path: root/modules/pam_faillock/pam_faillock.c
Commit message | Author | Age | Files | Lines
* Include pam_i18n.h where i18n definitions are required | Dmitry V. Levin | 2024-08-21 | 1 | -0/+1
  Do not include <libintl.h> and other i18n stuff via config.h which is included into every compilation unit, include "pam_i18n.h" explicitly where necessary.

  * configure.ac (AH_BOTTOM): Remove.
  * libpam/pam_get_authtok.c: Include "pam_i18n.h".
  * libpam/pam_item.c: Likewise.
  * libpam/pam_strerror.c: Likewise.
  * libpam_misc/misc_conv.c: Likewise.
  * modules/pam_exec/pam_exec.c: Likewise.
  * modules/pam_faillock/main.c: Likewise.
  * modules/pam_faillock/pam_faillock.c: Likewise.
  * modules/pam_lastlog/pam_lastlog.c: Likewise.
  * modules/pam_limits/pam_limits.c: Likewise.
  * modules/pam_mail/pam_mail.c: Likewise.
  * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
  * modules/pam_pwhistory/pam_pwhistory.c: Likewise.
  * modules/pam_selinux/pam_selinux.c: Likewise.
  * modules/pam_selinux/pam_selinux_check.c: Likewise.
  * modules/pam_timestamp/pam_timestamp.c: Likewise.
  * modules/pam_unix/pam_unix_acct.c: Likewise.
  * modules/pam_unix/pam_unix_passwd.c: Likewise.
  * modules/pam_userdb/pam_userdb.c: Likewise.
* pam_faillock: fix compilation warning | Dmitry V. Levin | 2024-08-16 | 1 | -6/+12
  * modules/pam_faillock/pam_faillock.c (check_tally, write_tally) [HAVE_LIBAUDIT]: Check audit_log_user_message() return value.
* pam_faillock: close the audit socket after use | Iker Pedrosa | 2024-05-23 | 1 | -0/+1
  * modules/pam_faillock/pam_faillock.c (check_tally): Close the audit socket when it will no longer be used.

  ```
  Error: RESOURCE_LEAK (CWE-772):
  Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: open_fn: Returning handle opened by "audit_open".
  Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: var_assign: Assigning: "audit_fd" = handle returned from "audit_open()".
  Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:256: noescape: Resource "audit_fd" is not freed or pointed-to in "audit_log_user_message".
  Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:258: leaked_handle: Handle variable "audit_fd" going out of scope leaks the handle.
  256| audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
  257| rhost, NULL, tty, 1);
  258|-> }
  259| #endif
  260| opts->flags |= FAILLOCK_FLAG_UNLOCKED;
  ```

  Resolves: https://issues.redhat.com/browse/RHEL-36475
  Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
* pam_faillock: do not truncate arguments | Tobias Stoeckmann | 2024-01-02 | 1 | -7/+11
  The FAILLOCK_CONF_MAX_LINELINE limitation is not true for arguments which derive from pam configuration file.

  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_faillock: fix formatting of audit messages | Steve Grubb | 2023-08-04 | 1 | -2/+2
  pam_faillock uses audit_log_user_message to write to the audit system. It does not take an op argument, so you have to add one yourself. Otherwise the pam_faillock part of the message is lost because it's not in key=value format.

  Also, we can't use uid in that event because the kernel already adds that field. What we normally do is use 'suid' (meaning sender uid) as the field name.
* pam_faillock: avoid logging an erroneous consecutive login failure message | Deepak Das | 2022-11-07 | 1 | -3/+5
  * modules/pam_faillock/pam_faillock.c (write_tally): Avoid logging a consecutive login failure message for the root user in case when even_deny_root is not set.

  Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2082442
* faillock: load configuration from file | Iker Pedrosa | 2022-05-24 | 1 | -9/+6
  * modules/pam_faillock/main.c: Load configuration from file
  * modules/pam_faillock/pam_faillock: Improve tally directory management
  * modules/pam_faillock/faillock_config.c: Print errors
  * modules/pam_faillock/faillock_config.h: Extend options structure and define get_tally_dir().
  * modules/pam_faillock/Makefile.am: Compile faillock_config.c for faillock binary.
  * modules/pam_faillock/faillock.8.xml: Update with the new configuration option.

  Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1978029
  Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
* pam_faillock: move config to its own file | Iker Pedrosa | 2022-05-24 | 1 | -224/+2
  The configuration load can be reused by faillock.

  * modules/pam_faillock/faillock_config.c: Move configuration loading functions (read_config_file and set_conf_opt) to this file.
  * modules/pam_faillock/faillock_config.h: Move configuration loading macros and structures.
  * modules/pam_faillock/Makefile.am: Add faillock_config.
  * modules/pam_faillock/faillock.h: Remove configuration loading macros.
  * modules/pam_faillock/pam_faillock.c: Remove configuration loading functions, macros and structures.

  Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
* pam_faillock: use vendor specific faillock.conf as fallback | Stefan Schubert | 2022-02-01 | 1 | -0/+9
  Use the vendor directory defined by --enable-vendordir=DIR configure option as fallback for the distribution provided default config file if there is no configuration in /etc.

  * modules/pam_faillock/pam_faillock.8.xml: Describe this.
  * modules/pam_faillock/faillock.h [VENDOR_SCONFIGDIR] (VENDOR_FAILLOCK_DEFAULT_CONF): New macro.
  * modules/pam_faillock/pam_faillock.c (read_config_file) [VENDOR_FAILLOCK_DEFAULT_CONF]: Try to open VENDOR_FAILLOCK_DEFAULT_CONF file when FAILLOCK_DEFAULT_CONF file does not exist.

  Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
  Resolves: https://github.com/linux-pam/linux-pam/pull/423
* pam_faillock: remove confusing comment | Dmitry V. Levin | 2021-07-20 | 1 | -1/+0
  * modules/pam_faillock/pam_faillock.c (faillock_message): Remove the comment that meant to help translators but actually confused xgettext.
* faillock: Use pluralization via dngettext or fallback | Kolja | 2021-01-25 | 1 | -1/+16
* faillock: Add a nodelay option | Tavian Barnes | 2020-11-12 | 1 | -1/+7
  Fixes #295
* pam_faillock: fix invalid error message | Mikhail Labiuk | 2020-10-13 | 1 | -3/+9
  The args_parse function passes the "conf=" argument to set_conf_opt() after handling it by itself. set_conf_opt is not able to handle the "conf" argument and writes an error:
  sddm-helper[415]: pam_faillock(sddm:auth): Unknown option: conf
* pam_faillock: fix build on musl | Fabrice Fontaine | 2020-06-15 | 1 | -38/+1
  Use pam_modutil_check_user_in_passwd in pam_faillock.c instead of fgetpwent_r which is not available on musl.

  Resolves: https://github.com/linux-pam/linux-pam/issues/236
  Resolves: https://github.com/linux-pam/linux-pam/pull/237
  Fixes: http://autobuild.buildroot.org/results/0432736ffee376dd84757469434a4bbcfdcdaf4b
  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
* modules: downgrade syslog level for errors related to pam_get_user | Dmitry V. Levin | 2020-05-22 | 1 | -2/+2
  * modules/pam_faillock/pam_faillock.c (get_pam_user): Downgrade the syslog level for diagnostics of errors returned by pam_modutil_getpwnam for users returned by pam_get_user from LOG_ERR to LOG_NOTICE.
  * modules/pam_keyinit/pam_keyinit.c (do_keyinit): Likewise.
  * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
  * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise.
  * modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise.
  * modules/pam_mail/pam_mail.c (_do_mail): Likewise.
  * modules/pam_sepermit/pam_sepermit.c (sepermit_lock): Likewise.
  * modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
  * modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
  * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
  * modules/pam_xauth/pam_xauth.c (pam_sm_open_session, pam_sm_close_session): Likewise.
  * modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Downgrade the syslog level for diagnostics of errors returned by pam_modutil_getpwnam for users returned by pam_get_user from LOG_WARNING to LOG_NOTICE.

  Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
* pam_faillock: return PAM_INCOMPLETE when pam_get_user returns PAM_CONV_AGAIN | Dmitry V. Levin | 2020-05-15 | 1 | -1/+1
  Give the application a chance to handle PAM_INCOMPLETE.

  * modules/pam_faillock/pam_faillock.c (get_pam_user): Return PAM_INCOMPLETE instead of PAM_CONV_AGAIN when pam_get_user returns PAM_CONV_AGAIN.
  * modules/pam_faillock/pam_faillock.8.xml (RETURN VALUES): Document it.
* modules: remove PAM_SM_* macros | Dmitry V. Levin | 2020-05-03 | 1 | -4/+0
  Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support from Linux-PAM), PAM_SM_* macros have no effect.
* pam_faillock: Correct the grammar of translated strings | Tomas Mraz | 2020-04-30 | 1 | -6/+2
  Also make the message the same as in pam_tally2.
* pam_faillock: Add conf option to use a different config file | Tomas Mraz | 2020-04-30 | 1 | -21/+31
* pam_faillock: New module for locking after multiple auth failures | Tomas Mraz | 2020-04-30 | 1 | -0/+773