| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
This adds the UID of the target user to the session open log.
Also fixing tabulation in pam_unix_sess.c.
|
| |
|
|
|
| |
* modules/pam_unix/pam_unix_passwd.c: Change MAX_PASS to MAXPASS.
* modules/pam_unix/support.c: Likewise.
|
| | |
|
| |
|
|
|
|
|
| |
Issue #118: Protect against Denial of Service attacks.
To prevent hashsum generation via crypt of very long passwords the
password is now stripped to 512 characters. This is equivalent behavior
to unix_chkpwd.
|
| |
|
|
|
|
|
|
|
|
|
| |
* libpam/pam_modutil_searchkey.c: New source file with pam_modutil_search_key().
* libpam/Makefile.am: Add the pam_modutil_searchkey.c.
* libpam/include/security/pam_modutil.h: Add the pam_modutil_search_key() prototype.
* libpam/libpam.map: Add the pam_modutil_search_key() into a new version.
* modules/pam_faildelay/pam_faildelay.c: Drop search_key() and use
pam_modutil_search_key().
* modules/pam_umask/pam_umask.c: Likewise.
* modules/pam_unix/support.c: Likewise.
|
| |
|
|
|
|
|
|
| |
* modules/pam_unix/passverify.c (verify_pwd_hash): Add pamh argument via
PAMH_ARG_DECL. Call pam_syslog() instead of helper_log_err().
* modules/pam_unix/passverify.h: Adjust the declaration of verify_pwd_hash().
* modules/pam_unix/support.c (_unix_verify_password): Add the pamh argument
to verify_pwd_hash() call.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libxcrypt can be build-time configured to support (or not support)
various hashing methods. Future versions will also have support for
runtime configuration by the system's vendor and/or administrator.
For that reason adminstrator should be notified by pam if users cannot
log into their account anymore because of such a change in the system's
configuration of libxcrypt.
Also check for malformed hashes, like descrypt hashes starting with
"$2...", which might have been generated by unsafe base64 encoding
functions as used in glibc <= 2.16.
Such hashes are likely to be rejected by many recent implementations
of libcrypt.
* modules/pam_unix/passverify.c (verify_pwd_hash): Report unusable
hashes found by checksalt to syslog.
|
| |
|
|
| |
This reverts commit ad435b386b22b456724dc5c5b8d9f2d1beffc558.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
libxcrypt since v4.4.0 supports a default method for its
gensalt function on most system configurations. As the
default method is to be considered the strongest available
hash method, it should be preferred over all other hash
methods supported by pam.
* modules/pam_unix/pam_unix.8.xml: Documentation for crypt_default.
* modules/pam_unix/passverify.c: Add crypt_default method.
* modules/pam_unix/support.h: Likewise.
|
| |
|
|
|
|
|
|
|
| |
pam_unix: Do not return a hard failure on invalid or disabled salt
as in some cases the failure actually is not interesting and can
broke things such as password-less sudo.
* modules/pam_unix/passverify.c (check_shadow_expiry): Revert checking
of disabled or invalid salt.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libxcrypt (v4.2 and later) has added support for the yescrypt
hashing method; gost-yescrypt has been added in v4.3.
* modules/pam_unix/pam_unix.8.xml: Documentation for (gost-)yescrypt.
* modules/pam_unix/pam_unix_acct.c: Use 64 bit type for control flags.
* modules/pam_unix/pam_unix_auth.c: Likewise.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/pam_unix_sess.c: Likewise.
* modules/pam_unix/passverify.c: Add support for (gost-)yescrypt.
* modules/pam_unix/passverify.h: Use 64 bit type for control flags.
* modules/pam_unix/support.c: Set sane rounds for (gost-)yescrypt.
* modules/pam_unix/support.h: Add support for (gost-)yescrypt.
|
| |
|
|
|
|
|
|
| |
This has been overlooked during review of commit dce80b3f11b3.
* modules/pam_unix/support.c (_set_ctrl): Fix closing curly brace.
Closes: https://github.com/linux-pam/linux-pam/issues/77
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libxcrypt v4.3 has added the crypt_checksalt function to whether
the prefix at the begining of a given hash string refers to a
supported hashing method.
Future revisions of this function will add support to check whether
the hashing method, the prefix refers to, was disabled or considered
deprecated by the system's factory presets or system administrator.
Furthermore it will be able to detect whether the parameters, which
are used by the corresponding hashing method, being encoded in the
hash string are not considered to be strong enough anymore.
*modules/pam_unix/passverify.c: Add support for crypt_checksalt.
|
| |
|
|
|
|
| |
* modules/pam_unix/pam_unix_passwd.c: Initialize rounds parameter to 0.
* modules/pam_unix/passverify.c: Prefer gensalt with auto entropy.
* modules/pam_unix/support.c: Fix sanitizing of rounds parameter.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bcrypt hashes used the "$2a$" prefix since 1997.
However, in 2011 an implementation bug was discovered in bcrypt
affecting the handling of characters in passphrases with the 8th
bit set.
Besides fixing the bug, OpenBSD 5.5 introduced the "$2b$" prefix
for a behavior that exactly matches crypt_blowfish's "$2y$", and
the crypt_blowfish implementation supports it as well since v1.1.
That said new computed bcrypt hashes should use the "$2b$" prefix.
* modules/pam_unix/passverify.c: Use bcrypt b-variant.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Turn into proper sentences those messages that are printed without
further modifications using pam_prompt in contexts where proper
sentences are expected.
* libpam/pam_get_authtok.c (pam_get_authtok_internal): Fix grammar
of the message passed to pam_error.
* modules/pam_limits/pam_limits.c (pam_sm_open_session): Likewise.
* modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Fix
grammar of error messages passed to pam_error.
* modules/pam_mail/pam_mail.c (report_mail): Fix grammar of a message
passed to pam_info.
* modules/pam_timestamp/pam_timestamp.c (verbose_success): Likewise.
* modules/pam_selinux/pam_selinux.c (config_context, send_text): Fix
grammar of messages passed to pam_prompt.
* modules/pam_tally/pam_tally.c (tally_check): Fix grammar of messages
passed to pam_info.
* modules/pam_tally2/pam_tally2.c (tally_check): Likewise.
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Fix grammar
of messages passed to _make_remark.
* modules/pam_unix/pam_unix_passwd.c (_pam_unix_approve_pass,
pam_sm_chauthtok): Likewise.
* po/Linux-PAM.pot: Regenerate.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
_UNIX_NEW_AUTHTOK macros
The last use of these macros was removed by commit Linux-PAM-1.3.0~5
so their definitions should go as well.
* modules/pam_unix/pam_unix_auth.c (_UNIX_AUTHTOK): Remove.
* modules/pam_unix/pam_unix_passwd.c (_UNIX_OLD_AUTHTOK,
_UNIX_NEW_AUTHTOK): Likewise.
Complements: 7e09188c5dc4 ("pam_unix: Use pam_get_authtok() instead of
direct pam_prompt() calls.")
|
| |
|
|
|
|
|
|
|
|
| |
The function was removed by commit Linux-PAM-1.3.0~5
so the function prototype should go as well.
* modules/pam_unix/support.h (_unix_read_password): Remove.
Complements: 7e09188c5dc4 ("pam_unix: Use pam_get_authtok() instead of
direct pam_prompt() calls.")
|
| |
|
|
|
|
|
|
| |
Check the return value of malloc and if it failed print debug info, send
a syslog message and return an error code.
The test in AUTH_RETURN for ret_data not being NULL becomes redundant.
Signed-off-by: Peter Urbanec <git.user@urbanec.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* libpam/pam_handlers.c: Make memory allocation failures LOG_CRIT.
* libpam/pam_modutil_priv.c: Make memory allocation failures LOG_CRIT.
* modules/pam_echo/pam_echo.c: Make memory allocation failures LOG_CRIT.
* modules/pam_env/pam_env.c: Make memory allocation failures LOG_CRIT.
* modules/pam_exec/pam_exec.c: Make memory allocation failures LOG_CRIT.
* modules/pam_filter/pam_filter.c: Make all non-memory call errors LOG_ERR.
* modules/pam_group/pam_group.c: Make memory allocation failures LOG_CRIT.
* modules/pam_issue/pam_issue.c: Make memory allocation failures LOG_CRIT.
* modules/pam_lastlog/pam_lastlog.c: The lastlog file creation is syslogged
with LOG_NOTICE, memory allocation errors with LOG_CRIT, other errors
with LOG_ERR.
* modules/pam_limits/pam_limits.c: User login limit messages are syslogged
with LOG_NOTICE, stale utmp entry with LOG_INFO, non-memory errors with
LOG_ERR.
* modules/pam_listfile/pam_listfile.c: Rejection of user is syslogged
with LOG_NOTICE.
* modules/pam_namespace/pam_namespace.c: Make memory allocation failures
LOG_CRIT.
* modules/pam_nologin/pam_nologin.c: Make memory allocation failures
LOG_CRIT, other errors LOG_ERR.
* modules/pam_securetty/pam_securetty.c: Rejection of access is syslogged
with LOG_NOTICE, non-memory errors with LOG_ERR.
* modules/pam_selinux/pam_selinux.c: Make memory allocation failures LOG_CRIT.
* modules/pam_succeed_if/pam_succeed_if.c: Make all non-memory call errors
LOG_ERR.
* modules/pam_time/pam_time.c: Make memory allocation failures LOG_CRIT.
* modules/pam_timestamp/pam_timestamp.c: Make memory allocation failures
LOG_CRIT.
* modules/pam_unix/pam_unix_acct.c: Make all non-memory call errors LOG_ERR.
* modules/pam_unix/pam_unix_passwd.c: Make memory allocation failures LOG_CRIT,
other errors LOG_ERR.
* modules/pam_unix/pam_unix_sess.c: Make all non-memory call errors LOG_ERR.
* modules/pam_unix/passverify.c: Unknown user is syslogged with LOG_NOTICE.
* modules/pam_unix/support.c: Unknown user is syslogged with LOG_NOTICE and
max retries ignorance by application likewise.
* modules/pam_unix/unix_chkpwd.c: Make all non-memory call errors LOG_ERR.
* modules/pam_userdb/pam_userdb.c: Password authentication error is syslogged
with LOG_NOTICE.
* modules/pam_xauth/pam_xauth.c: Make memory allocation failures LOG_CRIT.
|
| |
|
|
|
| |
modules/pam_unix/pam_unix.8.xml: Document that the MD5 password hash is used
to store the old passwords when remember option is set.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have to drop support for not_set_pass option which is not much useful
anyway. Instead we get proper support for authtok_type option.
* modules/pam_unix/pam_unix.8.xml: Removed not_set_pass option, added authtok_ty
pe
option.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace _unix_read_pas
sword()
call with equivalent pam_get_authtok() call.
* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise and also drop
support for not_set_pass.
* modules/pam_unix/support.c (_unix_read_password): Remove.
* modules/pam_unix/support.h: Remove UNIX_NOT_SET_PASS add UNIX_AUTHTOK_TYPE.
|
| |
|
|
|
| |
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Make password
expiration messages more user-friendly.
|
| |
|
|
|
|
|
|
| |
The old SunRPC functions don't work with IPv6.
* configure.ac: Set and restore CPPFLAGS
* modules/pam_unix/pam_unix_passwd.c: Replace getrpcport with
rpcb_getaddr if available.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Linux-PAM. It was never official supported and was broken since years.
* configure.ac: Remove --enable-static-modules option.
* doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN.
* doc/man/pam_sm_authenticate.3.xml: Likewise.
* doc/man/pam_sm_chauthtok.3.xml: Likewise.
* doc/man/pam_sm_close_session.3.xml: Likewise.
* doc/man/pam_sm_open_session.3.xml: Likewise.
* doc/man/pam_sm_setcred.3.xml: Likewise.
* libpam/Makefile.am: Remove STATIC_MODULES cases.
* libpam/include/security/pam_modules.h: Remove PAM_STATIC parts.
* libpam/pam_dynamic.c: Likewise.
* libpam/pam_handlers.c: Likewise.
* libpam/pam_private.h: Likewise.
* libpam/pam_static.c: Remove file.
* libpam/pam_static_modules.h: Remove header file.
* modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts.
* modules/pam_cracklib/pam_cracklib.c: Likewise.
* modules/pam_debug/pam_debug.c: Likewise.
* modules/pam_deny/pam_deny.c: Likewise.
* modules/pam_echo/pam_echo.c: Likewise.
* modules/pam_env/pam_env.c: Likewise.
* modules/pam_exec/pam_exec.c: Likewise.
* modules/pam_faildelay/pam_faildelay.c: Likewise.
* modules/pam_filter/pam_filter.c: Likewise.
* modules/pam_ftp/pam_ftp.c: Likewise.
* modules/pam_group/pam_group.c: Likewise.
* modules/pam_issue/pam_issue.c: Likewise.
* modules/pam_keyinit/pam_keyinit.c: Likewise.
* modules/pam_lastlog/pam_lastlog.c: Likewise.
* modules/pam_limits/pam_limits.c: Likewise.
* modules/pam_listfile/pam_listfile.c: Likewise.
* modules/pam_localuser/pam_localuser.c: Likewise.
* modules/pam_loginuid/pam_loginuid.c: Likewise.
* modules/pam_mail/pam_mail.c: Likewise.
* modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
* modules/pam_motd/pam_motd.c: Likewise.
* modules/pam_namespace/pam_namespace.c: Likewise.
* modules/pam_nologin/pam_nologin.c: Likewise.
* modules/pam_permit/pam_permit.c: Likewise.
* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
* modules/pam_rhosts/pam_rhosts.c: Likewise.
* modules/pam_rootok/pam_rootok.c: Likewise.
* modules/pam_securetty/pam_securetty.c: Likewise.
* modules/pam_selinux/pam_selinux.c: Likewise.
* modules/pam_sepermit/pam_sepermit.c: Likewise.
* modules/pam_shells/pam_shells.c: Likewise.
* modules/pam_stress/pam_stress.c: Likewise.
* modules/pam_succeed_if/pam_succeed_if.c: Likewise.
* modules/pam_tally/pam_tally.c: Likewise.
* modules/pam_tally2/pam_tally2.c: Likewise.
* modules/pam_time/pam_time.c: Likewise.
* modules/pam_timestamp/pam_timestamp.c: Likewise.
* modules/pam_tty_audit/pam_tty_audit.c: Likewise.
* modules/pam_umask/pam_umask.c: Likewise.
* modules/pam_userdb/pam_userdb.c: Likewise.
* modules/pam_warn/pam_warn.c: Likewise.
* modules/pam_wheel/pam_wheel.c: Likewise.
* modules/pam_xauth/pam_xauth.c: Likewise.
* modules/pam_unix/Makefile.am: Remove STATIC_MODULES part.
* modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part.
* modules/pam_unix/pam_unix_auth.c: Likewise.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/pam_unix_sess.c: Likewise.
* modules/pam_unix/pam_unix_static.c: Removed.
* modules/pam_unix/pam_unix_static.h: Removed.
* po/POTFILES.in: Remove removed files.
* tests/tst-dlopen.c: Remove PAM_STATIC part.
|
| |
|
|
|
|
|
| |
new libnsl.
* configure.ac: fix setting of CFLAGS/LIBS, enhance libnsl check
* modules/pam_unix/Makefile.am: replace NIS_* with TIRPC_* and NSL_*
|
| |
|
|
|
|
|
|
|
| |
Fixes a minor bug in behavior when is_selinux_enabled()
returned negative value.
* modules/pam_unix/passverify.c: Add parentheses to SELINUX_ENABLED macro.
(unix_update_shadow): Safe cast forwho to non-const char *.
* modules/pam_unix/support.c: Remove unused SELINUX_ENABLED macro.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_unix/pam_unix.8.xml: Document the no_pass_expiry option.
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): If no_pass_expiry
is on and return value data is not set to PAM_SUCCESS then ignore
PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED returns.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Always set the
return value data.
(pam_sm_setcred): Test for likeauth option and use the return value data
only if set.
* modules/pam_unix/support.h: Add the no_pass_expiry option.
|
| |
|
|
|
| |
* modules/pam_unix/passverify.c (create_password_hash): Change the
salt length for new hashes to 16 characters.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Security fix: CVE-2015-3238
If the process executing pam_sm_authenticate or pam_sm_chauthtok method
of pam_unix is not privileged enough to check the password, e.g.
if selinux is enabled, the _unix_run_helper_binary function is called.
When a long enough password is supplied (16 pages or more, i.e. 65536+
bytes on a system with 4K pages), this helper function hangs
indefinitely, blocked in the write(2) call while writing to a blocking
pipe that has a limited capacity.
With this fix, the verifiable password length will be limited to
PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
* NEWS: Update
* configure.ac: Bump version
* modules/pam_exec/pam_exec.8.xml: document limitation of password length
* modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE
* modules/pam_unix/pam_unix.8.xml: document limitation of password length
* modules/pam_unix/pam_unix_passwd.c: limit password length
* modules/pam_unix/passverify.c: Likewise
* modules/pam_unix/passverify.h: Likewise
* modules/pam_unix/support.c: Likewise
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Patch by Louis Sautier
* doc/adg/Linux-PAM_ADG.xml: Fix gramatical errors.
* doc/man/pam.3.xml: Likewise.
* doc/man/pam_acct_mgmt.3.xml: Likewise.
* doc/man/pam_chauthtok.3.xml: Likewise.
* doc/man/pam_sm_chauthtok.3.xml: Likewise.
* modules/pam_limits/limits.conf.5.xml: Likewise.
* modules/pam_mail/pam_mail.8.xml: Likewise.
* modules/pam_rhosts/pam_rhosts.c: Likewise.
* modules/pam_shells/pam_shells.8.xml: Likewise.
* modules/pam_tally/pam_tally.8.xml: Likewise.
* modules/pam_tally2/pam_tally2.8.xml: Likewise.
* modules/pam_unix/pam_unix.8.xml: Likewise.
|
| |
|
|
|
|
|
|
|
| |
messages from session.
* modules/pam_unix/pam_unix.8.xml: Document new option.
* modules/pam_unix/support.h: Add quiet option.
* modules/pam_unix/pam_unix_sess.c: Don't print LOG_INFO messages if
'quiet' option is set.
|
| |
|
|
|
|
|
| |
* modules/pam_unix/passverify.c (create_password_hash): Call crypt_r()
instead of crypt() if available.
* modules/pam_userdb/pam_userdb.c (user_lookup): Call crypt_r()
instead of crypt() if available.
|
| |
|
|
|
|
|
| |
* modules/pam_pwhistory/opasswd.c (parse_entry): Test for missing fields
in opasswd entry and return error.
* modules/pam_unix/passverify.c (save_old_password): Test for missing fields
in opasswd entry and skip it.
|
| |
|
|
|
| |
modules/pam_unix/pam_unix_passwd.c (check_old_password): Check for
NULL return from Goodcrypt_md5().
|
| |
|
|
| |
* modules/pam_unix/md5_crypt.c (crypt_md5): Check for NULL return from malloc().
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change introduces pam_modutil_sanitize_helper_fds - a new function
that redirects standard descriptors and closes all other descriptors.
pam_modutil_sanitize_helper_fds supports three types of input and output
redirection:
- PAM_MODUTIL_IGNORE_FD: do not redirect at all.
- PAM_MODUTIL_PIPE_FD: redirect to a pipe. For stdin, it is implemented
by creating a pipe, closing its write end, and redirecting stdin to
its read end. Likewise, for stdout/stderr it is implemented by
creating a pipe, closing its read end, and redirecting to its write
end. Unlike stdin redirection, stdout/stderr redirection to a pipe
has a side effect that a process writing to such descriptor should be
prepared to handle SIGPIPE appropriately.
- PAM_MODUTIL_NULL_FD: redirect to /dev/null. For stdin, it is
implemented via PAM_MODUTIL_PIPE_FD because there is no functional
difference. For stdout/stderr, it is classic redirection to
/dev/null.
PAM_MODUTIL_PIPE_FD is usually more suitable due to linux kernel
security restrictions, but when the helper process might be writing to
the corresponding descriptor and termination of the helper process by
SIGPIPE is not desirable, one should choose PAM_MODUTIL_NULL_FD.
* libpam/pam_modutil_sanitize.c: New file.
* libpam/Makefile.am (libpam_la_SOURCES): Add it.
* libpam/include/security/pam_modutil.h (pam_modutil_redirect_fd,
pam_modutil_sanitize_helper_fds): New declarations.
* libpam/libpam.map (LIBPAM_MODUTIL_1.1.9): New interface.
* modules/pam_exec/pam_exec.c (call_exec): Use
pam_modutil_sanitize_helper_fds.
* modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Likewise.
* modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise.
* modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary):
Likewise.
* modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
* modules/pam_xauth/pam_xauth.c (run_coprocess): Likewise.
* modules/pam_unix/support.h (MAX_FD_NO): Remove.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is no need to copy strings passed as arguments to execve,
the only potentially noticeable effect of using strdup/x_strdup
would be a malformed argument list in case of memory allocation error.
Also, x_strdup, being a thin wrapper around strdup, is of no benefit
when its argument is known to be non-NULL, and should not be used in
such cases.
* modules/pam_cracklib/pam_cracklib.c (password_check): Use strdup
instead of x_strdup, the latter is of no benefit in this case.
* modules/pam_ftp/pam_ftp.c (lookup): Likewise.
* modules/pam_userdb/pam_userdb.c (user_lookup): Likewise.
* modules/pam_userdb/pam_userdb.h (x_strdup): Remove.
* modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Do not use
x_strdup for strings passed as arguments to execve.
* modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise.
* modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary): Likewise.
* modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
(_unix_verify_password): Use strdup instead of x_strdup, the latter
is of no benefit in this case.
* modules/pam_xauth/pam_xauth.c (run_coprocess): Do not use strdup for
strings passed as arguments to execv.
|
| |
|
|
|
| |
* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): ask
for old password if NIS account.
|
| |
|
|
| |
* modules/pam_unix/support.h: Add UNIX_DES
|
| |
|
|
|
| |
* modules/pam_unix/pam_unix_acct.c: Check setuid return value.
* modules/pam_unix/support.c: Likewise.
|
| |
|
|
| |
modules/pam_unix/support.c(_set_ctrl): Write to *rounds only if non-NULL.
|
| |
|
|
| |
modules/pam_unix/pam_unix_passwd.c: Add missing ')'..
|
| |
|
|
| |
* modules/pam_unix/pam_unix_acct.c: fix last change
|
| |
|
|
|
|
| |
* modules/pam_unix/pam_unix_acct.c: run waitpid in a while loop.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/support.c: Likewise.
|
| |
|
|
|
| |
modules/pam_unix/unix_update.8.xml: unix_update helper runs in the
permissive mode as well.
|
| |
|
|
|
|
|
|
|
| |
other one is specified as argument.
* modules/pam_unix/support.c: Add search_key, call from __set_ctrl
* modules/pam_unix/support.h: Add define for /etc/login.defs
* modules/pam_unix/pam_unix.8.xml: Document new behavior.
* modules/pam_umask/pam_umask.c: Add missing NULL pointer check
|
| |
|
|
|
| |
modules/pam_namespace/md5.c (MD5Final): Use memcpy instead of assignment.
modules/pam_unix/md5.c (MD5Final): Use memcpy instead of assignment.
|
| |
|
|
|
| |
modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return.
modules/pam_unix/bigcrypt.c (bigcrypt): Likewise.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
glibc's <sys/wait.h> starting with commit
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=glibc-2.15-231-gd94a467
does not include <sys/resource.h> for POSIX 2008 conformance reasons, so
when pam is being built with SELinux support enabled, pam_unix_passwd.c
uses getrlimit(2) and therefore should include <sys/resource.h> without
relying on other headers.
* modules/pam_unix/pam_unix_passwd.c: Include <sys/resource.h>.
Reported-by: Guido Trentalancia <guido@trentalancia.com>
Reported-by: "Jory A. Pratt" <anarchy@gentoo.org>
Reported-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>
|
