| Commit message | Author | Age | Files | Lines |
| |
The pam_assemble_line function is renamed to pam_line_assemble and
moved into libpam_internal so it can be shared across libpam and the
pam_env module.
Applied renaming to all other relevant functions and data structures
so it is easier to locate them in files.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
That function is being added to C23 with the same prototype
as memset(3):
void* memset_explicit(void*, int, size_t);
Unlike bzero, it accepts the fill byte as an argument.
Fixes: 19a292681789 ("libpam: introduce secure memory erasure helpers")
| |
Move function bodies from headers into dedicated object files stored in
libpam_internal. This library won't be installed.
Keep the debug function body in header, even though disabled when
building Linux-PAM, to stay API compatible with previous versions.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
If configure option --enable-read-both-confs is used, the build
fails with 1.6.0 due to missing stack level depth argument passed to
_pam_parse_conf_file.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Resolves: https://github.com/linux-pam/linux-pam/issues/736
Fixes: v1.6.0~205 ("libpam: avoid infinite recursion with includes")
| |
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
These are leftovers from fgets usages.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
Use getrandom to retrieve random numbers for delay calculation.
If it fails or is not available, keep using current algorithm.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
If a delay close to UINT_MAX has been set, then the delay computation
might overflow the value due to added randomness.
Systems where linux-pam is in use should generally have a 32 bit
unsigned int and a 64 bit unsigned long long, and a time_t of either
64 bit or 32 bit. Under these assumptions, using the result for delay is
safe because of the division before assigning it to tv_sec (time_t).
Thought about using uint64_t type here but as long as "unsigned int"
is part of the API instead of uint32_t, no proper guarantees could be
made anyway.
Unfortunately we have to supply an unsigned int if a PAM_FAIL_DELAY
function has been set. In such a case, supply a UINT_MAX if delay is
larger than that. It's the best we can do without breaking the API.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
To use _pam_assemble_line in pam_env, we must be able to modify the
replacement of an escaped newline. The PAM configuration replaces it
with a blank, while pam_env fully removes it.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
This follows the idiom of debug functions which reside in headers to
allow their usage within libpam itself and its modules without adding
modutil functions, i.e. extending the API.
No functional change.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
The declaration uses static keyword, the definition does not.
Fix the definition, because the function is only used in this
file.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
Avoid potential dangling-else issues by wrapping macros inside a while
loop.
| |
Reported by clang-tidy.
| |
Use getline in _pam_assemble_line to allow very long lines.
Also handle escaped newlines and NUL bytes better, even though
the latter are not valid for text files.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
This support has to be added before arbitrarily long lines are allowed
in configuration files.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
The input string "s" is duplicated into "sbuf" and tokens copied from
there into target memory "our_argv".
Since "our_argv" is allocated to be always large enough to keep the
whole string "s" (plus pointers) in it, we can skip "sbuf" entirely.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
Suggested-by: Benny Baumann <BenBE@geshi.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
The D macro itself already adds the function names.
It is a follow up to 79f97b5dfddbd54942036851e49c369502689853.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
Very long strings could overflow the int data type. Make sure to use
the correct data type.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
The C standard guarantees that if the argument of free() is a null
pointer, no action occurs.
| |
Apparently, getline is being used unconditionally in pam_namespace and
pam_sepermit. In pam_namespace, it is being used since 2006 when the
module was introduced in the first place.
Let's assume getline is universally available and let's use it
unconditionally in other cases, too.
* configure.ac (AC_CHECK_FUNCS): Remove getline and getdelim.
* libpam/pam_modutil_searchkey.c (pam_modutil_search_key): Use getline
unconditionally.
* modules/pam_pwhistory/opasswd.c (check_old_pass, save_old_pass):
Likewise.
* modules/pam_shells/pam_shells.c (perform_check): Likewise.
| |
This already implies that the passwd file itself is broken. Yet do not
skip lines by accident due to fgets limitations.
As a positive side effect, arbitrarily long lines and user names are
supported now as well.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
Since format is a constant, the table can be skipped. Use
strspn/strcspn instead which might even be optimized compared
to custom for loops.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
It is always the same format.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
The _pam_StrTok function resembles strtok_r instead of strtok. For
upcoming changes the naming should not relate to strtok anymore.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
The size arguments to pam_modutil_read and pam_modutil_write are of
type int. If a negative value is specified, fail with -1 instead of
returning 0, indicating "just" a short read or write.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
This is much easier to read, does the same and is less prone
to getting memcpy and strcpy wrong.
Signed-off-by: Benny Baumann <BenBE@geshi.org>
| |
* libpam/pam_misc.c (_pam_mkargv): Return 0 in case of memory allocation
failure.
| |
When there's a loop of configuration files consisting solely of includes
the recursion depth level is never incremented and thus no upper limit is
enforced. This leads to a crash caused by a stack overflow.
This patch updates the logic to track both the number of includes as well
as the number of substacks we are on; ultimately adding a new parameter
to track this information.
Signed-off-by: Benny Baumann <BenBE@geshi.org>
| |
Marking the functions _pam_output_debug and _pam_output_debug_info as
potentially unused reduces the noise when compiling in debug mode.
The warning is produced whenever _pam_macros.h is included, but no
debug output is produced by the module. Just marking the function
as static inline, which would have a similar effect, does not work
for various reasons and instead produces new issues.
Thus silencing this warning by telling the compiler about our intentions
with these functions is the better approach.
Signed-off-by: Benny Baumann <BenBE@geshi.org>
| |
Marking _pam_output_debug as printf-style function allows the compiler to
check for potential errors at places where this function is called, like
mismatches in the argument types or insufficient number of arguments.
Signed-off-by: Benny Baumann <BenBE@geshi.org>
| |
The value returned by the preceding _pam_dispatch has been limited to
PAM_INCOMPLETE by the point this debug output is generated. Thus there
is no point in repeating it in the message - in fact it was not even
part of the format string before, thus adding it would make no sense.
On the other hand, if there is no place to print the (known) value of
retval here, there's also no point in providing it to the debug output
function either. Thus let's drop it.
Signed-off-by: Benny Baumann <BenBE@geshi.org>
| |
While the underlying type for setting the TTY was correct, the
additional output neglected to include the type cast necessary when
actually printing the data. This is rectified here.
Signed-off-by: Benny Baumann <BenBE@geshi.org>
| |
Several debug messages were using %u (unsigned int) instead of the
contextually correct %zu (size_t AKA long unsigned int), potentially
causing silent truncation of the printed value.
Signed-off-by: Benny Baumann <BenBE@geshi.org>
| |
Previously, there was a missing argument to the debug output within
_pam_dispatch when _pam_dispatch_aux returned an error. This updates
the debug message in that situation to include the module name that
was involved with the failure.
Signed-off-by: Benny Baumann <BenBE@geshi.org>
| |
The argument vector for a module is created in _pam_parse_conf_file,
which is performed by _pam_mkargv. If memory allocation fails in
_pam_mkargv, then an empty argv is returned. This has to be checked by
the caller to not silently drop arguments requested by configuration.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
It is possible to trigger a signed integer overflow when parsing
jump numbers for pam return types.
Fail if the number becomes too large.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
It is not required to cast the results of calloc, malloc,
realloc, etc.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
The first argument of IF_NO_PAMH is supposed to be the name of the
function which was called with pamh being NULL.
With __FUNCTION__ the name can be inserted automatically by the
compiler which is also already done with D macro.
Fixes a bug in which _pam_drop_env erroneously logs with the
function name _pam_make_env.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
Reading "other" is not meant as a file, which the debug message might
look like. Copy the same debug message used when opening a module.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
The D macro itself already adds the function names.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
The D macro itself already adds the function names.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
If a configuration file contains lines which are longer than 1024
characters, _pam_assemble_line splits them into multiple ones.
This may lead to comments being interpreted as actual configuration
lines.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
An endless loop with fgets can be triggered if exactly one free byte
is left in buffer, because fgets will fill this byte with \0 without
reading any further data from file.
This requires an invalid system configuration.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>