path: root/modules/pam_namespace
Commit message [Author, Age, Files, Lines]
* New upstream version 1.5.2 [Steve Langasek, 2022-08-16, 10 files, -143/+102]
|\
| * configure.ac: add --with-systemdunitdir option [Changqing Li, 2021-01-27, 1 file, -1/+1]
| |     * Add this option to support the following scenario:
| |         prefix = '/usr'
| |         servicedir = '/lib/systemd/system'
| |     * The default behavior is changed:
| |       If this option is not given, servicedir will be set to the value
| |       that is obtained from systemd pkg-config file. If the value cannot
| |       be obtained, servicedir will be set to the default value
| |       '$(prefix)/lib/systemd/system'.
| |
| |     Signed-off-by: Changqing Li <changqing.li@windriver.com>
| * pam_namespace: check for string_to_security_class failure [Christian Göttsche, 2020-12-08, 1 file, -0/+6]
| |     Check for the unlikely case string_to_security_class() does not find
| |     the associated SELinux security class. This will only happen if the
| |     loaded SELinux policy does not define the class "dir" (which no sane
| |     policy does) or querying the selinuxfs fails.
| |
| |     Suggested by #309
| * pam_namespace: polyinstantiation refer to gdm doc [ikerexxe, 2020-10-05, 1 file, -39/+2]
| |     modules/pam_namespace/pam_namespace.8.xml: delete obsolete information
| |     about polyinstantiation and refer to gdm's documentation.
| |
| |     Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1861841
| * Fix -Wcast-align compilation warnings on arm [Dmitry V. Levin, 2020-08-06, 2 files, -22/+28]
| |     Apparently, gcc is also not smart enough to infer the alignment of
| |     structure fields, for details see
| |     https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89133
| |
| |     Use unions to avoid these casts altogether, this fixes compilation
| |     warnings reported by gcc on arm, e.g.:
| |
| |     md5.c: In function 'MD5Update':
| |     md5.c:92:35: error: cast increases required alignment of target type [-Werror=cast-align]
| |        92 |  MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
| |           |                                   ^
| |     md5.c:101:35: error: cast increases required alignment of target type [-Werror=cast-align]
| |       101 |  MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
| |           |                                   ^
| |     md5.c: In function 'MD5Final':
| |     md5.c:136:35: error: cast increases required alignment of target type [-Werror=cast-align]
| |       136 |  MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
| |           |                                   ^
| |     md5.c:147:9: error: cast increases required alignment of target type [-Werror=cast-align]
| |       147 |  memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32));
| |           |         ^
| |     md5.c:149:34: error: cast increases required alignment of target type [-Werror=cast-align]
| |       149 |  MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
| |           |                                  ^
| |
| |     * modules/pam_namespace/md5.h (struct MD5Context): Replace "buf" and "in" fields with unions. All users updated.
| |     * modules/pam_unix/md5.h (struct MD5Context): Likewise.
| |     * modules/pam_timestamp/sha1.h (struct sha1_context.pending): Replace with a union. All users updated.
| |
| |     Complements: v1.4.0~195 ("Fix most of clang -Wcast-align compilation warnings")
| * pam_namespace: fix big-endian check in md5 implementation [Dmitry V. Levin, 2020-08-05, 1 file, -4/+4]
| |     * modules/pam_namespace/md5.c: Do not check against the list of
| |       architectures that are known to be little-endian, instead check for
| |       WORDS_BIGENDIAN macro defined by AC_C_BIGENDIAN autoconf macro on
| |       big-endian platforms.
| * pam_namespace: skip context translation [Christian Göttsche, 2020-08-05, 1 file, -8/+8]
| |     These retrieved contexts are just passed to libselinux functions and
| |     not printed or otherwise made available to the outside, so a context
| |     translation to human readable MCS/MLS labels is not needed.
| |     (see man:setrans.conf(5))
| * pam_namespace: replace deprecated matchpathcon [Christian Göttsche, 2020-08-05, 2 files, -13/+22]
| |     The matchpathcon family is deprecated.
| |     Use the selabel family.
| * pam_namespace: replace deprecated security_context_t [Christian Göttsche, 2020-08-05, 1 file, -8/+8]
| |     libselinux 3.1 deprecated the typedef security_context_t.
| |     Use the underlying type.
| * pam_namespace, pam_mkhomedir: fix unlikely descriptor leaks on error path [ikerexxe, 2020-07-01, 1 file, -0/+1]
| |     [ldv: rewrote commit message]
| |
| |     * modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Close just
| |       opened file descriptor "srcfd" in an unlikely case when it cannot be
| |       fstat'ed.
| |     * modules/pam_namespace/pam_namespace.c (create_instance): Close just
| |       opened file descriptor "fd" in an unlikely case when it cannot be
| |       fstat'ed.
| * pam_namespace: add systemd service file to gitignore [ikerexxe, 2020-06-26, 1 file, -0/+1]
| |     * modules/pam_namespace/.gitignore: Add pam_namespace.service.
| |
| |     Complements: v1.4.0~247 ("pam_namespace: secure tmp-inst directories")
* | New upstream version 1.4.0 [Steve Langasek, 2020-08-11, 15 files, -143/+471]
|\|
| * Use correct path for pam_namespace.service file (#223) [Thorsten Kukuk, 2020-05-12, 1 file, -1/+1]
| |
| * modules/*/Makefile.am: rename TESTS to dist_check_SCRIPTS [Dmitry V. Levin, 2020-05-03, 1 file, -2/+3]
| |     ... and remove $(TESTS) from EXTRA_DIST.
| |
| |     The change is performed automatically using the following script:
| |       sed -i -e 's/^TESTS = \(tst.*\)/dist_check_SCRIPTS = \1\nTESTS = $(dist_check_SCRIPTS)/' \
| |              -e '/^EXTRA_DIST/ s/ \$(TESTS)//' modules/*/Makefile.am
| * modules/*/Makefile.am: rename man_MANS to dist_man_MANS [Dmitry V. Levin, 2020-05-03, 1 file, -2/+2]
| |     ... and remove $(MANS) from EXTRA_DIST.
| |
| |     The change is performed automatically using the following script:
| |       sed -i 's/^man_MANS/dist_&/; /^EXTRA_DIST/ s/ \$(MANS)//' modules/*/Makefile.am
| * pam_namespace: cleanup pam_namespace.service installation [Dmitry V. Levin, 2020-05-03, 1 file, -5/+1]
| |     * modules/pam_namespace/Makefile.am (service_DATA): New variable.
| |       (install-data-local): Remove all commands related to servicedir.
| |       (uninstall-local): Remove.
| |
| |     Fixes: 59812d1cf ("pam_namespace: secure tmp-inst directories")
| * modules/*/Makefile.am: add dist_ prefix to *_DATA [Dmitry V. Levin, 2020-05-03, 1 file, -3/+3]
| |     ... and remove $(DATA) from EXTRA_DIST.
| |
| |     The change is performed automatically using the following script:
| |       sed -i 's/^[a-z]*_DATA/dist_&/; /^EXTRA_DIST/ s/ \$(DATA)//' modules/*/Makefile.am
| * modules/pam_namespace/Makefile.am: add dist_ prefix to secureconf_SCRIPTS [Dmitry V. Levin, 2020-05-03, 1 file, -2/+2]
| |     ... and remove $(SCRIPTS) from EXTRA_DIST.
| |
| |     * modules/pam_namespace/Makefile.am (EXTRA_DIST): Remove $(SCRIPTS).
| |       (secureconf_SCRIPTS): Rename to dist_secureconf_SCRIPTS.
| * pam_namespace: replace namespace.init with $(SCRIPTS) in EXTRA_DIST [Dmitry V. Levin, 2020-04-27, 1 file, -1/+1]
| |     As namespace.init is listed in secureconf_SCRIPTS which is part of
| |     generated SCRIPTS variable.
| |
| |     * modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace
| |       namespace.init with $(SCRIPTS).
| * modules/*/Makefile.am: remove $(secureconf_DATA) from EXTRA_DIST [Dmitry V. Levin, 2020-04-27, 1 file, -1/+1]
| |     Since the whole $(DATA) is listed in EXTRA_DIST, $(secureconf_DATA)
| |     can be safely de-listed.
| |
| |     * modules/pam_access/Makefile.am (EXTRA_DIST): Remove $(secureconf_DATA).
| |     * modules/pam_env/Makefile.am: Likewise.
| |     * modules/pam_group/Makefile.am: Likewise.
| |     * modules/pam_limits/Makefile.am: Likewise.
| |     * modules/pam_namespace/Makefile.am: Likewise.
| |     * modules/pam_sepermit/Makefile.am: Likewise.
| |     * modules/pam_time/Makefile.am: Likewise.
| * modules/*/Makefile.am: replace README with $(DATA) in EXTRA_DIST [Dmitry V. Levin, 2020-04-27, 1 file, -1/+1]
| |     Since the GNU Automake distributes README files by default, the only
| |     reason why README had to be listed in EXTRA_DIST was to make these
| |     README files generated.
| |
| |     Since README is also listed in noinst_DATA, we can safely replace
| |     README in EXTRA_DIST with $(DATA), this also opens the way for further
| |     EXTRA_DIST cleanup.
| |
| |     * modules/*/Makefile.am (EXTRA_DIST): Replace README with $(DATA).
| * modules/*/Makefile.am: reorder lines to promote uniformity [Dmitry V. Levin, 2020-04-27, 1 file, -6/+3]
| |     This is essentially a no-op change that makes modules/*/Makefile.am
| |     files less divergent.
| * build: move README prerequisites rule from modules/*/Makefile.am to Make.xml.rules [Dmitry V. Levin, 2020-04-27, 1 file, -1/+0]
| |     As the rule is now the same in every modules/*/Makefile.am file,
| |     move it to Make.xml.rules.
| |
| |     * Make.xml.rules (README): New prerequisites rule.
| |     * modules/pam_access/Makefile.am (README): Remove rule.
| |     * modules/pam_cracklib/Makefile.am (README): Likewise.
| |     * modules/pam_debug/Makefile.am (README): Likewise.
| |     * modules/pam_deny/Makefile.am (README): Likewise.
| |     * modules/pam_echo/Makefile.am (README): Likewise.
| |     * modules/pam_env/Makefile.am (README): Likewise.
| |     * modules/pam_exec/Makefile.am (README): Likewise.
| |     * modules/pam_faildelay/Makefile.am (README): Likewise.
| |     * modules/pam_filter/Makefile.am (README): Likewise.
| |     * modules/pam_ftp/Makefile.am (README): Likewise.
| |     * modules/pam_group/Makefile.am (README): Likewise.
| |     * modules/pam_issue/Makefile.am (README): Likewise.
| |     * modules/pam_keyinit/Makefile.am (README): Likewise.
| |     * modules/pam_lastlog/Makefile.am (README): Likewise.
| |     * modules/pam_limits/Makefile.am (README): Likewise.
| |     * modules/pam_listfile/Makefile.am (README): Likewise.
| |     * modules/pam_localuser/Makefile.am (README): Likewise.
| |     * modules/pam_loginuid/Makefile.am (README): Likewise.
| |     * modules/pam_mail/Makefile.am (README): Likewise.
| |     * modules/pam_mkhomedir/Makefile.am (README): Likewise.
| |     * modules/pam_motd/Makefile.am (README): Likewise.
| |     * modules/pam_namespace/Makefile.am (README): Likewise.
| |     * modules/pam_nologin/Makefile.am (README): Likewise.
| |     * modules/pam_permit/Makefile.am (README): Likewise.
| |     * modules/pam_pwhistory/Makefile.am (README): Likewise.
| |     * modules/pam_rhosts/Makefile.am (README): Likewise.
| |     * modules/pam_rootok/Makefile.am (README): Likewise.
| |     * modules/pam_securetty/Makefile.am (README): Likewise.
| |     * modules/pam_selinux/Makefile.am (README): Likewise.
| |     * modules/pam_sepermit/Makefile.am (README): Likewise.
| |     * modules/pam_setquota/Makefile.am (README): Likewise.
| |     * modules/pam_shells/Makefile.am (README): Likewise.
| |     * modules/pam_succeed_if/Makefile.am (README): Likewise.
| |     * modules/pam_tally/Makefile.am (README): Likewise.
| |     * modules/pam_tally2/Makefile.am (README): Likewise.
| |     * modules/pam_time/Makefile.am (README): Likewise.
| |     * modules/pam_timestamp/Makefile.am (README): Likewise.
| |     * modules/pam_tty_audit/Makefile.am (README): Likewise.
| |     * modules/pam_umask/Makefile.am (README): Likewise.
| |     * modules/pam_unix/Makefile.am (README): Likewise.
| |     * modules/pam_userdb/Makefile.am (README): Likewise.
| |     * modules/pam_usertype/Makefile.am (README): Likewise.
| |     * modules/pam_warn/Makefile.am (README): Likewise.
| |     * modules/pam_wheel/Makefile.am (README): Likewise.
| |     * modules/pam_xauth/Makefile.am (README): Likewise.
| * modules/*/Makefile.am: list prerequisites of README target uniformly [Dmitry V. Levin, 2020-04-27, 1 file, -1/+1]
| |     There is no need to list prerequisites of README targets manually as
| |     all README targets depend on $(XMLS).
| |
| |     The change is performed automatically using the following script:
| |       sed -i 's/^README: pam_.*/README: $(XMLS)/' modules/*/Makefile.am
| |
| |     * modules/pam_access/Makefile.am (README): Replace pam_access.8.xml and access.conf.5.xml with $(XMLS).
| |     * modules/pam_cracklib/Makefile.am (README): Replace pam_cracklib.8.xml with $(XMLS).
| |     * modules/pam_debug/Makefile.am (README): Replace pam_debug.8.xml with $(XMLS).
| |     * modules/pam_deny/Makefile.am (README): Replace pam_deny.8.xml with $(XMLS).
| |     * modules/pam_echo/Makefile.am (README): Replace pam_echo.8.xml with $(XMLS).
| |     * modules/pam_env/Makefile.am (README): Replace pam_env.8.xml and pam_env.conf.5.xml with $(XMLS).
| |     * modules/pam_exec/Makefile.am (README): Replace pam_exec.8.xml with $(XMLS).
| |     * modules/pam_faildelay/Makefile.am (README): Replace pam_faildelay.8.xml with $(XMLS).
| |     * modules/pam_filter/Makefile.am (README): Replace pam_filter.8.xml with $(XMLS).
| |     * modules/pam_ftp/Makefile.am (README): Replace pam_ftp.8.xml with $(XMLS).
| |     * modules/pam_group/Makefile.am (README): Replace pam_group.8.xml and group.conf.5.xml with $(XMLS).
| |     * modules/pam_issue/Makefile.am (README): Replace pam_issue.8.xml with $(XMLS).
| |     * modules/pam_keyinit/Makefile.am (README): Replace pam_keyinit.8.xml with $(XMLS).
| |     * modules/pam_lastlog/Makefile.am (README): Replace pam_lastlog.8.xml with $(XMLS).
| |     * modules/pam_limits/Makefile.am (README): Replace pam_limits.8.xml and limits.conf.5.xml with $(XMLS).
| |     * modules/pam_listfile/Makefile.am (README): Replace pam_listfile.8.xml with $(XMLS).
| |     * modules/pam_localuser/Makefile.am (README): Replace pam_localuser.8.xml with $(XMLS).
| |     * modules/pam_loginuid/Makefile.am (README): Replace pam_loginuid.8.xml with $(XMLS).
| |     * modules/pam_mail/Makefile.am (README): Replace pam_mail.8.xml with $(XMLS).
| |     * modules/pam_mkhomedir/Makefile.am (README): Replace pam_mkhomedir.8.xml with $(XMLS).
| |     * modules/pam_motd/Makefile.am (README): Replace pam_motd.8.xml with $(XMLS).
| |     * modules/pam_namespace/Makefile.am (README): Replace pam_namespace.8.xml, namespace.conf.5.xml, and pam_namespace_helper.8.xml with $(XMLS).
| |     * modules/pam_nologin/Makefile.am (README): Replace pam_nologin.8.xml with $(XMLS).
| |     * modules/pam_permit/Makefile.am (README): Replace pam_permit.8.xml with $(XMLS).
| |     * modules/pam_pwhistory/Makefile.am (README): Replace pam_pwhistory.8.xml with $(XMLS).
| |     * modules/pam_rhosts/Makefile.am (README): Replace pam_rhosts.8.xml with $(XMLS).
| |     * modules/pam_rootok/Makefile.am (README): Replace pam_rootok.8.xml with $(XMLS).
| |     * modules/pam_securetty/Makefile.am (README): Replace pam_securetty.8.xml with $(XMLS).
| |     * modules/pam_selinux/Makefile.am (README): Replace pam_selinux.8.xml with $(XMLS).
| |     * modules/pam_sepermit/Makefile.am (README): Replace pam_sepermit.8.xml with $(XMLS).
| |     * modules/pam_setquota/Makefile.am (README): Replace pam_setquota.8.xml with $(XMLS).
| |     * modules/pam_shells/Makefile.am (README): Replace pam_shells.8.xml with $(XMLS).
| |     * modules/pam_succeed_if/Makefile.am (README): Replace pam_succeed_if.8.xml with $(XMLS).
| |     * modules/pam_tally/Makefile.am (README): Replace pam_tally.8.xml with $(XMLS).
| |     * modules/pam_tally2/Makefile.am (README): Replace pam_tally2.8.xml with $(XMLS).
| |     * modules/pam_time/Makefile.am (README): Replace pam_time.8.xml and time.conf.5.xml with $(XMLS).
| |     * modules/pam_timestamp/Makefile.am (README): Replace pam_timestamp.8.xml with $(XMLS).
| |     * modules/pam_tty_audit/Makefile.am (README): Replace pam_tty_audit.8.xml with $(XMLS).
| |     * modules/pam_umask/Makefile.am (README): Replace pam_umask.8.xml with $(XMLS).
| |     * modules/pam_unix/Makefile.am (README): Replace pam_unix.8.xml with $(XMLS).
| |     * modules/pam_userdb/Makefile.am (README): Replace pam_userdb.8.xml with $(XMLS).
| |     * modules/pam_usertype/Makefile.am (README): Replace pam_usertype.8.xml with $(XMLS).
| |     * modules/pam_warn/Makefile.am (README): Replace pam_warn.8.xml with $(XMLS).
| |     * modules/pam_wheel/Makefile.am (README): Replace pam_wheel.8.xml with $(XMLS).
| |     * modules/pam_xauth/Makefile.am (README): Replace pam_xauth.8.xml with $(XMLS).
| * modules/*/Makefile.am: list secureconf_DATA files in EXTRA_DIST uniformly [Dmitry V. Levin, 2020-04-27, 1 file, -1/+1]
| |     The change was prepared using the following script:
| |
| |       git grep -l secureconf_DATA modules/*/Makefile.am |while read m; do
| |         t="$(sed '/^secureconf_DATA = /!d;s///;q' -- "$m")"
| |         sed -i "/^EXTRA_DIST =/ s/\\<$t\\>/\$(secureconf_DATA)/" -- "$m"
| |       done
| |
| |     * modules/pam_access/Makefile.am (EXTRA_DIST): Replace access.conf with $(secureconf_DATA).
| |     * modules/pam_env/Makefile.am (EXTRA_DIST): Replace pam_env.conf with $(secureconf_DATA).
| |     * modules/pam_group/Makefile.am (EXTRA_DIST): Replace group.conf with $(secureconf_DATA).
| |     * modules/pam_limits/Makefile.am (EXTRA_DIST): Replace limits.conf with $(secureconf_DATA).
| |     * modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace namespace.conf with $(secureconf_DATA).
| |     * modules/pam_sepermit/Makefile.am (EXTRA_DIST): Replace sepermit.conf with $(secureconf_DATA).
| |     * modules/pam_time/Makefile.am (EXTRA_DIST): Replace time.conf with $(secureconf_DATA).
| * modules/*/Makefile.am: list tests in EXTRA_DIST uniformly [Dmitry V. Levin, 2020-04-27, 1 file, -1/+1]
| |     The change was prepared using the following script:
| |
| |       git grep -l '^TESTS = tst-pam_' modules/ |while read m; do
| |         t="$(sed '/^TESTS = tst-pam_/!d;s/^TESTS = //;q' -- "$m")"
| |         sed -i "/^EXTRA_DIST =/ s/$t\\>/\$(TESTS)/" -- "$m"
| |       done
| |
| |     * modules/pam_access/Makefile.am (EXTRA_DIST): Replace tst-pam_access with $(TESTS).
| |     * modules/pam_cracklib/Makefile.am (EXTRA_DIST): Replace tst-pam_cracklib with $(TESTS).
| |     * modules/pam_debug/Makefile.am (EXTRA_DIST): Replace tst-pam_debug with $(TESTS).
| |     * modules/pam_deny/Makefile.am (EXTRA_DIST): Replace tst-pam_deny with $(TESTS).
| |     * modules/pam_echo/Makefile.am (EXTRA_DIST): Replace tst-pam_echo with $(TESTS).
| |     * modules/pam_env/Makefile.am (EXTRA_DIST): Replace tst-pam_env with $(TESTS).
| |     * modules/pam_exec/Makefile.am (EXTRA_DIST): Replace tst-pam_exec with $(TESTS).
| |     * modules/pam_faildelay/Makefile.am (EXTRA_DIST): Replace tst-pam_faildelay with $(TESTS).
| |     * modules/pam_filter/Makefile.am (EXTRA_DIST): Replace tst-pam_filter with $(TESTS).
| |     * modules/pam_ftp/Makefile.am (EXTRA_DIST): Replace tst-pam_ftp with $(TESTS).
| |     * modules/pam_group/Makefile.am (EXTRA_DIST): Replace tst-pam_group with $(TESTS).
| |     * modules/pam_issue/Makefile.am (EXTRA_DIST): Replace tst-pam_issue with $(TESTS).
| |     * modules/pam_keyinit/Makefile.am (EXTRA_DIST): Replace tst-pam_keyinit with $(TESTS).
| |     * modules/pam_lastlog/Makefile.am (EXTRA_DIST): Replace tst-pam_lastlog with $(TESTS).
| |     * modules/pam_limits/Makefile.am (EXTRA_DIST): Replace tst-pam_limits with $(TESTS).
| |     * modules/pam_listfile/Makefile.am (EXTRA_DIST): Replace tst-pam_listfile with $(TESTS).
| |     * modules/pam_localuser/Makefile.am (EXTRA_DIST): Replace tst-pam_localuser with $(TESTS).
| |     * modules/pam_loginuid/Makefile.am (EXTRA_DIST): Replace tst-pam_loginuid with $(TESTS).
| |     * modules/pam_mail/Makefile.am (EXTRA_DIST): Replace tst-pam_mail with $(TESTS).
| |     * modules/pam_mkhomedir/Makefile.am (EXTRA_DIST): Replace tst-pam_mkhomedir with $(TESTS).
| |     * modules/pam_motd/Makefile.am (EXTRA_DIST): Replace tst-pam_motd with $(TESTS).
| |     * modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace tst-pam_namespace with $(TESTS).
| |     * modules/pam_nologin/Makefile.am (EXTRA_DIST): Replace tst-pam_nologin with $(TESTS).
| |     * modules/pam_permit/Makefile.am (EXTRA_DIST): Replace tst-pam_permit with $(TESTS).
| |     * modules/pam_pwhistory/Makefile.am (EXTRA_DIST): Replace tst-pam_pwhistory with $(TESTS).
| |     * modules/pam_rhosts/Makefile.am (EXTRA_DIST): Replace tst-pam_rhosts with $(TESTS).
| |     * modules/pam_rootok/Makefile.am (EXTRA_DIST): Replace tst-pam_rootok with $(TESTS).
| |     * modules/pam_securetty/Makefile.am (EXTRA_DIST): Replace tst-pam_securetty with $(TESTS).
| |     * modules/pam_sepermit/Makefile.am (EXTRA_DIST): Replace tst-pam_sepermit with $(TESTS).
| |     * modules/pam_setquota/Makefile.am (EXTRA_DIST): Replace tst-pam_setquota with $(TESTS).
| |     * modules/pam_shells/Makefile.am (EXTRA_DIST): Replace tst-pam_shells with $(TESTS).
| |     * modules/pam_stress/Makefile.am (EXTRA_DIST): Replace tst-pam_stress with $(TESTS).
| |     * modules/pam_succeed_if/Makefile.am (EXTRA_DIST): Replace tst-pam_succeed_if with $(TESTS).
| |     * modules/pam_tally/Makefile.am (EXTRA_DIST): Replace tst-pam_tally with $(TESTS).
| |     * modules/pam_tally2/Makefile.am (EXTRA_DIST): Replace tst-pam_tally2 with $(TESTS).
| |     * modules/pam_time/Makefile.am (EXTRA_DIST): Replace tst-pam_time with $(TESTS).
| |     * modules/pam_tty_audit/Makefile.am (EXTRA_DIST): Replace tst-pam_tty_audit with $(TESTS).
| |     * modules/pam_umask/Makefile.am (EXTRA_DIST): Replace tst-pam_umask with $(TESTS).
| |     * modules/pam_userdb/Makefile.am (EXTRA_DIST): Replace tst-pam_userdb with $(TESTS).
| |     * modules/pam_usertype/Makefile.am (EXTRA_DIST): Replace tst-pam_usertype with $(TESTS).
| |     * modules/pam_warn/Makefile.am (EXTRA_DIST): Replace tst-pam_warn with $(TESTS).
| |     * modules/pam_wheel/Makefile.am (EXTRA_DIST): Replace tst-pam_wheel with $(TESTS).
| |     * modules/pam_xauth/Makefile.am (EXTRA_DIST): Replace tst-pam_xauth with $(TESTS).
| * pam_namespace: simplify distribution of manual pages [Dmitry V. Levin, 2020-04-27, 1 file, -4/+2]
| |     * modules/pam_namespace/Makefile.am: Merge MAN5 and MAN8 into man_MANS.
| * build: move pam_namespace build condition to modules/Makefile.am [Dmitry V. Levin, 2020-04-26, 1 file, -12/+8]
| |     * configure.ac (AM_CONDITIONAL): Replace HAVE_UNSHARE with
| |       COND_BUILD_PAM_NAMESPACE.
| |     * modules/Makefile.am [COND_BUILD_PAM_NAMESPACE] (MAYBE_PAM_NAMESPACE):
| |       Define.
| |       (SUBDIRS): Replace pam_namespace with $(MAYBE_PAM_NAMESPACE).
| |     * modules/pam_namespace/Makefile.am: Assume HAVE_UNSHARE.
| * Fix various typos found using codespell tool [Dmitry V. Levin, 2020-03-28, 2 files, -4/+4]
| |
| * modules/pam_namespace: use pam_str_skip_prefix [Dmitry V. Levin, 2020-03-19, 1 file, -1/+1]
| |     * modules/pam_namespace/pam_namespace.c (root_shared): Use
| |       pam_str_skip_prefix instead of ugly strncmp invocations.
| * Use PAM_ARRAY_SIZE [Dmitry V. Levin, 2020-03-19, 1 file, -2/+3]
| |     Replace all instances of sizeof(x) / sizeof(*x) with PAM_ARRAY_SIZE(x)
| |     which is less error-prone and implements an additional type check.
| |
| |     * libpam/pam_handlers.c: Include "pam_inline.h".
| |       (_pam_open_config_file): Use PAM_ARRAY_SIZE.
| |     * modules/pam_exec/pam_exec.c: Include "pam_inline.h".
| |       (call_exec): Use PAM_ARRAY_SIZE.
| |     * modules/pam_namespace/pam_namespace.c: Include "pam_inline.h".
| |       (filter_mntopts): Use PAM_ARRAY_SIZE.
| |     * modules/pam_timestamp/hmacfile.c: Include "pam_inline.h".
| |       (testvectors): Use PAM_ARRAY_SIZE.
| |     * modules/pam_xauth/pam_xauth.c: Include "pam_inline.h".
| |       (run_coprocess, pam_sm_open_session): Use PAM_ARRAY_SIZE.
| |     * tests/tst-pam_get_item.c: Include "pam_inline.h".
| |       (main): Use PAM_ARRAY_SIZE.
| |     * tests/tst-pam_set_item.c: Likewise.
| |     * xtests/tst-pam_pwhistory1.c: Likewise.
| |     * xtests/tst-pam_time1.c: Likewise.
| * Fix most of clang -Wcast-align compilation warnings [Dmitry V. Levin, 2020-03-19, 2 files, -3/+7]
| |     Unlike gcc, clang is not smart enough to infer the alignment
| |     of structure fields, so add some alignment hints to the code.
| |
| |     * libpam/include/pam_cc_compat.h (PAM_ATTRIBUTE_ALIGNED): New macro.
| |     * modules/pam_namespace/md5.h: Include "pam_cc_compat.h".
| |       (struct MD5Context): Add PAM_ATTRIBUTE_ALIGNED to "in" field.
| |     * modules/pam_namespace/md5.c [!(__i386__ || __x86_64__)]
| |       (uint8_aligned): New type.
| |       [!(__i386__ || __x86_64__)] (byteReverse): Use it instead of unsigned char.
| |     * modules/pam_timestamp/sha1.h: Include "pam_cc_compat.h".
| |       (struct sha1_context): Add PAM_ATTRIBUTE_ALIGNED to pending field.
| |     * modules/pam_unix/md5.h: Include "pam_cc_compat.h".
| |       (struct MD5Context): Add PAM_ATTRIBUTE_ALIGNED to "in" field.
| |     * modules/pam_unix/md5.c [!HIGHFIRST] (uint8_aligned): New type.
| |       [!HIGHFIRST] (byteReverse): Use it instead of unsigned char.
| * modules/pam_namespace: fix EXTRA_DIST [Dmitry V. Levin, 2020-03-18, 1 file, -1/+1]
| |     * modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace
| |       "$(MAN5) $(MAN8)" with "$(MANS)" as the former is conditional
| |       on HAVE_DOC.
| * pam_namespace: ignore pam_namespace_helper in git [Christian Göttsche, 2020-03-17, 1 file, -0/+1]
| |     * modules/pam_namespace/.gitignore: New file.
| |
| |     Resolves: https://github.com/linux-pam/linux-pam/pull/192
| * pam_namespace: secure tmp-inst directories [Topi Miettinen, 2020-02-18, 5 files, -4/+103]
| |     When using polyinstantiation for /tmp and/or /var/tmp, pam_namespace
| |     creates subdirectories with fixed name tmp-inst. These paths should be
| |     secured as early as possible to avoid that somehow these directories
| |     could be created and controlled by for example a malicious user or
| |     service.
| |
| |     Ship a systemd service, which creates the directories early in boot
| |     sequence with correct permissions and ownership.
| |
| |     Closes #111.
| |
| |     Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
| * configure.ac: add --enable-doc option [Fabrice Fontaine, 2020-01-27, 1 file, -0/+2]
| |     Allow the user to disable documentation through --disable-doc (enabled
| |     by default), this is especially useful when cross-compiling for
| |     embedded targets
| |
| |     Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
| * Fix remaining -Wcast-qual compilation warnings [Dmitry V. Levin, 2020-01-20, 1 file, -0/+3]
| |     Introduce a new internal header file with definitions of
| |     DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL macros,
| |     use them to temporarily silence -Wcast-qual compilation warnings
| |     in various modules.
| |
| |     * libpam/include/pam_cc_compat.h: New file.
| |     * libpam/Makefile.am (noinst_HEADERS): Add include/pam_cc_compat.h.
| |     * modules/pam_mkhomedir/pam_mkhomedir.c: Include "pam_cc_compat.h".
| |       (create_homedir): Wrap execve invocation in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
| |     * modules/pam_namespace/pam_namespace.c: Include "pam_cc_compat.h".
| |       (pam_sm_close_session): Wrap the cast that discards ‘const’ qualifier in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
| |     * modules/pam_tty_audit/pam_tty_audit.c: Include "pam_cc_compat.h".
| |       (nl_send): Wrap the cast that discards ‘const’ qualifier in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
| |     * modules/pam_unix/pam_unix_acct.c: Include "pam_cc_compat.h".
| |       (_unix_run_verify_binary): Wrap execve invocation in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
| |     * modules/pam_unix/pam_unix_passwd.c: Include "pam_cc_compat.h".
| |       (_unix_run_update_binary): Wrap execve invocation in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
| |     * modules/pam_unix/passverify.c: Include "pam_cc_compat.h".
| |       (unix_update_shadow): Wrap the cast that discards ‘const’ qualifier in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
| |     * modules/pam_unix/support.c: Include "pam_cc_compat.h".
| |       (_unix_run_helper_binary): Wrap execve invocation in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
| |     * modules/pam_xauth/pam_xauth.c: Include "pam_cc_compat.h".
| |       (run_coprocess): Wrap execv invocation in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
| * Fix miscellaneous const issues [Tomas Mraz, 2020-01-20, 1 file, -3/+3]
| |     * libpam/pam_modutil_searchkey.c: Avoid assigning empty string literal to non-const char *.
| |     * modules/pam_filter/pam_filter.c: Avoid using const char **.
| |     * modules/pam_mkhomedir/pam_mkhomedir.c: Properly cast out const for execve().
| |     * modules/pam_namespace/pam_namespace.c: Properly cast out const from pam data.
| |     * modules/pam_tally2/pam_tally2.c: String literal must be assigned to const char *.
| * Miscellaneous spelling fixes [Steve Langasek, 2020-01-15, 1 file, -1/+1]
| |
| * Do not use CFLAGS for warning flags set from configure [Tomas Mraz, 2019-12-18, 1 file, -1/+1]
| |     To be able to set CFLAGS from make command-line but not to lose the
| |     warning flags.
| |
| |     * configure.ac: Put warning flags to WARN_CFLAGS instead of CFLAGS.
| |     * */Makefile.am: Apply WARN_CFLAGS to AM_CFLAGS.
| * pam_namespace: Support for noexec, nosuid and nodev flags for tmpfs mounts [Tomas Mraz, 2019-11-04, 3 files, -5/+79]
| |     * modules/pam_namespace/namespace.conf.5.xml: Add documentation for the
| |       noexec, nosuid, and nodev flags support.
| |     * modules/pam_namespace/pam_namespace.c (filter_mntopts): New function to
| |       filter out the flags.
| |       (parse_method): Call the function.
| |       (ns_setup): Apply the flags to the tmpfs mount.
| |     * modules/pam_namespace/pam_namespace.h: Add mount_flags to polydir_s struct.
* | New upstream version 1.3.1 [Steve Langasek, 2019-02-12, 3 files, -9/+9]
|\|
| * Unification and cleanup of syslog log levels. [Tomas Mraz, 2016-06-30, 1 file, -5/+5]
| |     * libpam/pam_handlers.c: Make memory allocation failures LOG_CRIT.
| |     * libpam/pam_modutil_priv.c: Make memory allocation failures LOG_CRIT.
| |     * modules/pam_echo/pam_echo.c: Make memory allocation failures LOG_CRIT.
| |     * modules/pam_env/pam_env.c: Make memory allocation failures LOG_CRIT.
| |     * modules/pam_exec/pam_exec.c: Make memory allocation failures LOG_CRIT.
| |     * modules/pam_filter/pam_filter.c: Make all non-memory call errors LOG_ERR.
| |     * modules/pam_group/pam_group.c: Make memory allocation failures LOG_CRIT.
| |     * modules/pam_issue/pam_issue.c: Make memory allocation failures LOG_CRIT.
| |     * modules/pam_lastlog/pam_lastlog.c: The lastlog file creation is syslogged with LOG_NOTICE, memory allocation errors with LOG_CRIT, other errors with LOG_ERR.
| |     * modules/pam_limits/pam_limits.c: User login limit messages are syslogged with LOG_NOTICE, stale utmp entry with LOG_INFO, non-memory errors with LOG_ERR.
| |     * modules/pam_listfile/pam_listfile.c: Rejection of user is syslogged with LOG_NOTICE.
| |     * modules/pam_namespace/pam_namespace.c: Make memory allocation failures LOG_CRIT.
| |     * modules/pam_nologin/pam_nologin.c: Make memory allocation failures LOG_CRIT, other errors LOG_ERR.
| |     * modules/pam_securetty/pam_securetty.c: Rejection of access is syslogged with LOG_NOTICE, non-memory errors with LOG_ERR.
| |     * modules/pam_selinux/pam_selinux.c: Make memory allocation failures LOG_CRIT.
| |     * modules/pam_succeed_if/pam_succeed_if.c: Make all non-memory call errors LOG_ERR.
| |     * modules/pam_time/pam_time.c: Make memory allocation failures LOG_CRIT.
| |     * modules/pam_timestamp/pam_timestamp.c: Make memory allocation failures LOG_CRIT.
| |     * modules/pam_unix/pam_unix_acct.c: Make all non-memory call errors LOG_ERR.
| |     * modules/pam_unix/pam_unix_passwd.c: Make memory allocation failures LOG_CRIT, other errors LOG_ERR.
| |     * modules/pam_unix/pam_unix_sess.c: Make all non-memory call errors LOG_ERR.
| |     * modules/pam_unix/passverify.c: Unknown user is syslogged with LOG_NOTICE.
| |     * modules/pam_unix/support.c: Unknown user is syslogged with LOG_NOTICE and max retries ignorance by application likewise.
| |     * modules/pam_unix/unix_chkpwd.c: Make all non-memory call errors LOG_ERR.
| |     * modules/pam_userdb/pam_userdb.c: Password authentication error is syslogged with LOG_NOTICE.
| |     * modules/pam_xauth/pam_xauth.c: Make memory allocation failures LOG_CRIT.
* | New upstream version 1.3.0 [Steve Langasek, 2019-01-22, 6 files, -236/+593]
|\|
| * Remove "--enable-static-modules" option and support from [Thorsten Kukuk, 2016-03-29, 1 file, -17/+2]
| |     Linux-PAM. It was never officially supported and was broken since years.
| |
| |     * configure.ac: Remove --enable-static-modules option.
| |     * doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN.
| |     * doc/man/pam_sm_authenticate.3.xml: Likewise.
| |     * doc/man/pam_sm_chauthtok.3.xml: Likewise.
| |     * doc/man/pam_sm_close_session.3.xml: Likewise.
| |     * doc/man/pam_sm_open_session.3.xml: Likewise.
| |     * doc/man/pam_sm_setcred.3.xml: Likewise.
| |     * libpam/Makefile.am: Remove STATIC_MODULES cases.
| |     * libpam/include/security/pam_modules.h: Remove PAM_STATIC parts.
| |     * libpam/pam_dynamic.c: Likewise.
| |     * libpam/pam_handlers.c: Likewise.
| |     * libpam/pam_private.h: Likewise.
| |     * libpam/pam_static.c: Remove file.
| |     * libpam/pam_static_modules.h: Remove header file.
| |     * modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts.
| |     * modules/pam_cracklib/pam_cracklib.c: Likewise.
| |     * modules/pam_debug/pam_debug.c: Likewise.
| |     * modules/pam_deny/pam_deny.c: Likewise.
| |     * modules/pam_echo/pam_echo.c: Likewise.
| |     * modules/pam_env/pam_env.c: Likewise.
| |     * modules/pam_exec/pam_exec.c: Likewise.
| |     * modules/pam_faildelay/pam_faildelay.c: Likewise.
| |     * modules/pam_filter/pam_filter.c: Likewise.
| |     * modules/pam_ftp/pam_ftp.c: Likewise.
| |     * modules/pam_group/pam_group.c: Likewise.
| |     * modules/pam_issue/pam_issue.c: Likewise.
| |     * modules/pam_keyinit/pam_keyinit.c: Likewise.
| |     * modules/pam_lastlog/pam_lastlog.c: Likewise.
| |     * modules/pam_limits/pam_limits.c: Likewise.
| |     * modules/pam_listfile/pam_listfile.c: Likewise.
| |     * modules/pam_localuser/pam_localuser.c: Likewise.
| |     * modules/pam_loginuid/pam_loginuid.c: Likewise.
| |     * modules/pam_mail/pam_mail.c: Likewise.
| |     * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
| |     * modules/pam_motd/pam_motd.c: Likewise.
| |     * modules/pam_namespace/pam_namespace.c: Likewise.
| |     * modules/pam_nologin/pam_nologin.c: Likewise.
| |     * modules/pam_permit/pam_permit.c: Likewise.
| |     * modules/pam_pwhistory/pam_pwhistory.c: Likewise.
| |     * modules/pam_rhosts/pam_rhosts.c: Likewise.
| |     * modules/pam_rootok/pam_rootok.c: Likewise.
| |     * modules/pam_securetty/pam_securetty.c: Likewise.
| |     * modules/pam_selinux/pam_selinux.c: Likewise.
| |     * modules/pam_sepermit/pam_sepermit.c: Likewise.
| |     * modules/pam_shells/pam_shells.c: Likewise.
| |     * modules/pam_stress/pam_stress.c: Likewise.
| |     * modules/pam_succeed_if/pam_succeed_if.c: Likewise.
| |     * modules/pam_tally/pam_tally.c: Likewise.
| |     * modules/pam_tally2/pam_tally2.c: Likewise.
| |     * modules/pam_time/pam_time.c: Likewise.
| |     * modules/pam_timestamp/pam_timestamp.c: Likewise.
| |     * modules/pam_tty_audit/pam_tty_audit.c: Likewise.
| |     * modules/pam_umask/pam_umask.c: Likewise.
| |     * modules/pam_userdb/pam_userdb.c: Likewise.
| |     * modules/pam_warn/pam_warn.c: Likewise.
| |     * modules/pam_wheel/pam_wheel.c: Likewise.
| |     * modules/pam_xauth/pam_xauth.c: Likewise.
| |     * modules/pam_unix/Makefile.am: Remove STATIC_MODULES part.
| |     * modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part.
| |     * modules/pam_unix/pam_unix_auth.c: Likewise.
| |     * modules/pam_unix/pam_unix_passwd.c: Likewise.
| |     * modules/pam_unix/pam_unix_sess.c: Likewise.
| |     * modules/pam_unix/pam_unix_static.c: Removed.
| |     * modules/pam_unix/pam_unix_static.h: Removed.
| |     * po/POTFILES.in: Remove removed files.
| |     * tests/tst-dlopen.c: Remove PAM_STATIC part.
| * pam_namespace: don't use bashisms in default namespace.init script  Steve Langasek  2014-01-15  2  -1/+6
| |
| | * modules/pam_namespace/pam_namespace.c: call setuid() before execing the namespace init script, so that scripts run with maximum privilege regardless of the shell implementation.
| | * modules/pam_namespace/namespace.init: drop the '-p' bashism from the shebang line
| |
| | This is not a POSIX standard option, it's a bashism. The bash manpage says that it's used to prevent the effective user id from being reset to the real user id on startup, and to ignore certain unsafe variables from the environment.
| |
| | In the case of pam_namespace, the -p is not necessary for environment sanitizing because the PAM module (properly) sanitizes the environment before execing the script.
| |
| | The stated reason given in CVS history for passing -p is to "preserve euid when called from setuid apps (su, newrole)." This should be done more portably, by calling setuid() before spawning the shell.
| |
| | Signed-off-by: Steve Langasek <vorlon@debian.org>
| | Bug-Debian: http://bugs.debian.org/624842
| | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323
* | New upstream version 1.1.8  Steve Langasek  2019-01-03  12  -784/+606
|\|
| * Fix strict aliasing issue in MD5 implementations.  Tomas Mraz  2013-03-28  1  -2/+1
| |
| | modules/pam_namespace/md5.c (MD5Final): Use memcpy instead of assignment.
| | modules/pam_unix/md5.c (MD5Final): Use memcpy instead of assignment.
| * pam_namespace: add mntopts flag for tmpfs mount options  Tomas Mraz  2012-10-10  3  -3/+28
| |
| | modules/pam_namespace/pam_namespace.h: Add mount_opts member to polydir structure.
| | modules/pam_namespace/pam_namespace.c (del_polydir): Free the mount_opts.
| | (parse_method): Parse the mntopts flag.
| | (ns_setup): Pass the mount_opts to mount().
| | modules/pam_namespace/namespace.conf.5.xml: Document the mntopts flag.
| * Add missing $(DESTDIR) when making directories on install.  Tomas Mraz  2012-08-17  1  -1/+1
| |
| | modules/pam_namespace/Makefile.am: Add missing $(DESTDIR) when making $(namespaceddir) on install.
| | modules/pam_sepermit/Makefile.am: Add missing $(DESTDIR) when making $(sepermitlockdir) on install.