aboutsummaryrefslogtreecommitdiff
path: root/modules/pam_faillock
Commit message (Collapse)AuthorAgeFilesLines
* build: drop autotools supportDmitry V. Levin2024-10-232-57/+0
| | | | There is no point in supporting two different build systems.
* meson: build Linux-PAM using mesonDmitry V. Levin2024-09-101-0/+1
| | | | | | | | | | On my non-representative hardware, the full build using autotools (./autogen.sh && CFLAGS=-O2 ./configure && make -j`nproc` && make -j`nproc` install) takes about 45 seconds. On the same hardware, the full build using meson (meson setup -Doptimization=2 dir && meson compile -C dir && meson install -C dir) takes just about 7.5 seconds.
* build: rename VENDOR_SCONFIGDIR config.h macro to VENDOR_SCONFIG_DIRDmitry V. Levin2024-08-261-2/+2
| | | | | ... for the same reason SCONFIGDIR config.h macro was renamed to SCONFIG_DIR.
* build: rename SCONFIGDIR config.h macro to SCONFIG_DIRDmitry V. Levin2024-08-251-1/+1
| | | | | | | This way it is visibly different from the configure variable SCONFIGDIR, which is helpful, because their values are slightly different: the macro is quoted while the configure variable is not quoted, and this difference may cause problems with other build systems.
* build: parametrize libtool subdirectoryDmitry V. Levin2024-08-221-13/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | Unhardcode ".libs" subdirectory where libtool stores shared objects, as other build systems doesn't necessarily use it. * configure.ac (AC_DEFINE_UNQUOTED): Add LTDIR. * modules/pam_canonicalize_user/tst-pam_canonicalize_user-retval.c: Replace ".libs/" with LTDIR. * modules/pam_debug/tst-pam_debug-retval.c: Likewise. * modules/pam_deny/tst-pam_deny-retval.c: Likewise. * modules/pam_echo/tst-pam_echo-retval.c: Likewise. * modules/pam_env/tst-pam_env-retval.c: Likewise. * modules/pam_faildelay/tst-pam_faildelay-retval.c: Likewise. * modules/pam_faillock/tst-pam_faillock-retval.c: Likewise. * modules/pam_listfile/tst-pam_listfile-retval.c: Likewise. * modules/pam_localuser/tst-pam_localuser-retval.c: Likewise. * modules/pam_mkhomedir/tst-pam_mkhomedir-retval.c: Likewise. * modules/pam_nologin/tst-pam_nologin-retval.c: Likewise. * modules/pam_permit/tst-pam_permit-retval.c: Likewise. * modules/pam_pwhistory/tst-pam_pwhistory-retval.c: Likewise. * modules/pam_rootok/tst-pam_rootok-retval.c: Likewise. * modules/pam_sepermit/tst-pam_sepermit-retval.c: Likewise. * modules/pam_succeed_if/tst-pam_succeed_if-retval.c: Likewise. * modules/pam_time/tst-pam_time-retval.c: Likewise. * modules/pam_warn/tst-pam_warn-retval.c: Likewise.
* Include pam_i18n.h where i18n definitions are requiredDmitry V. Levin2024-08-212-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | Do not include <libintl.h> and other i18n stuff via config.h which is included into every compilation unit, include "pam_i18n.h" explicitly where necessary. * configure.ac (AH_BOTTOM): Remove. * libpam/pam_get_authtok.c: Include "pam_i18n.h". * libpam/pam_item.c: Likewise. * libpam/pam_strerror.c: Likewise. * libpam_misc/misc_conv.c: Likewise. * modules/pam_exec/pam_exec.c: Likewise. * modules/pam_faillock/main.c: Likewise. * modules/pam_faillock/pam_faillock.c: Likewise. * modules/pam_lastlog/pam_lastlog.c: Likewise. * modules/pam_limits/pam_limits.c: Likewise. * modules/pam_mail/pam_mail.c: Likewise. * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise. * modules/pam_pwhistory/pam_pwhistory.c: Likewise. * modules/pam_selinux/pam_selinux.c: Likewise. * modules/pam_selinux/pam_selinux_check.c: Likewise. * modules/pam_timestamp/pam_timestamp.c: Likewise. * modules/pam_unix/pam_unix_acct.c: Likewise. * modules/pam_unix/pam_unix_passwd.c: Likewise. * modules/pam_userdb/pam_userdb.c: Likewise.
* pam_faillock: fix compilation warningDmitry V. Levin2024-08-161-6/+12
| | | | | * modules/pam_faillock/pam_faillock.c (check_tally, write_tally) [HAVE_LIBAUDIT]: Check audit_log_user_message() return value.
* pam_faillock: silence compilation warningDmitry V. Levin2024-07-281-1/+2
| | | | | | | | | | | | | | | | Since audit_log_acct_message() was decorated with warn_unused_result attribute, compilation of faillock helper produces the following diagnostics: main.c: In function 'do_user': main.c:250:25: warning: ignoring return value of 'audit_log_acct_message' declared with attribute 'warn_unused_result' [-Wunused-result] Given that this helper has never been picky about audit, e.g. audit_open() errors do not affect its exit status, just silence this new warning. * modules/pam_faillock/main.c [HAVE_LIBAUDIT] (do_user): Silence compilation warning.
* pam_faillock: close the audit socket after useIker Pedrosa2024-05-231-0/+1
| | | | | | | | | | | | | | | | | | | | | * modules/pam_faillock/pam_faillock.c (check_tally): Close the audit socket when it will no longer be used. ``` Error: RESOURCE_LEAK (CWE-772): Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: open_fn: Returning handle opened by "audit_open". Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: var_assign: Assigning: "audit_fd" = handle returned from "audit_open()". Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:256: noescape: Resource "audit_fd" is not freed or pointed-to in "audit_log_user_message". Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:258: leaked_handle: Handle variable "audit_fd" going out of scope leaks the handle. 256| audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, 257| rhost, NULL, tty, 1); 258|-> } 259| #endif 260| opts->flags |= FAILLOCK_FLAG_UNLOCKED; ``` Resolves: https://issues.redhat.com/browse/RHEL-36475 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
* pam_faillock: drop duplicate includeChristian Göttsche2024-02-221-1/+0
|
* modules: enclose macro parameterChristian Göttsche2024-02-221-1/+1
|
* modules: add pamc headers to the search path only when neededTobias Stoeckmann2024-01-211-2/+1
| | | | | | | | | The pam client library libpamc is only needed if libpam_misc is in use. But libpam_misc is only used by an SELinux helper binary. Remove the libpamc includes from the search path in all other cases. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* treewide: remove unused definesTobias Stoeckmann2024-01-131-1/+0
| | | | | | These are leftovers from fgets usages. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* treewide: strictly separate builddir and srcdirTobias Stoeckmann2024-01-121-1/+1
| | | | | | | | | | Building outside of source directory fails if --disable-doc is not explicitly chosen. This happens because generated files are sometimes expected in the source directory, where they won't exist. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_faillock: use getlineTobias Stoeckmann2024-01-031-3/+5
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_faillock: do not truncate argumentsTobias Stoeckmann2024-01-021-7/+11
| | | | | | | The FAILLOCK_CONF_MAX_LINELINE limitation is not true for arguments which derive from pam configuration file. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* treewide: use asprintf to construct stringsTobias Stoeckmann2023-12-191-9/+7
| | | | | | | | The asprintf function is considered as given for current code already. Use it instead of calling malloc + strcpy + strcat manually. Reported-by: Benny Baumann <BenBE@geshi.org> Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* modules: cast to unsigned char for character handling functionChristian Göttsche2023-08-071-4/+4
| | | | | | | | Character handling functions, like isspace(3), expect a value representable as unsigned char or equal to EOF. Otherwise the behavior is undefined. See https://wiki.sei.cmu.edu/confluence/display/c/STR37-C.+Arguments+to+character-handling+functions+must+be+representable+as+an+unsigned+char
* pam_faillock: free handle in testChristian Göttsche2023-08-071-0/+1
|
* pam_faillock: fix formatting of audit messagesSteve Grubb2023-08-041-2/+2
| | | | | | | | | | | pam_faillock uses audit_log_user_message to write to the audit system. It does not take an op argument, so you have to add one yourself. Otherwise the pam_faillock part of the message is lost because it's not in key=value format. Also, we can't use uid in that event because the kernel already adds that field. What we normally do is use 'suid' (meaning sender uid) as the field name.
* build: use <vendordir>/security directory for installation if it has been setStefan Schubert2023-02-071-0/+4
| | | | | | | | | Otherwise the corresponding files are still installed in /etc/security. * configure.ac (AC_SUBST): Add VENDOR_SCONFIGDIR. (AM_CONDITIONAL): Add HAVE_VENDORDIR. * modules/*/Makefile.am (secureconfdir): Set to VENDOR_SCONFIGDIR if HAVE_VENDORDIR has been set, otherwise to SCONFIGDIR.
* doc: Update PAM documentation from DockBook 4 to DocBook 5Stefan Schubert2022-12-164-114/+89
| | | | | | | | | | | | | | | | | | | | Changed files -------------- Make.xml.rules.in: - Using RNG file instead of DTD file for checking XML files. - Taking the correct stylesheet for README files. doc/sag/Makefile.am, doc/adg/Makefile.am, doc/mwg/Makefile.am: - Using RNG file instead of DTD file for checking XML files. configure.ac: - Adding a new option for selecting RNG check file (-enable-docbook-rng) - Switching stylesheets to docbook 5 - Checking DocBook 5 environment instead of DocBook 4 environment *.xml: Update from DockBook 4 to DocBook 5
* pam_faillock: fix typo in usage diagnosticsDmitry V. Levin2022-11-111-1/+1
| | | | | | | * modules/pam_faillock/main.c (usage): Remove extra whitespace from the usage diagnostics. Fixes: 94f0f5ebb ("faillock: add support to print login failure info in legacy format")
* pam_faillock: avoid logging an erroneous consecutive login failure messageDeepak Das2022-11-071-3/+5
| | | | | | | | * modules/pam_faillock/pam_faillock.c (write_tally): Avoid logging a consecutive login failure message for the root user in case when even_deny_root is not set. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2082442
* pam_faillock: Clarify missing user faillock files after rebootDeepak Das2022-11-072-0/+10
| | | | | | | | | | * modules/pam_faillock/faillock.conf.5.xml: Adding note related to missing user specific faillock files after reboot. * modules/pam_faillock/pam_faillock.8.xml: Adding note related to missing user specific faillock files after reboot. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2062512
* faillock: add support to print login failure info in legacy formatShreenidhi Shedi2022-07-012-11/+66
| | | | | | | | | | | pam_tally2 had a simple and minimalstic output to show login failure info, new output of faillock makes the output look a bit complex and doesn't show failure counts in a straight manner. This patch fixes the above issue by adding "--legacy-output" flag to faillock which makes it possible to get output in pam_tally2 style. Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
* faillock: refactor faillock info printing codeShreenidhi Shedi2022-07-011-21/+31
| | | | | | Move the code to it's own function. Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
* faillock: error out if user does not existShreenidhi Shedi2022-07-011-1/+5
| | | | | | | | | | No need to do any further processing if a non existent username is given to faillock. For first time successful login, failure field should be 0 and faillock should show something like pam_tally2 did. Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
* faillock: load configuration from fileIker Pedrosa2022-05-246-33/+109
| | | | | | | | | | | | | | | | * modules/pam_faillock/main.c: Load configuration from file * modules/pam_faillock/pam_faillock: Improve tally directory management * modules/pam_faillock/faillock_config.c: Print errors * modules/pam_faillock/faillock_config.h: Extend options structure and define get_tally_dir(). * modules/pam_faillock/Makefile.am: Compile faillock_config.c for faillock binary. * modules/pam_faillock/faillock.8.xml: Update with the new configuration option. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1978029 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
* pam_faillock: move config to its own fileIker Pedrosa2022-05-245-230/+322
| | | | | | | | | | | | | | | The configuration load can be reused by faillock. * modules/pam_faillock/faillock_config.c: Move configuration loading functions (read_config_file and set_conf_opt) to this file. * modules/pam_faillock/faillock_config.h: Move configuration loading macros and structures. * modules/pam_faillock/Makefile.am: Add faillock_config. * modules/pam_faillock/faillock.h: Remove configuration loading macros. * modules/pam_faillock/pam_faillock.c: Remove configuration loading functions, macros and structures. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
* pam_faillock: add a test of return valuesStefan Schubert2022-02-042-1/+123
| | | | | | | | * modules/pam_faillock/tst-pam_faillock-retval.c: New file. * modules/pam_faillock/Makefile.am (TESTS): Add $(check_PROGRAMS). (check_PROGRAMS, tst_pam_faillock_retval_LDADD): New variables. Resolves: https://github.com/linux-pam/linux-pam/pull/431
* pam_faillock: use vendor specific faillock.conf as fallbackStefan Schubert2022-02-013-1/+29
| | | | | | | | | | | | | | | | Use the vendor directory defined by --enable-vendordir=DIR configure option as fallback for the distribution provided default config file if there is no configuration in /etc. * modules/pam_faillock/pam_faillock.8.xml: Describe this. * modules/pam_faillock/faillock.h [VENDOR_SCONFIGDIR] (VENDOR_FAILLOCK_DEFAULT_CONF): New macro. * modules/pam_faillock/pam_faillock.c (read_config_file) [VENDOR_FAILLOCK_DEFAULT_CONF]: Try to open VENDOR_FAILLOCK_DEFAULT_CONF file when FAILLOCK_DEFAULT_CONF file does not exist. Co-authored-by: Dmitry V. Levin <ldv@altlinux.org> Resolves: https://github.com/linux-pam/linux-pam/pull/423
* modules: use SCONFIGDIR macroDmitry V. Levin2022-01-231-1/+1
| | | | | | | | | | | | | | | | | Use SCONFIGDIR macro instead of open-coding "/etc/security", the latter is not correct when configured using --enable-sconfigdir with an argument different from /etc/security. * modules/pam_faillock/faillock.h (FAILLOCK_DEFAULT_CONF): Use SCONFIGDIR. * modules/pam_namespace/pam_namespace.h (SECURECONF_DIR): Remove. (PAM_NAMESPACE_CONFIG, NAMESPACE_INIT_SCRIPT, NAMESPACE_D_DIR, NAMESPACE_D_GLOB): Use SCONFIGDIR. * modules/pam_namespace/Makefile.am (AM_CFLAGS): Remove -DSECURECONF_DIR. * modules/pam_pwhistory/opasswd.c (OLD_PASSWORDS_FILE): Use SCONFIGDIR. * modules/pam_unix/passverify.h: Likewise. * modules/pam_unix/passverify.c (OPW_TMPFILE): Use SCONFIGDIR.
* Check the return value of localtime in faillock (#421)pyllyukko2022-01-121-0/+5
|
* pam_faillock: remove confusing commentDmitry V. Levin2021-07-201-1/+0
| | | | | * modules/pam_faillock/pam_faillock.c (faillock_message): Remove the comment that meant to help translators but actually confused xgettext.
* pam_faillock: convert spaces to tab to keep code stylechuanqin2021-03-251-3/+2
| | | | convert spaces to tab which mixture use in modules/pam_faillock/main.c
* faillock: create tallydir before creating tallyfileChangqing Li2021-01-271-0/+3
| | | | | | | | | | | | | The default tallydir is "/var/run/faillock", and this default tallydir may not exist. Function open may fail as tallydir does not exist when creating the tallyfile. Therefore, faillock will not work well. Fix this problem by creating tallydir before creating tallyfile when the tallydir does not exist. Signed-off-by: Changqing Li <changqing.li@windriver.com>
* faillock: Use pluralization via dngettext or fallbackKolja2021-01-251-1/+16
|
* Fix grammar: replace "an user" with "a user" everywhereDmitry V. Levin2020-11-241-1/+1
| | | | | | | | | | * NEWS: Replace "an user" with "a user". * modules/pam_faillock/pam_faillock.8.xml: Likewise. * modules/pam_lastlog/pam_lastlog.8.xml: Likewise. * modules/pam_limits/pam_limits.c: Likewise. * modules/pam_sepermit/sepermit.conf: Likewise. * modules/pam_tty_audit/pam_tty_audit.8.xml: Likewise. * modules/pam_userdb/pam_userdb.c: Likewise.
* faillock: Add a nodelay optionTavian Barnes2020-11-122-1/+17
| | | | Fixes #295
* pam_faillock: fix unread store statementikerexxe2020-11-031-1/+1
| | | | | modules/pam_faillock/main.c: remove store statement since the value is only read in the enclosing expression.
* pam_faillock: fix invalid error messageMikhail Labiuk2020-10-131-3/+9
| | | | | | args_parse function pass "conf=" argument to set_conf_opt() after handling by self. set_conf_opt is not able to handle "conf" argument and write error: sddm-helper[415]: pam_faillock(sddm:auth): Unknown option: conf
* build: rename PIE_* AC_SUBST variables to EXE_*Dmitry V. Levin2020-08-071-2/+2
| | | | | | | | | There are going to be other options added to CFLAGS and LDFLAGS of executables made along with modules. * configure.ac (EXE_CFLAGS, EXE_LDFLAGS): New variables initialized from PIE_CFLAGS and PIE_LDFLAGS, respectively. AC_SUBST them instead of PIE_CFLAGS and PIE_LDFLAGS. All users updated.
* pam_faillock: add faillock executable to gitignoreikerexxe2020-06-261-0/+1
| | | | | | * modules/pam_faillock/.gitignore: Add faillock. Complements: v1.4.0~76 ("pam_faillock: New module for locking after multiple auth failures")
* pam_faillock: change /run/faillock/$USER permissions to 0660ikerexxe2020-06-171-1/+13
| | | | | | | | | Nowadays, /run/faillock/$USER files have user:root ownership and 0600 permissions. This forces the process that writes to these files to have CAP_DAC_OVERRIDE capabilites. Just by changing the permissions to 0660 the capability can be removed, which leads to a more secure system. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1661822
* pam_faillock: fix build on muslFabrice Fontaine2020-06-151-38/+1
| | | | | | | | | | Use pam_modutil_check_user_in_passwd in pam_faillock.c instead of fgetpwent_r which is not available on musl. Resolves: https://github.com/linux-pam/linux-pam/issues/236 Resolves: https://github.com/linux-pam/linux-pam/pull/237 Fixes: http://autobuild.buildroot.org/results/0432736ffee376dd84757469434a4bbcfdcdaf4b Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
* modules: downgrade syslog level for errors related to pam_get_userDmitry V. Levin2020-05-221-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | * modules/pam_faillock/pam_faillock.c (get_pam_user): Downgrade the syslog level for diagnostics of errors returned by pam_modutil_getpwnam for users returned by pam_get_user from LOG_ERR to LOG_NOTICE. * modules/pam_keyinit/pam_keyinit.c (do_keyinit): Likewise. * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise. * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise. * modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise. * modules/pam_mail/pam_mail.c (_do_mail): Likewise. * modules/pam_sepermit/pam_sepermit.c (sepermit_lock): Likewise. * modules/pam_tally/pam_tally.c (pam_get_uid): Likewise. * modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise. * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise. * modules/pam_xauth/pam_xauth.c (pam_sm_open_session, pam_sm_close_session): Likewise. * modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Downgrade the syslog level for diagnostics of errors returned by pam_modutil_getpwnam for users returned by pam_get_user from LOG_WARNING to LOG_NOTICE. Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
* pam_faillock: Document return values forwarded from pam_get_userDmitry V. Levin2020-05-151-0/+17
| | | | | * modules/pam_faillock/pam_faillock.8.xml (RETURN VALUES): Document PAM_BUF_ERR and PAM_CONV_ERR return values.
* pam_faillock: return PAM_INCOMPLETE when pam_get_user returns PAM_CONV_AGAINDmitry V. Levin2020-05-152-1/+10
| | | | | | | | | Give the application a chance to handle PAM_INCOMPLETE. * modules/pam_faillock/pam_faillock.c (get_pam_user): Return PAM_INCOMPLETE instead of PAM_CONV_AGAIN when pam_get_user returns PAM_CONV_AGAIN. * modules/pam_faillock/pam_faillock.8.xml (RETURN VALUES): Document it.
* modules: remove PAM_SM_* macrosDmitry V. Levin2020-05-031-4/+0
| | | | | | Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support from Linux-PAM), PAM_SM_* macros have no effect.
generated by cgit v1.2.3 (git 2.39.1) at 2025-04-08 18:59:52 +0000