| Commit message | Author | Age | Files | Lines |
| |
Updated pot and po files
| |
Currently translated at 100.0% (116 of 116 strings)
Translation: linux-pam/master
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/cs/
| |
Currently translated at 100.0% (121 of 121 strings)
Translation: linux-pam/master
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
| |
Currently translated at 100.0% (121 of 121 strings)
Translation: linux-pam/master
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
| |
Currently translated at 100.0% (121 of 121 strings)
Translation: linux-pam/master
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
Translated using Weblate (Polish)
Currently translated at 100.0% (121 of 121 strings)
Translation: linux-pam/master
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
| |
Deleted translation using Weblate (German (Low))
Deleted translation using Weblate (Angika)
Deleted translation using Weblate (English (United Kingdom))
Deleted translation using Weblate (Asturian)
Deleted translation using Weblate (bal (generated))
Deleted translation using Weblate (Bodo)
Deleted translation using Weblate (Breton)
Deleted translation using Weblate (Cornish)
Deleted translation using Weblate (Cornish)
Deleted translation using Weblate (ilo (generated))
Deleted translation using Weblate (Maithili)
Deleted translation using Weblate (Pedi)
Deleted translation using Weblate (Tibetan)
Deleted translation using Weblate (Twi)
Deleted translation using Weblate (wba (generated))
| |
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Translation: linux-pam/master
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/
| |
If kernel audit is disabled the socket open will return
EPROTONOSUPPORT.
Return PAM_IGNORE from pam_tty_audit and log a warning
in this situation so login is not blocked by the module.
| |
When pam_modutil_sanitize_helper_fds() is invoked with
PAM_MODUTIL_PIPE_FD to provide a dummy pipe descriptor for stdout
or stderr, it closes the read end of the newly created dummy pipe.
The negative side effect of this approach is that any write to such
descriptor triggers a SIGPIPE. Avoid this by closing the write end of
the dummy pipe and using its read end as a dummy pipe descriptor for
output. Any read from such descriptor returns 0, and any write just
fails with EBADF, which should work better with unprepared writers.
* libpam/pam_modutil_sanitize.c (redirect_out_pipe): Remove.
(redirect_out): Call redirect_in_pipe instead of redirect_out_pipe.
Fixes: b0ec5d1e ("Introduce pam_modutil_sanitize_helper_fds")
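The descriptor behaviour this commit message describes, as an added C example that is not part of the commit or of Linux-PAM. `probe_dummy_pipe` and `struct probe` are hypothetical names, and a SIGPIPE handler is installed only so the signal can be counted instead of ending the process.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>

static volatile sig_atomic_t sigpipe_count;

static void on_sigpipe(int sig) { (void)sig; sigpipe_count++; }

/* What an unprepared writer or reader sees on a dummy descriptor. */
struct probe {
    int write_errno;   /* errno from write(), 0 if the write succeeded */
    long read_ret;     /* return value of read(), -1 on error */
    int sigpipes;      /* SIGPIPE deliveries caused by the write */
};

/* keep_read_end = 0: old approach, keep the write end and close the read end.
 * keep_read_end = 1: new approach, keep the read end and close the write end. */
static struct probe probe_dummy_pipe(int keep_read_end)
{
    struct probe p = { 0, -1, 0 };
    struct sigaction sa, old;
    int fds[2];
    char c = 'x';

    if (pipe(fds) != 0) { p.write_errno = errno; return p; }
    close(fds[keep_read_end ? 1 : 0]);
    int dummy = fds[keep_read_end ? 0 : 1];

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_sigpipe;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGPIPE, &sa, &old);   /* count SIGPIPE instead of dying */
    sigpipe_count = 0;

    if (write(dummy, &c, 1) < 0)     /* what a helper writing to stdout does */
        p.write_errno = errno;
    p.sigpipes = sigpipe_count;
    p.read_ret = (long)read(dummy, &c, 1);

    sigaction(SIGPIPE, &old, NULL);  /* restore the caller's disposition */
    close(dummy);
    return p;
}
```

With the default SIGPIPE disposition, the write in the old layout terminates the writing process rather than returning an error, which is the side effect the commit removes.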
| |
u_intX_t is a glibcism; this fixes the issue of compiling against musl libc.
| |
* modules/pam_group/group.conf.5.xml: Replace bare & with &amp;.
* modules/pam_time/time.conf.5.xml: Likewise.
| |
* modules/pam_group/group.conf.5.xml: Document what logic list means.
* modules/pam_time/time.conf.5.xml: Likewise.
* modules/pam_group/pam_group.c (logic_field): Clear the not operator for the
further operations.
* modules/pam_time/pam_time.c (logic_field): Likewise.
| |
If the shell is empty in /etc/passwd entry it means /bin/sh.
* modules/pam_shells/pam_shells.c (perform_check): Use /bin/sh as default shell.
| |
* modules/pam_env/pam_env.8.xml: Document the change.
* modules/pam_env/pam_env.c: Set DEFAULT_USER_READ_ENVFILE to 0.
| |
Raise BUF_SIZE to 8192 bytes.
* modules/pam_env/pam_env.c (_parse_env_file): Ignore lines starting with '='.
(_assemble_line): Detect long lines and binary files.
(_check_var): Avoid overwriting global variable.
(_expand_arg): Avoid repeated strlen calls.
| |
When using polyinstantiation for /tmp and/or /var/tmp, pam_namespace
creates subdirectories with fixed name tmp-inst. These paths should be
secured as early as possible to avoid that somehow these directories
could be created and controlled by, for example, a malicious user or
service.
Ship a systemd service, which creates the directories early in
boot sequence with correct permissions and ownership.
Closes #111.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
| |
* modules/pam_succeed_if/pam_succeed_if.c: Fix const issues.
* modules/pam_usertype/pam_usertype.c: Avoid maybe used uninitialized warning.
| |
Adding nullresetok to auth phase of pam_unix module will allow users
with blank password to authenticate in order to immediately change
their password even if nullok is not set.
This allows to have blank password authentication disabled but still
allows administrator to create new user accounts with expired blank
password that must be changed on the first login.
| |
Examples:
account requisite pam_succeed_if.so user ingroup group1:group2
OR
account requisite pam_succeed_if.so user notingroup group1:group2
OR
account requisite pam_succeed_if.so user ingroup wheel
OR
account requisite pam_succeed_if.so user notingroup wheel
Can be very convenient to grant access based on complex group memberships (LDAP, etc)
| |
Some source files include the same header file redundantly.
We remove these redundant header file inclusions.
| |
* modules/pam_tally/pam_tally.8.xml: Mention account leakage without silent
* modules/pam_tally2/pam_tally2.8.xml: Mention account leakage without silent
| |
This module will check if the user account type is system or regular based
on its uid. To evaluate the condition it will use 0-99 reserved range
together with `SYS_UID_MIN` and `SYS_UID_MAX` values from `/etc/login.defs`.
If these values are not set, it uses configure-time defaults
`--with-sys-uid-min` and `--with-uid-min` (according to `login.defs` man page
`SYS_UID_MAX` defaults to `UID_MIN - 1`).
This information can be used to skip specific module in pam stack
based on the account type. `pam_succeed_if uid < 1000` is used at the moment
however it does not reflect changes to `login.defs`.
| |
Allow the user to disable documentation through --disable-doc (enabled
by default), this is especially useful when cross-compiling for embedded
targets.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
| |
Introduce a new internal header file with definitions of
DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL macros,
use them to temporarily silence -Wcast-qual compilation warnings
in various modules.
* libpam/include/pam_cc_compat.h: New file.
* libpam/Makefile.am (noinst_HEADERS): Add include/pam_cc_compat.h.
* modules/pam_mkhomedir/pam_mkhomedir.c: Include "pam_cc_compat.h".
(create_homedir): Wrap execve invocation in DIAG_PUSH_IGNORE_CAST_QUAL
and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_namespace/pam_namespace.c: Include "pam_cc_compat.h".
(pam_sm_close_session): Wrap the cast that discards ‘const’ qualifier
in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_tty_audit/pam_tty_audit.c: Include "pam_cc_compat.h".
(nl_send): Wrap the cast that discards ‘const’ qualifier in
DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_unix/pam_unix_acct.c: Include "pam_cc_compat.h".
(_unix_run_verify_binary): Wrap execve invocation in
DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_unix/pam_unix_passwd.c: Include "pam_cc_compat.h".
(_unix_run_update_binary): Wrap execve invocation in
DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_unix/passverify.c: Include "pam_cc_compat.h".
(unix_update_shadow): Wrap the cast that discards ‘const’ qualifier
in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_unix/support.c: Include "pam_cc_compat.h".
(_unix_run_helper_binary): Wrap execve invocation in
DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
* modules/pam_xauth/pam_xauth.c: Include "pam_cc_compat.h".
(run_coprocess): Wrap execv invocation in DIAG_PUSH_IGNORE_CAST_QUAL
and DIAG_POP_IGNORE_CAST_QUAL.
| |
Also fix the following compilation warning:
tests/tst-pam_mkargv.c:21:22: warning: initialization discards ‘const’
qualifier from pointer target type [-Wdiscarded-qualifiers]
char *argvstring = "user = XENDT\\userα user=XENDT\\user1";
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* libpam/pam_misc.c (_pam_mkargv): Add const qualifier to the first
argument.
* libpam/pam_private.h (_pam_mkargv): Likewise.
* tests/tst-pam_mkargv.c (main): Convert argvstring from a pointer into
a static const string, make argvresult array static const.
| |
* libpam/pam_modutil_searchkey.c: Avoid assigning empty string literal to
non-const char *.
* modules/pam_filter/pam_filter.c: Avoid using const char **.
* modules/pam_mkhomedir/pam_mkhomedir.c: Properly cast out const for execve().
* modules/pam_namespace/pam_namespace.c: Properly cast out const from pam data.
* modules/pam_tally2/pam_tally2.c: String literal must be assigned to
const char *.
| |
If the call to the crypt(3) function failed for some reason during
hashing a new login passphrase, the wrapper function for computing
a hash with the md5crypt method was called internally by the pam_unix
module in previous versions of linux-pam.
With CVE-2012-3287 in mind, the md5crypt method is not considered to
be a safe nor recommended hashing method for a new login passphrase
since at least 2012. Thus pam_unix should error out in case of a
failure in crypt(3) instead of silently computing a hashed passphrase
using a potentially unsafe method.
* modules/pam_unix/pam_unix.8.xml: Update documentation.
* modules/pam_unix/passverify.c (create_password_hash): Return NULL
on error instead of silently invoking crypt_md5_wrapper().
| |
helper_verify_password's variable salt is not just the salt but the whole hash. Renamed for clarity and conformity with the rest of the code.
| |
According to the man pages, "Each invocation of va_start() must be
matched by a corresponding invocation of va_end() in the same function."
| |
Signed-off-by: Russ Allbery <rra@debian.org>
Bug-Debian: https://bugs.debian.org/651560
| |
Add a short description of the nousergroups to the pam_umask(8)
man-page.
| |
This is particularly useful when pam has been built with the new
--enable-usergroups configure switch, allowing users to override
the default-enabled state and disabling usergroups at runtime.
This is synonymous but opposite to current and previous pam_umask
default that could be changed to enabled at runtime with the usergroups
argument.
| |
This change adds a configure option to set the default value of the
usergroups option (of the pam_umask module) at build-time.
Distributions usually make the decision if usergroups should be used or
not. This allows them to control the built-in default value, without
having to ship the value in a config file (cluttering up the view
of actually relevant user/system configuration overrides).
| |
IPv6 address prefix sizes larger than 128 (i.e. not larger or equal to) should
be discarded. Additionally, for IPv4 addresses, the largest valid prefix size
should be 32.
Fixes #161
| |
To be able to set CFLAGS from make command-line but not to lose the
warning flags.
* configure.ac: Put warning flags to WARN_CFLAGS instead of CFLAGS.
* */Makefile.am: Apply WARN_CFLAGS to AM_CFLAGS.
| |
Follow-up for c81280b16e1831ab0bdd0383486c7e2d1eaf1b5e.
* modules/pam_motd/pam_motd.c: Return PAM_IGNORE if pam_putenv succeeds.
* modules/pam_motd/pam_motd.8.xml: Document additional possible return values of the module.
| |
This runs "make distcheck" using gcc-9, gcc-8, gcc-7, and clang
on x86_64, x86, x32, aarch64, s390x, and ppc64le architectures.
* .travis.yml: New file.
* ci/install-dependencies.sh: Likewise.
* ci/run-build-and-tests.sh: Likewise.
Resolves: https://github.com/linux-pam/linux-pam/issues/28
| |
When xcrypt.h is available but -lxcrypt is not, pam_pwhistory fails to
build with the following diagnostics:
modules/pam_pwhistory/opasswd.c:111: undefined reference to `xcrypt_r'
Fix this by using the same check for xcrypt as in other modules.
* modules/pam_pwhistory/opasswd.c: Replace HAVE_XCRYPT_H with
HAVE_LIBXCRYPT.
| |
* conf/pam_conv1/Makefile.am: Add -Wno-unused-function -Wno-sign-compare to CFLAGS.
* doc/specs/Makefile.am: Likewise.
* libpamc/include/security/pam_client.h: Explicitly compare old_p with NULL.
* modules/pam_access/pam_access.c: Avoid double const.
* modules/pam_filter/pam_filter.c: Avoid arbitrary constants. Avoid strncpy()
without copying the NUL byte.
* modules/pam_group/pam_group.c: Mark switch fallthrough with comment.
* modules/pam_time/pam_time.c: Likewise.
* modules/pam_limits/pam_limits.c: Remove unused units variable.
* modules/pam_listfile/pam_listfile.c: Avoid unnecessary strncpy, use pointers.
* modules/pam_rootok/pam_rootok.c (log_callback): Mark unused parameter.
* modules/pam_selinux/pam_selinux.c: Use string_to_security_class() instead
of hardcoded value.
* modules/pam_sepermit/pam_sepermit.c: Properly cast when comparing.
* modules/pam_succeed_if/pam_succeed_if.c: Mark unused parameters.
* modules/pam_unix/pam_unix_passwd.c: Remove unused variables and properly
cast for comparison.
* modules/pam_unix/support.c: Remove unused function.
| |
This is a useful indication for update-motd profile.d snippet which can
also try to show MOTD when it is not already shown.
The use-case for that is showing MOTD in shells in containers without
PAM being involved.
* modules/pam_motd/pam_motd.c: Export MOTD_SHOWN=pam after showing MOTD
* modules/pam_motd/pam_motd.8.xml: Mention setting MOTD_SHOWN=pam in the man page
| |
Adds an auth module to pam_keyinit, whose implementation of
pam_sm_setcred is identical to the implementation of pam_sm_open_session.
It is useful with PAM applications, which call pam_setcred,
before calling pam_open_session.
* modules/pam_keyinit/pam_keyinit.c: Add an auth module to pam_keyinit.
* modules/pam_keyinit/pam_keyinit.8.xml: Update the manpage
to describe the new functionality.
| |
* modules/pam_unix/pam_unix_auth.c: Use LOG_NOTICE instead of LOG_ERR.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_umask/pam_umask.c: Likewise.
| |
* modules/pam_namespace/namespace.conf.5.xml: Add documentation for the
noexec, nosuid, and nodev flags support.
* modules/pam_namespace/pam_namespace.c (filter_mntopts): New function to
filter out the flags.
(parse_method): Call the function.
(ns_setup): Apply the flags to the tmpfs mount.
* modules/pam_namespace/pam_namespace.h: Add mount_flags to polydir_s struct.
| |
There is no point in raising the allocation size by doubling when
we can allocate required memory size at once in the second pass.
* libpam/pam_modutil_ingroup.c (checkgrouplist): Allocate some reasonable
default size in first pass and required size in the second pass.