| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
| |
There is no point in supporting two different build systems.
|
| |
|
|
|
|
|
|
|
|
| |
On my non-representative hardware, the full build using autotools
(./autogen.sh && CFLAGS=-O2 ./configure && make -j`nproc` && make -j`nproc` install)
takes about 45 seconds.
On the same hardware, the full build using meson
(meson setup -Doptimization=2 dir && meson compile -C dir && meson install -C dir)
takes just about 7.5 seconds.
|
| |
|
|
|
| |
... for the same reason SCONFIGDIR config.h macro was renamed to
SCONFIG_DIR.
|
| |
|
|
|
|
|
| |
This way it is visibly different from the configure variable SCONFIGDIR,
which is helpful, because their values are slightly different:
the macro is quoted while the configure variable is not quoted,
and this difference may cause problems with other build systems.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Unhardcode ".libs" subdirectory where libtool stores shared objects,
as other build systems doesn't necessarily use it.
* configure.ac (AC_DEFINE_UNQUOTED): Add LTDIR.
* modules/pam_canonicalize_user/tst-pam_canonicalize_user-retval.c:
Replace ".libs/" with LTDIR.
* modules/pam_debug/tst-pam_debug-retval.c: Likewise.
* modules/pam_deny/tst-pam_deny-retval.c: Likewise.
* modules/pam_echo/tst-pam_echo-retval.c: Likewise.
* modules/pam_env/tst-pam_env-retval.c: Likewise.
* modules/pam_faildelay/tst-pam_faildelay-retval.c: Likewise.
* modules/pam_faillock/tst-pam_faillock-retval.c: Likewise.
* modules/pam_listfile/tst-pam_listfile-retval.c: Likewise.
* modules/pam_localuser/tst-pam_localuser-retval.c: Likewise.
* modules/pam_mkhomedir/tst-pam_mkhomedir-retval.c: Likewise.
* modules/pam_nologin/tst-pam_nologin-retval.c: Likewise.
* modules/pam_permit/tst-pam_permit-retval.c: Likewise.
* modules/pam_pwhistory/tst-pam_pwhistory-retval.c: Likewise.
* modules/pam_rootok/tst-pam_rootok-retval.c: Likewise.
* modules/pam_sepermit/tst-pam_sepermit-retval.c: Likewise.
* modules/pam_succeed_if/tst-pam_succeed_if-retval.c: Likewise.
* modules/pam_time/tst-pam_time-retval.c: Likewise.
* modules/pam_warn/tst-pam_warn-retval.c: Likewise.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Do not include <libintl.h> and other i18n stuff via config.h which is
included into every compilation unit, include "pam_i18n.h" explicitly
where necessary.
* configure.ac (AH_BOTTOM): Remove.
* libpam/pam_get_authtok.c: Include "pam_i18n.h".
* libpam/pam_item.c: Likewise.
* libpam/pam_strerror.c: Likewise.
* libpam_misc/misc_conv.c: Likewise.
* modules/pam_exec/pam_exec.c: Likewise.
* modules/pam_faillock/main.c: Likewise.
* modules/pam_faillock/pam_faillock.c: Likewise.
* modules/pam_lastlog/pam_lastlog.c: Likewise.
* modules/pam_limits/pam_limits.c: Likewise.
* modules/pam_mail/pam_mail.c: Likewise.
* modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
* modules/pam_selinux/pam_selinux.c: Likewise.
* modules/pam_selinux/pam_selinux_check.c: Likewise.
* modules/pam_timestamp/pam_timestamp.c: Likewise.
* modules/pam_unix/pam_unix_acct.c: Likewise.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_userdb/pam_userdb.c: Likewise.
|
| |
|
|
|
| |
* modules/pam_faillock/pam_faillock.c (check_tally, write_tally)
[HAVE_LIBAUDIT]: Check audit_log_user_message() return value.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since audit_log_acct_message() was decorated with warn_unused_result
attribute, compilation of faillock helper produces the following
diagnostics:
main.c: In function 'do_user':
main.c:250:25: warning: ignoring return value of 'audit_log_acct_message' declared with attribute 'warn_unused_result' [-Wunused-result]
Given that this helper has never been picky about audit, e.g.
audit_open() errors do not affect its exit status, just silence this
new warning.
* modules/pam_faillock/main.c [HAVE_LIBAUDIT] (do_user): Silence
compilation warning.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_faillock/pam_faillock.c (check_tally): Close the audit
socket when it will no longer be used.
```
Error: RESOURCE_LEAK (CWE-772):
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: open_fn: Returning handle opened by "audit_open".
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: var_assign: Assigning: "audit_fd" = handle returned from "audit_open()".
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:256: noescape: Resource "audit_fd" is not freed or pointed-to in "audit_log_user_message".
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:258: leaked_handle: Handle variable "audit_fd" going out of scope leaks the handle.
256| audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
257| rhost, NULL, tty, 1);
258|-> }
259| #endif
260| opts->flags |= FAILLOCK_FLAG_UNLOCKED;
```
Resolves: https://issues.redhat.com/browse/RHEL-36475
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The pam client library libpamc is only needed if libpam_misc is in use.
But libpam_misc is only used by an SELinux helper binary.
Remove the libpamc includes from the search path in all other cases.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
| |
These are leftovers from fgets usages.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
| |
Building outside of source directory fails if --disable-doc is not
explicitly chosen.
This happens because generated files are sometimes expected in the
source directory, where they won't exist.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
| |
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
| |
The FAILLOCK_CONF_MAX_LINELINE limitation is not true for arguments
which derive from pam configuration file.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
| |
The asprintf function is considered as given for current code already.
Use it instead of calling malloc + strcpy + strcat manually.
Reported-by: Benny Baumann <BenBE@geshi.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
| |
Character handling functions, like isspace(3), expect a value
representable as unsigned char or equal to EOF. Otherwise the behavior
is undefined.
See https://wiki.sei.cmu.edu/confluence/display/c/STR37-C.+Arguments+to+character-handling+functions+must+be+representable+as+an+unsigned+char
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
pam_faillock uses audit_log_user_message to write to the audit system.
It does not take an op argument, so you have to add one yourself. Otherwise
the pam_faillock part of the message is lost because it's not in key=value
format.
Also, we can't use uid in that event because the kernel already adds that
field. What we normally do is use 'suid' (meaning sender uid) as the
field name.
|
| |
|
|
|
|
|
|
|
| |
Otherwise the corresponding files are still installed in /etc/security.
* configure.ac (AC_SUBST): Add VENDOR_SCONFIGDIR.
(AM_CONDITIONAL): Add HAVE_VENDORDIR.
* modules/*/Makefile.am (secureconfdir): Set to VENDOR_SCONFIGDIR
if HAVE_VENDORDIR has been set, otherwise to SCONFIGDIR.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changed files
--------------
Make.xml.rules.in:
- Using RNG file instead of DTD file for checking XML files.
- Taking the correct stylesheet for README files.
doc/sag/Makefile.am, doc/adg/Makefile.am, doc/mwg/Makefile.am:
- Using RNG file instead of DTD file for checking XML files.
configure.ac:
- Adding a new option for selecting RNG check file (-enable-docbook-rng)
- Switching stylesheets to docbook 5
- Checking DocBook 5 environment instead of DocBook 4 environment
*.xml:
Update from DockBook 4 to DocBook 5
|
| |
|
|
|
|
|
| |
* modules/pam_faillock/main.c (usage): Remove extra whitespace from the
usage diagnostics.
Fixes: 94f0f5ebb ("faillock: add support to print login failure info in legacy format")
|
| |
|
|
|
|
|
|
| |
* modules/pam_faillock/pam_faillock.c (write_tally): Avoid logging
a consecutive login failure message for the root user in case when
even_deny_root is not set.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2082442
|
| |
|
|
|
|
|
|
|
|
| |
* modules/pam_faillock/faillock.conf.5.xml: Adding note related to missing
user specific faillock files after reboot.
* modules/pam_faillock/pam_faillock.8.xml: Adding note related to missing
user specific faillock files after reboot.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2062512
|
| |
|
|
|
|
|
|
|
|
|
| |
pam_tally2 had a simple and minimalstic output to show login failure
info, new output of faillock makes the output look a bit complex and
doesn't show failure counts in a straight manner.
This patch fixes the above issue by adding "--legacy-output" flag to
faillock which makes it possible to get output in pam_tally2 style.
Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
|
| |
|
|
|
|
| |
Move the code to it's own function.
Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
|
| |
|
|
|
|
|
|
|
|
| |
No need to do any further processing if a non existent username is given
to faillock.
For first time successful login, failure field should be 0 and faillock
should show something like pam_tally2 did.
Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_faillock/main.c: Load configuration from file
* modules/pam_faillock/pam_faillock: Improve tally directory management
* modules/pam_faillock/faillock_config.c: Print errors
* modules/pam_faillock/faillock_config.h: Extend options structure and
define get_tally_dir().
* modules/pam_faillock/Makefile.am: Compile faillock_config.c for
faillock binary.
* modules/pam_faillock/faillock.8.xml: Update with the new configuration
option.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1978029
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The configuration load can be reused by faillock.
* modules/pam_faillock/faillock_config.c: Move configuration loading
functions (read_config_file and set_conf_opt) to this file.
* modules/pam_faillock/faillock_config.h: Move configuration loading
macros and structures.
* modules/pam_faillock/Makefile.am: Add faillock_config.
* modules/pam_faillock/faillock.h: Remove configuration loading macros.
* modules/pam_faillock/pam_faillock.c: Remove configuration loading
functions, macros and structures.
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
| |
|
|
|
|
|
|
| |
* modules/pam_faillock/tst-pam_faillock-retval.c: New file.
* modules/pam_faillock/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_faillock_retval_LDADD): New variables.
Resolves: https://github.com/linux-pam/linux-pam/pull/431
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use the vendor directory defined by --enable-vendordir=DIR configure
option as fallback for the distribution provided default config file
if there is no configuration in /etc.
* modules/pam_faillock/pam_faillock.8.xml: Describe this.
* modules/pam_faillock/faillock.h [VENDOR_SCONFIGDIR]
(VENDOR_FAILLOCK_DEFAULT_CONF): New macro.
* modules/pam_faillock/pam_faillock.c (read_config_file)
[VENDOR_FAILLOCK_DEFAULT_CONF]: Try to open VENDOR_FAILLOCK_DEFAULT_CONF
file when FAILLOCK_DEFAULT_CONF file does not exist.
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
Resolves: https://github.com/linux-pam/linux-pam/pull/423
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use SCONFIGDIR macro instead of open-coding "/etc/security",
the latter is not correct when configured using --enable-sconfigdir
with an argument different from /etc/security.
* modules/pam_faillock/faillock.h (FAILLOCK_DEFAULT_CONF): Use
SCONFIGDIR.
* modules/pam_namespace/pam_namespace.h (SECURECONF_DIR): Remove.
(PAM_NAMESPACE_CONFIG, NAMESPACE_INIT_SCRIPT, NAMESPACE_D_DIR,
NAMESPACE_D_GLOB): Use SCONFIGDIR.
* modules/pam_namespace/Makefile.am (AM_CFLAGS): Remove
-DSECURECONF_DIR.
* modules/pam_pwhistory/opasswd.c (OLD_PASSWORDS_FILE): Use SCONFIGDIR.
* modules/pam_unix/passverify.h: Likewise.
* modules/pam_unix/passverify.c (OPW_TMPFILE): Use SCONFIGDIR.
|
| | |
|
| |
|
|
|
| |
* modules/pam_faillock/pam_faillock.c (faillock_message): Remove the
comment that meant to help translators but actually confused xgettext.
|
| |
|
|
| |
convert spaces to tab which mixture use in modules/pam_faillock/main.c
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The default tallydir is "/var/run/faillock", and this default
tallydir may not exist.
Function open may fail as tallydir does not exist when creating
the tallyfile. Therefore, faillock will not work well.
Fix this problem by creating tallydir before creating tallyfile
when the tallydir does not exist.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
* NEWS: Replace "an user" with "a user".
* modules/pam_faillock/pam_faillock.8.xml: Likewise.
* modules/pam_lastlog/pam_lastlog.8.xml: Likewise.
* modules/pam_limits/pam_limits.c: Likewise.
* modules/pam_sepermit/sepermit.conf: Likewise.
* modules/pam_tty_audit/pam_tty_audit.8.xml: Likewise.
* modules/pam_userdb/pam_userdb.c: Likewise.
|
| |
|
|
| |
Fixes #295
|
| |
|
|
|
| |
modules/pam_faillock/main.c: remove store statement since the value is
only read in the enclosing expression.
|
| |
|
|
|
|
| |
args_parse function pass "conf=" argument to set_conf_opt() after handling by self.
set_conf_opt is not able to handle "conf" argument and write error:
sddm-helper[415]: pam_faillock(sddm:auth): Unknown option: conf
|
| |
|
|
|
|
|
|
|
| |
There are going to be other options added to CFLAGS and LDFLAGS
of executables made along with modules.
* configure.ac (EXE_CFLAGS, EXE_LDFLAGS): New variables initialized from
PIE_CFLAGS and PIE_LDFLAGS, respectively. AC_SUBST them instead of
PIE_CFLAGS and PIE_LDFLAGS. All users updated.
|
| |
|
|
|
|
| |
* modules/pam_faillock/.gitignore: Add faillock.
Complements: v1.4.0~76 ("pam_faillock: New module for locking after multiple auth failures")
|
| |
|
|
|
|
|
|
|
| |
Nowadays, /run/faillock/$USER files have user:root ownership and 0600
permissions. This forces the process that writes to these files to have
CAP_DAC_OVERRIDE capabilites. Just by changing the permissions to 0660
the capability can be removed, which leads to a more secure system.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1661822
|
| |
|
|
|
|
|
|
|
|
| |
Use pam_modutil_check_user_in_passwd in pam_faillock.c instead of
fgetpwent_r which is not available on musl.
Resolves: https://github.com/linux-pam/linux-pam/issues/236
Resolves: https://github.com/linux-pam/linux-pam/pull/237
Fixes: http://autobuild.buildroot.org/results/0432736ffee376dd84757469434a4bbcfdcdaf4b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_faillock/pam_faillock.c (get_pam_user): Downgrade
the syslog level for diagnostics of errors returned by
pam_modutil_getpwnam for users returned by pam_get_user
from LOG_ERR to LOG_NOTICE.
* modules/pam_keyinit/pam_keyinit.c (do_keyinit): Likewise.
* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
* modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise.
* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise.
* modules/pam_mail/pam_mail.c (_do_mail): Likewise.
* modules/pam_sepermit/pam_sepermit.c (sepermit_lock): Likewise.
* modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
* modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
* modules/pam_xauth/pam_xauth.c (pam_sm_open_session,
pam_sm_close_session): Likewise.
* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Downgrade
the syslog level for diagnostics of errors returned by
pam_modutil_getpwnam for users returned by pam_get_user
from LOG_WARNING to LOG_NOTICE.
Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
|
| |
|
|
|
| |
* modules/pam_faillock/pam_faillock.8.xml (RETURN VALUES): Document
PAM_BUF_ERR and PAM_CONV_ERR return values.
|
| |
|
|
|
|
|
|
|
| |
Give the application a chance to handle PAM_INCOMPLETE.
* modules/pam_faillock/pam_faillock.c (get_pam_user): Return
PAM_INCOMPLETE instead of PAM_CONV_AGAIN when pam_get_user returns
PAM_CONV_AGAIN.
* modules/pam_faillock/pam_faillock.8.xml (RETURN VALUES): Document it.
|
