Diffstat (limited to 'modules/pam_keyinit')
-rw-r--r--modules/pam_keyinit/.cvsignore8
-rw-r--r--modules/pam_keyinit/Makefile.am33
-rw-r--r--modules/pam_keyinit/README.xml41
-rw-r--r--modules/pam_keyinit/pam_keyinit.8.xml241
-rw-r--r--modules/pam_keyinit/pam_keyinit.c269
-rwxr-xr-xmodules/pam_keyinit/tst-pam_keyinit2
6 files changed, 0 insertions, 594 deletions
diff --git a/modules/pam_keyinit/.cvsignore b/modules/pam_keyinit/.cvsignore
deleted file mode 100644
index a2072fc9..00000000
--- a/modules/pam_keyinit/.cvsignore
+++ /dev/null
@@ -1,8 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_keyinit.8
diff --git a/modules/pam_keyinit/Makefile.am b/modules/pam_keyinit/Makefile.am
deleted file mode 100644
index 5039705a..00000000
--- a/modules/pam_keyinit/Makefile.am
+++ /dev/null
@@ -1,33 +0,0 @@
-#
-# Copyright (c) 2006 David Howells <dhowells@redhat.com>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README $(XMLS) pam_keyinit.8 tst-pam_keyinit
-XMLS = README.xml pam_keyinit.8.xml
-
-if HAVE_KEY_MANAGEMENT
- man_MANS = pam_keyinit.8
- TESTS = tst-pam_keyinit
-endif
-
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_keyinit.8.xml
--include $(top_srcdir)/Make.xml.rules
-endif
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-if HAVE_KEY_MANAGEMENT
- securelib_LTLIBRARIES = pam_keyinit.la
-endif
-pam_keyinit_la_LIBADD = -L$(top_builddir)/libpam -lpam
diff --git a/modules/pam_keyinit/README.xml b/modules/pam_keyinit/README.xml
deleted file mode 100644
index 47659e89..00000000
--- a/modules/pam_keyinit/README.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_keyinit.8.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_keyinit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_keyinit-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-options"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-examples"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-author"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_keyinit/pam_keyinit.8.xml b/modules/pam_keyinit/pam_keyinit.8.xml
deleted file mode 100644
index c7dddf54..00000000
--- a/modules/pam_keyinit/pam_keyinit.8.xml
+++ /dev/null
@@ -1,241 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_keyinit">
-
- <refmeta>
- <refentrytitle>pam_keyinit</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id="pam_keyinit-name">
- <refname>pam_keyinit</refname>
- <refpurpose>Kernel session keyring initialiser module</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_keyinit-cmdsynopsis">
- <command>pam_keyinit.so</command>
- <arg choice="opt">
- debug
- </arg>
- <arg choice="opt">
- force
- </arg>
- <arg choice="opt">
- revoke
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id="pam_keyinit-description">
- <title>DESCRIPTION</title>
- <para>
- The pam_keyinit PAM module ensures that the invoking process has a
- session keyring other than the user default session keyring.
- </para>
- <para>
- The session component of the module checks to see if the process's
- session keyring is the user default, and, if it is, creates a new
- anonymous session keyring with which to replace it.
- </para>
- <para>
- If a new session keyring is created, it will install a link to the user
- common keyring in the session keyring so that keys common to the user
- will be automatically accessible through it.
- </para>
- <para>
- The session keyring of the invoking process will thenceforth be inherited
- by all its children unless they override it.
- </para>
- <para>
- This module is intended primarily for use by login processes. Be aware
- that after the session keyring has been replaced, the old session keyring
- and the keys it contains will no longer be accessible.
- </para>
- <para>
- This module should not, generally, be invoked by programs like
- <emphasis remap='B'>su</emphasis>, since it is usually desirable for the
- key set to percolate through to the alternate context. The keys have
- their own permissions system to manage this.
- </para>
- <para>
- This module should be included as early as possible in a PAM
- configuration, so that other PAM modules can attach tokens to the
- keyring.
- </para>
- <para>
- The keyutils package is used to manipulate keys more directly. This
- can be obtained from:
- </para>
- <para>
- <ulink url="http://people.redhat.com/~dhowells/keyutils/">
- Keyutils
- </ulink>
- </para>
- </refsect1>
-
- <refsect1 id="pam_keyinit-options">
- <title>OPTIONS</title>
- <variablelist>
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- Log debug information with <citerefentry>
- <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>force</option>
- </term>
- <listitem>
- <para>
- Causes the session keyring of the invoking process to be replaced
- unconditionally.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>revoke</option>
- </term>
- <listitem>
- <para>
- Causes the session keyring of the invoking process to be revoked
- when the invoking process exits if the session keyring was created
- for this process in the first place.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_keyinit-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- Only the <emphasis remap='B'>session</emphasis> service is supported.
- </para>
- </refsect1>
-
- <refsect1 id='pam_keyinit-return_values'>
- <title>RETURN VALUES</title>
- <variablelist>
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- This module will usually return this value
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_AUTH_ERR</term>
- <listitem>
- <para>
- Authentication failure.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_BUF_ERR</term>
- <listitem>
- <para>
- Memory buffer error.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_IGNORE</term>
- <listitem>
- <para>
- The return value should be ignored by PAM dispatch.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SERVICE_ERR</term>
- <listitem>
- <para>
- Cannot determine the user name.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SESSION_ERR</term>
- <listitem>
- <para>
- This module will return this value if its arguments are invalid or
- if a system error such as ENOMEM occurs.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_USER_UNKNOWN</term>
- <listitem>
- <para>
- User not known.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </refsect1>
-
- <refsect1 id='pam_keyinit-examples'>
- <title>EXAMPLES</title>
- <para>
- Add this line to your login entries to start each login session with its
- own session keyring:
- <programlisting>
-session required pam_keyinit.so
- </programlisting>
- </para>
- <para>
- This will prevent keys from one session leaking into another session for
- the same user.
- </para>
- </refsect1>
-
- <refsect1 id='pam_keyinit-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- <citerefentry>
- <refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id='pam_keyinit-author'>
- <title>AUTHOR</title>
- <para>
- pam_keyinit was written by David Howells, &lt;dhowells@redhat.com&gt;.
- </para>
- </refsect1>
-
-</refentry>
diff --git a/modules/pam_keyinit/pam_keyinit.c b/modules/pam_keyinit/pam_keyinit.c
deleted file mode 100644
index 378a7723..00000000
--- a/modules/pam_keyinit/pam_keyinit.c
+++ /dev/null
@@ -1,269 +0,0 @@
-/* pam_keyinit.c: Initialise the session keyring on login through a PAM module
- *
- * Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
- * Written by David Howells (dhowells@redhat.com)
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version
- * 2 of the License, or (at your option) any later version.
- */
-
-#include "config.h"
-#include <stdarg.h>
-#include <string.h>
-#include <syslog.h>
-#include <pwd.h>
-#include <unistd.h>
-#include <errno.h>
-#include <security/pam_modules.h>
-#include <security/pam_modutil.h>
-#include <security/pam_ext.h>
-#include <sys/syscall.h>
-
-#define KEY_SPEC_SESSION_KEYRING -3 /* ID for session keyring */
-#define KEY_SPEC_USER_KEYRING -4 /* ID for UID-specific keyring */
-#define KEY_SPEC_USER_SESSION_KEYRING -5 /* - key ID for UID-session keyring */
-
-#define KEYCTL_GET_KEYRING_ID 0 /* ask for a keyring's ID */
-#define KEYCTL_JOIN_SESSION_KEYRING 1 /* start named session keyring */
-#define KEYCTL_REVOKE 3 /* revoke a key */
-#define KEYCTL_LINK 8 /* link a key into a keyring */
-
-static int my_session_keyring;
-static int session_counter;
-static int do_revoke;
-static int revoke_as_uid;
-static int revoke_as_gid;
-static int xdebug = 0;
-
-static void debug(pam_handle_t *pamh, const char *fmt, ...)
- __attribute__((format(printf, 2, 3)));
-
-static void debug(pam_handle_t *pamh, const char *fmt, ...)
-{
- va_list va;
-
- if (xdebug) {
- va_start(va, fmt);
- pam_vsyslog(pamh, LOG_DEBUG, fmt, va);
- va_end(va);
- }
-}
-
-static int error(pam_handle_t *pamh, const char *fmt, ...)
- __attribute__((format(printf, 2, 3)));
-
-static int error(pam_handle_t *pamh, const char *fmt, ...)
-{
- va_list va;
-
- va_start(va, fmt);
- pam_vsyslog(pamh, LOG_ERR, fmt, va);
- va_end(va);
-
- return PAM_SESSION_ERR;
-}
-
-/*
- * initialise the session keyring for this process
- */
-static int init_keyrings(pam_handle_t *pamh, int force)
-{
- int session, usession, ret;
-
- if (!force) {
- /* get the IDs of the session keyring and the user session
- * keyring */
- session = syscall(__NR_keyctl,
- KEYCTL_GET_KEYRING_ID,
- KEY_SPEC_SESSION_KEYRING,
- 0);
- debug(pamh, "GET SESSION = %d", session);
- if (session < 0) {
- /* don't worry about keyrings if facility not
- * installed */
- if (errno == ENOSYS)
- return PAM_SUCCESS;
- return PAM_SESSION_ERR;
- }
-
- usession = syscall(__NR_keyctl,
- KEYCTL_GET_KEYRING_ID,
- KEY_SPEC_USER_SESSION_KEYRING,
- 0);
- debug(pamh, "GET SESSION = %d", usession);
- if (usession < 0)
- return PAM_SESSION_ERR;
-
- /* if the user session keyring is our keyring, then we don't
- * need to do anything if we're not forcing */
- if (session != usession)
- return PAM_SUCCESS;
- }
-
- /* create a session keyring, discarding the old one */
- ret = syscall(__NR_keyctl,
- KEYCTL_JOIN_SESSION_KEYRING,
- NULL);
- debug(pamh, "JOIN = %d", ret);
- if (ret < 0)
- return PAM_SESSION_ERR;
-
- my_session_keyring = ret;
-
- /* make a link from the session keyring to the user keyring */
- ret = syscall(__NR_keyctl,
- KEYCTL_LINK,
- KEY_SPEC_USER_KEYRING,
- KEY_SPEC_SESSION_KEYRING);
-
- return ret < 0 ? PAM_SESSION_ERR : PAM_SUCCESS;
-}
-
-/*
- * revoke the session keyring for this process
- */
-static void kill_keyrings(pam_handle_t *pamh)
-{
- int old_uid, old_gid;
-
- /* revoke the session keyring we created earlier */
- if (my_session_keyring > 0) {
- debug(pamh, "REVOKE %d", my_session_keyring);
-
- old_uid = geteuid();
- old_gid = getegid();
- debug(pamh, "UID:%d [%d] GID:%d [%d]",
- revoke_as_uid, old_uid, revoke_as_gid, old_gid);
-
- /* switch to the real UID and GID so that we have permission to
- * revoke the key */
- if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0)
- error(pamh, "Unable to change GID to %d temporarily\n",
- revoke_as_gid);
-
- if (revoke_as_uid != old_uid && setreuid(-1, revoke_as_uid) < 0)
- error(pamh, "Unable to change UID to %d temporarily\n",
- revoke_as_uid);
-
- syscall(__NR_keyctl,
- KEYCTL_REVOKE,
- my_session_keyring);
-
- /* return to the orignal UID and GID (probably root) */
- if (revoke_as_uid != old_uid && setreuid(-1, old_uid) < 0)
- error(pamh, "Unable to change UID back to %d\n", old_uid);
-
- if (revoke_as_gid != old_gid && setregid(-1, old_gid) < 0)
- error(pamh, "Unable to change GID back to %d\n", old_gid);
-
- my_session_keyring = 0;
- }
-}
-
-/*
- * open a PAM session by making sure there's a session keyring
- */
-PAM_EXTERN
-int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- struct passwd *pw;
- const char *username;
- int ret, old_uid, uid, old_gid, gid, loop, force = 0;
-
- for (loop = 0; loop < argc; loop++) {
- if (strcmp(argv[loop], "force") == 0)
- force = 1;
- else if (strcmp(argv[loop], "debug") == 0)
- xdebug = 1;
- else if (strcmp(argv[loop], "revoke") == 0)
- do_revoke = 1;
- }
-
- /* don't do anything if already created a keyring (will be called
- * multiple times if mentioned more than once in a pam script)
- */
- session_counter++;
-
- debug(pamh, "OPEN %d", session_counter);
-
- if (my_session_keyring > 0)
- return PAM_SUCCESS;
-
- /* look up the target UID */
- ret = pam_get_user(pamh, &username, "key user");
- if (ret != PAM_SUCCESS)
- return ret;
-
- pw = pam_modutil_getpwnam(pamh, username);
- if (!pw) {
- error(pamh, "Unable to look up user \"%s\"\n", username);
- return PAM_USER_UNKNOWN;
- }
-
- revoke_as_uid = uid = pw->pw_uid;
- old_uid = getuid();
- revoke_as_gid = gid = pw->pw_gid;
- old_gid = getgid();
- debug(pamh, "UID:%d [%d] GID:%d [%d]", uid, old_uid, gid, old_gid);
-
- /* switch to the real UID and GID so that the keyring ends up owned by
- * the right user */
- if (gid != old_gid && setregid(gid, -1) < 0) {
- error(pamh, "Unable to change GID to %d temporarily\n", gid);
- return PAM_SESSION_ERR;
- }
-
- if (uid != old_uid && setreuid(uid, -1) < 0) {
- error(pamh, "Unable to change UID to %d temporarily\n", uid);
- setregid(old_gid, -1);
- return PAM_SESSION_ERR;
- }
-
- ret = init_keyrings(pamh, force);
-
- /* return to the orignal UID and GID (probably root) */
- if (uid != old_uid && setreuid(old_uid, -1) < 0)
- ret = error(pamh, "Unable to change UID back to %d\n", old_uid);
-
- if (gid != old_gid && setregid(old_gid, -1) < 0)
- ret = error(pamh, "Unable to change GID back to %d\n", old_gid);
-
- return ret;
-}
-
-/*
- * close a PAM session by revoking the session keyring if requested
- */
-PAM_EXTERN
-int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- debug(pamh, "CLOSE %d,%d,%d",
- session_counter, my_session_keyring, do_revoke);
-
- session_counter--;
-
- if (session_counter == 0 && my_session_keyring > 0 && do_revoke)
- kill_keyrings(pamh);
-
- return PAM_SUCCESS;
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_keyinit_modstruct = {
- "pam_keyinit",
- NULL,
- NULL,
- NULL,
- pam_sm_open_session,
- pam_sm_close_session,
- NULL
-};
-#endif
-
diff --git a/modules/pam_keyinit/tst-pam_keyinit b/modules/pam_keyinit/tst-pam_keyinit
deleted file mode 100755
index f0a7b9bc..00000000
--- a/modules/pam_keyinit/tst-pam_keyinit
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_keyinit.so