| Commit message | Author | Age | Files | Lines |
|
* modules/pam_sepermit/pam_sepermit.c(get_loginuid): Read loginuid from
/proc
(sepermit_match): Apply the exclusive check only when loginuid not set.
|
* po/*.po: Updated translations from Transifex.
|
pam_rootok.c explicitly uses functions from libaudit, so the module has
to be linked with the library.
* modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Add @LIBAUDIT@.
|
* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Replace
all occurrences of HAVE_AUDIT_TTY_STATUS_LOG_PASSWD with
HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD.
* configure.in (HAVE_AUDIT_TTY_STATUS_LOG_PASSWD): Remove.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
|
Most commands are entered one line at a time and processed as complete lines
in non-canonical mode. Commands that interactively require a password enter
canonical mode with echo set to off to do this. This feature (icanon and
!echo) can be used to avoid logging passwords by audit while still logging the
rest of the command. Adding a member to the struct audit_tty_status passed in
by pam_tty_audit allows control of logging passwords per task.
* configure.in: autoconf bits to conditionally add support at compile time
depending on struct audit_tty_status kernel header version.
* modules/pam_tty_audit/pam_tty_audit.8.xml: Document new pam_tty_audit module
log_passwd option.
* modules/pam_tty_audit/pam_tty_audit.c: (pam_sm_open_session): Added
"log_passwd" option parsing.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
|
modules/pam_unix/unix_update.8.xml: unix_update helper runs in the
permissive mode as well.
|
other one is specified as argument.
* modules/pam_unix/support.c: Add search_key, call from __set_ctrl
* modules/pam_unix/support.h: Add define for /etc/login.defs
* modules/pam_unix/pam_unix.8.xml: Document new behavior.
* modules/pam_umask/pam_umask.c: Add missing NULL pointer check
|
modules/pam_access/pam_access.c (netgroup_match): As we did not use
yp_get_default_domain() in the 1.1 branch due to typo in ifdef
we should use it only as fallback.
|
modules/pam_namespace/md5.c (MD5Final): Use memcpy instead of assignment.
modules/pam_unix/md5.c (MD5Final): Use memcpy instead of assignment.
|
modules/pam_lastlog/pam_lastlog.c (last_login_failed): Just warn, not fail
on short read or read error.
|
modules/pam_rootok/pam_rootok.c (log_callback, selinux_check_root): New functions.
(check_for_root): Use the selinux_check_root() instead of checkPasswdAccess.
|
modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return.
modules/pam_unix/bigcrypt.c (bigcrypt): Likewise.
|
modules/pam_userdb/pam_userdb.c (user_lookup): Allow password hashes
longer than 13 characters and long salt.
|
modules/pam_access/pam_access.c (netgroup_match): Fix typo
in #ifdef HAVE_YP_GET_DEFAULT_DOMAIN.
|
modules/pam_cracklib/pam_cracklib.8.xml: Add note about checks
when run as root.
|
po/Linux-PAM.pot: Update to reflect current sources.
|
po/LINGUAS: Added new languages.
po/*.po: Updated translations from Transifex including new languages.
|
modules/pam_selinux/pam_selinux.c (manual_context): Drop function.
(compute_exec_context): Drop manual_context() call.
|
modules/pam_limits/limits.conf: Fix grammatical mistake.
|
xtests/tst-pam_pwhistory1.pamd: Use enforce_for_root as the test is
running with real uid == 0.
|
glibc's <sys/wait.h> starting with commit
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=glibc-2.15-231-gd94a467
does not include <sys/resource.h> for POSIX 2008 conformance reasons, so
when pam is being built with SELinux support enabled, pam_unix_passwd.c
uses getrlimit(2) and therefore should include <sys/resource.h> without
relying on other headers.
* modules/pam_unix/pam_unix_passwd.c: Include <sys/resource.h>.
Reported-by: Guido Trentalancia <guido@trentalancia.com>
Reported-by: "Jory A. Pratt" <anarchy@gentoo.org>
Reported-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>
|
modules/pam_namespace/pam_namespace.h: Add mount_opts member to polydir
structure.
modules/pam_namespace/pam_namespace.c (del_polydir): Free the mount_opts.
(parse_method): Parse the mntopts flag.
(ns_setup): Pass the mount_opts to mount().
modules/pam_namespace/namespace.conf.5.xml: Document the mntopts flag.
|
modules/pam_selinux/pam_selinux.c (send_audit_message): Obtain tty and
rhost from PAM items and pass them to audit.
modules/pam_tally2/pam_tally2.c (tally_check): Obtain tty and
rhost from PAM items and pass them to audit.
(main): Obtain tty name of stdin and pass it to audit.
|
configure.in: Use LT_INIT instead of AC_PROG_LIBTOOL and AS_HELP_STRING instead
of AC_HELP_STRING.
|
modules/pam_namespace/Makefile.am: Add missing $(DESTDIR) when making
$(namespaceddir) on install.
modules/pam_sepermit/Makefile.am: Add missing $(DESTDIR) when making
$(sepermitlockdir) on install.
|
configure.in: Bump version to 1.1.6
NEWS: Document changes
po/*.po: Regenerate *.po files
|
modules/pam_limits/limits.conf.5.xml: Document race of maxlogins [#10]
modules/pam_namespace/pam_namespace.h: Define MS_SLAVE if necessary
modules/pam_pwhistory/pam_pwhistory.c: Document how the module works
modules/pam_unix/pam_unix.8.xml: Document remember option obsoleted by pam_pwhistory [#6]
|
libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the PAM_AUTHTOK_TYPE
item when obtained from module options.
(pam_get_authtok_verify): Use the PAM_AUTHTOK_TYPE item when prompting.
|
modules/pam_limits/limits.conf.5.xml: Document the limits.d existence.
|
modules/pam_namespace/Makefile.am: Add install-data-local target to create
namespaceddir.
modules/pam_sepermit/Makefile.am: Add install-data-local target to create
sepermitlockdir.
|
sys/resource.h.
Signed-off-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>
modules/pam_unix/pam_unix_acct.c: Include sys/resource.h.
|
modules/pam_umask/pam_umask.8.xml: Correct the documentation of GECOS field
parsing.
|
modules/pam_cracklib/pam_cracklib.c (_pam_parse): Parse the maxsequence option.
(sequence): New function to check for too long monotonic sequence of characters.
(password_check): Call the sequence().
modules/pam_cracklib/pam_cracklib.8.xml: Document the maxsequence check.
|
modules/pam_timestamp/pam_timestamp.8.xml: Fix AUTHOR section.
|
po/*.po: Updated translations.
|
modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Use the UID of
the process instead of the target user UID (same as in pam_cracklib) to
check for root. Always record old password.
|
modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the enforce_for_root option.
(pam_sm_chauthtok): Enforce errors for root with the option.
modules/pam_cracklib/pam_cracklib.8.xml: Document the enforce_for_root option.
|
modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the maxclassrepeat, gecoscheck options. Ignore difignore option.
(simple): Add the check for the same class repetition.
(usercheck): Refactor into wordcheck().
(gecoscheck): New test for words from the GECOS field.
(password_check): Call the gecoscheck().
(pam_sm_chauthtok): Drop the diff_ignore from options struct.
modules/pam_cracklib/pam_cracklib.8.xml: Document the maxclassrepeat and gecoscheck checks, update the documentation of the difok test.
|
modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Return PAM_SUCCESS if
uid==0.
modules/pam_lastlog/pam_lastlog.8.xml: Improve documentation.
|
* modules/pam_lastlog/pam_lastlog.8.xml: Document the new functionality and
option.
* modules/pam_lastlog/pam_lastlog.c: Add the inactive user lock out.
(_pam_session_parse): Renamed from _pam_parse.
(_pam_auth_parse): New function to parse auth arguments.
(_last_login_open): Factor out opening of the lastlog file.
(_last_login_read): Factor out opening of the lastlog file.
(pam_sm_authenticate): Implement the lockout functionality.
(pam_sm_setcred): Just return PAM_SUCCESS.
(pam_sm_acct_mgmt): Call pam_sm_authenticate().
|
* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Adjust syslog message.
* modules/pam_unix/passverify.c (create_password_hash): Check for crypt()
returning NULL.
|
In --enable-static-modules mode, it was not possible to use "pam_unix"
in PAM config files. Instead, different names had to be used for each
management group: pam_unix_auth, pam_unix_acct, pam_unix_passwd and
pam_unix_session. This change makes pam_unix configuration consistent
with other PAM modules.
* README: Remove the paragraph describing pam_unix distinctions in
--enable-static-modules mode.
* libpam/pam_static_modules.h (_pam_unix_acct_modstruct,
_pam_unix_auth_modstruct, _pam_unix_passwd_modstruct,
_pam_unix_session_modstruct): Remove.
(_pam_unix_modstruct): New pam_module declaration.
* modules/pam_unix/pam_unix_static.h: New file.
* modules/pam_unix/pam_unix_static.c: Likewise.
* modules/pam_unix/Makefile.am (noinst_HEADERS): Add pam_unix_static.h
(pam_unix_la_SOURCES) [STATIC_MODULES]: Add pam_unix_static.c
* modules/pam_unix/pam_unix_acct.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_acct_modstruct): Remove.
* modules/pam_unix/pam_unix_auth.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_auth_modstruct): Remove.
* modules/pam_unix/pam_unix_passwd.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_passwd_modstruct): Remove.
* modules/pam_unix/pam_unix_sess.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_session_modstruct): Remove.
Suggested-by: Matveychikov Ilya <i.matveychikov@securitycode.ru>
|
* configure.in: Define HAVE_LIBCRACK when cracklib is enabled.
* libpam/pam_static_modules.h (static_modules): Guard the use of
_pam_cracklib_modstruct by HAVE_LIBCRACK macro.
|
* libpam/include/security/pam_modutil.h: Add missing includes for used types.
|
* libpam/pam_static_modules.h (_pam_rhosts_auth_modstruct): Remove
obsolete declaration.
(static_modules): Remove undefined reference to
_pam_rhosts_auth_modstruct.
* modules/pam_pwhistory/opasswd.h: Rename {save,check}_old_password to
{save,check}_old_pass in order to avoid conflicts with pam_unix.
* modules/pam_pwhistory/opasswd.c: Likewise.
* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
* modules/pam_tally2/pam_tally2.c: Rename _pam_tally_modstruct to
_pam_tally2_modstruct.
Signed-off-by: Matveychikov Ilya <i.matveychikov@securitycode.ru>
|
There is no way to build "modules" subdirectory before "libpam" anyway.
In STATIC_MODULES mode, "libpam" subdirectory must be built twice to
produce a usable libpam.a without undefined references to multiple
_pam_*_modstruct symbols.
* Makefile.am: Use default SUBDIRS in STATIC_MODULES mode.
|
* configure.in: Change '-disable-nis' to '--disable-nis'.
|
* modules/pam_namespace/pam_namespace.c (pam_sm_close_session): Recognize
the unmount_on_close option and make the default to be to not unmount.
* modules/pam_namespace/pam_namespace.h: Rename PAMNS_NO_UNMOUNT_ON_CLOSE to
PAMNS_UNMOUNT_ON_CLOSE.
* modules/pam_namespace/pam_namespace.8.xml: Document the change.
|
* modules/pam_namespace/pam_namespace.c (protect_dir): Drop the always argument.
(check_inst_parent): Drop the always argument from protect_dir().
(create_polydir): Likewise.
(ns_setup): Likewise and do not mark the polydir with MS_PRIVATE.
(setup_namespace): Mark the / with MS_SLAVE|MS_REC.
* modules/pam_namespace/pam_namespace.8.xml: Reflect the change in docs.
|
* modules/pam_succeed_if/pam_succeed_if.c (evaluate): Match ruser,
rhost, and tty as left operand.
* modules/pam_succeed_if/pam_succeed_if.8.xml: Document the new
possible left operands.