aboutsummaryrefslogtreecommitdiff
path: root/modules/pam_limits/pam_limits.c
Commit message (Collapse)AuthorAgeFilesLines
* meson: support elogind as a logind providerDudemanguy2024-11-261-1/+3
| | | | | | | | | | The systemd functionality used here is also supported by elogind. Introduce elogind meson option that could be used to enable logind support in pam_issue, pam_limits, and pam_timestamp via elogind. When elogind support is enabled, search for libelogind as well and use the appropriate headers.
* pam_limits: use systemd-logind instead of utmp (#822)Thorsten Kukuk2024-09-101-3/+78
| | | | | | | The utmp database is unreliable for counting logged in users, since there is no standard which defines who should create an entry at which time for which reason. And it has a Y2038 problem with glibc/x86-64. Query systemd-logind for the number of user sessions instead.
* build: rename VENDOR_SCONFIGDIR config.h macro to VENDOR_SCONFIG_DIRDmitry V. Levin2024-08-261-3/+3
| | | | | ... for the same reason SCONFIGDIR config.h macro was renamed to SCONFIG_DIR.
* build: rename SCONFIGDIR config.h macro to SCONFIG_DIRDmitry V. Levin2024-08-251-1/+1
| | | | | | | This way it is visibly different from the configure variable SCONFIGDIR, which is helpful, because their values are slightly different: the macro is quoted while the configure variable is not quoted, and this difference may cause problems with other build systems.
* Include pam_i18n.h where i18n definitions are requiredDmitry V. Levin2024-08-211-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | Do not include <libintl.h> and other i18n stuff via config.h which is included into every compilation unit, include "pam_i18n.h" explicitly where necessary. * configure.ac (AH_BOTTOM): Remove. * libpam/pam_get_authtok.c: Include "pam_i18n.h". * libpam/pam_item.c: Likewise. * libpam/pam_strerror.c: Likewise. * libpam_misc/misc_conv.c: Likewise. * modules/pam_exec/pam_exec.c: Likewise. * modules/pam_faillock/main.c: Likewise. * modules/pam_faillock/pam_faillock.c: Likewise. * modules/pam_lastlog/pam_lastlog.c: Likewise. * modules/pam_limits/pam_limits.c: Likewise. * modules/pam_mail/pam_mail.c: Likewise. * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise. * modules/pam_pwhistory/pam_pwhistory.c: Likewise. * modules/pam_selinux/pam_selinux.c: Likewise. * modules/pam_selinux/pam_selinux_check.c: Likewise. * modules/pam_timestamp/pam_timestamp.c: Likewise. * modules/pam_unix/pam_unix_acct.c: Likewise. * modules/pam_unix/pam_unix_passwd.c: Likewise. * modules/pam_userdb/pam_userdb.c: Likewise.
* pam_limits: fix potential use-after-free of pl->conf_fileShaleen Bathla2024-03-041-2/+10
| | | | | | | | | | When limits.d is processed, pl->conf_file consequently points to elements of filename_list array which are freed later even though it can still be used in the logging. Signed-off-by: Shaleen Bathla <shaleen.bathla@oracle.com> Co-authored-by: Dmitry V. Levin <ldv@strace.io> Fixes: f6b973b92281 ("Add support for limits.d directory to pam_limits")
* conf/modules: constify read-only data arraysChristian Göttsche2024-02-221-2/+2
|
* modules: drop redundant return at end of void functionsChristian Göttsche2024-02-221-1/+0
|
* modules: enclose macro parameterChristian Göttsche2024-02-221-6/+6
|
* pam_limits: print line number in warningTobias Stoeckmann2024-02-071-1/+5
| | | | | | | The line itself is modified while parsing its content. Print the line number and file name instead so an administrator can investigate it. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_limits: remove whitespaces around valueTobias Stoeckmann2024-02-061-1/+21
| | | | | | | | | Trim all whitespaces before and after value. Resolves: https://github.com/linux-pam/linux-pam/pull/760 Fixes: eec4358a49dc ("pam_limits: avoid sscanf in parse_config_file") Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_limits: prevent overflow with very long lineTobias Stoeckmann2024-01-081-6/+11
| | | | | | | | The strcpy is not safe anymore because input lines can be very long. Use strdup instead. If allocation fails, treat the error exactly like a memory allocation issue in pam_modutil functions. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_limits: use getlineTobias Stoeckmann2024-01-031-8/+16
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* treewide: fix typos in comments and documentationTobias Stoeckmann2023-12-181-1/+1
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* treewide: fix typosTobias Stoeckmann2023-12-181-1/+1
| | | | | | Typos found with codespell Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_limits: avoid sscanf in parse_config_fileTobias Stoeckmann2023-12-121-8/+35
| | | | | | | | | | | Even though sscanf is easy to use for scanning strings, it has the drawback that the required memory has to be allocated beforehand. Since variable "line" is not accessed anymore after sscanf, it is easier to point into the memory assigned to "line". The function strtok_r can be used as a replacement for sscanf. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* modules: cast to unsigned char for character handling functionChristian Göttsche2023-08-071-4/+4
| | | | | | | | Character handling functions, like isspace(3), expect a value representable as unsigned char or equal to EOF. Otherwise the behavior is undefined. See https://wiki.sei.cmu.edu/confluence/display/c/STR37-C.+Arguments+to+character-handling+functions+must+be+representable+as+an+unsigned+char
* pam_limits: build again on non-Linux OSesPino Toscano2023-05-121-0/+8
| | | | | | | | | | Even if this module is supported officially on Linux, make sure it can still build fine on non-Linux OSes, to ease its testing/fixing a bit: - build parse_kernel_limits() and stuff needed for it only on Linux, as it is called already only on Linux - limit the code needed to apply the 'nonewprivs' options to Linux only, as it uses a Linux-specific way to set it; add a syslog message for other OSes
* modules: update Linux detectionChristian Göttsche2023-05-071-1/+1
| | | | | | | | GCC and Clang only define the macro `linux` when using the GNU dialect of C (e.g. -std=gnu11 instead of -std=c11). Since `linux` is also not in a reserved namespace it might be target of collisions. Use the canonical macro `__linux__` instead (already used in pam_limits.c).
* pam_limits: silence compiler warningDmitry V. Levin2023-01-191-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | gcc-12 insists on issuing the following warning: In file included from /usr/include/string.h:535, from pam_limits.c:24: In function 'strncat', inlined from 'check_logins' at pam_limits.c:287:6, inlined from 'setup_limits' at pam_limits.c:1066:13, inlined from 'pam_sm_open_session' at pam_limits.c:1267:14: /usr/include/x86_64-linux-gnu/bits/string_fortified.h:138:10: error: '__builtin___strncat_chk' argument 2 declared attribute 'nonstring' [-Werror=stringop-overread] 138 | return __builtin___strncat_chk (__dest, __src, __len, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 139 | __glibc_objsize (__dest)); | ~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from /usr/include/utmp.h:29, from pam_limits.c:37: /usr/include/x86_64-linux-gnu/bits/utmp.h: In function 'pam_sm_open_session': /usr/include/x86_64-linux-gnu/bits/utmp.h:66:8: note: argument 'ut_user' declared here 66 | char ut_user[UT_NAMESIZE] | ^~~~~~~ * modules/pam_limits/pam_limits.c (check_logins): Use memcpy instead of strncat to pacify the compiler.
* pam_limits: use vendor specific content in limits.d directory as fallbackStefan Schubert2022-06-301-57/+141
| | | | | | | | Use the vendor directory as fallback for a distribution provided default config if there is no configuration in /etc. pam_limits.c: Take care about the fallback configuration in vendor directory. pam_limits.8.xml: Add description for vendor directory.
* pam_limits: use VENDOR_SCONFIGDIR macroDmitry V. Levin2022-01-231-2/+2
| | | | | * modules/pam_limits/pam_limits.c (parse_config_file): Use VENDOR_SCONFIGDIR macro instead of VENDORDIR.
* modules: move SCONFIGDIR-based macro definitions from Makefile.am to the ↵Dmitry V. Levin2022-01-231-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | source code Since SCONFIGDIR macro is available, the is no need to define macros based on SCONFIGDIR in Makefile.am files. * modules/pam_access/Makefile.am (AM_CFLAGS): Move definitions of PAM_ACCESS_CONFIG and ACCESS_CONF_GLOB macros ... * modules/pam_access/pam_access.c: ... here. * modules/pam_env/Makefile.am (AM_CFLAGS): Move definition of DEFAULT_CONF_FILE macro ... * modules/pam_env/pam_env.c: ... here. * modules/pam_group/Makefile.am (AM_CFLAGS): Move definition of PAM_GROUP_CONF macro ... * modules/pam_group/pam_group.c: ... here. * modules/pam_limits/Makefile.am (AM_CFLAGS): Move definition of LIMITS_FILE macro ... * modules/pam_limits/pam_limits.c: ... here. * modules/pam_sepermit/Makefile.am (AM_CFLAGS): Move definition of SEPERMIT_CONF_FILE macro ... * modules/pam_sepermit/pam_sepermit.c: ... here. * modules/pam_time/Makefile.am (AM_CFLAGS): Move definition of PAM_TIME_CONF macro ... * modules/pam_time/pam_time.c: ... here.
* pam_limits: make LIMITS_FILE_DIR macro consistentDmitry V. Levin2022-01-231-1/+1
| | | | | | | | | LIMITS_FILE_DIR used to define a glob pattern instead of a directory name, fix that inconsistency. * modules/pam_limits/Makefile.am (AM_CFLAGS): Move "/*.conf" ending of LIMITS_FILE_DIR macro ... * modules/pam_limits/pam_limits.c (LIMITS_CONF_GLOB): ... here.
* pam_limits: don't fail on missing config files (#418)Ludwig Nussel2022-01-131-0/+3
| | | | A config with only comments or an empty one is completely fine for pam_limits. So don't complain about missing config files either.
* modules/pam_limits: fix build with old Linux kernel headersDmitry V. Levin2021-11-241-0/+4
| | | | | | | | | | | | As PR_SET_NO_NEW_PRIVS was introduced by Linux kernel commit v3.5-rc1~161^2~37, provide a fallback definition to fix build with older Linux kernel headers. * modules/pam_limits/pam_limits.c [!PR_SET_NO_NEW_PRIVS] (PR_SET_NO_NEW_PRIVS): New macro. Resolves: https://github.com/linux-pam/linux-pam/issues/406 Fixes: dd9cf929 ("modules/pam_limits: add support for nonewprivs")
* Use vendor specific limits.conf as fallback (#402)Thorsten Kukuk2021-11-031-3/+16
| | | * Use vendor specific limits.conf as fallback
* pam_limits: "Unlimited" is not a valid value for RLIMIT_NOFILE.Josef Moellers2021-04-221-0/+49
| | | | | | | | Replace it with a value obtained from /proc/sys/fs/nr_open * modules/pam_limits/limits.conf.5.xml: Document the replacement. * modules/pam_limits/pam_limits.c: Replace unlimited RLIMIT_NOFILE value with a value obtained from /proc/sys/fs/nr_open
* Fix grammar: replace "an user" with "a user" everywhereDmitry V. Levin2020-11-241-1/+1
| | | | | | | | | | * NEWS: Replace "an user" with "a user". * modules/pam_faillock/pam_faillock.8.xml: Likewise. * modules/pam_lastlog/pam_lastlog.8.xml: Likewise. * modules/pam_limits/pam_limits.c: Likewise. * modules/pam_sepermit/sepermit.conf: Likewise. * modules/pam_tty_audit/pam_tty_audit.8.xml: Likewise. * modules/pam_userdb/pam_userdb.c: Likewise.
* modules/pam_limits: add support for nonewprivsVito Caputo2020-06-221-10/+37
| | | | | | | | | | | | Expose prctl(PR_SET_NO_NEW_PRIVS) as "nonewprivs" item. The valid values are a boolean toggle 0/1 to keep semi-consistent with the other numeric limits. It's slightly awkward as this is an oddball relative to the other items in pam_limits but outside of the item value itself this does seem at home in pam_limits. Resolves: https://github.com/linux-pam/linux-pam/issues/224 Resolves: https://github.com/linux-pam/linux-pam/pull/225
* modules: remove PAM_SM_* macrosDmitry V. Levin2020-05-031-2/+0
| | | | | | Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support from Linux-PAM), PAM_SM_* macros have no effect.
* Fix various typos found using codespell toolDmitry V. Levin2020-03-281-1/+1
|
* modules/pam_limits: use pam_str_skip_prefixDmitry V. Levin2020-03-191-4/+6
| | | | | | * modules/pam_limits/pam_limits.c: Include "pam_inline.h". (_pam_parse, parse_kernel_limits): Use pam_str_skip_prefix instead of ugly strncmp invocations.
* Fix or suppress various warnings when compiling with -Wall -WextraTomas Mraz2019-12-161-5/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * conf/pam_conv1/Makefile.am: Add -Wno-unused-function -Wno-sign-compare to CFLAGS. * doc/specs/Makefile.am: Likewise. * libpamc/include/security/pam_client.h: Explicitly compare old_p with NULL. * modules/pam_access/pam_access.c: Avoid double const. * modules/pam_filter/pam_filter.c: Avoid arbitrary constants. Avoid strncpy() without copying the NUL byte. * modules/pam_group/pam_group.c: Mark switch fallthrough with comment. * modules/pam_time/pam_time.c: Likewise. * modules/pam_limits/pam_limits.c: Remove unused units variable. * modules/pam_listfile/pam_listfile.c: Avoid unnecessary strncpy, use pointers. * modules/pam_rootok/pam_rootok.c (log_callback): Mark unused parameter. * modules/pam_selinux/pam_selinux.c: Use string_to_security_class() instead of hardcoded value. * modules/pam_sepermit/pam_sepermit.c: Properly cast when comparing. * modules/pam_succeed_if/pam_succeed_if.c: Mark unused parameters. * modules/pam_unix/pam_unix_passwd.c: Remove unused variables and properly cast for comparison. * modules/pam_unix/support.c: Remove unused function.
* Fix grammar of messages printed via pam_promptDmitry V. Levin2018-06-191-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | Turn into proper sentences those messages that are printed without further modifications using pam_prompt in contexts where proper sentences are expected. * libpam/pam_get_authtok.c (pam_get_authtok_internal): Fix grammar of the message passed to pam_error. * modules/pam_limits/pam_limits.c (pam_sm_open_session): Likewise. * modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Fix grammar of error messages passed to pam_error. * modules/pam_mail/pam_mail.c (report_mail): Fix grammar of a message passed to pam_info. * modules/pam_timestamp/pam_timestamp.c (verbose_success): Likewise. * modules/pam_selinux/pam_selinux.c (config_context, send_text): Fix grammar of messages passed to pam_prompt. * modules/pam_tally/pam_tally.c (tally_check): Fix grammar of messages passed to pam_info. * modules/pam_tally2/pam_tally2.c (tally_check): Likewise. * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Fix grammar of messages passed to _make_remark. * modules/pam_unix/pam_unix_passwd.c (_pam_unix_approve_pass, pam_sm_chauthtok): Likewise. * po/Linux-PAM.pot: Regenerate.
* Unification and cleanup of syslog log levels.Tomas Mraz2016-06-301-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * libpam/pam_handlers.c: Make memory allocation failures LOG_CRIT. * libpam/pam_modutil_priv.c: Make memory allocation failures LOG_CRIT. * modules/pam_echo/pam_echo.c: Make memory allocation failures LOG_CRIT. * modules/pam_env/pam_env.c: Make memory allocation failures LOG_CRIT. * modules/pam_exec/pam_exec.c: Make memory allocation failures LOG_CRIT. * modules/pam_filter/pam_filter.c: Make all non-memory call errors LOG_ERR. * modules/pam_group/pam_group.c: Make memory allocation failures LOG_CRIT. * modules/pam_issue/pam_issue.c: Make memory allocation failures LOG_CRIT. * modules/pam_lastlog/pam_lastlog.c: The lastlog file creation is syslogged with LOG_NOTICE, memory allocation errors with LOG_CRIT, other errors with LOG_ERR. * modules/pam_limits/pam_limits.c: User login limit messages are syslogged with LOG_NOTICE, stale utmp entry with LOG_INFO, non-memory errors with LOG_ERR. * modules/pam_listfile/pam_listfile.c: Rejection of user is syslogged with LOG_NOTICE. * modules/pam_namespace/pam_namespace.c: Make memory allocation failures LOG_CRIT. * modules/pam_nologin/pam_nologin.c: Make memory allocation failures LOG_CRIT, other errors LOG_ERR. * modules/pam_securetty/pam_securetty.c: Rejection of access is syslogged with LOG_NOTICE, non-memory errors with LOG_ERR. * modules/pam_selinux/pam_selinux.c: Make memory allocation failures LOG_CRIT. * modules/pam_succeed_if/pam_succeed_if.c: Make all non-memory call errors LOG_ERR. * modules/pam_time/pam_time.c: Make memory allocation failures LOG_CRIT. * modules/pam_timestamp/pam_timestamp.c: Make memory allocation failures LOG_CRIT. * modules/pam_unix/pam_unix_acct.c: Make all non-memory call errors LOG_ERR. * modules/pam_unix/pam_unix_passwd.c: Make memory allocation failures LOG_CRIT, other errors LOG_ERR. * modules/pam_unix/pam_unix_sess.c: Make all non-memory call errors LOG_ERR. * modules/pam_unix/passverify.c: Unknown user is syslogged with LOG_NOTICE. * modules/pam_unix/support.c: Unknown user is syslogged with LOG_NOTICE and max retries ignorance by application likewise. * modules/pam_unix/unix_chkpwd.c: Make all non-memory call errors LOG_ERR. * modules/pam_userdb/pam_userdb.c: Password authentication error is syslogged with LOG_NOTICE. * modules/pam_xauth/pam_xauth.c: Make memory allocation failures LOG_CRIT.
* Remove "--enable-static-modules" option and support fromThorsten Kukuk2016-03-291-17/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Linux-PAM. It was never official supported and was broken since years. * configure.ac: Remove --enable-static-modules option. * doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN. * doc/man/pam_sm_authenticate.3.xml: Likewise. * doc/man/pam_sm_chauthtok.3.xml: Likewise. * doc/man/pam_sm_close_session.3.xml: Likewise. * doc/man/pam_sm_open_session.3.xml: Likewise. * doc/man/pam_sm_setcred.3.xml: Likewise. * libpam/Makefile.am: Remove STATIC_MODULES cases. * libpam/include/security/pam_modules.h: Remove PAM_STATIC parts. * libpam/pam_dynamic.c: Likewise. * libpam/pam_handlers.c: Likewise. * libpam/pam_private.h: Likewise. * libpam/pam_static.c: Remove file. * libpam/pam_static_modules.h: Remove header file. * modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts. * modules/pam_cracklib/pam_cracklib.c: Likewise. * modules/pam_debug/pam_debug.c: Likewise. * modules/pam_deny/pam_deny.c: Likewise. * modules/pam_echo/pam_echo.c: Likewise. * modules/pam_env/pam_env.c: Likewise. * modules/pam_exec/pam_exec.c: Likewise. * modules/pam_faildelay/pam_faildelay.c: Likewise. * modules/pam_filter/pam_filter.c: Likewise. * modules/pam_ftp/pam_ftp.c: Likewise. * modules/pam_group/pam_group.c: Likewise. * modules/pam_issue/pam_issue.c: Likewise. * modules/pam_keyinit/pam_keyinit.c: Likewise. * modules/pam_lastlog/pam_lastlog.c: Likewise. * modules/pam_limits/pam_limits.c: Likewise. * modules/pam_listfile/pam_listfile.c: Likewise. * modules/pam_localuser/pam_localuser.c: Likewise. * modules/pam_loginuid/pam_loginuid.c: Likewise. * modules/pam_mail/pam_mail.c: Likewise. * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise. * modules/pam_motd/pam_motd.c: Likewise. * modules/pam_namespace/pam_namespace.c: Likewise. * modules/pam_nologin/pam_nologin.c: Likewise. * modules/pam_permit/pam_permit.c: Likewise. * modules/pam_pwhistory/pam_pwhistory.c: Likewise. * modules/pam_rhosts/pam_rhosts.c: Likewise. * modules/pam_rootok/pam_rootok.c: Likewise. * modules/pam_securetty/pam_securetty.c: Likewise. * modules/pam_selinux/pam_selinux.c: Likewise. * modules/pam_sepermit/pam_sepermit.c: Likewise. * modules/pam_shells/pam_shells.c: Likewise. * modules/pam_stress/pam_stress.c: Likewise. * modules/pam_succeed_if/pam_succeed_if.c: Likewise. * modules/pam_tally/pam_tally.c: Likewise. * modules/pam_tally2/pam_tally2.c: Likewise. * modules/pam_time/pam_time.c: Likewise. * modules/pam_timestamp/pam_timestamp.c: Likewise. * modules/pam_tty_audit/pam_tty_audit.c: Likewise. * modules/pam_umask/pam_umask.c: Likewise. * modules/pam_userdb/pam_userdb.c: Likewise. * modules/pam_warn/pam_warn.c: Likewise. * modules/pam_wheel/pam_wheel.c: Likewise. * modules/pam_xauth/pam_xauth.c: Likewise. * modules/pam_unix/Makefile.am: Remove STATIC_MODULES part. * modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part. * modules/pam_unix/pam_unix_auth.c: Likewise. * modules/pam_unix/pam_unix_passwd.c: Likewise. * modules/pam_unix/pam_unix_sess.c: Likewise. * modules/pam_unix/pam_unix_static.c: Removed. * modules/pam_unix/pam_unix_static.h: Removed. * po/POTFILES.in: Remove removed files. * tests/tst-dlopen.c: Remove PAM_STATIC part.
* pam_limits: fix utmp->ut_user handlingDmitry V. Levin2014-01-201-3/+8
| | | | | | | | | ut_user member of struct utmp is a string that is not necessarily null-terminated, so extra care should be taken when using it. * modules/pam_limits/pam_limits.c (check_logins): Convert ut->UT_USER to a null-terminated string and consistently use it where a null-terminated string is expected.
* pam_limits: detect and ignore stale utmp entriesTomas Mraz2014-01-201-0/+7
| | | | | | | | Original idea by Christopher Hailey * modules/pam_limits/pam_limits.c (check_logins): Use kill() to detect if pid of the utmp entry is still running and ignore the entry if it is not.
* Fix whitespace issuesDmitry V. Levin2011-10-261-8/+8
| | | | | | Cleanup trailing whitespaces, indentation that uses spaces before tabs, and blank lines at EOF. Make the project free of warnings reported by git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD
* 2011-06-21 Thorsten Kukuk <kukuk@thkukuk.de>Thorsten Kukuk2011-06-211-5/+157
| | | | | | | | * modules/pam_limits/pam_limits.c: Add set_all option, read limits from PID one if no limit is specified and set_all is set. * modules/pam_limits/pam_limits.8.xml: Document set_all option. Based on Patch by Kees Cook.
* Relevant BUGIDs:Tomas Mraz2010-12-141-25/+173
| | | | | | | | | | | | | | | | | Purpose of commit: new feature Commit summary: --------------- 2010-12-14 Tomas Mraz <tm@t8m.info> * modules/pam_limits/pam_limits.c (parse_uid_range): New function to parse the range of uids or gids. (parse_config_file): Call parse_uid_range() and if uid/gid range is identified, setup the limits if the range matches. New parameters containing user's uid and primary gid. (pam_sm_open_session): Pass the user's uid and primary gid to parse_config_file(). * modules/pam_limits/limits.conf.5.xml: Document the uid/gid ranges.
* Relevant BUGIDs:Tomas Mraz2010-11-181-7/+0
| | | | | | | | | | | | Purpose of commit: cleanup Commit summary: --------------- 2010-11-18 Tomas Mraz <tm@t8m.info> * modules/pam_limits/pam_limits.c (pam_parse,pam_sm_open_session): Drop obsolete and broken option change_uid. * modules/pam_limits/pam_limits.8.xml: Likewise.
* Relevant BUGIDs:Thorsten Kukuk2009-02-201-3/+77
| | | | | | | | | | | | | | Purpose of commit: enhancement Commit summary: --------------- 2009-02-20 Thorsten Kukuk <kukuk@thkukuk.de> * modules/pam_limits/limits.conf.5.xml: Document that the kernel can refuse values out of range for the local system. * modules/pam_limits/pam_limits.c (setup_limits): Log if setrlimit fails.
* Relevant BUGIDs:Tomas Mraz2007-12-071-0/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Purpose of commit: new feature and cleanup Commit summary: --------------- 2007-12-07 Tomas Mraz <t8m@centrum.cz> * libpam/libpam.map: Add LIBPAM_MODUTIL_1.1 version. * libpam/pam_audit.c: Add _pam_audit_open() and pam_modutil_audit_write(). (_pam_auditlog): Call _pam_audit_open(). * libpam/include/security/pam_modutil.h: Add pam_modutil_audit_write(). * modules/pam_access/pam_access.8.xml: Add noaudit option. Document auditing. * modules/pam_access/pam_access.c: Move fs, sep, pam_access_debug, and only_new_group_syntax variables to struct login_info. Add noaudit member. (_parse_args): Adjust for the move of variables and add support for noaudit option. (group_match): Add debug parameter. (string_match): Likewise. (network_netmask_match): Likewise. (login_access): Adjust for the move of variables. Add nonall_match. Add call to pam_modutil_audit_write(). (list_match): Adjust for the move of variables. (user_match): Likewise. (from_match): Likewise. (pam_sm_authenticate): Call _parse_args() earlier. * modules/pam_limits/pam_limits.8.xml: Add noaudit option. Document auditing. * modules/pam_limits/pam_limits.c (_pam_parse): Add noaudit option. (setup_limits): Call pam_modutil_audit_write(). * modules/pam_time/pam_time.8.xml: Add debug and noaudit options. Document auditing. * modules/pam_time/pam_time.c: Add option parsing (_pam_parse()). (check_account): Call _pam_parse(). Call pam_modutil_audit_write() and pam_syslog() on login denials.
* Relevant BUGIDs: Debian bug #331278Steve Langasek2007-09-031-23/+15
| | | | | | | | | | | | Purpose of commit: bugfix/cleanup Commit summary: --------------- 2007-09-03 Steve Langasek <vorlon@debian.org> * modules/pam_limits/pam_limits.c: remove a number of unnecessary string manipulations, including a strncpy() that was acting on overlapping memory.
* Relevant BUGIDs: Debian bugs #76119, #165066Steve Langasek2007-08-281-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | Purpose of commit: portability Commit summary: --------------- 2007-08-27 Steve Langasek <vorlon@debian.org> * modules/pam_limits/pam_limits.c: when building on non-Linux systems, give a warning only, not an error; no one seems to remember why this error was here in the first place, but leave something in that might still grab the attention of non-Linux users. Patch from Michal Suchanek <hramrach_l@centrum.cz>. * configure.in, modules/pam_rhosts/pam_rhosts_auth.c: check for the presence of net/if.h before using, required for Hurd compatibility. Patch from Igor Khavkine <i_khavki@alcor.concordia.ca>. * modules/pam_limits/pam_limits.c: conditionalize the use of RLIMIT_AS, which is not present on the Hurd. Patch from Igor Khavkine <i_khavki@alcor.concordia.ca>. * modules/pam_rhosts/pam_rhosts_auth.c: use getline() instead of a static buffer when available; fixes the build on systems without MAXHOSTNAMELEN (i.e., the Hurd). * modules/pam_xauth/pam_xauth.c: make sure PATH_MAX is defined before using it.
* Relevant BUGIDs:Thorsten Kukuk2007-07-101-0/+1
| | | | | | | | | | | | | | | Purpose of commit: bugfix/new feature Commit summary: --------------- 2007-07-10 Thorsten Kukuk <kukuk@thkukuk.de> * configure.in: Add --with-db-uniquename option to support db libraries and functions with unique name extension. Patch from Diego 'Flameeyes' Pettenò <flameeyes@gmail.com>. * modules/pam_limits/pam_limits.c: Include locale.h.
* Relevant BUGIDs:Thorsten Kukuk2007-06-261-1/+3
| | | | | | | | | | | | | | | | | Purpose of commit: bugfix Commit summary: --------------- 2007-06-26 Thorsten Kukuk <kukuk@thkukuk.de> * modules/pam_limits/pam_limits.c (process_limit): Check upper and lower limit of nice value, fix off-by-one in conversation to rlim_t. * xtests/Makefile.am: Add new pam_limits test case. * xtests/limits.conf: New, config file for test case. * xtests/pam_limits1.c: New, test case for RLIMIT_NICE. * xtests/pam_limits1.sh: Likewise. * xtests/pam_limits1.pamd: Likewise.
* Relevant BUGIDs:Thorsten Kukuk2007-06-221-4/+14
| | | | | | | | | | | | | | | Purpose of commit: bugfix Commit summary: --------------- 2007-06-22 Thorsten Kukuk <kukuk@thkukuk.de> * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Print better error message if /proc/self/loginuid cannot be opened. * modules/pam_limits/pam_limits.c (process_limit): Check for variable overflow after multiplication [bnc#283001].
generated by cgit v1.2.3 (git 2.39.1) at 2025-04-15 11:12:30 +0000