| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
* configure.ac (AC_INIT): Raise version to 1.6.1.
* po/Linux-PAM.pot (Project-Id-Version): Likewise.
* NEWS: Update.
Resolves: https://github.com/linux-pam/linux-pam/issues/774
|
| |
|
|
|
|
|
| |
* configure.ac (AC_HEADER_STDC, AC_HEADER_TIME): Remove.
(AC_CHECK_HEADERS): Remove fcntl.h, limits.h, malloc.h, sys/file.h,
sys/ioctl.h, sys/time.h, syslog.h, net/if.h, termio.h, unistd.h,
sys/fsuid.h, and inittypes.h.
|
| |
|
|
|
|
|
| |
Failing if a feature is directly requested is default by now.
Do the same for --enable-nis=yes.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
| |
Move function bodies from headers into dedicated object files stored in
libpam_internal. This library won't be installed.
Keep the debug function body in header, even though disabled when
building Linux-PAM, to stay API compatible with previous versions.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The options whether to build with support for libprelude, libaudit,
libselinux, or libeconf are set to enable-if-available. These options
also have a configure flag `--enable-foo`, which currently fall back to
the feature being disabled if not available.
Change these feature flags to fail if specified explicitly and the
required dependencies cannot be satisfied.
Prompted by #728 and #746
|
| |
|
|
|
|
|
|
|
|
|
| |
React on actual test if SELinux is available, not just if SELinux
should be tested for.
Currently the supposedly disabled binaries are still installed even if
SELinux is not available.
Fixes: cb9f88ba944d ("pam_unix: build unix_update only with SELinux enabled")
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
| |
* configure.ac (AC_INIT): Raise version to 1.6.0.
* po/Linux-PAM.pot (Project-Id-Version): Likewise.
* NEWS: Update.
Resolves: https://github.com/linux-pam/linux-pam/issues/690
|
| |
|
|
|
|
|
| |
Fail if --enable-logind is specified while libsystemd cannot be found,
so the feature is reliably enabled on request.
Complements: v1.5.3~26 ("Y2038: use logind instead of utmp")
|
| |
|
|
|
|
|
|
|
|
| |
Building outside of source directory fails if --disable-doc is not
explicitly chosen.
This happens because generated files are sometimes expected in the
source directory, where they won't exist.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
| |
The helper unix_update(8) is only called from code enabled when SELinux
support is enabled.
|
| |
|
|
|
|
|
|
| |
Use getrandom to retrieve random numbers for delay calculation.
If it fails or is not available, keep using current algorithm.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
| |
Even if these checks reveal that a function does not exist, there are
no corresponding HAVE_* or ac_cv_func_* checks in source files.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
| |
* configure.ac (AC_CHECK_HEADERS): Add sys/random.h.
(AC_CHECK_FUNCS): Add getrandom.
* modules/pam_timestamp/hmac_openssl_wrapper.c [HAVE_SYS_RANDOM_H]:
Include <sys/random.h>.
(generate_key) [HAVE_GETRANDOM]: Call getrandom(2) before trying
to open /dev/urandom.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Apparently, getline is being used unconditionally in pam_namespace and
pam_sepermit. In pam_namespace, it is being used since 2006 when the
module was introduced in the first place.
Let's assume getline is universally available and let's use it
unconditionally in other cases, too.
* configure.ac (AC_CHECK_FUNCS): Remove getline and getdelim.
* libpam/pam_modutil_searchkey.c (pam_modutil_search_key): Use getline
unconditionally.
* modules/pam_pwhistory/opasswd.c (check_old_pass, save_old_pass):
Likewise.
* modules/pam_shells/pam_shells.c (perform_check): Likewise.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This module uses the name of the user obtained via pam_get_user(3)
as a key to query the password database, and replaces PAM_USER
with the pw_name value that has been returned.
The main usage scenario is systems where a user name is used in several
distinct authentication systems, some of them being case sensitive while
others are not.
* configure.ac (AC_CONFIG_FILES): Add
modules/pam_canonicalize_user/Makefile.
* doc/sag/pam_canonicalize_user.xml: New file.
* doc/sag/Linux-PAM_SAG.xml: Add a reference to
pam_canonicalize_user.xml.
* modules/Makefile.am (SUBDIRS): Add pam_canonicalize_user.
* modules/pam_canonicalize_user/Makefile.am: New file.
* modules/pam_canonicalize_user/README.xml: New file.
* modules/pam_canonicalize_user/pam_canonicalize_user.8.xml: New file.
* modules/pam_canonicalize_user/pam_canonicalize_user.c: New file.
* modules/pam_canonicalize_user/tst-pam_canonicalize_user: New file.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* configure.ac: check whether close_range() is available in the system.
* libpam/pam_modutil_sanitize.c: use close_range() to close all file
descriptors. If the interface isn't available use the previous
approach.
Link: https://github.com/linux-pam/linux-pam/pull/276
Resolves: https://issues.redhat.com/browse/RHEL-5099
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
| |
|
|
|
|
| |
Without the change locales are not visible to applications using PAM if
PAM library is installed into a --prefix= different from the default
one.
|
| |
|
|
|
|
|
|
| |
* configure.ac: add `gdbm` option to `enable-db`
* modules/pam_userdb/pam_userdb.c: conditionally provide database access
depending on the database technology
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
| |
|
|
|
|
|
|
| |
Allow the user to not build the examples through --disable-examples
(enabled by default); this can be useful:
- when cross-compiling, as the examples are not useful
- in distribution builds, not building stuff that is not used in any
way
|
| |
|
|
|
| |
* configure.ac (AC_INIT): Raise version to 1.5.3.
* NEWS: Update.
|
| |
|
|
|
|
|
| |
* Make.xml.rules.in: Avoid conflicting profile.condition settings.
* configure.ac: Likewise.
Resolves: https://github.com/linux-pam/linux-pam/issues/553
|
| |
|
|
|
|
| |
configure.ac: Disable NIS if RPC or YP header files are missing
modules/pam_unix/support.c: Use HAVE_NIS to check for header file presence
modules/pam_unix/pam_unix_passwd.c: Use HAVE_NIS, too
|
| |
|
|
|
|
|
|
|
|
| |
Avoid compiler optimizations to elide the memory erasure by using a
secure method: either memset_explicit() [C23], bzero_explicit() [glibc
2.25] or a manual memory barrier.
Since the current helpers _pam_overwrite*() and _pam_drop_reply() are
publicly exported, create new ones in "pam_inline.h" and deprecate the
old ones.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The struct utmp from glibc uses on many 64bit architectures a 32bit
time_t for compatibility with a 32bit userland, which means utmp will
not survive the year 2038 (32bit time_t overflow). Use the data from
logind instead of utmp.
* configure.ac: Add option --enable-logind
* modules/pam_issue/Makefile.am: Add CFLAGS/LIBS for logind support
* modules/pam_issue/pam_issue.c: Use sd_get_sessions instead of utmp
* modules/pam_timestamp/Makefile.am: Add CFLAGS/LIBS for logind support
* modules/pam_timestamp/pam_timestamp.c: query logind for login time
|
| |
|
|
|
|
|
|
|
|
|
|
| |
pam_lastlog uses utmp, wtmp, btmp and lastlog. None of them is Y2038
safe, even on 64bit architectures. Most 64bit architectures use 32bit
time_t for compat reasons with 32bit userland.
Additionally, all relevant tools for which pam_lastlog would make sense
already have their own support for all four files, so this module will
most likely only create duplicate entries.
* configure.ac: don't build pam_lastlog by default.
* ci/run-build-and-tests.sh: enable pam_lastlog.
|
| |
|
|
|
|
|
|
|
| |
Otherwise the corresponding files are still installed in /etc/security.
* configure.ac (AC_SUBST): Add VENDOR_SCONFIGDIR.
(AM_CONDITIONAL): Add HAVE_VENDORDIR.
* modules/*/Makefile.am (secureconfdir): Set to VENDOR_SCONFIGDIR
if HAVE_VENDORDIR has been set, otherwise to SCONFIGDIR.
|
| |
|
|
|
|
|
|
|
| |
* configure.ac: Define HAVE_NIS if NIS is enabled.
* modules/pam_unix/Makefile.am: Don't link against yppasswd_xdr.c
if NIS is disabled.
* modules/pam_unix/pam_unix_passwd.c: Don't redefine HAVE_NIS.
Resolves: https://github.com/linux-pam/linux-pam/issues/523
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changed files
--------------
Make.xml.rules.in:
- Using RNG file instead of DTD file for checking XML files.
- Taking the correct stylesheet for README files.
doc/sag/Makefile.am, doc/adg/Makefile.am, doc/mwg/Makefile.am:
- Using RNG file instead of DTD file for checking XML files.
configure.ac:
- Adding a new option for selecting RNG check file (-enable-docbook-rng)
- Switching stylesheets to docbook 5
- Checking DocBook 5 environment instead of DocBook 4 environment
*.xml:
Update from DockBook 4 to DocBook 5
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Use the vendor directory as fallback for a distribution provided default
config if there is no one in /etc.
* Makefile.am: Add libeconf setting.
* pam_env.c: Take care about the fallback configuration in the vendor directory.
* pam_env.8.xml: Add description for the vendor directory.
* pam_env.conf.5.xml: Add description for the vendor directory.
* tst-pam_env-retval.c: Add tests for libeconf.
* configure.ac: Add ECONF settings for building man pages.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
default config if there is no one in /etc.
If pam will be compiled with the option --enable-vendordir=<vendor_dir> and
NOT defined --disable-econf, the files which define valid login shells will
be parsed in following order:
- <vendor_dir>/shells
- <vendor_dir>/shells.d/*
- /etc/shells.d/shells
But all files in <vendor_dir> will be ingnored if the user has defined his
own file /etc/shells.
This commit solves issue: https://github.com/linux-pam/linux-pam/issues/498
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before this change, all stylesheets were hardcoded.
With this change, stylesheets can be defined at configure stage.
* configure.ac: Add new options to configure stylesheets:
--enable-html-stylesheet=FILE
--enable-txt-stylesheet=FILE
--enable-pdf-stylesheet=FILE
--enable-man-stylesheet=FILE
* doc/custom-html.xsl: Rename to doc/custom-html.xsl.in, parametrize html
stylesheet.
* doc/custom-man.xsl: Rename to doc/custom-man.xsl.in, parametrize man
stylesheet.
* doc/.gitignore: Add custom-man.xsl and custom-html.xsl.
* doc/adg/Makefile.am: Use stylesheet variables.
* doc/mwg/Makefile.am: Likewise.
* doc/sag/Makefile.am: Likewise.
Resolves: https://github.com/linux-pam/linux-pam/pull/499
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the following error with Clang 15 (which makes implicit function
declarations an error by default):
```
+error: call to undeclared library function 'exit' with type 'void (int) __attribute__((noreturn))'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
exit(0);
^
note: include the header <stdlib.h> or explicitly provide a declaration for 'exit'
```
Signed-off-by: Sam James <sam@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_usertype/pam_usertype.c (pam_usertype_is_system): Stop
using SYS_UID_MIN to check if it is a system account, because all
accounts below the SYS_UID_MAX are system users.
* modules/pam_usertype/pam_usertype.8.xml: Remove reference to SYS_UID_MIN
as it is no longer used to calculate the system accounts.
* configure.ac: Remove PAM_USERTYPE_SYSUIDMIN.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1949137
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
| |
|
|
|
|
|
| |
This is a VENDORDIR version of SCONFIGDIR macro, defined to
VENDORDIR"/security" when --enable-vendordir is used for build.
* configure.ac (AC_DEFINE_UNQUOTED): Add VENDOR_SCONFIGDIR.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use SCONFIGDIR macro instead of open-coding "/etc/security",
the latter is not correct when configured using --enable-sconfigdir
with an argument different from /etc/security.
* modules/pam_faillock/faillock.h (FAILLOCK_DEFAULT_CONF): Use
SCONFIGDIR.
* modules/pam_namespace/pam_namespace.h (SECURECONF_DIR): Remove.
(PAM_NAMESPACE_CONFIG, NAMESPACE_INIT_SCRIPT, NAMESPACE_D_DIR,
NAMESPACE_D_GLOB): Use SCONFIGDIR.
* modules/pam_namespace/Makefile.am (AM_CFLAGS): Remove
-DSECURECONF_DIR.
* modules/pam_pwhistory/opasswd.c (OLD_PASSWORDS_FILE): Use SCONFIGDIR.
* modules/pam_unix/passverify.h: Likewise.
* modules/pam_unix/passverify.c (OPW_TMPFILE): Use SCONFIGDIR.
|
| |
|
|
|
|
|
|
|
| |
Follow the VENDORDIR example and introduce a macro defined to the
argument of --enable-sconfigdir option. Unlike --enable-vendordir,
--enable-sconfigdir has a default value, so when --enable-sconfigdir
is not used for build, SCONFIGDIR will be defined to that default value.
* configure.ac (AC_DEFINE_UNQUOTED): Add SCONFIGDIR.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libxcrypt provides a libcrypt.pc file so use it if available as this
will allow to retrieve the library path (e.g.
-L/home/buildroot/output/host//riscv64-buildroot-linux-musl/sysroot/usr/lib)
which is useful when cross-compiling and will avoid the following build
failure on buildroot:
/home/buildroot/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/riscv64-buildroot-linux-musl/10.2.0/../../../../riscv64-buildroot-linux-musl/bin/ld: .libs/passverify.o: in function `.L30':
passverify.c:(.text+0x368): undefined reference to `crypt_checksalt'
Fixes:
- http://autobuild.buildroot.org/results/20b14e222b35c2d1269960075832b784ba81aa1a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
| |
|
|
|
| |
* configure.ac (AC_INIT): Raise version to 1.5.2.
* NEWS: Update.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Fix the following build failure with libxcrypt and uclibc-ng:
ld: unix_chkpwd-passverify.o: in function `verify_pwd_hash':
passverify.c:(.text+0xab4): undefined reference to `crypt_checksalt'
Fixes:
- http://autobuild.buildroot.org/results/65d68b7c9c7de1c7cb0f941ff9982f93a49a56f8
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* .gitignore: Add .pc files as they are generated by autoconf.
* configure.ac: Generate .pc files for libpam, libpam_misc and libpamc.
* libpam/Makefile.am: Install pam.pc.
* libpam/pam.pc.in: New file.
* libpam_misc/Makefile.am: Install pam_misc.pc
* libpam_misc/pam_misc.pc.in: New file.
* libpamc/Makefile.am: Install pamc.pc
This allow applications and PAM modules to automatically find libpam,
libpam_misc and libpamc if they are installed instead of having to
manually search for them.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since many distributions are shipping a version of libxcrypt >= 4.0.0
as a replacement for glibc's libcrypt now, older versions of xcrypt,
which could be installed in parallel, are not relevant anymore.
* configure.ac (AC_CHECK_HEADERS): Remove xcrypt.h.
(AC_SEARCH_LIBS): Remove xcrypt.
(AC_CHECK_FUNCS): Remove crypt_gensalt_r.
(AC_DEFINE): Remove HAVE_LIBXCRYPT.
* modules/pam_pwhistory/opasswd.c [HAVE_LIBXCRYPT]: Remove.
* modules/pam_unix/bigcrypt.c [HAVE_LIBXCRYPT]: Likewise.
* modules/pam_userdb/pam_userdb.c [HAVE_LIBXCRYPT]: Likewise.
* modules/pam_unix/passverify.c [HAVE_LIBXCRYPT]: Likewise.
(create_password_hash) [HAVE_LIBXCRYPT]: Likewise.
|
| | |
|
| |
|
|
|
|
|
|
| |
Add --with-misc-conv-bufsize=<number> option to configure to allow
a longer buffer size for libpam_misc's misc_conv() function (it still
defaults to 512 bytes).
Signed-off-by: Jeff Squyres <jsquyres@cisco.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sha1 is no longer recommended as a cryptographic algorithm for
authentication. Thus, the idea of this change is to replace the
implementation provided by hmacsha1 included in pam_timestamp module by
the one in the openssl library. This way, there's no need to maintain
the cryptographic algorithm implementation and it can be easily changed
with a single configuration change.
modules/pam_timestamp/hmac_openssl_wrapper.c: implement wrapper
functions around openssl's hmac implementation. Moreover, manage the key
generation and its read and write in a file. Include an option to
configure the cryptographic algorithm in login.defs file.
modules/pam_timestamp/hmac_openssl_wrapper.h: likewise.
modules/pam_timestamp/pam_timestamp.c: replace calls to functions
provided by hmacsha1 by functions provided by openssl's wrapper.
configure.ac: include openssl dependecy if it is enabled.
modules/pam_timestamp/Makefile.am: include new files and openssl library
to compilation.
ci/install-dependencies.sh: include openssl library to dependencies.
NEWS: add new item to next release.
Make.xml.rules.in: add stringparam profiling for hmac
doc/custom-man.xsl: change import docbook to one with profiling
modules/pam_timestamp/pam_timestamp.8.xml: add conditional paragraph to
indicate the value in /etc/login.defs that holds the value for the
encryption algorithm
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1947294
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* Add this option to support the following scenario:
prefix = '/usr'
servicedir = '/lib/systemd/system'
* The default behavior is changed:
If this option is not given, servicedir will be set to the value that is
obtained from systemd pkg-config file. If the value cannot be obtained,
servicedir will be set to the default value '$(prefix)/lib/systemd/system'.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
|
| |
|
|
|
|
|
|
|
|
| |
Fixes `test: too many arguments` when building Linux-PAM using sbase.
This is due to a non-POSIX syntax test ... -a ... and test ... -o ....
> The XSI extensions specifying the -a and -o binary primaries and the
> '(' and ')' operators have been marked obsolescent.
See https://pubs.opengroup.org/onlinepubs/9699919799/utilities/test.html
|
| |
|
|
| |
* configure.ac (AC_INIT): Raise version to 1.5.1.
|
| |
|
|
|
| |
* configure.ac (AC_INIT): Raise version to 1.5.0.
* NEWS: Update.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Remove
--enable-tally --enable-tally2.
* configure.ac: Remove --enable-tally and --enable-tally2 options.
(AM_CONDITIONAL): Remove COND_BUILD_PAM_TALLY and COND_BUILD_PAM_TALLY2.
(AC_CONFIG_FILES): Remove modules/pam_tally/Makefile and
modules/pam_tally2/Makefile.
* doc/sag/pam_tally.xml: Remove.
* doc/sag/pam_tally2.xml: Likewise.
* doc/sag/Linux-PAM_SAG.xml: Do not include pam_tally.xml and
pam_tally2.xml.
* modules/Makefile.am (MAYBE_PAM_TALLY, MAYBE_PAM_TALLY2): Remove.
(SUBDIRS): Remove MAYBE_PAM_TALLY and MAYBE_PAM_TALLY2.
* modules/pam_tally/.gitignore: Remove.
* modules/pam_tally/Makefile.am: Likewise.
* modules/pam_tally/README.xml: Likewise.
* modules/pam_tally/faillog.h: Likewise.
* modules/pam_tally/pam_tally.8.xml: Likewise.
* modules/pam_tally/pam_tally.c: Likewise.
* modules/pam_tally/pam_tally_app.c: Likewise.
* modules/pam_tally/tst-pam_tally: Likewise.
* modules/pam_tally2/.gitignore: Likewise.
* modules/pam_tally2/Makefile.am: Likewise.
* modules/pam_tally2/README.xml: Likewise.
* modules/pam_tally2/pam_tally2.8.xml: Likewise.
* modules/pam_tally2/pam_tally2.c: Likewise.
* modules/pam_tally2/pam_tally2_app.c: Likewise.
* modules/pam_tally2/tallylog.h: Likewise.
* modules/pam_tally2/tst-pam_tally2: Likewise.
* modules/pam_timestamp/pam_timestamp_check.8.xml: Fix typo by replacing
pam_tally with pam_timestamp.
* po/POTFILES.in: Remove ./modules/pam_tally/pam_tally_app.c,
./modules/pam_tally/pam_tally.c, ./modules/pam_tally2/pam_tally2_app.c,
and ./modules/pam_tally2/pam_tally2.c.
* NEWS: Document this change.
|
