| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_faillock/pam_faillock.c (check_tally): Close the audit
socket when it will no longer be used.
```
Error: RESOURCE_LEAK (CWE-772):
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: open_fn: Returning handle opened by "audit_open".
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: var_assign: Assigning: "audit_fd" = handle returned from "audit_open()".
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:256: noescape: Resource "audit_fd" is not freed or pointed-to in "audit_log_user_message".
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:258: leaked_handle: Handle variable "audit_fd" going out of scope leaks the handle.
256| audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
257| rhost, NULL, tty, 1);
258|-> }
259| #endif
260| opts->flags |= FAILLOCK_FLAG_UNLOCKED;
```
Resolves: https://issues.redhat.com/browse/RHEL-36475
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
| |
|
|
|
|
| |
* modules/pam_env/pam_env.c [USE_ECONF] (econf_read_file): Make sure
the returned array of strings is properly initialized
when econf_getStringValue() fails to return a value.
|
| |
|
|
|
|
|
| |
* modules/pam_env/pam_env.c [USE_ECONF] (econf_read_file): Handle NULL
value returned by econf_getStringValue().
Resolves: https://github.com/linux-pam/linux-pam/issues/796
|
| |
|
|
| |
Move all historic changelog files away to avoid confusion.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Since 2011, ChangeLog file is generated from git log history.
ChangeLog-CVS is a historic changelog file that was maintained before
the project was migrated from cvs to git.
CHANGELOG is another historic changelog file that was replaced by
ChangeLog in 2005.
modules/pam_unix/CHANGELOG is the oldest of historic changelog files,
it is not maintained since 1999.
All these historic changelog files are no longer relevant, so they are
no longer included into release tarballs.
|
| |
|
|
|
|
|
|
| |
libpam/pam_modutil_check_user.c: explicitly convert the character
read from /etc/passwd to type "char" to get the same signedness
as the one compared with. Otherwise the functionality will depend
on the (implementation defined) signedness of "char" on the
platform built for.
|
| |
|
|
|
|
|
| |
Dag-Erling Smørgrav's name was encoded using some encoding other than
UTF-8 (that line predates the UTF-8 consensus). This changes it to use
UTF-8, so that it renders properly and so that editors that guess the
file is UTF-8 do not get confused about it.
|
| |
|
|
| |
Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
|
| |
|
|
|
|
| |
The previous sentence was strange to read.
Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
|
| |
|
|
|
| |
Compare the hashes in constant time as a defense-in-depth mechanism,
since performance is not a priority.
|
| |
|
|
|
|
|
|
|
| |
Add a helper function to compare two strings for equality, that performs
the same amount of operations based on the first argument, regardless of
the length of the second argument, or the position of the first
difference.
This can be used as defense-in-depth mitigation against timing attacks
of password comparisons.
|
| |
|
|
|
|
|
|
| |
* configure.ac (AC_INIT): Raise version to 1.6.1.
* po/Linux-PAM.pot (Project-Id-Version): Likewise.
* NEWS: Update.
Resolves: https://github.com/linux-pam/linux-pam/issues/774
|
| |
|
|
|
| |
Regenerate po/Linux-PAM.pot and po/*.po using "make -C po update-po"
command. This essentially updates the line numbers and timestamps.
|
| |
|
|
|
|
|
| |
* configure.ac (AC_HEADER_STDC, AC_HEADER_TIME): Remove.
(AC_CHECK_HEADERS): Remove fcntl.h, limits.h, malloc.h, sys/file.h,
sys/ioctl.h, sys/time.h, syslog.h, net/if.h, termio.h, unistd.h,
sys/fsuid.h, and inittypes.h.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
pam_get_data manual page used to claim that PAM_NO_MODULE_DATA is
returned not only when no module specific data is present but also
when there is a corresponding data entry with NULL value.
As this claim is in contradiction with the implementation and with the
pam manual page, fix pam_get_data manual page.
* doc/man/pam_get_data.3.xml (PAM_NO_MODULE_DATA): Sync with
the implementation and with the pam manual page.
Resolves: https://github.com/linux-pam/linux-pam/pull/780
|
| |
|
|
|
| |
* tests/tst-pam_get_data.c (main): Check that PAM_NO_MODULE_DATA is
returned by pam_get_data iff the corresponding data is not present.
|
| |
|
|
|
| |
* tests/tst-pam_get_data.c: Include "test_assert.h".
(main): Rewrite using ASSERT_EQ() and ASSERT_NE() macros.
|
| |
|
|
| |
The function was not tested, so add some basic testing to it.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Call bindtextdomain() only when both the function is available and
the build is configured with --enable-nls.
* libpam/pam_start.c (_pam_start_internal): Guard bindtextdomain()
invocation with ENABLE_NLS.
Complements: v1.6.0~244 ("pam_start.c: call bindtextdomain() to expose Linux-PAM locales")
Resolves: https://github.com/linux-pam/linux-pam/pull/773
|
| |
|
|
|
|
|
|
| |
Document that pam_env.so is only called by pam_setcred() and
not by pam_authenticate() when added to the auth stack.
Resolves: https://github.com/linux-pam/linux-pam/issues/680
Signed-off-by: Thorsten Kukuk <kukuk@suse.com>
|
| | |
|
| |
|
|
|
|
| |
Currently translated at 87.1% (88 of 101 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/id/
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before the change pam_unix has different behaviours for a user with
empty password for these two `/etc/shadow` entries:
nulloktest:$6$Yy4ty2jJ$bsVQWo8qlXC6UHq1/qTC3UR60ZJKmKApJ3Wj7DreAy8FxlVKtlDnplFQ7jMLVlDqordE7e4t49GvTb.aI59TP0:1::::::
nulloktest::1::::::
The entry with a hash was rejected and the entry without was accepted.
The rejection happened because 9e74e90147c "pam_unix: avoid determining
if user exists" introduced the following rejection check (slightly
simplified):
...
} else if (p[0] == '\0' && nullok) {
if (hash[0] != '\0') {
retval = PAM_AUTH_ERR;
}
We should not reject the user with a hash assuming it's non-empty.
The change does that by pushing empty password check into
`verify_pwd_hash()`.
`NixOS` generates such hashed entries for empty passwords as if they
were non-empty using the following perl code:
sub hashPassword {
my ($password) = @_;
my $salt = "";
my @chars = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
$salt .= $chars[rand 64] for (1..8);
return crypt($password, '$6$' . $salt . '$');
}
Resolves: https://github.com/linux-pam/linux-pam/issues/758
Fixes: 9e74e90147c "pam_unix: avoid determining if user exists"
Signed-off-by: Sergei Trofimovich <slyich@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
When limits.d is processed, pl->conf_file consequently points to
elements of filename_list array which are freed later even though
it can still be used in the logging.
Signed-off-by: Shaleen Bathla <shaleen.bathla@oracle.com>
Co-authored-by: Dmitry V. Levin <ldv@strace.io>
Fixes: f6b973b92281 ("Add support for limits.d directory to pam_limits")
|
| |
|
|
|
|
|
| |
It can happen that yp functions are found in system but their header
files are not available. In this case, do not call them.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
| |
Failing if a feature is directly requested is default by now.
Do the same for --enable-nis=yes.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Since the struct member user might be NULL use the same condition for
the value as for the preceding key.
Reported-by: Yugend
|
| |
|
|
|
|
|
|
| |
Untangle two distinct strings to simplify their usage.
Check for allocation failure of the second one.
Fix double-free of the second one in the error branch in line 692.
Reported-by: Yugend
|
| |
|
|
|
| |
On asprintf(3) failure the value of the first argument is undefined.
Set to NULL to avoid UB on cleanup.
|
| |
|
|
|
|
|
| |
The line itself is modified while parsing its content. Print the line
number and file name instead so an administrator can investigate it.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
| |
Trim all whitespaces before and after value.
Resolves: https://github.com/linux-pam/linux-pam/pull/760
Fixes: eec4358a49dc ("pam_limits: avoid sscanf in parse_config_file")
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
The pam_assemble_line function is renamed to pam_line_assemble and
moved into libpam_internal so it can be shared across libpam and the
pam_env module.
Applied renaming to all other relevant functions and data structures
so it is easier to locate them in files.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
That function is being added to C23 with the same prototype
as memset(3):
void* memset_explicit(void*, int, size_t);
Unlike bzero, it accepts the fill byte as an argument.
Fixes: 19a292681789 ("libpam: introduce secure memory erasure helpers")
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The geteuid check does not cover all cases. If a program runs with
elevated capabilities like CAP_SETUID then we can still check
credentials of other users.
Keep logging for future analysis though.
Resolves: https://github.com/linux-pam/linux-pam/issues/747
Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
| |
Move function bodies from headers into dedicated object files stored in
libpam_internal. This library won't be installed.
Keep the debug function body in header, even though disabled when
building Linux-PAM, to stay API compatible with previous versions.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The options whether to build with support for libprelude, libaudit,
libselinux, or libeconf are set to enable-if-available. These options
also have a configure flag `--enable-foo`, which currently fall back to
the feature being disabled if not available.
Change these feature flags to fail if specified explicitly and the
required dependencies cannot be satisfied.
Prompted by #728 and #746
|
| |
|
|
| |
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
| |
Use strtoll to support up to 64 bit on 32 bit systems, although only up
to 32 unsigned bits are used. The strtoul function exists but converts
negative numbers to positive ones without any form of warning.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
| |
The pam client library libpamc is only needed if libpam_misc is in use.
But libpam_misc is only used by an SELinux helper binary.
Remove the libpamc includes from the search path in all other cases.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
| |
The struct crypt_data has the size of 32768 bytes, thus allocate it on
the heap for portability.
|
| |
|
|
| |
Clease the crypt data to avoid any potential information leakage.
|
| |
|
|
|
| |
Cleanse the crypt data also in the failure branch to sanitize in case of
partial data being written.
|
