aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* pam_succeed_if: do not call pam_sm_authenticateDmitry V. Levin2024-01-131-11/+21
| | | | | | | | | | | Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module. * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Rename to pam_succeed_if, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_succeed_if.
* pam_sepermit: do not call pam_sm_authenticateDmitry V. Levin2024-01-131-6/+12
| | | | | | | | | | | Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module. * modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Rename to pam_sepermit, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_sepermit.
* pam_localuser: do not call pam_sm_authenticateDmitry V. Levin2024-01-131-11/+21
| | | | | | | | | | | Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Rename to pam_localuser, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_localuser.
* pam_listfile: do not call pam_sm_authenticateDmitry V. Levin2024-01-131-17/+23
| | | | | | | | | | | Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module. * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Rename to pam_listfile, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_listfile.
* pam_lastlog: do not call pam_sm_authenticateDmitry V. Levin2024-01-131-4/+10
| | | | | | | | | | | Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module. * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Rename to pam_auth, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_auth.
* pam_access: do not call pam_sm_authenticateDmitry V. Levin2024-01-131-12/+18
| | | | | | | | | | | Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module. * modules/pam_access/pam_access.c (pam_sm_authenticate): Rename to pam_access, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_access.
* pam_listfile: log all option errorsDmitry V. Levin2024-01-131-15/+38
| | | | | | | | | The parser of module options used to bail out after the first option error without checking other options. With this change, while the return code semantics remains unchanged, all option errors are logged. * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Log all option errors.
* pam_listfile: consistently log unknown optionsDmitry V. Levin2024-01-131-2/+6
| | | | | | | | In most cases the parser of module options already logs unknown options before returning, but in two cases it didn't. * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Log unknown onerr= and sense= options.
* pam_access: add quiet_log optionAndreas Vögele2024-01-132-3/+24
| | | | | | | | | | | If quiet_log option is specified, no "access denied" message is logged. * modules/pam_access/pam_access.c (struct login_info): Add quiet_log. (parse_args): Initialize it. (pam_sm_authenticate): Use it. * modules/pam_access/pam_access.8.xml: Document quiet_log option. Closes: https://github.com/linux-pam/linux-pam/issues/706
* po: update translations using Weblate (Korean)김인수2024-01-131-5/+5
| | | | | | Currently translated at 100.0% (101 of 101 strings). Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/
* pam_listfile: treat \r like \nTobias Stoeckmann2024-01-121-7/+2
| | | | | | | | The characters \r and \n are replaced by NUL byte. Treat a line which is empty after removal of \r just like lines which are empty after the removal of \n. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: allow escaping of escape characterTobias Stoeckmann2024-01-122-3/+3
| | | | | | Otherwise it is not possible to add \ into an environment variable. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* modules: simplify newline removalTobias Stoeckmann2024-01-123-17/+5
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_debug: simplify state functionTobias Stoeckmann2024-01-121-8/+2
| | | | | | The return value of function state is never checked. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: fix Makefile.am dependenciesTobias Stoeckmann2024-01-121-1/+1
| | | | | | Comply with doc/man and enforce that pam_env.conf.5 does exist. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* doc: remove generated files during cleanupTobias Stoeckmann2024-01-121-1/+1
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* doc: remove unneeded test statementTobias Stoeckmann2024-01-121-1/+0
| | | | | | | Since pam.d.5 is a generated file, the test for existence in srcdir can be removed. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* treewide: strictly separate builddir and srcdirTobias Stoeckmann2024-01-1248-52/+53
| | | | | | | | | | Building outside of source directory fails if --disable-doc is not explicitly chosen. This happens because generated files are sometimes expected in the source directory, where they won't exist. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: build unix_update only with SELinux enabledChristian Göttsche2024-01-082-3/+17
| | | | | The helper unix_update(8) is only called from code enabled when SELinux support is enabled.
* pam_unix: fix memory leakChristian Göttsche2024-01-081-0/+1
| | | | | | | | The the allocated line buffer on success. Reported by GCC analyzer. Fixes: 4a2d60e9 ("pam_unix: use getline in _unix_getpwnam")
* pam_unix: do not truncate user namesTobias Stoeckmann2024-01-082-6/+2
| | | | | | | | | | | | | | | | This could allow users with very long names to impersonate a user with a 255 characters long name. The check if the argument argv[1] actually matches the user name implies that "user" can unconditionally be set to argv[1]: If they are equal, the strings are obviously equal. If they are not or if null is returned by getuidname, "user" is set to argv[1] anyway. This way, the static buffer can be safely removed because the result of getpwuid() is not stored, which means that subsequent calls to such functions can safely overwrite their internal buffers. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_access: avoid group name truncationTobias Stoeckmann2024-01-081-7/+5
| | | | | | | | If a very long group name is supplied, do not truncate it. It is safe to work directly on the supplied token, which is also already done in user_match, from where group_match is also called. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_limits: prevent overflow with very long lineTobias Stoeckmann2024-01-081-6/+11
| | | | | | | | The strcpy is not safe anymore because input lines can be very long. Use strdup instead. If allocation fails, treat the error exactly like a memory allocation issue in pam_modutil functions. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: use getrandom if possibleTobias Stoeckmann2024-01-052-2/+15
| | | | | | | | Use getrandom to retrieve random numbers for delay calculation. If it fails or is not available, keep using current algorithm. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: handle long delays properlyTobias Stoeckmann2024-01-051-7/+13
| | | | | | | | | | | | | | | | | | | | If a delay close to UINT_MAX has been set, then the delay computation might overflow the value due to added randomness. Systems where linux-pam is in use should generally have a 32 bit unsigned int and a 64 bit unsigned long long, and a time_t of either 64 bit or 32 bit. Under these assumptions, using the result for delay is safe because of the division before assigning it to tv_sec (time_t). Thought about using uint64_t type here but as long as "unsigned int" is part of the API instead of uint32_t, no proper guarantees could be made anyway. Unfortunately we have to supply an unsigned int if a PAM_FAIL_DELAY function has been set. In such a case, supply a UINT_MAX if delay is larger than that. It's the best we can do without breaking the API. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: use _pam_assemble_lineTobias Stoeckmann2024-01-051-100/+14
| | | | | | | When pam_env is compiled without libeconf support enabled, this removes fgets limitations and allows arbitrarily long lines. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: clear config line memory before freeTobias Stoeckmann2024-01-051-0/+3
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: allow custom escaped newline replacementTobias Stoeckmann2024-01-052-9/+14
| | | | | | | | To use _pam_assemble_line in pam_env, we must be able to modify the replacement of an escaped newline. The PAM configuration replaces it with a blank, while pam_env fully removes it. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: move line assembling functions to headerTobias Stoeckmann2024-01-053-253/+264
| | | | | | | | | | This follows the idiom of debug functions which reside in headers to allow their usage within libpam itself and its modules without adding modutil functions, i.e. extending the API. No functional change. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: skip _expand_arg if possibleTobias Stoeckmann2024-01-051-0/+7
| | | | | | | If no special characters exist, simply skip _expand_arg to avoid memory allocations and string copying. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: extend test for escaped newlinesTobias Stoeckmann2024-01-051-1/+3
| | | | | | | | This covers the _assemble_line functionality, which slightly differs from _pam_assemble_line in libpam, i.e. does not replace the backslash with a blank. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: allow very long variable expansionsTobias Stoeckmann2024-01-052-40/+123
| | | | | | | | Variable expansion can exceed the maximum line length allowed in an environment configuration file. Since PAM environment variables already support arbitrary lengths, allow them in pam_env as well. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_namespace: fix typo in manual pageTobias Stoeckmann2024-01-051-1/+1
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* doc: Fix grammar mistake in Linux-PAM-ADG.xmlTobias Stoeckmann2024-01-051-1/+1
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: fix typos in manual pageTobias Stoeckmann2024-01-051-3/+3
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* treewide: fix typos in commentsTobias Stoeckmann2024-01-059-10/+10
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: use correct function definitionTobias Stoeckmann2024-01-051-4/+4
| | | | | | | | The declaration uses static keyword, the definition does not. Fix the definition, because the function is only used in this file. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: enclose function macrosChristian Göttsche2024-01-042-6/+8
| | | | | Avoid potential dangling-else issues by wrapping macros inside a while loop.
* libpamc: merge includesChristian Göttsche2024-01-041-4/+1
|
* libpam: fix indentationChristian Göttsche2024-01-041-1/+1
| | | | Reported by clang-tidy.
* pam_unix/passverify: always run the helper to obtain shadow password file ↵Dmitry V. Levin2024-01-041-10/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | entries Initially, when pam_unix.so verified the password, it used to try to obtain the shadow password file entry for the given user by invoking getspnam(3), and only when that didn't work and the effective uid was nonzero, pam_unix.so used to invoke the helper as a fallback. When SELinux support was introduced by commit 67aab1ff5515054341a438cf9804e9c9b3a88033, the fallback was extended also for the case when SELinux was enabled. Later, commit f220cace205332a3dc34e7b37a85e7627e097e7d extended the fallback conditions for the case when pam_modutil_getspnam() failed with EACCES. Since commit 470823c4aacef5cb3b1180be6ed70846b61a3752, the helper is invoked as a fallback when pam_modutil_getspnam() fails for any reason. The ultimate solution for the case when pam_unix.so does not have permissions to obtain the shadow password file entry is to stop trying to use pam_modutil_getspnam() and to invoke the helper instead. Here are two recent examples. https://github.com/linux-pam/linux-pam/pull/484 describes a system configuration where libnss_systemd is enabled along with libnss_files in the shadow entry of nsswitch.conf, so when libnss_files is unable to obtain the shadow password file entry for the root user, e.g. when SELinux is enabled, NSS falls back to libnss_systemd which returns a synthesized shadow password file entry for the root user, which in turn locks the root user out. https://bugzilla.redhat.com/show_bug.cgi?id=2150155 describes essentially the same problem in a similar system configuration. This commit is the final step in the direction of addressing the issue: for password verification pam_unix.so now invokes the helper instead of making the pam_modutil_getspnam() call. * modules/pam_unix/passverify.c (get_account_info) [!HELPER_COMPILE]: Always return PAM_UNIX_RUN_HELPER instead of trying to obtain the shadow password file entry. Complements: https://github.com/linux-pam/linux-pam/pull/386 Resolves: https://github.com/linux-pam/linux-pam/pull/484 Link: https://github.com/authselect/authselect/commit/1e78f7e048747024a846fd22d68afc6993734e92
* pam_timestamp: correct failure conditionChristian Göttsche2024-01-041-1/+1
| | | | | | | | Bail out on NULL pointer, not otherwise. Reported by cppcheck. Fixes: 8a3f0810 ("Y2038: use logind instead of utmp")
* pam_filter: drop invalid tty hackChristian Göttsche2024-01-041-5/+0
| | | | | | | | | The open(3) flag O_NOCTTY does not detach the calling process from the opened file descriptor, like TIOCNOTTY, see tty(4), does. Drop the invalid hack to avoid the file descriptor being leaked. Reported by cppcheck.
* tests: avoid NULL dereference in error branchChristian Göttsche2024-01-041-1/+1
| | | | Reported by cppcheck.
* pam_timestamp: fix condition orderChristian Göttsche2024-01-041-2/+2
| | | | | | | Check the array index first before dereferencing the array. Also convert the index type to size_t to avoid casting. Reported by cppcheck.
* libpamc/test: fix assignmentChristian Göttsche2024-01-041-1/+1
| | | | | | Assign the error code instead of performing a no-op comparison. Reported by cppcheck.
* libpamc/test: pipe deallocation mismatchChristian Göttsche2024-01-042-2/+4
| | | | | | | Close pipes opened via popen(3) with pclose(3). Also close the pipe in error branches. Reported by cppcheck.
* pam_listfile: use getlineTobias Stoeckmann2024-01-031-3/+4
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: use getlineTobias Stoeckmann2024-01-032-4/+8
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_xauth: use getlineTobias Stoeckmann2024-01-031-2/+5
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
generated by cgit v1.2.3 (git 2.39.1) at 2025-06-03 12:49:09 +0000