM_CONFIG_DF, service) < 0) { - pam_syslog(pamh, LOG_CRIT, "asprintf failed"); - return PAM_BUF_ERR; - } - D(("opening %s", p)); - f = fopen(p, "r"); - if (f != NULL) { - *path = p; - *file = f; - return PAM_SUCCESS; - } + for (i = 0; i < PAM_ARRAY_SIZE(pamd_dirs); i++) { + if (asprintf (&p, pamd_dirs[i], service) < 0) { + pam_syslog(pamh, LOG_CRIT, "asprintf failed"); + return PAM_BUF_ERR; + } - /* System Configuration /usr/lib/pam.d/ */ - _pam_drop(p); - if (asprintf (&p, PAM_CONFIG_DIST_DF, service) < 0) { - pam_syslog(pamh, LOG_CRIT, "asprintf failed"); - return PAM_BUF_ERR; - } - D(("opening %s", p)); - f = fopen(p, "r"); - if (f != NULL) { + D(("opening %s", p)); + f = fopen(p, "r"); + if (f != NULL) { *path = p; *file = f; return PAM_SUCCESS; + } + _pam_drop(p); } - _pam_drop(p); return PAM_ABORT; } @@ -446,8 +447,14 @@ int _pam_init_handlers(pam_handle_t *pamh) struct stat test_d; /* Is there a PAM_CONFIG_D directory? */ - if ((stat(PAM_CONFIG_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) || - (stat(PAM_CONFIG_DIST_D, &test_d) == 0 && S_ISDIR(test_d.st_mode))) { + if (pamh->confdir != NULL || + (stat(PAM_CONFIG_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) || + (stat(PAM_CONFIG_DIST_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) +#ifdef PAM_CONFIG_DIST2_D + || (stat(PAM_CONFIG_DIST2_D, &test_d) == 0 + && S_ISDIR(test_d.st_mode)) +#endif + ) { char *path = NULL; int read_something=0; 
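Review bot: When `pamh->confdir` is set, the shared `if (p != NULL)` block returns PAM_ABORT on a failed fopen() and the `pamd_dirs` loop is never reached, so the system directories are deliberately not consulted, yet nothing in the code says so. A comment above the branch such as `/* A caller-supplied confdir replaces the default search path; no fallback. */` would record that. In the _pam_init_handlers() hunk on the same line, `pamh->confdir != NULL` bypasses the S_ISDIR checks, so a confdir that is missing or not a directory is only noticed when the per-service fopen() fails. `service` is joined to confdir unmodified here; whether it can still contain `/` or `..` at this point depends on code outside the hunk and is worth confirming.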
@@ -474,7 +481,8 @@ int _pam_init_handlers(pam_handle_t *pamh) #ifdef PAM_READ_BOTH_CONFS D(("checking %s", PAM_CONFIG)); - if ((f = fopen(PAM_CONFIG,"r")) != NULL) { + if (pamh->confdir == NULL + && (f = fopen(PAM_CONFIG,"r")) != NULL) { retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 0, 1); fclose(f); } else @@ -551,7 +559,7 @@ int _pam_init_handlers(pam_handle_t *pamh) /* * This is where we read a line of the PAM config file. The line may be - * preceeded by lines of comments and also extended with "\\\n" + * preceded by lines of comments and also extended with "\\\n" */ static int _pam_assemble_line(FILE *f, char *buffer, int buf_len) @@ -665,7 +673,6 @@ _pam_load_module(pam_handle_t *pamh, const char *mod_path, int handler_type) { int x = 0; int success; - char *mod_full_isa_path=NULL, *isa=NULL; struct loaded_module *mod; D(("_pam_load_module: loading module `%s'", mod_path)); 
@@ -704,19 +711,27 @@ _pam_load_module(pam_handle_t *pamh, const char *mod_path, int handler_type) D(("_pam_load_module: _pam_dlopen'ed")); D(("_pam_load_module: dlopen'ed")); if (mod->dl_handle == NULL) { - if (strstr(mod_path, "$ISA")) { - mod_full_isa_path = malloc(strlen(mod_path) + strlen(_PAM_ISA) + 1); + const char *isa = strstr(mod_path, "$ISA"); + size_t isa_len = strlen("$ISA"); + + if (isa != NULL) { + size_t pam_isa_len = strlen(_PAM_ISA); + char *mod_full_isa_path = + malloc(strlen(mod_path) - isa_len + pam_isa_len + 1); + if (mod_full_isa_path == NULL) { D(("_pam_load_module: couldn't get memory for mod_path")); pam_syslog(pamh, LOG_CRIT, "no memory for module path"); success = PAM_ABORT; } else { - strcpy(mod_full_isa_path, mod_path); - isa = strstr(mod_full_isa_path, "$ISA"); - if (isa) { - memmove(isa + strlen(_PAM_ISA), isa + 4, strlen(isa + 4) + 1); - memmove(isa, _PAM_ISA, strlen(_PAM_ISA)); - } + char *p = mod_full_isa_path; + + memcpy(p, mod_path, isa - mod_path); + p += isa - mod_path; + memcpy(p, _PAM_ISA, pam_isa_len); + p += pam_isa_len; + strcpy(p, isa + isa_len); + mod->dl_handle = _pam_dlopen(mod_full_isa_path); _pam_drop(mod_full_isa_path); } @@ -1019,7 +1034,7 @@ void _pam_free_handlers_aux(struct handler **hp) D(("called.")); while (h) { last = h; - _pam_drop(h->argv); /* This is all alocated in a single chunk */ + _pam_drop(h->argv); /* This is all allocated in a single chunk */ _pam_drop(h->mod_name); h = h->next; memset(last, 0, sizeof(*last)); diff --git a/libpam/pam_item.c b/libpam/pam_item.c index 8148fd57..d6af710b 100644 --- a/libpam/pam_item.c +++ b/libpam/pam_item.c 
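Review bot: The size passed to malloc() in the `$ISA` branch of _pam_load_module() is now exact, `strlen(mod_path) - isa_len + pam_isa_len + 1`, and the three copies that follow depend on that arithmetic with no comment tying them together. Ending with `strcpy(p, isa + isa_len)` is correct as written, but a one-line comment giving the layout (prefix, _PAM_ISA, tail, NUL) would make the invariant easier to re-check when this code is next touched. Only the first `$ISA` in the path is substituted, as before; if that is intended it deserves a word in the same comment. The function starts and ends outside this hunk.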
@@ -285,13 +285,13 @@ int pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt) if (user == NULL) { /* ensure that the module has supplied a destination */ pam_syslog(pamh, LOG_ERR, "pam_get_user: nowhere to record username"); - return PAM_PERM_DENIED; + return PAM_SYSTEM_ERR; } else *user = NULL; if (pamh->pam_conversation == NULL) { pam_syslog(pamh, LOG_ERR, "pam_get_user: no conv element in pamh"); - return PAM_SERVICE_ERR; + return PAM_SYSTEM_ERR; } if (pamh->user) { /* have one so return it */ 
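Review bot: Both early exits of pam_get_user() now return PAM_SYSTEM_ERR where they returned PAM_PERM_DENIED and PAM_SERVICE_ERR before, and the hunk carries no comment recording the new contract. Modules that compare the result against the old codes would see different behaviour. The function's header comment (outside this hunk) and its manual page should list PAM_SYSTEM_ERR for a NULL `user` pointer and for a handle without a conversation structure.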
@@ -343,28 +343,42 @@ int pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt) retval = pamh->pam_conversation-> conv(1, &pmsg, &resp, pamh->pam_conversation->appdata_ptr); - if (retval == PAM_CONV_AGAIN) { - /* conversation function is waiting for an event - save state */ - D(("conversation function is not ready yet")); - pamh->former.want_user = PAM_TRUE; - pamh->former.prompt = _pam_strdup(use_prompt); - } else if (resp == NULL || resp->resp == NULL) { - /* - * conversation should have given a response - */ - D(("pam_get_user: no response provided")); - retval = PAM_CONV_ERR; - pamh->former.fail_user = retval; - } else if (retval == PAM_SUCCESS) { /* copy the username */ - /* - * now we set the PAM_USER item -- this was missing from pre.53 - * releases. However, reading the Sun manual, it is part of - * the standard API. - */ - retval = pam_set_item(pamh, PAM_USER, resp->resp); - *user = pamh->user; - } else - pamh->former.fail_user = retval; + switch (retval) { + case PAM_SUCCESS: + case PAM_BUF_ERR: + case PAM_CONV_AGAIN: + case PAM_CONV_ERR: + break; + default: + retval = PAM_CONV_ERR; + } + + switch (retval) { + case PAM_CONV_AGAIN: + /* conversation function is waiting for an event - save state */ + D(("conversation function is not ready yet")); + pamh->former.want_user = PAM_TRUE; + pamh->former.prompt = _pam_strdup(use_prompt); + break; + case PAM_SUCCESS: + if (resp != NULL && resp->resp != NULL) { + /* + * now we set the PAM_USER item -- this was missing from pre.53 + * releases. However, reading the Sun manual, it is part of + * the standard API. + */ + retval = pam_set_item(pamh, PAM_USER, resp->resp); + *user = pamh->user; + break; + } else { + /* conversation should have given a response */ + D(("pam_get_user: no response provided")); + retval = PAM_CONV_ERR; + } + /* fallthrough */ + default: + pamh->former.fail_user = retval; + } if (resp) { if (retval != PAM_SUCCESS) 
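Review bot: In the new `case PAM_SUCCESS:` arm, `*user = pamh->user;` runs even when pam_set_item() has just failed, and because of the `break` that failure is not stored in `pamh->former.fail_user`. The old if/else chain behaved the same way, but the rewrite is a good place to tighten it, e.g. `if (retval == PAM_SUCCESS) *user = pamh->user;`. A short comment on the first switch saying that any unexpected return from the conversation function is folded into PAM_CONV_ERR would also explain why the second switch needs only three arms. The `if (resp) {` statement at the end of the hunk continues outside it.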
diff --git a/libpam/pam_misc.c b/libpam/pam_misc.c index aac0e923..996f23ce 100644 --- a/libpam/pam_misc.c +++ b/libpam/pam_misc.c @@ -163,7 +163,7 @@ char *_pam_memdup(const char *x, int len) /* Generate argv, argc from s */ /* caller must free(argv) */ -int _pam_mkargv(char *s, char ***argv, int *argc) +int _pam_mkargv(const char *s, char ***argv, int *argc) { int l; int argvlen = 0; diff --git a/libpam/pam_modutil_ingroup.c b/libpam/pam_modutil_ingroup.c index 875cf3e2..356302ee 100644 --- a/libpam/pam_modutil_ingroup.c +++ b/libpam/pam_modutil_ingroup.c @@ -12,31 +12,34 @@ #include <grp.h> #ifdef HAVE_GETGROUPLIST + +#define NGROUPS_MIN 100 +#define NGROUPS_MAX 65536 + static int checkgrouplist(const char *user, gid_t primary, gid_t target) { - gid_t *grouplist = NULL; - int agroups, ngroups, i; - ngroups = agroups = 3; + int ngroups, pgroups, i; + + ngroups = NGROUPS_MIN; do { - grouplist = malloc(sizeof(gid_t) * agroups); + gid_t *grouplist; + + pgroups = ngroups; + grouplist = malloc(sizeof(gid_t) * ngroups); if (grouplist == NULL) { return 0; } - ngroups = agroups; i = getgrouplist(user, primary, grouplist, &ngroups); - if ((i < 0) || (ngroups < 1)) { - agroups *= 2; - free(grouplist); - } else { + if (i >= 0) { for (i = 0; i < ngroups; i++) { if (grouplist[i] == target) { free(grouplist); return 1; } } - free(grouplist); } - } while (((i < 0) || (ngroups < 1)) && (agroups < 10000)); + free(grouplist); + } while (i < 0 && ngroups > 0 && ngroups != pgroups && ngroups <= NGROUPS_MAX); return 0; } #endif diff --git a/libpam/pam_modutil_sanitize.c b/libpam/pam_modutil_sanitize.c index 65f85d01..58b9537c 100644 --- a/libpam/pam_modutil_sanitize.c +++ b/libpam/pam_modutil_sanitize.c 
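Review bot: The new `NGROUPS_MAX` macro above checkgrouplist() reuses the name POSIX gives to the `<limits.h>` constant, so any header that pulls in limits.h can trigger a redefinition, possibly with a different value; a private name such as `PAM_NGROUPS_MAX` avoids that. On a retry, `malloc(sizeof(gid_t) * ngroups)` uses the count written back by getgrouplist(), and only the `<= NGROUPS_MAX` test in the loop condition keeps that size bounded, which deserves a comment. When the bound is exceeded or malloc() fails the function returns 0, which callers cannot tell apart from "not a member". Callers that use the result to deny access should be aware of that.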
@@ -10,6 +10,13 @@ #include <fcntl.h> #include <syslog.h> #include <sys/resource.h> +#include <dirent.h> +#ifdef HAVE_SYS_VFS_H +#include <sys/vfs.h> +#endif +#ifdef HAVE_LINUX_MAGIC_H +#include <linux/magic.h> +#endif /* * Creates a pipe, closes its write end, redirects fd to its read end. @@ -40,34 +47,6 @@ redirect_in_pipe(pam_handle_t *pamh, int fd, const char *name) } /* - * Creates a pipe, closes its read end, redirects fd to its write end. - * Returns fd on success, -1 otherwise. - */ -static int -redirect_out_pipe(pam_handle_t *pamh, int fd, const char *name) -{ - int out[2]; - - if (pipe(out) < 0) { - pam_syslog(pamh, LOG_ERR, "Could not create pipe: %m"); - return -1; - } - - close(out[0]); - - if (out[1] == fd) - return fd; - - if (dup2(out[1], fd) != fd) { - pam_syslog(pamh, LOG_ERR, "dup2 of %s failed: %m", name); - fd = -1; - } - - close(out[1]); - return fd; -} - -/* * Opens /dev/null for writing, redirects fd there. * Returns fd on success, -1 otherwise. */ @@ -99,7 +78,7 @@ redirect_out(pam_handle_t *pamh, enum pam_modutil_redirect_fd mode, { switch (mode) { case PAM_MODUTIL_PIPE_FD: - if (redirect_out_pipe(pamh, fd, name) < 0) + if (redirect_in_pipe(pamh, fd, name) < 0) return -1; break; case PAM_MODUTIL_NULL_FD: 
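Review bot: redirect_out() now calls redirect_in_pipe() for PAM_MODUTIL_PIPE_FD, so an output descriptor ends up on the read end of a pipe, and neither the helper's name nor its header comment ("redirects fd to its read end") hints that this is intended for stdout and stderr. Presumably the aim is that writes fail with an error instead of raising SIGPIPE, as they would on a write end whose reader is closed. A comment at the call such as `/* read end on purpose: writes fail instead of raising SIGPIPE */` would stop a later reader from changing it back. redirect_out() begins outside this hunk.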
@@ -112,31 +91,69 @@ redirect_out(pam_handle_t *pamh, enum pam_modutil_redirect_fd mode, return fd; } +/* Check if path is in a procfs. */ +static int +is_in_procfs(int fd) +{ +#if defined HAVE_SYS_VFS_H && defined PROC_SUPER_MAGIC + struct statfs stfs; + + if (fstatfs(fd, &stfs) == 0) { + if (stfs.f_type == PROC_SUPER_MAGIC) + return 1; + } else { + return 0; + } +#endif /* HAVE_SYS_VFS_H && PROC_SUPER_MAGIC */ + + return -1; +} + /* Closes all descriptors after stderr. */ static void close_fds(void) { + DIR *dir = NULL; + struct dirent *dent; + int dfd = -1; + int fd; + struct rlimit rlim; + /* * An arbitrary upper limit for the maximum file descriptor number * returned by RLIMIT_NOFILE. */ - const int MAX_FD_NO = 65535; + const unsigned int MAX_FD_NO = 65535; /* The lower limit is the same as for _POSIX_OPEN_MAX. */ - const int MIN_FD_NO = 20; - - int fd; - struct rlimit rlim; - - if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO) - fd = MAX_FD_NO; - else if (rlim.rlim_max < MIN_FD_NO) - fd = MIN_FD_NO; - else - fd = rlim.rlim_max - 1; + const unsigned int MIN_FD_NO = 20; + + /* If /proc is mounted, we can optimize which fd can be closed. */ + if ((dir = opendir("/proc/self/fd")) != NULL) { + if ((dfd = dirfd(dir)) >= 0 && is_in_procfs(dfd) > 0) { + while ((dent = readdir(dir)) != NULL) { + fd = atoi(dent->d_name); + if (fd > STDERR_FILENO && fd != dfd) + close(fd); + } + } else { + dfd = -1; + } + closedir(dir); + } - for (; fd > STDERR_FILENO; --fd) - close(fd); + /* If /proc isn't available, fallback to the previous behavior. */ + if (dfd < 0) { + if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO) + fd = MAX_FD_NO; + else if (rlim.rlim_max < MIN_FD_NO) + fd = MIN_FD_NO; + else + fd = rlim.rlim_max - 1; + + for (; fd > STDERR_FILENO; --fd) + close(fd); + } } int diff --git a/libpam/pam_modutil_searchkey.c b/libpam/pam_modutil_searchkey.c new file mode 100644 index 00000000..ba023e52 --- /dev/null 
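Review bot: is_in_procfs() returns three different values that its comment does not explain: 1 when the descriptor is on procfs, 0 when fstatfs() fails, and -1 both when the filesystem is something else and when the check is compiled out. close_fds() only tests `> 0`, so the distinction is unused. Either reduce it to a boolean or document it, e.g. `/* Returns 1 if fd is on procfs, 0 if fstatfs() fails, -1 if it is not procfs or the check is unavailable. */`; the comment should also say "fd" rather than "path". In close_fds(), `atoi(dent->d_name)` turns any non-numeric entry into 0 silently; that is harmless for `.` and `..` because of the `fd > STDERR_FILENO` test, but strtol() with an end-pointer check would make the parsing explicit.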
+++ b/libpam/pam_modutil_searchkey.c 
@@ -0,0 +1,128 @@ +/* + * This file implements the following functions: + * pam_modutil_search_key: + * lookup a value for key in login.defs file or similar key value format + */ + +#include "config.h" + +#include "pam_private.h" +#include "pam_modutil_private.h" +#include <security/pam_ext.h> +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <ctype.h> +#ifdef USE_ECONF +#include <libeconf.h> +#endif + +#define BUF_SIZE 8192 + +#ifdef USE_ECONF +#define LOGIN_DEFS "/etc/login.defs" + +#ifndef VENDORDIR +#define VENDORDIR NULL +#endif + +static char * +econf_search_key (const char *name, const char *suffix, const char *key) +{ + econf_file *key_file = NULL; + char *val; + + if (econf_readDirs (&key_file, VENDORDIR, SYSCONFDIR, name, suffix, + " \t", "#")) + return NULL; + + if (econf_getStringValue (key_file, NULL, key, &val)) { + econf_free (key_file); + return NULL; + } + + econf_free (key_file); + + return val; +} + +#endif + +/* lookup a value for key in login.defs file or similar key value format */ +char * +pam_modutil_search_key(pam_handle_t *pamh UNUSED, + const char *file_name, + const char *key) +{ + FILE *fp; + char *buf = NULL; + size_t buflen = 0; + char *retval = NULL; + +#ifdef USE_ECONF + if (strcmp (file_name, LOGIN_DEFS) == 0) + return econf_search_key ("login", ".defs", key); +#endif + + fp = fopen(file_name, "r"); + if (NULL == fp) + return NULL; + + while (!feof(fp)) { + char *tmp, *cp; +#if defined(HAVE_GETLINE) + ssize_t n = getline(&buf, &buflen, fp); +#elif defined (HAVE_GETDELIM) + ssize_t n = getdelim(&buf, &buflen, '\n', fp); +#else + ssize_t n; + + if (buf == NULL) { + buflen = BUF_SIZE; + buf = malloc(buflen); + if (buf == NULL) { + fclose(fp); + return NULL; + } + } + buf[0] = '\0'; + if (fgets(buf, buflen - 1, fp) == NULL) + break; + else if (buf != NULL) + n = strlen(buf); + else + n = 0; +#endif /* HAVE_GETLINE / HAVE_GETDELIM */ + cp = buf; + + if (n < 1) + break; + if (cp[n - 1] == '\n') + cp[n - 1] = '\0'; + 
+ tmp = strchr(cp, '#'); /* remove comments */ + if (tmp) + *tmp = '\0'; + while (isspace((int)*cp)) /* remove spaces and tabs */ + ++cp; + if (*cp == '\0') /* ignore empty lines */ + continue; + + tmp = strsep (&cp, " \t="); + if (cp != NULL) + while (isspace((int)*cp) || *cp == '=') + ++cp; + else + cp = buf + n; /* empty string */ + + if (strcasecmp(tmp, key) == 0) { + retval = strdup(cp); + break; + } + } + fclose(fp); + + free(buf); + + return retval; +} diff --git a/libpam/pam_private.h b/libpam/pam_private.h index 7ff9f758..508527cf 100644 --- a/libpam/pam_private.h +++ b/libpam/pam_private.h @@ -29,6 +29,11 @@ #define PAM_CONFIG_DF "/etc/pam.d/%s" #define PAM_CONFIG_DIST_D "/usr/lib/pam.d" #define PAM_CONFIG_DIST_DF "/usr/lib/pam.d/%s" +#ifdef VENDORDIR +#define PAM_CONFIG_DIST2_D VENDORDIR"/pam.d" +#define PAM_CONFIG_DIST2_DF VENDORDIR"/pam.d/%s" +#endif + #define PAM_DEFAULT_SERVICE "other" /* lower case */ @@ -172,6 +177,8 @@ struct pam_handle { #ifdef HAVE_LIBAUDIT int audit_state; /* keep track of reported audit messages */ #endif + int authtok_verified; + char *confdir; }; /* Values for select arg to _pam_dispatch() */ @@ -213,7 +220,7 @@ int _pam_free_handlers(pam_handle_t *pamh); /* Parse config file, allocate handler structures, dlopen() */ int _pam_init_handlers(pam_handle_t *pamh); -/* Set all hander stuff to 0/NULL - called once from pam_start() */ +/* Set all handler stuff to 0/NULL - called once from pam_start() */ void _pam_start_handlers(pam_handle_t *pamh); /* environment helper functions */ @@ -265,7 +272,7 @@ char *_pam_strdup(const char *s); char *_pam_memdup(const char *s, int len); -int _pam_mkargv(char *s, char ***argv, int *argc); +int _pam_mkargv(const char *s, char ***argv, int *argc); void _pam_sanitize(pam_handle_t *pamh); diff --git a/libpam/pam_start.c b/libpam/pam_start.c index 328416d2..59d06224 100644 --- a/libpam/pam_start.c +++ b/libpam/pam_start.c 
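Review bot: Both `isspace((int)*cp)` calls in pam_modutil_search_key() pass a plain `char`, which is negative for bytes above 0x7f where `char` is signed, and a negative argument other than EOF is undefined for the ctype functions; use `isspace((unsigned char)*cp)` in both loops. In the fallback branch without getline() or getdelim(), fgets() returns a line longer than BUF_SIZE in pieces, and the remainder is parsed as if it were a new line, so its text could be matched as a key. Discarding input up to the next newline after a truncated read would avoid that. A NULL return covers a missing file, a missing key and a failed strdup() alike; the header comment should state that, along with the fact that the returned string is heap-allocated and the caller is presumably expected to free it.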
@@ -15,10 +15,11 @@ #include <string.h> #include <syslog.h> -int pam_start ( +static int _pam_start_internal ( const char *service_name, const char *user, const struct pam_conv *pam_conversation, + const char *confdir, pam_handle_t **pamh) { D(("called pam_start: [%s] [%s] [%p] [%p]" @@ -80,6 +81,18 @@ int pam_start ( } else (*pamh)->user = NULL; + if (confdir) { + if (((*pamh)->confdir = _pam_strdup(confdir)) == NULL) { + pam_syslog(*pamh, LOG_CRIT, + "pam_start: _pam_strdup failed for confdir"); + _pam_drop((*pamh)->service_name); + _pam_drop((*pamh)->user); + _pam_drop(*pamh); + return (PAM_BUF_ERR); + } + } else + (*pamh)->confdir = NULL; + (*pamh)->tty = NULL; (*pamh)->prompt = NULL; /* prompt for pam_get_user() */ (*pamh)->ruser = NULL; @@ -94,6 +107,7 @@ int pam_start ( #endif (*pamh)->xdisplay = NULL; (*pamh)->authtok_type = NULL; + (*pamh)->authtok_verified = 0; memset (&((*pamh)->xauth), 0, sizeof ((*pamh)->xauth)); if (((*pamh)->pam_conversation = (struct pam_conv *) @@ -139,3 +153,24 @@ int pam_start ( return PAM_SUCCESS; } + +int pam_start_confdir ( + const char *service_name, + const char *user, + const struct pam_conv *pam_conversation, + const char *confdir, + pam_handle_t **pamh) +{ + return _pam_start_internal(service_name, user, pam_conversation, + confdir, pamh); +} + +int pam_start ( + const char *service_name, + const char *user, + const struct pam_conv *pam_conversation, + pam_handle_t **pamh) +{ + return _pam_start_internal(service_name, user, pam_conversation, + NULL, pamh); +} |
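Review bot: The copy stored in `(*pamh)->confdir` by `_pam_strdup(confdir)` is new heap state on the handle, but no hunk shown here releases it. The failure paths later in _pam_start_internal() (for example after the `pam_conversation` allocation, which continues outside these hunks) would need `_pam_drop((*pamh)->confdir);` next to the existing drops of `service_name` and `user`. The handle teardown needs the same. Please confirm both, otherwise each pam_start_confdir() call leaks the string.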
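Review bot: pam_start_confdir() is added as a public entry point with no comment describing `confdir`, even though that argument decides which directory the whole PAM stack is read from. A header comment should state that the directory replaces the default search path, that NULL gives pam_start() behaviour, and that privileged callers must pass only a trusted path that unprivileged users cannot write to. The `D(("called pam_start: ...` trace at the top of _pam_start_internal() also appears to print only the original four arguments and could include `confdir`.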