Diffstat (limited to 'modules/pam_exec')
-rw-r--r-- | modules/pam_exec/Makefile.am | 4 | ||||
-rw-r--r-- | modules/pam_exec/Makefile.in | 15 | ||||
-rw-r--r-- | modules/pam_exec/README.xml | 32 | ||||
-rw-r--r-- | modules/pam_exec/pam_exec.8 | 24 | ||||
-rw-r--r-- | modules/pam_exec/pam_exec.8.xml | 65 | ||||
-rw-r--r-- | modules/pam_exec/pam_exec.c | 44 |
6 files changed, 101 insertions, 83 deletions
diff --git a/modules/pam_exec/Makefile.am b/modules/pam_exec/Makefile.am index 713de6af..a0582226 100644 --- a/modules/pam_exec/Makefile.am +++ b/modules/pam_exec/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_exec TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_exec/Makefile.in b/modules/pam_exec/Makefile.in index a312387a..f738998d 100644 --- a/modules/pam_exec/Makefile.in +++ b/modules/pam_exec/Makefile.in @@ -428,6 +428,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -440,11 +441,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -476,12 +479,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -504,6 +509,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ 
@@ -514,12 +520,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -593,7 +603,8 @@ XMLS = README.xml pam_exec.8.xml dist_check_SCRIPTS = tst-pam_exec TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_exec/README.xml b/modules/pam_exec/README.xml index 5e76cab3..1928d7f9 100644 --- a/modules/pam_exec/README.xml +++ b/modules/pam_exec/README.xml 
@@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_exec.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_exec-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_exec.8.xml" xpointer='xpointer(id("pam_exec-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_exec.8.xml" xpointer='xpointer(id("pam_exec-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_exec.8.xml" xpointer='xpointer(id("pam_exec-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_exec.8.xml" xpointer='xpointer(id("pam_exec-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_exec.8.xml" xpointer='xpointer(id("pam_exec-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_exec/pam_exec.8 b/modules/pam_exec/pam_exec.8 index 71087918..4c7023d9 100644 --- a/modules/pam_exec/pam_exec.8 +++ b/modules/pam_exec/pam_exec.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_exec .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_EXEC" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_EXEC" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -57,12 +57,12 @@ Commands called by pam_exec need to be aware of that the user can have control o .SH "OPTIONS" .PP .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. .RE .PP -\fBexpose_authtok\fR +expose_authtok .RS 4 During authentication the calling command can read the password from \fBstdin\fR(3)\&. Only first @@ -70,18 +70,18 @@ During authentication the calling command can read the password from bytes of a password are provided to the command\&. .RE .PP -\fBlog=\fR\fB\fIfile\fR\fR +log=file .RS 4 The output of the command is appended to file .RE .PP -\fBtype=\fR\fB\fItype\fR\fR +type=type .RS 4 Only run the command if the module type matches the given type\&. .RE .PP -\fBstdout\fR +stdout .RS 4 Per default the output of the executed command is written to /dev/null\&. With this option, the stdout output of the executed command is redirected to the calling application\&. It\*(Aqs in the responsibility of this application what happens with the output\&. The 
@@ -89,17 +89,17 @@ Per default the output of the executed command is written to option is ignored\&. .RE .PP -\fBquiet\fR +quiet .RS 4 Per default pam_exec\&.so will echo the exit status of the external command if it fails\&. Specifying this option will suppress the message\&. .RE .PP -\fBquiet_log\fR +quiet_log .RS 4 Per default pam_exec\&.so will log the exit status of the external command if it fails\&. Specifying this option will suppress the log message\&. .RE .PP -\fBseteuid\fR +seteuid .RS 4 Per default pam_exec\&.so will execute the external command with the real user ID of the calling process\&. Specifying this option means the command is run with the effective user ID\&. .RE diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml index 7e89943c..13abe6e6 100644 --- a/modules/pam_exec/pam_exec.8.xml +++ b/modules/pam_exec/pam_exec.8.xml 
@@ -1,57 +1,54 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_exec"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_exec"> <refmeta> <refentrytitle>pam_exec</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_exec-name"> + <refnamediv xml:id="pam_exec-name"> <refname>pam_exec</refname> <refpurpose>PAM module which calls an external command</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_exec-cmdsynopsis"> + <cmdsynopsis xml:id="pam_exec-cmdsynopsis" sepchar=" "> <command>pam_exec.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> expose_authtok </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> seteuid </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> quiet </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> quiet_log </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> stdout </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> log=<replaceable>file</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> type=<replaceable>type</replaceable> </arg> - <arg choice="plain"> + <arg choice="plain" rep="norepeat"> <replaceable>command</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> <replaceable>...</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_exec-description"> + <refsect1 xml:id="pam_exec-description"> <title>DESCRIPTION</title> @@ -83,7 +80,7 @@ </refsect1> - <refsect1 id="pam_exec-options"> + <refsect1 xml:id="pam_exec-options"> <title>OPTIONS</title> <para> 
@@ -91,7 +88,7 @@ <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -102,7 +99,7 @@ <varlistentry> <term> - <option>expose_authtok</option> + expose_authtok </term> <listitem> <para> @@ -117,7 +114,7 @@ <varlistentry> <term> - <option>log=<replaceable>file</replaceable></option> + log=file </term> <listitem> <para> @@ -129,7 +126,7 @@ <varlistentry> <term> - <option>type=<replaceable>type</replaceable></option> + type=type </term> <listitem> <para> @@ -140,7 +137,7 @@ <varlistentry> <term> - <option>stdout</option> + stdout </term> <listitem> <para> @@ -151,7 +148,7 @@ <varlistentry> <term> - <option>quiet</option> + quiet </term> <listitem> <para> @@ -164,7 +161,7 @@ <varlistentry> <term> - <option>quiet_log</option> + quiet_log </term> <listitem> <para> @@ -177,7 +174,7 @@ <varlistentry> <term> - <option>seteuid</option> + seteuid </term> <listitem> <para> @@ -194,7 +191,7 @@ </para> </refsect1> - <refsect1 id="pam_exec-types"> + <refsect1 xml:id="pam_exec-types"> <title>MODULE TYPES PROVIDED</title> <para> All module types (<option>auth</option>, <option>account</option>, @@ -202,7 +199,7 @@ </para> </refsect1> - <refsect1 id='pam_exec-return_values'> + <refsect1 xml:id="pam_exec-return_values"> <title>RETURN VALUES</title> <para> <variablelist> @@ -278,7 +275,7 @@ </para> </refsect1> - <refsect1 id='pam_exec-examples'> + <refsect1 xml:id="pam_exec-examples"> <title>EXAMPLES</title> <para> Add the following line to <filename>/etc/pam.d/passwd</filename> to @@ -293,7 +290,7 @@ </para> </refsect1> - <refsect1 id='pam_exec-see_also'> + <refsect1 xml:id="pam_exec-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -308,7 +305,7 @@ </para> </refsect1> - <refsect1 id='pam_exec-author'> + <refsect1 xml:id="pam_exec-author"> <title>AUTHOR</title> <para> pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de> and @@ -316,4 +313,4 @@ </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c index 05dec167..9d2145dc 100644 --- a/modules/pam_exec/pam_exec.c +++ b/modules/pam_exec/pam_exec.c @@ -48,6 +48,7 @@ #include <sys/wait.h> #include <sys/stat.h> #include <sys/types.h> +#include <signal.h> #include <security/pam_modules.h> #include <security/pam_modutil.h> @@ -105,6 +106,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, FILE *stdout_file = NULL; int retval; const char *name; + struct sigaction newsa, oldsa; if (argc < 1) { pam_syslog (pamh, LOG_ERR, @@ -182,6 +184,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, if (retval != PAM_SUCCESS) { + pam_overwrite_string (resp); _pam_drop (resp); if (retval == PAM_CONV_AGAIN) retval = PAM_INCOMPLETE; @@ -192,6 +195,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, { pam_set_item (pamh, PAM_AUTHTOK, resp); strncpy (authtok, resp, sizeof(authtok) - 1); + pam_overwrite_string (resp); _pam_drop (resp); } } @@ -200,6 +204,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, if (pipe(fds) != 0) { + pam_overwrite_array(authtok); pam_syslog (pamh, LOG_ERR, "Could not create pipe: %m"); return PAM_SYSTEM_ERR; } 
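Review bot: The `pam_overwrite_array(authtok)` placed before `return PAM_SYSTEM_ERR` in the pipe() failure hunk is the first of several copies of the same scrub on separate early-return paths (the fdopen, optargc, sigaction and fork returns in the next hunk repeat it), so any early return added later silently skips the wipe. A single cleanup label reached by every error path, e.g. `err: pam_overwrite_array(authtok); return retval;` with each return rewritten as `retval = PAM_SYSTEM_ERR; goto err;`, keeps the scrub unconditional. call_exec starts before and ends after this hunk, so the label placement needs the whole function in view.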
@@ -210,25 +215,38 @@ call_exec (const char *pam_type, pam_handle_t *pamh, { if (pipe(stdout_fds) != 0) { + pam_overwrite_array(authtok); pam_syslog (pamh, LOG_ERR, "Could not create pipe: %m"); return PAM_SYSTEM_ERR; } stdout_file = fdopen(stdout_fds[0], "r"); if (!stdout_file) { + pam_overwrite_array(authtok); pam_syslog (pamh, LOG_ERR, "Could not fdopen pipe: %m"); return PAM_SYSTEM_ERR; } } if (optargc >= argc) { + pam_overwrite_array(authtok); pam_syslog (pamh, LOG_ERR, "No path given as argument"); return PAM_SERVICE_ERR; } + memset(&newsa, '\0', sizeof(newsa)); + newsa.sa_handler = SIG_DFL; + if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) { + pam_overwrite_array(authtok); + pam_syslog(pamh, LOG_ERR, "failed to reset SIGCHLD handler: %m"); + return PAM_SYSTEM_ERR; + } + pid = fork(); - if (pid == -1) + if (pid == -1) { + pam_overwrite_array(authtok); return PAM_SYSTEM_ERR; + } if (pid > 0) /* parent */ { int status = 0; @@ -246,6 +264,8 @@ call_exec (const char *pam_type, pam_handle_t *pamh, close(fds[1]); } + pam_overwrite_array(authtok); + if (use_stdout) { char buf[4096]; @@ -263,6 +283,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, while ((rc = waitpid (pid, &status, 0)) == -1 && errno == EINTR); + sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ if (rc == (pid_t)-1) { pam_syslog (pamh, LOG_ERR, "waitpid returns with -1: %m"); @@ -305,9 +326,9 @@ call_exec (const char *pam_type, pam_handle_t *pamh, } else /* child */ { - char **arggv; + const char **arggv; int i; - char **envlist, **tmp; + char **envlist; int envlen, nitems; char *envstr; enum pam_modutil_redirect_fd redirect_stdin = @@ -315,6 +336,8 @@ call_exec (const char *pam_type, pam_handle_t *pamh, enum pam_modutil_redirect_fd redirect_stdout = (use_stdout || logfile) ? PAM_MODUTIL_IGNORE_FD : PAM_MODUTIL_NULL_FD; + pam_overwrite_array(authtok); + /* First, move all the pipes off of stdin, stdout, and stderr, to ensure * that calls to dup2 won't close them. */ 
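Review bot: On the `pid == -1` branch the new code wipes authtok and returns, but the SIGCHLD disposition reset to SIG_DFL just above is never restored, because the `sigaction(SIGCHLD, &oldsa, NULL)` restore sits after waitpid and only runs in the parent path; the calling application is left with its SIGCHLD handler replaced. Add `sigaction(SIGCHLD, &oldsa, NULL);` before that return, and check any other return between fork and waitpid in the parent branch that lies outside this hunk for the same omission. A short comment on the reset would record why it is needed and its side effect, for instance `/* the application may have SIGCHLD set to SIG_IGN, which makes waitpid() fail with ECHILD; any SIGCHLD from its other children is discarded until the handler is restored */`. The parent branch of call_exec continues outside the hunk.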
@@ -418,7 +441,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, _exit (ENOMEM); for (i = 0; i < (argc - optargc); i++) - arggv[i] = strdup(argv[i+optargc]); + arggv[i] = argv[i+optargc]; arggv[i] = NULL; /* @@ -430,14 +453,12 @@ call_exec (const char *pam_type, pam_handle_t *pamh, /* nothing */ ; nitems = PAM_ARRAY_SIZE(env_items); /* + 2 because of PAM_TYPE and NULL entry */ - tmp = realloc(envlist, (envlen + nitems + 2) * sizeof(*envlist)); - if (tmp == NULL) + envlist = realloc(envlist, (envlen + nitems + 2) * sizeof(*envlist)); + if (envlist == NULL) { - free(envlist); pam_syslog (pamh, LOG_CRIT, "realloc environment failed: %m"); _exit (ENOMEM); } - envlist = tmp; for (i = 0; i < nitems; ++i) { const void *item; @@ -446,7 +467,6 @@ call_exec (const char *pam_type, pam_handle_t *pamh, continue; if (asprintf(&envstr, "%s=%s", env_items[i].name, (const char *)item) < 0) { - free(envlist); pam_syslog (pamh, LOG_CRIT, "prepare environment failed: %m"); _exit (ENOMEM); } @@ -456,7 +476,6 @@ call_exec (const char *pam_type, pam_handle_t *pamh, if (asprintf(&envstr, "PAM_TYPE=%s", pam_type) < 0) { - free(envlist); pam_syslog (pamh, LOG_CRIT, "prepare environment failed: %m"); _exit (ENOMEM); } @@ -466,10 +485,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh, if (debug) pam_syslog (pamh, LOG_DEBUG, "Calling %s ...", arggv[0]); - execve (arggv[0], arggv, envlist); + DIAG_PUSH_IGNORE_CAST_QUAL; + execve (arggv[0], (char **) arggv, envlist); + DIAG_POP_IGNORE_CAST_QUAL; i = errno; pam_syslog (pamh, LOG_ERR, "execve(%s,...) failed: %m", arggv[0]); - free(envlist); _exit (i); } return PAM_SYSTEM_ERR; /* will never be reached. */ |
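Review bot: `envlist = realloc(envlist, ...)` reinstates the overwrite-on-failure form that the removed `tmp` variable avoided; it is harmless only because the failure branch calls `_exit` in the child without returning, and the same reasoning is what makes the dropped `free(envlist)` calls in the asprintf and execve failure paths safe. That reasoning is stated nowhere in the hunk, so a linter will flag the realloc and a later refactor that turns an `_exit` into a return reintroduces a leak. A one-line comment above the call, `/* child process: no tmp/free needed, every failure path _exit()s */`, pins it down. The child branch of call_exec begins in the previous hunk and ends after this one.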