path: root/libpam
Commit message [Author; Age; Files; Lines]
* libpam: simplify IF_NO_PAMH [Tobias Stoeckmann; 2023-11-12; files: 12; lines: -27/+27]
| The first argument of IF_NO_PAMH is supposed to be the name of the function which was called with pamh being NULL. With __FUNCTION__ the name can be inserted automatically by the compiler which is also already done with D macro. Fixes a bug in which _pam_drop_env erroneously logs with the function name _pam_make_env.
| Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: improve debug message [Tobias Stoeckmann; 2023-11-12; files: 1; lines: -1/+1]
| Reading "other" is not meant as a file, which the debug message might look like. Copy the same debug message used when opening a module.
| Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: fix typo in debug message [Tobias Stoeckmann; 2023-11-12; files: 1; lines: -1/+1]
| Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: remove function prefix in debug messages [Tobias Stoeckmann; 2023-11-12; files: 1; lines: -1/+1]
| The D macro itself already adds the function names.
| Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: remove function prefixes in debug messages [Tobias Stoeckmann; 2023-11-12; files: 3; lines: -28/+27]
| The D macro itself already adds the function names.
| Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: stop processing excessively long lines [Tobias Stoeckmann; 2023-11-12; files: 1; lines: -0/+6]
| If a configuration file contains lines which are longer than 1024 characters, _pam_assemble_line splits them into multiple ones. This may lead to comments being interpreted as actual configuration lines.
| Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: avoid endless loop on long config line [Tobias Stoeckmann; 2023-11-12; files: 1; lines: -1/+1]
| An endless loop with fgets can be triggered if exactly one free byte is left in buffer, because fgets will fill this byte with \0 without reading any further data from file. This requires an invalid system configuration.
| Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: improve debug output [Tobias Stoeckmann; 2023-11-12; files: 1; lines: -1/+7]
| The debug output of environment variables tries to properly format pointers in a right-aligned way. 9 characters are not enough for 32 bit pointers though due to prepended 0x. Also, it takes 18 for 64 bit systems. Adjust the formatter properly for architectures.
| Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: fix possible heap overflow in _pam_strdup [Tobias Stoeckmann; 2023-11-10; files: 1; lines: -1/+1]
| It is possible to trigger an integer overflow in _pam_strdup if the passed string is longer than INT_MAX, which could lead to a smaller memory allocation than needed for the strcpy call. This in turn could lead to a heap overflow.
| Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam: use close_range() to close file descriptors [Iker Pedrosa; 2023-10-25; files: 1; lines: -2/+17]
| * configure.ac: check whether close_range() is available in the system.
| * libpam/pam_modutil_sanitize.c: use close_range() to close all file descriptors. If the interface isn't available use the previous approach.
| Link: https://github.com/linux-pam/linux-pam/pull/276
| Resolves: https://issues.redhat.com/browse/RHEL-5099
| Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
* pam_env: fix handling of huge strings [Tobias Stoeckmann; 2023-10-13; files: 1; lines: -3/+4]
| pam_putenv and pam_getenv do not properly handle strings which are longer than 2 GB (INT_MAX). In pam_putenv the l2eq variable could overflow and turn negative, leading to out of boundary access (after the fact that signed integer overflow is undefined behavior). In pam_getenv a very long string could lead to a small int value so other environment variables could match. The easiest fix for both is to use size_t.
| Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_start.c: call bindtextdomain() to expose Linux-PAM locales [Sergei Trofimovich; 2023-08-25; files: 2; lines: -0/+16]
| Without the change locales are not visible to applications using PAM if PAM library is installed into a --prefix= different from the default one.
* libpam: avoid reserved variable names in macros [Christian Göttsche; 2023-08-07; files: 1; lines: -13/+13]
| Identifiers starting with an underscore are reserved by the C standard. Also avoid double underscores, which are reserved by C++, in header file.
* libpam: cast to unsigned char for character handling function [Christian Göttsche; 2023-08-07; files: 4; lines: -9/+9]
| Character handling functions, like isspace(3), expect a value representable as unsigned char or equal to EOF. Otherwise the behavior is undefined.
| See https://wiki.sei.cmu.edu/confluence/display/c/STR37-C.+Arguments+to+character-handling+functions+must+be+representable+as+an+unsigned+char
* pam_start: free handlers on handler init failure [Christian Göttsche; 2023-08-07; files: 1; lines: -0/+1]
| If the pam handlers fail to initialize halfway, clean them up afterwards. Since we set the handle to NULL callers can't clean them.
* tests: define PATH_MAX if not available [Pino Toscano; 2023-05-11; files: 1; lines: -0/+5]
| PATH_MAX is optional in POSIX, and not defined on GNU/Hurd; since these sources are tests, it is fine to hardcode a fallback value that allows the tests to build and run.
* libpam: simplify string copying using strdup [Christian Göttsche; 2023-03-04; files: 1; lines: -5/+1]
|
* libpam: make use of secure memory erasure [Christian Göttsche; 2023-02-28; files: 7; lines: -41/+48]
| Non trivial changes:
| - erase responses in pam_get_authtok_internal() on error branch
* libpam: introduce secure memory erasure helpers [Christian Göttsche; 2023-02-28; files: 3; lines: -10/+84]
| Avoid compiler optimizations to elide the memory erasure by using a secure method: either memset_explicit() [C23], bzero_explicit() [glibc 2.25] or a manual memory barrier. Since the current helpers _pam_overwrite*() and _pam_drop_reply() are publicly exported, create new ones in "pam_inline.h" and deprecate the old ones.
* libpam: use getlogin() from libc and not utmp [Thorsten Kukuk; 2023-02-14; files: 1; lines: -41/+11]
| utmp uses 32bit time_t for compatibility with 32bit userland on some 64bit systems and is thus not Y2038 safe. Use getlogin() from libc which avoids using utmp and is more safe than the old utmp-based implementation by using /proc/self/loginuid.
| * libpam/pam_modutil_getlogin.c: Use getlogin() instead of parsing utmp
* Enable format compiler warnings [Christian Göttsche; 2023-01-30; files: 2; lines: -6/+20]
| * libpam/include/pam_cc_compat.h (DIAG_PUSH_IGNORE_FORMAT_NONLITERAL, DIAG_POP_IGNORE_FORMAT_NONLITERAL): New macros.
| * libpam/pam_handlers.c (_pam_open_config_file): Use them to exempt usage of format string literals from a constant array.
| * m4/warn_lang_flags.m4 (gl_WARN_ADD): Add -Wformat=2.
* libpam: remove dead code in pam_dynamic.c [Dmitry V. Levin; 2023-01-24; files: 1; lines: -83/+1]
| Apparently, the PAM_SHL variant cannot be compiled since the very first commit back in 2005 when it was introduced, and another variant uses PAM_DYLD which is virtually unknown to search engines.
| * libpam/pam_dynamic.c [PAM_SHL || PAM_DYLD]: Remove.
| Resolves: https://github.com/linux-pam/linux-pam/issues/477
* libpam*: For uncommon prefixes, provide substitution variables in pkgconfig files. [Felix Lechner; 2022-09-28; files: 1; lines: -0/+2]
| Fix undefined references to ${exec_prefix} in pkgconfig files on Guix.
| The subsequent declarations of ${libdir} and ${includedir} in the same files require this commit when ${prefix} is set to something other than /usr.
| When the pkgconfig files were initially provided, the two lines added here were dropped for what seemed like a good reason. [1] In the common case of a /usr prefix, 'configure.ac' sets ${libdir} and possibly ${includedir} explicitly [2] so the additional lines were then not needed.
| Guix and probably Nix too, however, depart from the Filesystem Hierarchy Standard and require the missing lines. Without those lines, the pkgconfig files are defective on Guix. [3] Since working systems are not affected, the lines are added for all.
| The fix was confirmed for Guix. One of the files looked like this:
|
|     prefix=/gnu/store/3mcmjilqrivrpb3hvps32lnbnyrxrzr8-linux-pam-1.5.2-1.dc2f566
|     exec_prefix=${prefix}
|     libdir=${exec_prefix}/lib
|     includedir=/gnu/store/3mcmjilqrivrpb3hvps32lnbnyrxrzr8-linux-pam-1.5.2-1.dc2f566/include/security
|     Name: PAM
|     Description: The primary Linux-PAM library. It is used by PAM modules and PAM-aware applications.
|     URL: http://www.linux-pam.org/
|     Version: 1.5.2
|     Cflags: -I${includedir}
|     Libs: -L${libdir} -lpam
|
| * libpam/pam.pc.in, libpamc/pamc.pc.in, libpam_misc/pam_misc.pc.in: Add @prefix@ and @exec_prefix@.
| Resolves: https://github.com/linux-pam/linux-pam/issues/466
| [1] https://github.com/linux-pam/linux-pam/pull/369#discussion_r650557756
| [2] https://github.com/linux-pam/linux-pam/blob/40c271164dbcebfc5304d0537a42fb42e6b6803c/configure.ac#L28-L36
| [3] https://github.com/linux-pam/linux-pam/issues/466
* libpam: improve pam_modutil_search_key() doc [Iker Pedrosa; 2022-07-15; files: 1; lines: -1/+10]
| * libpam/include/security/pam_modutil.h: Improve the pam_modutil_search_key() interface documentation.
| Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
* _pam_add_handler: make sure struct handler is properly initialized on error path [Dmitry V. Levin; 2022-07-15; files: 1; lines: -10/+4]
| * libpam/pam_handlers.c (_pam_add_handler): Use calloc instead of malloc for struct handler allocation to avoid returning garbage in some fields of the structure on error path.
| Resolves: https://github.com/linux-pam/linux-pam/issues/475
* libpam: Fix undefined reference to `libintl_dgettext` on musl [Jakov Smolić; 2022-02-04; files: 1; lines: -1/+1]
| * libpam/Makefile.am (libpam_la_LIBADD): Add @LTLIBINTL@.
| Resolves: https://github.com/linux-pam/linux-pam/pull/433
* Add pkgconfig files for provided libraries [Mathieu Trossevin; 2021-06-14; files: 2; lines: -0/+13]
| * .gitignore: Add .pc files as they are generated by autoconf.
| * configure.ac: Generate .pc files for libpam, libpam_misc and libpamc.
| * libpam/Makefile.am: Install pam.pc.
| * libpam/pam.pc.in: New file.
| * libpam_misc/Makefile.am: Install pam_misc.pc
| * libpam_misc/pam_misc.pc.in: New file.
| * libpamc/Makefile.am: Install pamc.pc
| This allows applications and PAM modules to automatically find libpam, libpam_misc and libpamc if they are installed instead of having to manually search for them.
* libpam: add supplementary groups on priv drop [Allison Karlitskaya; 2020-11-10; files: 1; lines: -4/+13]
| Replace the setgroups(0, NULL) call in pam_modutil_drop_priv() with a call to initgroups(). This makes sure that the user's supplementary groups are also configured. Fall back to setgroups(0, NULL) in case the initgroups() call fails.
| This fixes the permission check in pam_motd: this feature was intended to allow setting permissions on a motd file to prevent it from being shown to users who are not a member of a particular group (for example, wheel).
| Closes #292
* libpam: Fix memory leak on error path in _pam_start_internal() [Andreas Schneider; 2020-11-04; files: 1; lines: -0/+3]
| Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
* libpam: Fix memory leak with pam_start_confdir() [Andreas Schneider; 2020-11-04; files: 1; lines: -0/+3]
| Found with AddressSanitizer in pam_wrapper tests.
|
|     ==985738== 44 bytes in 4 blocks are definitely lost in loss record 18 of 18
|     ==985738==    at 0x4839809: malloc (vg_replace_malloc.c:307)
|     ==985738==    by 0x48957E1: _pam_strdup (pam_misc.c:129)
|     ==985738==    by 0x489851B: _pam_start_internal (pam_start.c:85)
|     ==985738==    by 0x4849C8C: libpam_pam_start_confdir (pam_wrapper.c:418)
|     ==985738==    by 0x484AF94: pwrap_pam_start (pam_wrapper.c:1461)
|     ==985738==    by 0x484AFEE: pam_start (pam_wrapper.c:1483)
|     ==985738==    by 0x401723: setup_noconv (test_pam_wrapper.c:189)
|     ==985738==    by 0x4889E82: ??? (in /usr/lib64/libcmocka.so.0.7.0)
|     ==985738==    by 0x488A444: _cmocka_run_group_tests (in /usr/lib64/libcmocka.so.0.7.0)
|     ==985738==    by 0x403EE5: main (test_pam_wrapper.c:1059)
|
| Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
* pam_dispatch: fix unread store statement [ikerexxe; 2020-11-03; files: 1; lines: -1/+0]
| libpam/pam_dispatch: remove store statement since the value is never read.
* pam_modutil_sanitize_fds: Add explicit casts to avoid warnings [Tomas Mraz; 2020-10-20; files: 1; lines: -3/+3]
|
* Revert "libpam/pam_modutil_sanitize.c: optimize the way to close fds" [Tomas Mraz; 2020-10-20; files: 1; lines: -59/+14]
| This reverts commit 1b087edc7f05237bf5eccc405704cd82b848e761.
* pam_inline.h: cleanup pam_read_passwords a bit [Dmitry V. Levin; 2020-07-15; files: 1; lines: -5/+6]
| * libpam/include/pam_inline.h (pam_read_passwords): Increment pptr once instead of using pptr+1 several times. This change is not expected to affect the code generated by the compiler as the latter is likely to perform the optimization itself.
* Move read_passwords function from pam_unix to pam_inline.h [ikerexxe; 2020-07-15; files: 1; lines: -0/+50]
| [ldv: rewrote commit message]
| * modules/pam_unix/passverify.h (read_passwords): Remove prototype.
| * modules/pam_unix/passverify.c (read_passwords): Move ...
| * libpam/include/pam_inline.h: ... here, rename to pam_read_passwords, add static inline qualifiers. Include <unistd.h> and <errno.h>.
| * modules/pam_unix/unix_chkpwd.c: Include "pam_inline.h".
|   (main): Replace read_passwords with pam_read_passwords.
| * modules/pam_unix/unix_update.c: Include "pam_inline.h".
|   (set_password): Replace read_passwords with pam_read_passwords.
* pam_modutil_check_user_in_passwd: avoid timing attacks [Dmitry V. Levin; 2020-06-16; files: 1; lines: -1/+3]
| * libpam/pam_modutil_check_user.c (pam_modutil_check_user_in_passwd): Do not exit the file reading loop when the user is found, continue reading the file to avoid timing attacks.
* Move check_user_in_passwd from pam_localuser.c to pam_modutil [Fabrice Fontaine; 2020-06-15; files: 4; lines: -0/+101]
| Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
| * modules/pam_localuser/pam_localuser.c: Include <security/pam_modutil.h>.
|   (pam_sm_authenticate): Replace check_user_in_passwd with pam_modutil_check_user_in_passwd.
|   (check_user_in_passwd): Rename to pam_modutil_check_user_in_passwd, move to ...
| * libpam/pam_modutil_check_user.c: ... new file.
| * libpam/Makefile.am (libpam_la_SOURCES): Add pam_modutil_check_user.c.
| * libpam/include/security/pam_modutil.h (pam_modutil_check_user_in_passwd): New function declaration.
| * libpam/libpam.map (LIBPAM_MODUTIL_1.4.1): New interface.
| Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
* Introduce test_assert.h [Dmitry V. Levin; 2020-05-21; files: 2; lines: -1/+56]
| Introduce a new internal header file for definitions of handy macros providing convenient assertion testing functionality.
| * libpam/include/test_assert.h: New file.
| * libpam/Makefile.am (noinst_HEADERS): Add include/test_assert.h.
* pam_get_user: do not override valid values returned by the conversation function [Dmitry V. Levin; 2020-05-06; files: 1; lines: -22/+26]
| When the conversation function returned a value different from PAM_CONV_AGAIN and provided no response, pam_get_user used to replace the return value with PAM_CONV_ERR. Fix this and replace the return value only if it was PAM_SUCCESS.
| * libpam/pam_item.c (pam_get_user): Do not override valid values returned by the conversation function.
* pam_get_user: filter conversation function return values [Dmitry V. Levin; 2020-05-06; files: 1; lines: -0/+10]
| Do not assume that the conversation function provided by the application strictly follows the return values guidelines, replace undocumented return values with PAM_CONV_ERR.
| * libpam/pam_item.c (pam_get_user): If the value returned by the conversation function is not one of PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_AGAIN, or PAM_CONV_ERR, replace it with PAM_CONV_ERR.
* pam_get_user: consistently return PAM_SYSTEM_ERR if user specified a NULL pointer [Dmitry V. Levin; 2020-05-06; files: 1; lines: -2/+2]
| pam_get_user returns PAM_SYSTEM_ERR in case of pamh == NULL. In case of user == NULL, however, it used to return PAM_PERM_DENIED, and in case of NULL conversation function it used to return PAM_SERVICE_ERR.
| According to the documentation, PAM_SYSTEM_ERR shall be returned if a NULL pointer was submitted.
| Fix this inconsistency and return PAM_SYSTEM_ERR in each of these programming error cases.
| * libpam/pam_item.c (pam_get_user): Return PAM_SYSTEM_ERR instead of PAM_PERM_DENIED if user == NULL. Return PAM_SYSTEM_ERR instead of PAM_SERVICE_ERR if pamh->pam_conversation == NULL.
* build: rework vendordir substitution [Dmitry V. Levin; 2020-04-28; files: 1; lines: -3/+0]
| Since Make.xml.rules is the only place where XSLTPROC_CUSTOM was used, remove stereotypic definitions from other Makefiles, this way we no longer have to worry about vendordir being used somewhere else in documentation files.
| Likewise, define VENDORDIR in config.h and remove stereotypic -DVENDORDIR= additions from other Makefiles, this way we no longer have to worry about VENDORDIR being used somewhere else in the code.
| * configure.ac (AM_CONDITIONAL): Remove HAVE_VENDORDIR.
|   (AC_DEFINE_UNQUOTED): Add VENDORDIR.
|   (AC_SUBST): Remove VENDORDIR, add STRINGPARAM_VENDORDIR.
| * Make.xml.rules.in: Replace $(XSLTPROC_CUSTOM) with @STRINGPARAM_VENDORDIR@.
| * doc/man/Makefile.am (XSLTPROC_CUSTOM): Remove.
| * libpam/Makefile.am [HAVE_VENDORDIR]: Remove.
| * modules/pam_securetty/Makefile.am [HAVE_VENDORDIR]: Remove.
|   (XSLTPROC_CUSTOM): Remove.
| * modules/pam_securetty/pam_securetty.c: Move definitions of local macros after config.h to benefit from macros defined there.
* build: cleanup: do not add -DWITH_SELINUX to CFLAGS [Dmitry V. Levin; 2020-04-26; files: 1; lines: -3/+0]
| As WITH_SELINUX is already AC_DEFINE'd in configure.ac, there is no point in adding -DWITH_SELINUX to CFLAGS.
| * libpam/Makefile.am [HAVE_LIBSELINUX] (AM_CFLAGS): Do not add -DWITH_SELINUX.
| * modules/pam_rootok/Makefile.am: Likewise.
| * modules/pam_unix/Makefile.am: Likewise.
* Fix various typos found using codespell tool [Dmitry V. Levin; 2020-03-28; files: 4; lines: -7/+7]
|
* _pam_load_module: reduce redundancy [Dmitry V. Levin; 2020-03-24; files: 1; lines: -9/+16]
| * libpam/pam_handlers.c (_pam_load_module): Reorganize $ISA handling to reduce redundancy.
| Resolves: https://github.com/linux-pam/linux-pam/pull/198
* Introduce pam_str_skip_icase_prefix_len and pam_str_skip_icase_prefix [Dmitry V. Levin; 2020-03-19; files: 1; lines: -0/+15]
| Every time I see a code like
|
|     if (strncasecmp(argv, "remember=", 9) == 0)
|         options->remember = strtol(&argv[9], NULL, 10);
|
| my eyes are bleeding.
| Similar to pam_str_skip_prefix_len() and pam_str_skip_prefix(), introduce a new helper inline function pam_str_skip_icase_prefix_len() and a new macro pam_str_skip_icase_prefix() on top of it, to be used in subsequent commits to cleanup the ugliness.
| * libpam/include/pam_inline.h (pam_str_skip_icase_prefix_len): New function.
|   (pam_str_skip_icase_prefix): New macro.
* Introduce pam_str_skip_prefix_len and pam_str_skip_prefix [Dmitry V. Levin; 2020-03-19; files: 1; lines: -0/+15]
| Every time I see a code like
|
|     if (!strncmp(*argv,"user_readenv=",13))
|         *user_readenv = atoi(13+*argv);
|
| my eyes are bleeding.
| Introduce a new helper inline function pam_str_skip_prefix_len() and a new macro pam_str_skip_prefix() on top of it, to be used in subsequent commits to cleanup the ugliness.
| * libpam/include/pam_inline.h: Include <string.h>.
|   (pam_str_skip_prefix_len): New function.
|   (pam_str_skip_prefix): New macro.
* Use PAM_ARRAY_SIZE [Dmitry V. Levin; 2020-03-19; files: 1; lines: -1/+2]
| Replace all instances of sizeof(x) / sizeof(*x) with PAM_ARRAY_SIZE(x) which is less error-prone and implements an additional type check.
| * libpam/pam_handlers.c: Include "pam_inline.h".
|   (_pam_open_config_file): Use PAM_ARRAY_SIZE.
| * modules/pam_exec/pam_exec.c: Include "pam_inline.h".
|   (call_exec): Use PAM_ARRAY_SIZE.
| * modules/pam_namespace/pam_namespace.c: Include "pam_inline.h".
|   (filter_mntopts): Use PAM_ARRAY_SIZE.
| * modules/pam_timestamp/hmacfile.c: Include "pam_inline.h".
|   (testvectors): Use PAM_ARRAY_SIZE.
| * modules/pam_xauth/pam_xauth.c: Include "pam_inline.h".
|   (run_coprocess, pam_sm_open_session): Use PAM_ARRAY_SIZE.
| * tests/tst-pam_get_item.c: Include "pam_inline.h".
|   (main): Use PAM_ARRAY_SIZE.
| * tests/tst-pam_set_item.c: Likewise.
| * xtests/tst-pam_pwhistory1.c: Likewise.
| * xtests/tst-pam_time1.c: Likewise.
* Introduce pam_inline.h [Dmitry V. Levin; 2020-03-19; files: 3; lines: -1/+52]
| Introduce a new internal header file for definitions of handy inline functions and macros providing some convenient functionality to libpam and its modules.
| * libpam/include/pam_cc_compat.h (PAM_SAME_TYPE): New macro.
| * libpam/include/pam_inline.h: New file.
| * libpam/Makefile.am (noinst_HEADERS): Add include/pam_inline.h.
* Fix remaining clang -Wcast-align compilation warnings [Dmitry V. Levin; 2020-03-19; files: 1; lines: -0/+12]
| Introduce DIAG_PUSH_IGNORE_CAST_ALIGN and DIAG_POP_IGNORE_CAST_ALIGN macros, use them to silence remaining clang -Wcast-align compilation warnings.
| * libpam/include/pam_cc_compat.h (DIAG_PUSH_IGNORE_CAST_ALIGN, DIAG_POP_IGNORE_CAST_ALIGN): New macros.
| * modules/pam_access/pam_access.c: Include "pam_cc_compat.h".
|   (from_match, network_netmask_match): Wrap inet_ntop invocations in DIAG_PUSH_IGNORE_CAST_ALIGN and DIAG_POP_IGNORE_CAST_ALIGN.