aboutsummaryrefslogtreecommitdiff
path: root/modules/pam_localuser/pam_localuser.c
Commit message (Collapse)AuthorAgeFilesLines
* pam_localuser: do not call pam_sm_authenticateDmitry V. Levin2024-01-131-11/+21
| | | | | | | | | | | Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Rename to pam_localuser, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_localuser.
* Move check_user_in_passwd from pam_localuser.c to pam_modutilFabrice Fontaine2020-06-151-84/+2
| | | | | | | | | | | | | | | | | | Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> * modules/pam_localuser/pam_localuser.c: Include <security/pam_modutil.h>. (pam_sm_authenticate): Replace check_user_in_passwd with pam_modutil_check_user_in_passwd. (check_user_in_passwd): Rename to pam_modutil_check_user_in_passwd, move to ... * libpam/pam_modutil_check_user.c: ... new file. * libpam/Makefile.am (libpam_la_SOURCES): Add pam_modutil_check_user.c. * libpam/include/security/pam_modutil.h (pam_modutil_check_user_in_passwd): New function declaration. * libpam/libpam.map (LIBPAM_MODUTIL_1.4.1): New interface. Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
* pam_localuser: refactor pam_sm_authenticateDmitry V. Levin2020-05-221-56/+63
| | | | | | * modules/pam_localuser/pam_localuser.c (check_user_in_passwd): New function. (pam_sm_authenticate): Use it.
* pam_localuser: downgrade syslog level for errors related to user inputDmitry V. Levin2020-05-221-3/+3
| | | | | | | | * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Downgrade the syslog level for errors related to pam_get_user from LOG_ERR to LOG_NOTICE. Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
* pam_localuser: re-format pam_sm_* function declarationsDmitry V. Levin2020-05-211-10/+7
|
* pam_localuser: remove unused includesDmitry V. Levin2020-05-211-10/+1
| | | | | | | | Also, remove unused MODULE_NAME macro. * modules/pam_localuser/pam_localuser.c: Stop including unused header files. (MODULE_NAME): Remove.
* pam_localuser: forward error values returned by pam_get_userDmitry V. Levin2020-05-211-1/+1
| | | | | | | | | | | | Starting with commit c2c601f5340a59c5c62193d55b555d384380ea38, pam_get_user is guaranteed to return one of the following values: PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_AGAIN, or PAM_CONV_ERR. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Do not replace non-PAM_CONV_AGAIN error values returned by pam_get_user with PAM_SERVICE_ERR. * modules/pam_localuser/pam_localuser.8.xml (RETURN VALUES): Document new return values.
* pam_localuser: return PAM_INCOMPLETE when pam_get_user returns PAM_CONV_AGAINDmitry V. Levin2020-05-211-4/+5
| | | | | | | | | | Give the application a chance to handle PAM_INCOMPLETE. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return PAM_INCOMPLETE instead of PAM_SERVICE_ERR when pam_get_user returns PAM_CONV_AGAIN. * modules/pam_localuser/pam_localuser.8.xml (RETURN VALUES): Document it.
* pam_localuser: open the passwd file after user name validationDmitry V. Levin2020-05-211-12/+7
| | | | | | | | Since user name is untrusted input, it should be validated earlier rather than later. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Open the passwd file after user name validation.
* pam_localuser: use BUFSIZ as the line buffer sizeDmitry V. Levin2020-05-211-1/+1
| | | | | | | | | | As BUFSIZ is the buffer size used in stdio, it must be an efficient size for the line buffer. Also, it's larger than LINE_MAX used as the line buffer size before this change, effectively raising the maximum user name length supported by this module. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Replace LINE_MAX with BUFSIZ.
* pam_localuser: handle long lines in passwd files properlyDmitry V. Levin2020-05-211-3/+32
| | | | | | | | | Before this change, a long line in the passwd file used to be treated as several lines which could potentially result to false match and, consequently, to incorrect PAM_SUCCESS return value. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Handle long lines in passwd files properly.
* pam_localuser: get rid of a temporary bufferDmitry V. Levin2020-05-211-6/+10
| | | | | | * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Do not copy the user name into a temporary buffer, use the user name itself in comparisons.
* pam_localuser: log unrecognized optionsDmitry V. Levin2020-05-211-0/+8
| | | | | * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Log unrecognized options.
* pam_localuser: return PAM_SERVICE_ERR instead of PAM_SYSTEM_ERRDmitry V. Levin2020-05-211-3/+3
| | | | | | | | | When passwd file cannot be opened or the user name either cannot be obtained or is not valid, return PAM_SERVICE_ERR instead of PAM_SYSTEM_ERR. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return PAM_SERVICE_ERR instead of PAM_SYSTEM_ERR.
* pam_localuser: reject user names that are too longDmitry V. Levin2020-05-211-0/+6
| | | | | | | | Too long user names used to be truncated which could potentially result to false match and, consequently, to incorrect PAM_SUCCESS return value. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return PAM_SERVICE_ERR if the user name is too long.
* pam_localuser: reject user names containing a colonDmitry V. Levin2020-05-211-0/+9
| | | | | | | | "root:x" is not a local user name even if the passwd file contains a line starting with "root:x:". * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return PAM_PERM_DENIED if the user name contains a colon.
* modules: do not check user name for NULL if pam_get_user returned PAM_SUCCESSDmitry V. Levin2020-05-151-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If pam_get_user returned PAM_SUCCESS, the user name is guaranteed to be a valid C string, no need to double check that. * modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check for NULL the user name returned by pam_get_user when the latter returned PAM_SUCCESS. * modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise. * modules/pam_debug/pam_debug.c (pam_sm_authenticate): Likewise. * modules/pam_filter/pam_filter.c (process_args): Likewise. * modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise. * modules/pam_group/pam_group.c (pam_sm_setcred): Likewise. * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise. * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Likewise. * modules/pam_mail/pam_mail.c (_do_mail): Likewise. * modules/pam_nologin/pam_nologin.c (perform_check): Likewise. * modules/pam_permit/pam_permit.c (pam_sm_authenticate): Likewise. * modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise. * modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise. * modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Likewise. * modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise. * modules/pam_shells/pam_shells.c (perform_check): Likewise. * modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise. * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise. * modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise. * modules/pam_timestamp/pam_timestamp.c (get_timestamp_name): Likewise. * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise. * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Likewise. * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise. * modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise. * modules/pam_wheel/pam_wheel.c (perform_check): Likewise. * modules/pam_userdb/pam_userdb.c (pam_sm_authenticate, pam_sm_acct_mgmt): Likewise.
* modules: remove PAM_SM_* macrosDmitry V. Levin2020-05-031-2/+2
| | | | | | Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support from Linux-PAM), PAM_SM_* macros have no effect.
* modules/pam_localuser: use pam_str_skip_prefixDmitry V. Levin2020-03-191-2/+5
| | | | | | * modules/pam_localuser/pam_localuser.c: Include "pam_inline.h". (pam_sm_authenticate): Use pam_str_skip_prefix instead of ugly strncmp invocations.
* Remove "--enable-static-modules" option and support fromThorsten Kukuk2016-03-291-22/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Linux-PAM. It was never official supported and was broken since years. * configure.ac: Remove --enable-static-modules option. * doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN. * doc/man/pam_sm_authenticate.3.xml: Likewise. * doc/man/pam_sm_chauthtok.3.xml: Likewise. * doc/man/pam_sm_close_session.3.xml: Likewise. * doc/man/pam_sm_open_session.3.xml: Likewise. * doc/man/pam_sm_setcred.3.xml: Likewise. * libpam/Makefile.am: Remove STATIC_MODULES cases. * libpam/include/security/pam_modules.h: Remove PAM_STATIC parts. * libpam/pam_dynamic.c: Likewise. * libpam/pam_handlers.c: Likewise. * libpam/pam_private.h: Likewise. * libpam/pam_static.c: Remove file. * libpam/pam_static_modules.h: Remove header file. * modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts. * modules/pam_cracklib/pam_cracklib.c: Likewise. * modules/pam_debug/pam_debug.c: Likewise. * modules/pam_deny/pam_deny.c: Likewise. * modules/pam_echo/pam_echo.c: Likewise. * modules/pam_env/pam_env.c: Likewise. * modules/pam_exec/pam_exec.c: Likewise. * modules/pam_faildelay/pam_faildelay.c: Likewise. * modules/pam_filter/pam_filter.c: Likewise. * modules/pam_ftp/pam_ftp.c: Likewise. * modules/pam_group/pam_group.c: Likewise. * modules/pam_issue/pam_issue.c: Likewise. * modules/pam_keyinit/pam_keyinit.c: Likewise. * modules/pam_lastlog/pam_lastlog.c: Likewise. * modules/pam_limits/pam_limits.c: Likewise. * modules/pam_listfile/pam_listfile.c: Likewise. * modules/pam_localuser/pam_localuser.c: Likewise. * modules/pam_loginuid/pam_loginuid.c: Likewise. * modules/pam_mail/pam_mail.c: Likewise. * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise. * modules/pam_motd/pam_motd.c: Likewise. * modules/pam_namespace/pam_namespace.c: Likewise. * modules/pam_nologin/pam_nologin.c: Likewise. * modules/pam_permit/pam_permit.c: Likewise. * modules/pam_pwhistory/pam_pwhistory.c: Likewise. * modules/pam_rhosts/pam_rhosts.c: Likewise. * modules/pam_rootok/pam_rootok.c: Likewise. * modules/pam_securetty/pam_securetty.c: Likewise. * modules/pam_selinux/pam_selinux.c: Likewise. * modules/pam_sepermit/pam_sepermit.c: Likewise. * modules/pam_shells/pam_shells.c: Likewise. * modules/pam_stress/pam_stress.c: Likewise. * modules/pam_succeed_if/pam_succeed_if.c: Likewise. * modules/pam_tally/pam_tally.c: Likewise. * modules/pam_tally2/pam_tally2.c: Likewise. * modules/pam_time/pam_time.c: Likewise. * modules/pam_timestamp/pam_timestamp.c: Likewise. * modules/pam_tty_audit/pam_tty_audit.c: Likewise. * modules/pam_umask/pam_umask.c: Likewise. * modules/pam_userdb/pam_userdb.c: Likewise. * modules/pam_warn/pam_warn.c: Likewise. * modules/pam_wheel/pam_wheel.c: Likewise. * modules/pam_xauth/pam_xauth.c: Likewise. * modules/pam_unix/Makefile.am: Remove STATIC_MODULES part. * modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part. * modules/pam_unix/pam_unix_auth.c: Likewise. * modules/pam_unix/pam_unix_passwd.c: Likewise. * modules/pam_unix/pam_unix_sess.c: Likewise. * modules/pam_unix/pam_unix_static.c: Removed. * modules/pam_unix/pam_unix_static.h: Removed. * po/POTFILES.in: Remove removed files. * tests/tst-dlopen.c: Remove PAM_STATIC part.
* Relevant BUGIDs: 1606180Thorsten Kukuk2006-12-131-3/+24
| | | | | | | | | | | | | | | | Purpose of commit: new feature Commit summary: --------------- 2006-12-13 Thorsten Kukuk <kukuk@suse.de> * modules/pam_localuser/pam_localuser.c: Add support for session and chauthtok [SF#1606180]. * modules/pam_localuser/pam_localuser.8.xml: Document last change. * libpam/pam_audit.c (_pam_audit_writelog): Print error message only once.
* Relevant BUGIDs: noneDmitry V. Levin2005-11-241-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Purpose of commit: cleanup Commit summary: --------------- 2005-11-24 Dmitry V. Levin <ldv@altlinux.org> * configure.in: Do not check for strerror. * libpam_misc/misc_conv.c (read_string): Replace strerror() call with %m specifier. * libpamc/pamc_converse.c (pamc_converse): Likewise. * modules/pam_echo/pam_echo.c (pam_echo): Likewise. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Likewise. * modules/pam_selinux/pam_selinux.c (security_label_tty): Likewise. (security_restorelabel_tty, security_label_tty): Append %m specifier where appropriate. * modules/pam_selinux/pam_selinux_check.c (main): Replace strerror() call with %m specifier. * modules/pam_unix/pam_unix_passwd.c (save_old_password, _update_passwd, _update_shadow): Likewise. * modules/pam_unix/support.c (_unix_run_helper_binary): Likewise. * modules/pam_unix/unix_chkpwd.c (_update_shadow): Likewise. * po/Linux-PAM.pot: Update strings from pam_selinux. * po/cs.po: Likewise. * po/de.po: Likewise. * po/es.po: Likewise. * po/fi.po: Likewise. * po/fr.po: Likewise. * po/hu.po: Likewise. * po/it.po: Likewise. * po/ja.po: Likewise. * po/nb.po: Likewise. * po/pa.po: Likewise. * po/pl.po: Likewise. * po/pt.po: Likewise. * po/pt_BR.po: Likewise. * po/zh_CN.po: Likewise. * po/zh_TW.po: Likewise.
* Relevant BUGIDs: noneThorsten Kukuk2005-09-051-19/+11
| | | | | | | | | Purpose of commit: cleanup Commit summary: --------------- use pam_syslog().
* Relevant BUGIDs: noneThorsten Kukuk2005-08-161-7/+9
| | | | | | | | | Purpose of commit: new feature Commit summary: --------------- Big "automake/autoconf/libtool" commit
* Relevant BUGIDs: noneThorsten Kukuk2005-07-201-1/+1
| | | | | | | | | Purpose of commit: cleanup Commit summary: --------------- Rename _pam_aconf.h to config.h.
* Relevant BUGIDs:Tomas Mraz2005-01-121-5/+4
| | | | | | | | Purpose of commit: cleanup Commit summary: --------------- Get user name by pam_get_user call instead of pam_get_item
* Relevant BUGIDs:Thorsten Kukuk2004-09-241-0/+160
Purpose of commit: Commit summary: --------------- new feature: Bug 436444: Add pam_localuser module
generated by cgit v1.2.3 (git 2.39.1) at 2025-04-17 02:03:54 +0000