Diffstat (limited to 'modules/pam_timestamp')
-rw-r--r-- | modules/pam_timestamp/Makefile.am | 17 | ||||
-rw-r--r-- | modules/pam_timestamp/Makefile.in | 51 | ||||
-rw-r--r-- | modules/pam_timestamp/README.xml | 35 | ||||
-rw-r--r-- | modules/pam_timestamp/hmac_openssl_wrapper.c | 9 | ||||
-rw-r--r-- | modules/pam_timestamp/hmacsha1.c | 16 | ||||
-rw-r--r-- | modules/pam_timestamp/pam_timestamp.8 | 21 | ||||
-rw-r--r-- | modules/pam_timestamp/pam_timestamp.8.xml | 53 | ||||
-rw-r--r-- | modules/pam_timestamp/pam_timestamp.c | 49 | ||||
-rw-r--r-- | modules/pam_timestamp/pam_timestamp_check.8 | 14 | ||||
-rw-r--r-- | modules/pam_timestamp/pam_timestamp_check.8.xml | 45 |
10 files changed, 166 insertions, 144 deletions
diff --git a/modules/pam_timestamp/Makefile.am b/modules/pam_timestamp/Makefile.am index d290b85f..27d61237 100644 --- a/modules/pam_timestamp/Makefile.am +++ b/modules/pam_timestamp/Makefile.am @@ -16,15 +16,19 @@ dist_check_SCRIPTS = tst-pam_timestamp TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif noinst_HEADERS = hmacsha1.h sha1.h hmac_openssl_wrapper.h AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - $(WARN_CFLAGS) + $(LOGIND_CFLAGS) $(WARN_CFLAGS) pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module $(AM_LDFLAGS) $(CRYPTO_LIBS) -pam_timestamp_la_LIBADD = $(top_builddir)/libpam/libpam.la +pam_timestamp_la_LIBADD = $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS) if HAVE_VERSIONING pam_timestamp_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif @@ -42,17 +46,14 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS) pam_timestamp_check_SOURCES = pam_timestamp_check.c pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ -pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la +pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS) pam_timestamp_check_LDFLAGS = @EXE_LDFLAGS@ -if COND_USE_OPENSSL -hmacfile_SOURCES = hmac_openssl_wrapper.c -else +if !COND_USE_OPENSSL hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c -endif hmacfile_LDADD = $(top_builddir)/libpam/libpam.la - check_PROGRAMS = hmacfile +endif if ENABLE_REGENERATE_MAN dist_noinst_DATA = README diff --git a/modules/pam_timestamp/Makefile.in b/modules/pam_timestamp/Makefile.in index 440020b5..feffca8e 100644 --- a/modules/pam_timestamp/Makefile.in +++ b/modules/pam_timestamp/Makefile.in 
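Review bot: The compile side of the new dependency comes from `$(LOGIND_CFLAGS)` in AM_CFLAGS while the link side comes from `$(SYSTEMD_LIBS)` in the two LIBADD/LDADD lines; the Makefile.in in this same commit also defines `SYSTEMD_CFLAGS`, so unless configure deliberately maps one onto the other the two halves can drift apart. Consider pairing `$(SYSTEMD_CFLAGS)` with `$(SYSTEMD_LIBS)` (or LOGIND_* for both) and adding a one-line comment on the AM_CFLAGS line naming the configure check that supplies them. Putting the flags into AM_CFLAGS also applies them to pam_timestamp_check, which appears intended since it now links `$(SYSTEMD_LIBS)` as well.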
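Review bot: With `if !COND_USE_OPENSSL` wrapped around `check_PROGRAMS = hmacfile`, the hmacfile test program is no longer built in the OpenSSL configuration, so `TESTS` stops exercising the HMAC implementation in exactly the build that uses hmac_openssl_wrapper.c, which the old rule did compile into hmacfile. If hmacfile.c cannot drive the wrapper's interface, that is worth recording above the conditional, e.g. `# hmacfile only exercises the bundled SHA1 HMAC; the OpenSSL wrapper needs its own test`, and the wrapper should get an equivalent check so the key-file and zeroisation paths remain covered.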
@@ -100,7 +100,7 @@ host_triplet = @host@ sbin_PROGRAMS = pam_timestamp_check$(EXEEXT) @COND_USE_OPENSSL_TRUE@am__append_2 = hmac_openssl_wrapper.c @COND_USE_OPENSSL_FALSE@am__append_3 = hmacsha1.c sha1.c -check_PROGRAMS = hmacfile$(EXEEXT) +@COND_USE_OPENSSL_FALSE@check_PROGRAMS = hmacfile$(EXEEXT) subdir = modules/pam_timestamp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ @@ -158,7 +158,9 @@ am__uninstall_files_from_dir = { \ $(am__cd) "$$dir" && rm -f $$files; }; \ } LTLIBRARIES = $(securelib_LTLIBRARIES) -pam_timestamp_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +am__DEPENDENCIES_1 = +pam_timestamp_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ + $(am__DEPENDENCIES_1) am__pam_timestamp_la_SOURCES_DIST = pam_timestamp.c \ hmac_openssl_wrapper.c hmacsha1.c sha1.c @COND_USE_OPENSSL_TRUE@am__objects_1 = pam_timestamp_la-hmac_openssl_wrapper.lo 
@@ -175,18 +177,17 @@ pam_timestamp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(pam_timestamp_la_CFLAGS) $(CFLAGS) \ $(pam_timestamp_la_LDFLAGS) $(LDFLAGS) -o $@ -am__hmacfile_SOURCES_DIST = hmacfile.c hmacsha1.c sha1.c \ - hmac_openssl_wrapper.c +am__hmacfile_SOURCES_DIST = hmacfile.c hmacsha1.c sha1.c @COND_USE_OPENSSL_FALSE@am_hmacfile_OBJECTS = hmacfile.$(OBJEXT) \ @COND_USE_OPENSSL_FALSE@ hmacsha1.$(OBJEXT) sha1.$(OBJEXT) -@COND_USE_OPENSSL_TRUE@am_hmacfile_OBJECTS = \ -@COND_USE_OPENSSL_TRUE@ hmac_openssl_wrapper.$(OBJEXT) hmacfile_OBJECTS = $(am_hmacfile_OBJECTS) -hmacfile_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +@COND_USE_OPENSSL_FALSE@hmacfile_DEPENDENCIES = \ +@COND_USE_OPENSSL_FALSE@ $(top_builddir)/libpam/libpam.la am_pam_timestamp_check_OBJECTS = \ pam_timestamp_check-pam_timestamp_check.$(OBJEXT) pam_timestamp_check_OBJECTS = $(am_pam_timestamp_check_OBJECTS) -pam_timestamp_check_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +pam_timestamp_check_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ + $(am__DEPENDENCIES_1) pam_timestamp_check_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(pam_timestamp_check_CFLAGS) $(CFLAGS) \ @@ -206,8 +207,7 @@ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp am__maybe_remake_depfiles = depfiles -am__depfiles_remade = ./$(DEPDIR)/hmac_openssl_wrapper.Po \ - ./$(DEPDIR)/hmacfile.Po ./$(DEPDIR)/hmacsha1.Po \ +am__depfiles_remade = ./$(DEPDIR)/hmacfile.Po ./$(DEPDIR)/hmacsha1.Po \ ./$(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po \ ./$(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Plo \ ./$(DEPDIR)/pam_timestamp_la-hmacsha1.Plo \ @@ -473,6 +473,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ 
@@ -485,11 +486,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -521,12 +524,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -549,6 +554,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ @@ -559,12 +565,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ 
@@ -638,25 +648,25 @@ XMLS = README.xml pam_timestamp.8.xml pam_timestamp_check.8.xml dist_check_SCRIPTS = tst-pam_timestamp TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) noinst_HEADERS = hmacsha1.h sha1.h hmac_openssl_wrapper.h AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - $(WARN_CFLAGS) + $(LOGIND_CFLAGS) $(WARN_CFLAGS) pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module \ $(AM_LDFLAGS) $(CRYPTO_LIBS) $(am__append_1) -pam_timestamp_la_LIBADD = $(top_builddir)/libpam/libpam.la +pam_timestamp_la_LIBADD = $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS) securelib_LTLIBRARIES = pam_timestamp.la pam_timestamp_la_SOURCES = pam_timestamp.c $(am__append_2) \ $(am__append_3) pam_timestamp_la_CFLAGS = $(AM_CFLAGS) pam_timestamp_check_SOURCES = pam_timestamp_check.c pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ -pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la +pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS) pam_timestamp_check_LDFLAGS = @EXE_LDFLAGS@ @COND_USE_OPENSSL_FALSE@hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c -@COND_USE_OPENSSL_TRUE@hmacfile_SOURCES = hmac_openssl_wrapper.c -hmacfile_LDADD = $(top_builddir)/libpam/libpam.la +@COND_USE_OPENSSL_FALSE@hmacfile_LDADD = $(top_builddir)/libpam/libpam.la @ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am 
@@ -802,7 +812,6 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac_openssl_wrapper.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmacfile.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmacsha1.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po@am__quote@ # am--include-marker @@ -1236,8 +1245,7 @@ clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ clean-sbinPROGRAMS clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -f ./$(DEPDIR)/hmac_openssl_wrapper.Po - -rm -f ./$(DEPDIR)/hmacfile.Po + -rm -f ./$(DEPDIR)/hmacfile.Po -rm -f ./$(DEPDIR)/hmacsha1.Po -rm -f ./$(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po -rm -f ./$(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Plo @@ -1290,8 +1298,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -f ./$(DEPDIR)/hmac_openssl_wrapper.Po - -rm -f ./$(DEPDIR)/hmacfile.Po + -rm -f ./$(DEPDIR)/hmacfile.Po -rm -f ./$(DEPDIR)/hmacsha1.Po -rm -f ./$(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po -rm -f ./$(DEPDIR)/pam_timestamp_la-hmac_openssl_wrapper.Plo diff --git a/modules/pam_timestamp/README.xml b/modules/pam_timestamp/README.xml index 5b72deb1..fe01080b 100644 --- a/modules/pam_timestamp/README.xml +++ b/modules/pam_timestamp/README.xml 
@@ -1,46 +1,31 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_timestamp.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_timestamp.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_timestamp-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_timestamp.8.xml" xpointer='xpointer(id("pam_timestamp-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_timestamp.8.xml" xpointer='xpointer(id("pam_timestamp-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_timestamp.8.xml" xpointer='xpointer(id("pam_timestamp-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-notes"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_timestamp.8.xml" xpointer='xpointer(id("pam_timestamp-notes")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_timestamp.8.xml" xpointer='xpointer(id("pam_timestamp-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - 
href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_timestamp.8.xml" xpointer='xpointer(id("pam_timestamp-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_timestamp/hmac_openssl_wrapper.c b/modules/pam_timestamp/hmac_openssl_wrapper.c index 926c2fb9..2549c1db 100644 --- a/modules/pam_timestamp/hmac_openssl_wrapper.c +++ b/modules/pam_timestamp/hmac_openssl_wrapper.c @@ -54,6 +54,7 @@ #include <security/pam_modutil.h> #include "hmac_openssl_wrapper.h" +#include "pam_inline.h" #define LOGIN_DEFS "/etc/login.defs" #define CRYPTO_KEY "HMAC_CRYPTO_ALGO" @@ -144,7 +145,7 @@ read_file(pam_handle_t *pamh, int fd, char **text, size_t *text_length) if (bytes_read < (size_t)st.st_size) { pam_syslog(pamh, LOG_ERR, "Short read on key file"); - memset(tmp, 0, st.st_size); + pam_overwrite_n(tmp, st.st_size); free(tmp); return PAM_AUTH_ERR; } @@ -167,14 +168,14 @@ write_file(pam_handle_t *pamh, const char *file_name, char *text, S_IRUSR | S_IWUSR); if (fd == -1) { pam_syslog(pamh, LOG_ERR, "Unable to open [%s]: %m", file_name); - memset(text, 0, text_length); + pam_overwrite_n(text, text_length); free(text); return PAM_AUTH_ERR; } if (fchown(fd, owner, group) == -1) { pam_syslog(pamh, LOG_ERR, "Unable to change ownership [%s]: %m", file_name); - memset(text, 0, text_length); + pam_overwrite_n(text, text_length); free(text); close(fd); return PAM_AUTH_ERR; @@ -294,7 +295,7 @@ done: free(hmac_message); } if (key != NULL) { - memset(key, 0, key_length); + pam_overwrite_n(key, key_length); free(key); } if (ctx != NULL) { diff --git a/modules/pam_timestamp/hmacsha1.c b/modules/pam_timestamp/hmacsha1.c index 45a3cac2..384ccde8 100644 --- a/modules/pam_timestamp/hmacsha1.c +++ b/modules/pam_timestamp/hmacsha1.c @@ -48,6 +48,7 @@ #include <unistd.h> #include <syslog.h> #include <security/pam_ext.h> +#include "pam_inline.h" #include "hmacsha1.h" #include "sha1.h" 
@@ -107,7 +108,7 @@ hmac_key_create(pam_handle_t *pamh, const char *filename, size_t key_size, /* If we didn't get enough, stop here. */ if (count < key_size) { pam_syslog(pamh, LOG_ERR, "Short read on random device"); - memset(key, 0, key_size); + pam_overwrite_n(key, key_size); free(key); close(keyfd); return; @@ -122,7 +123,7 @@ hmac_key_create(pam_handle_t *pamh, const char *filename, size_t key_size, } count += i; } - memset(key, 0, key_size); + pam_overwrite_n(key, key_size); free(key); close(keyfd); } @@ -180,7 +181,7 @@ hmac_key_read(pam_handle_t *pamh, const char *filename, size_t default_key_size, /* Require that we got the expected amount of data. */ if (count < st.st_size) { - memset(tmp, 0, st.st_size); + pam_overwrite_n(tmp, st.st_size); free(tmp); return; } @@ -204,7 +205,7 @@ hmac_sha1_generate(void **mac, size_t *mac_length, const void *raw_key, size_t raw_key_size, const void *text, size_t text_length) { - unsigned char key[MAXIMUM_KEY_SIZE], tmp_key[MAXIMUM_KEY_SIZE]; + unsigned char key[MAXIMUM_KEY_SIZE] = {}, tmp_key[MAXIMUM_KEY_SIZE]; size_t maximum_key_size = SHA1_BLOCK_SIZE, minimum_key_size = SHA1_OUTPUT_SIZE; const unsigned char ipad = 0x36, opad = 0x5c; @@ -223,7 +224,6 @@ hmac_sha1_generate(void **mac, size_t *mac_length, /* If the key is too long, "compress" it, else copy it and pad it * out with zero bytes. */ - memset(key, 0, sizeof(key)); if (raw_key_size > maximum_key_size) { sha1_init(&sha1); sha1_update(&sha1, raw_key, raw_key_size); @@ -251,8 +251,8 @@ hmac_sha1_generate(void **mac, size_t *mac_length, sha1_output(&sha1, outer); /* We don't need any of the keys any more. */ - memset(key, 0, sizeof(key)); - memset(tmp_key, 0, sizeof(tmp_key)); + pam_overwrite_array(key); + pam_overwrite_array(tmp_key); /* Allocate space to store the output. */ *mac_length = sizeof(outer); 
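Review bot: `unsigned char key[MAXIMUM_KEY_SIZE] = {}` uses an empty-brace initializer, which is a GNU extension in C before C23; the portable spelling is `unsigned char key[MAXIMUM_KEY_SIZE] = {0}, tmp_key[MAXIMUM_KEY_SIZE];`, and the same applies to `char scratch[BUFLEN] = {};` in check_dir_perms in pam_timestamp.c. Removing the later `memset(key, 0, sizeof(key))` before the "compress or pad" step is only equivalent if nothing writes to `key` between its declaration and that point, which the hunk does not show and should be confirmed. The rest of hmac_sha1_generate lies outside the hunk.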
@@ -284,7 +284,7 @@ hmac_sha1_generate_file(pam_handle_t *pamh, void **mac, size_t *mac_length, hmac_sha1_generate(mac, mac_length, key, key_length, text, text_length); - memset(key, 0, key_length); + pam_overwrite_n(key, key_length); free(key); } diff --git a/modules/pam_timestamp/pam_timestamp.8 b/modules/pam_timestamp/pam_timestamp.8 index cd8195dc..a7b7e1c3 100644 --- a/modules/pam_timestamp/pam_timestamp.8 +++ b/modules/pam_timestamp/pam_timestamp.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_timestamp .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_TIMESTAMP" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_TIMESTAMP" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -45,33 +45,28 @@ When an application opens a session using directory for the user\&. When an application attempts to authenticate the user, a \fIpam_timestamp\fR will treat a sufficiently recent timestamp file as grounds for succeeding\&. -.PP -The default encryption hash is taken from the -\fBHMAC_CRYPTO_ALGO\fR -variable from -\fI/etc/login\&.defs\fR\&. .SH "OPTIONS" .PP -\fBtimestampdir=\fR\fB\fIdirectory\fR\fR +timestampdir=directory .RS 4 Specify an alternate directory where \fIpam_timestamp\fR creates timestamp files\&. .RE .PP -\fBtimestamp_timeout=\fR\fB\fInumber\fR\fR +timestamp_timeout=number .RS 4 How long should \fIpam_timestamp\fR treat timestamp as valid after their last modification date (in seconds)\&. Default is 300 seconds\&. .RE .PP -\fBverbose\fR +verbose .RS 4 Attempt to inform the user when access is granted\&. .RE .PP -\fBdebug\fR +debug .RS 4 Turns on debugging messages sent to \fBsyslog\fR(3)\&. diff --git a/modules/pam_timestamp/pam_timestamp.8.xml b/modules/pam_timestamp/pam_timestamp.8.xml index 83e5aea8..a763ad86 100644 --- a/modules/pam_timestamp/pam_timestamp.8.xml +++ b/modules/pam_timestamp/pam_timestamp.8.xml 
@@ -1,39 +1,36 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_timestamp"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_timestamp"> <refmeta> <refentrytitle>pam_timestamp</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_timestamp-name"> + <refnamediv xml:id="pam_timestamp-name"> <refname>pam_timestamp</refname> <refpurpose>Authenticate using cached successful authentication attempts</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_timestamp-cmdsynopsis"> + <cmdsynopsis xml:id="pam_timestamp-cmdsynopsis" sepchar=" "> <command>pam_timestamp.so</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> timestampdir=<replaceable>directory</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> timestamp_timeout=<replaceable>number</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> verbose </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_timestamp-description"> + <refsect1 xml:id="pam_timestamp-description"> <title>DESCRIPTION</title> 
@@ -52,18 +49,18 @@ file as grounds for succeeding. </para> <para condition="openssl_hmac"> The default encryption hash is taken from the - <emphasis remap='B'>HMAC_CRYPTO_ALGO</emphasis> variable from + <emphasis remap="B">HMAC_CRYPTO_ALGO</emphasis> variable from <emphasis>/etc/login.defs</emphasis>. </para> </refsect1> - <refsect1 id="pam_timestamp-options"> + <refsect1 xml:id="pam_timestamp-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>timestampdir=<replaceable>directory</replaceable></option> + timestampdir=directory </term> <listitem> <para> @@ -74,7 +71,7 @@ file as grounds for succeeding. </varlistentry> <varlistentry> <term> - <option>timestamp_timeout=<replaceable>number</replaceable></option> + timestamp_timeout=number </term> <listitem> <para> @@ -86,7 +83,7 @@ file as grounds for succeeding. </varlistentry> <varlistentry> <term> - <option>verbose</option> + verbose </term> <listitem> <para> @@ -96,7 +93,7 @@ file as grounds for succeeding. </varlistentry> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -109,7 +106,7 @@ file as grounds for succeeding. </variablelist> </refsect1> - <refsect1 id="pam_timestamp-types"> + <refsect1 xml:id="pam_timestamp-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option> and <option>session</option> @@ -117,7 +114,7 @@ file as grounds for succeeding. </para> </refsect1> - <refsect1 id='pam_timestamp-return_values'> + <refsect1 xml:id="pam_timestamp-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -148,7 +145,7 @@ file as grounds for succeeding. </variablelist> </refsect1> - <refsect1 id='pam_timestamp-notes'> + <refsect1 xml:id="pam_timestamp-notes"> <title>NOTES</title> <para> Users can get confused when they are not always asked for passwords when 
@@ -157,7 +154,7 @@ noticing that it is not being asked for. </para> </refsect1> - <refsect1 id='pam_timestamp-examples'> + <refsect1 xml:id="pam_timestamp-examples"> <title>EXAMPLES</title> <programlisting> auth sufficient pam_timestamp.so verbose @@ -168,11 +165,11 @@ session optional pam_timestamp.so </programlisting> </refsect1> - <refsect1 id="pam_timestamp-files"> + <refsect1 xml:id="pam_timestamp-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/var/run/pam_timestamp/...</filename></term> + <term>/var/run/pam_timestamp/...</term> <listitem> <para>timestamp files and directories</para> </listitem> @@ -180,7 +177,7 @@ session optional pam_timestamp.so </variablelist> </refsect1> - <refsect1 id='pam_timestamp-see_also'> + <refsect1 xml:id="pam_timestamp-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -198,11 +195,11 @@ session optional pam_timestamp.so </para> </refsect1> - <refsect1 id='pam_timestamp-author'> + <refsect1 xml:id="pam_timestamp-author"> <title>AUTHOR</title> <para> pam_timestamp was written by Nalin Dahyabhai. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c index 01dd1385..c5fa6dfc 100644 --- a/modules/pam_timestamp/pam_timestamp.c +++ b/modules/pam_timestamp/pam_timestamp.c @@ -53,7 +53,6 @@ #include <time.h> #include <sys/time.h> #include <unistd.h> -#include <utmp.h> #include <syslog.h> #include <paths.h> #ifdef WITH_OPENSSL @@ -62,6 +61,12 @@ #include "hmacsha1.h" #endif /* WITH_OPENSSL */ +#ifdef USE_LOGIND +#include <systemd/sd-login.h> +#else +#include <utmp.h> +#endif + #include <security/pam_modules.h> #include <security/_pam_macros.h> #include <security/pam_ext.h> @@ -90,7 +95,7 @@ static int check_dir_perms(pam_handle_t *pamh, const char *tdir) { - char scratch[BUFLEN]; + char scratch[BUFLEN] = {}; struct stat st; int i; /* Check that the directory is "safe". */ @@ -98,7 +103,6 @@ check_dir_perms(pam_handle_t *pamh, const char *tdir) return PAM_AUTH_ERR; } /* Iterate over the path, checking intermediate directories. */ - memset(scratch, 0, sizeof(scratch)); for (i = 0; (tdir[i] != '\0') && (i < (int)sizeof(scratch)); i++) { scratch[i] = tdir[i]; if ((scratch[i] == '/') || (tdir[i + 1] == '\0')) { @@ -200,10 +204,26 @@ timestamp_good(time_t then, time_t now, time_t interval) } static int -check_login_time(const char *ruser, time_t timestamp) +check_login_time( +#ifdef USE_LOGIND + uid_t uid, +#else + const char *ruser, +#endif + time_t timestamp) { - struct utmp utbuf, *ut; time_t oldest_login = 0; +#ifdef USE_LOGIND +#define USEC_PER_SEC ((uint64_t) 1000000ULL) + uint64_t usec = 0; + + if (sd_uid_get_login_time(uid, &usec) < 0) { + return PAM_SERVICE_ERR; + } + + oldest_login = usec/USEC_PER_SEC; +#else + struct utmp utbuf, *ut; setutent(); while( @@ -224,6 +244,7 @@ check_login_time(const char *ruser, time_t timestamp) } } endutent(); +#endif if(oldest_login == 0 || timestamp < oldest_login) { return PAM_AUTH_ERR; } 
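Review bot: `#define USEC_PER_SEC` is introduced inside the body of check_login_time; a macro defined there is still visible to the rest of the translation unit and would collide with any later definition of the same name, so it belongs next to the `#include <systemd/sd-login.h>` block or as a `static const uint64_t` at file scope. The logind branch returns PAM_SERVICE_ERR when `sd_uid_get_login_time` fails and both callers test `!= PAM_SUCCESS`, so an unreadable login time disallows the timestamp rather than accepting it; that fail-closed choice deserves a comment such as `/* No login time from logind: fail closed, the timestamp cannot be validated. */`. Whether `sd_uid_get_login_time` reports the same instant the utmp loop computes as `oldest_login` is not visible here and should be confirmed, since a later value rejects valid timestamps and an earlier one accepts stale ones. The utmp loop and the `#endif` that closes the branch are split across this hunk and the next, and the function continues outside both.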
@@ -532,7 +553,15 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) close(fd); return PAM_AUTH_ERR; } +#ifdef USE_LOGIND + struct passwd *pwd = pam_modutil_getpwnam(pamh, ruser); + if (pwd != NULL) { + return PAM_SERVICE_ERR; + } + if (check_login_time(pwd->pw_uid, then) != PAM_SUCCESS) +#else if (check_login_time(ruser, then) != PAM_SUCCESS) +#endif { pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' is " "older than oldest login, disallowing " @@ -728,6 +757,9 @@ main(int argc, char **argv) fd_set write_fds; char path[BUFLEN]; struct stat st; +#ifdef USE_LOGIND + uid_t uid; +#endif /* Check that there's nothing funny going on with stdio. */ if ((fstat(STDIN_FILENO, &st) == -1) || @@ -783,6 +815,9 @@ main(int argc, char **argv) if (pwd == NULL) { retval = 4; } +#ifdef USE_LOGIND + uid = pwd->pw_uid; +#endif /* Get the name of the target user. */ user = strdup(pwd->pw_name); @@ -833,7 +868,11 @@ main(int argc, char **argv) /* Check the timestamp. */ if (lstat(path, &st) != -1) { /* Check oldest login against timestamp */ +#ifdef USE_LOGIND + if (check_login_time(uid, st.st_mtime) != PAM_SUCCESS) { +#else if (check_login_time(user, st.st_mtime) != PAM_SUCCESS) { +#endif retval = 7; } else if (timestamp_good(st.st_mtime, time(NULL), DEFAULT_TIMESTAMP_TIMEOUT) != PAM_SUCCESS) { diff --git a/modules/pam_timestamp/pam_timestamp_check.8 b/modules/pam_timestamp/pam_timestamp_check.8 index a0373757..3425a369 100644 --- a/modules/pam_timestamp/pam_timestamp_check.8 +++ b/modules/pam_timestamp/pam_timestamp_check.8 
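Review bot: The NULL check on the new `pwd` lookup is inverted: `if (pwd != NULL) { return PAM_SERVICE_ERR; }` fails every successful lookup, and when the lookup does fail the next line dereferences NULL in `check_login_time(pwd->pw_uid, then)`; it should read `if (pwd == NULL) { return PAM_SERVICE_ERR; }`. As written a USE_LOGIND build can never honour a timestamp, which is fail-closed but defeats the module. The preceding error branch calls `close(fd)` before returning, so if `fd` is still open at this point the new return path should close it as well. pam_sm_authenticate continues outside the hunk.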
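Review bot: In main, `uid = pwd->pw_uid;` runs right after the branch that only sets `retval = 4` for a NULL `pwd`, so unless code between the hunk's lines bails out on retval this dereferences NULL; the following `strdup(pwd->pw_name)` has the same shape, so this may be pre-existing, but the new line should not add to it. Guard it as `if (pwd != NULL) uid = pwd->pw_uid;` and initialise the variable at its declaration in the earlier hunk (`uid_t uid = 0;` or an explicit sentinel) so the later `check_login_time(uid, st.st_mtime)` never reads an indeterminate value. main continues outside the hunk.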
@@ -1,13 +1,13 @@ '\" t .\" Title: pam_timestamp_check .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_TIMESTAMP_CHECK" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_TIMESTAMP_CHECK" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -39,19 +39,19 @@ With no arguments will check to see if the default timestamp is valid, or optionally remove it\&. .SH "OPTIONS" .PP -\fB\-k\fR +\-k .RS 4 Instead of checking the validity of a timestamp, remove it\&. This is analogous to sudo\*(Aqs \fI\-k\fR option\&. .RE .PP -\fB\-d\fR +\-d .RS 4 Instead of returning validity using an exit status, loop indefinitely, polling regularly and printing the status on standard output\&. .RE .PP -\fB\fItarget_user\fR\fR +target_user .RS 4 By default \fBpam_timestamp_check\fR diff --git a/modules/pam_timestamp/pam_timestamp_check.8.xml b/modules/pam_timestamp/pam_timestamp_check.8.xml index 3a65d7ef..f0c09560 100644 --- a/modules/pam_timestamp/pam_timestamp_check.8.xml +++ b/modules/pam_timestamp/pam_timestamp_check.8.xml 
@@ -1,36 +1,33 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_timestamp_check"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_timestamp_check"> <refmeta> <refentrytitle>pam_timestamp_check</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_timestamp_check-name"> + <refnamediv xml:id="pam_timestamp_check-name"> <refname>pam_timestamp_check</refname> <refpurpose>Check to see if the default timestamp is valid</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_timestamp_check-cmdsynopsis"> + <cmdsynopsis xml:id="pam_timestamp_check-cmdsynopsis" sepchar=" "> <command>pam_timestamp_check</command> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> -k </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> -d </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> <replaceable>target_user</replaceable> </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_timestamp_check-description"> + <refsect1 xml:id="pam_timestamp_check-description"> <title>DESCRIPTION</title> @@ -40,13 +37,13 @@ see if the default timestamp is valid, or optionally remove it. </para> </refsect1> - <refsect1 id="pam_timestamp_check-options"> + <refsect1 xml:id="pam_timestamp_check-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>-k</option> + -k </term> <listitem> <para> @@ -57,7 +54,7 @@ see if the default timestamp is valid, or optionally remove it. </varlistentry> <varlistentry> <term> - <option>-d</option> + -d </term> <listitem> <para> 
@@ -69,7 +66,7 @@ see if the default timestamp is valid, or optionally remove it. </varlistentry> <varlistentry> <term> - <option><replaceable>target_user</replaceable></option> + target_user </term> <listitem> <para> @@ -85,7 +82,7 @@ see if the default timestamp is valid, or optionally remove it. </variablelist> </refsect1> - <refsect1 id='pam_timestamp_check-return_values'> + <refsect1 xml:id="pam_timestamp_check-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -147,7 +144,7 @@ see if the default timestamp is valid, or optionally remove it. </variablelist> </refsect1> - <refsect1 id='pam_timestamp-notes'> + <refsect1 xml:id="pam_timestamp-notes"> <title>NOTES</title> <para> Users can get confused when they are not always asked for passwords when @@ -156,7 +153,7 @@ noticing that it is not being asked for. </para> </refsect1> - <refsect1 id='pam_timestamp-examples'> + <refsect1 xml:id="pam_timestamp-examples"> <title>EXAMPLES</title> <programlisting> auth sufficient pam_timestamp.so verbose @@ -167,11 +164,11 @@ session optional pam_timestamp.so </programlisting> </refsect1> - <refsect1 id="pam_timestamp-files"> + <refsect1 xml:id="pam_timestamp-files"> <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/var/run/sudo/...</filename></term> + <term>/var/run/sudo/...</term> <listitem> <para>timestamp files and directories</para> </listitem> @@ -179,7 +176,7 @@ session optional pam_timestamp.so </variablelist> </refsect1> - <refsect1 id='pam_timestamp-see_also'> + <refsect1 xml:id="pam_timestamp-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -197,11 +194,11 @@ session optional pam_timestamp.so </para> </refsect1> - <refsect1 id='pam_timestamp-author'> + <refsect1 xml:id="pam_timestamp-author"> <title>AUTHOR</title> <para> pam_timestamp was written by Nalin Dahyabhai. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file |