aboutsummaryrefslogtreecommitdiff
path: root/modules/pam_unix
Commit message (Collapse)AuthorAgeFilesLines
* pam_unix: avoid integer truncation in debug outputBenny Baumann2023-11-141-1/+1
| | | | | | | | When printing the current day and when the password was last changed, a truncation of the value could happen due to incorrect data types used in the format string. Signed-off-by: Benny Baumann <BenBE@geshi.org>
* pam_unix: avoid printing NULL valuesBenny Baumann2023-11-141-1/+1
| | | | | | | The value of pp can potentially be NULL. This handles this case when printing debug output. Signed-off-by: Benny Baumann <BenBE@geshi.org>
* pam_unix: only output length check message on failureBenny Baumann2023-11-141-2/+3
| | | | | | | | | | The debug message was placed outside the password length check and thus if the length check succeeded no message would have been placed. Comparing this location with other occurrences indicates this was by mistake, thus the message is now suppressed if there's nothing to print anyway. Signed-off-by: Benny Baumann <BenBE@geshi.org>
* treewide: do not cast calloc/malloc/reallocTobias Stoeckmann2023-11-121-1/+1
| | | | | | | It is not required to cast the results of calloc, malloc, realloc, etc. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* modules: cast to unsigned char for character handling functionChristian Göttsche2023-08-071-1/+1
| | | | | | | | Character handling functions, like isspace(3), expect a value representable as unsigned char or equal to EOF. Otherwise the behavior is undefined. See https://wiki.sei.cmu.edu/confluence/display/c/STR37-C.+Arguments+to+character-handling+functions+must+be+representable+as+an+unsigned+char
* pam_unix: improve fallback values for "rounds" for yescrypt and blowfishJulian Kranz2023-07-171-4/+8
| | | | | | | | This change improves the fallback values for the "rounds" parameter for yescrypt and blowfish by using the smallest reasonable value if the user sets a too low value and by using the highest reasonable value if the user sets a too high value. This better realizes user intent and is consistent with the approach taken for SHA256.
* configure: Disable NIS if header files are missingThorsten Kukuk2023-04-062-9/+3
| | | | | | configure.ac: Disable NIS if RPC or YP header files are missing modules/pam_unix/support.c: Use HAVE_NIS to check for header file presence modules/pam_unix/pam_unix_passwd.c: Use HAVE_NIS, too
* modules: make use of secure memory erasureChristian Göttsche2023-02-289-26/+38
| | | | | | | | | | | | | | | | | | | | | | | | | | Use empty initialization of structs to minimize the memset() usage, to reduce the amount of calls which are not sensitive. Non trivial changes: - pam_env: * erase environment variables where possible - pam_exec: * erase responce on error * erase auth token - pam_pwhistory: * erase buffers containing old passwords - pam_selinux: skip overwriting data structure consisting of only pointers to insensitive data, which also gets free'd afterwards (so it currently does not protect against double-free or use-after-free on the member pointers) - pam_unix: erase cipher data in more places - pam_userdb: erase password hashes
* build: use <vendordir>/security directory for installation if it has been setStefan Schubert2023-02-071-0/+4
| | | | | | | | | Otherwise the corresponding files are still installed in /etc/security. * configure.ac (AC_SUBST): Add VENDOR_SCONFIGDIR. (AM_CONDITIONAL): Add HAVE_VENDORDIR. * modules/*/Makefile.am (secureconfdir): Set to VENDOR_SCONFIGDIR if HAVE_VENDORDIR has been set, otherwise to SCONFIGDIR.
* pam_unix: don't link against yppasswd_xdr if NIS is disabledThorsten Kukuk2023-01-312-6/+5
| | | | | | | | | * configure.ac: Define HAVE_NIS if NIS is enabled. * modules/pam_unix/Makefile.am: Don't link against yppasswd_xdr.c if NIS is disabled. * modules/pam_unix/pam_unix_passwd.c: Don't redefine HAVE_NIS. Resolves: https://github.com/linux-pam/linux-pam/issues/523
* Enable undef warningChristian Göttsche2023-01-301-4/+4
| | | | | | * modules/pam_unix/pam_unix_passwd.c: Wrap checks for configure macros into defined() operator. * m4/warn_lang_flags.m4 (gl_WARN_ADD): Add -Wundef.
* pam_unix: regenerate yppasswd.h/yppasswd_xdr.c (#480)Thorsten Kukuk2023-01-242-61/+72
| | | | | | | Regenerate yppasswd.h and yppasswd_xdr.c from yppasswd.x (libnsl) to avoid GPL code in a PAM module. Link: https://github.com/thkukuk/libnsl/blob/master/src/rpcsvc/yppasswd.x
* pam_unix: silence compiler warning in md5.cDmitry V. Levin2023-01-191-13/+12
| | | | | | | | | | | | | | | | | | | | | | | | | clang-14 insists on issuing the following warning: In file included from md5_good.c:4: md5.c:92:15: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch] byteReverse(ctx->in.c, 16); ^ md5.c:101:15: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch] byteReverse(ctx->in.c, 16); ^ md5.c:136:15: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch] byteReverse(ctx->in.c, 16); ^ md5.c:145:14: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch] byteReverse(ctx->in.c, 14); ^ md5.c:151:14: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch] byteReverse(ctx->buf.c, 4); ^ * modules/pam_unix/md5.c (byteReverse): Use uint32 instead of uint8_aligned, update all users. (uint8_aligned): Remove unused type.
* doc: Update PAM documentation from DockBook 4 to DocBook 5Stefan Schubert2022-12-164-95/+72
| | | | | | | | | | | | | | | | | | | | Changed files -------------- Make.xml.rules.in: - Using RNG file instead of DTD file for checking XML files. - Taking the correct stylesheet for README files. doc/sag/Makefile.am, doc/adg/Makefile.am, doc/mwg/Makefile.am: - Using RNG file instead of DTD file for checking XML files. configure.ac: - Adding a new option for selecting RNG check file (-enable-docbook-rng) - Switching stylesheets to docbook 5 - Checking DocBook 5 environment instead of DocBook 4 environment *.xml: Update from DockBook 4 to DocBook 5
* modules: use SCONFIGDIR macroDmitry V. Levin2022-01-232-2/+2
| | | | | | | | | | | | | | | | | Use SCONFIGDIR macro instead of open-coding "/etc/security", the latter is not correct when configured using --enable-sconfigdir with an argument different from /etc/security. * modules/pam_faillock/faillock.h (FAILLOCK_DEFAULT_CONF): Use SCONFIGDIR. * modules/pam_namespace/pam_namespace.h (SECURECONF_DIR): Remove. (PAM_NAMESPACE_CONFIG, NAMESPACE_INIT_SCRIPT, NAMESPACE_D_DIR, NAMESPACE_D_GLOB): Use SCONFIGDIR. * modules/pam_namespace/Makefile.am (AM_CFLAGS): Remove -DSECURECONF_DIR. * modules/pam_pwhistory/opasswd.c (OLD_PASSWORDS_FILE): Use SCONFIGDIR. * modules/pam_unix/passverify.h: Likewise. * modules/pam_unix/passverify.c (OPW_TMPFILE): Use SCONFIGDIR.
* Fix a typo found using codespell toolDmitry V. Levin2021-09-031-3/+3
| | | | | | | * modules/pam_pwhistory/pam_pwhistory.c: Replace "crypted password" with "hashed password" in comment. * modules/pam_unix/passverify.c (create_password_hash): Rename "crypted" local variable to "hashed".
* pam_unix: workaround the problem caused by libnss_systemdDmitry V. Levin2021-08-191-2/+1
| | | | | | | | | | | | | | | | | | | The getspnam(3) manual page says that errno shall be set to EACCES when the caller does not have permission to access the shadow password file. Unfortunately, this contract is broken when libnss_systemd is used in the nss stack. Workaround this problem by falling back to the helper invocation when pam_modutil_getspnam returns NULL regardless of errno. As pam_unix already behaves this way when selinux is enabled, it should be OK for the case when selinux is not enabled, too. * modules/pam_unix/passverify.c (get_account_info): When pam_modutil_getspnam returns NULL, unconditionally fall back to the helper invocation. Complements: f220cace2053 ("Permit unix_chkpwd & pam_unix.so to run without being setuid-root") Resolves: https://github.com/linux-pam/linux-pam/issues/379
* Permit unix_chkpwd & pam_unix.so to run without being setuid-root.Andrew G. Morgan2021-06-291-4/+8
| | | | | | | | | | | | | | | | | | | | | Remove the hard-coding of the idea that the only way pam_unix.so can read the shadow file is if it can, in some way, run setuid-root. Linux capabilities only require cap_dac_override to read the /etc/shadow file. This change achieves two things: it opens a path for a linux-pam application to run without being setuid-root; further, it allows unix_chkpwd to run non-setuid-root if it is installed: sudo setcap cap_dac_override=ep unix_chkpwd If we wanted to link against libcap, we could install this binary with cap_dac_override=p, and use cap_set_proc() to raise the effective bit at runtime. However, some distributions already link unix_chkpwd against libcap-ng for some, likely spurious, reason so "ep" is fine for now. Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
* Remove support for legacy xcryptBjörn Esser2021-06-142-22/+6
| | | | | | | | | | | | | | | | Since many distributions are shipping a version of libxcrypt >= 4.0.0 as a replacement for glibc's libcrypt now, older versions of xcrypt, which could be installed in parallel, are not relevant anymore. * configure.ac (AC_CHECK_HEADERS): Remove xcrypt.h. (AC_SEARCH_LIBS): Remove xcrypt. (AC_CHECK_FUNCS): Remove crypt_gensalt_r. (AC_DEFINE): Remove HAVE_LIBXCRYPT. * modules/pam_pwhistory/opasswd.c [HAVE_LIBXCRYPT]: Remove. * modules/pam_unix/bigcrypt.c [HAVE_LIBXCRYPT]: Likewise. * modules/pam_userdb/pam_userdb.c [HAVE_LIBXCRYPT]: Likewise. * modules/pam_unix/passverify.c [HAVE_LIBXCRYPT]: Likewise. (create_password_hash) [HAVE_LIBXCRYPT]: Likewise.
* pam_unix: do not use crypt_checksalt when checking for password expirationDmitry V. Levin2021-06-101-6/+0
| | | | | | | | | | | | | | According to Zack Weinberg, the intended meaning of CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing method", it is not supposed to mean "force a password change on next login for any user with an existing stored hash using this method". This reverts commit 4da9febc39b955892a30686e8396785b96bb8ba5. * modules/pam_unix/passverify.c (check_shadow_expiry) [CRYPT_CHECKSALT_AVAILABLE]: Remove. Closes: https://github.com/linux-pam/linux-pam/issues/367
* pam_unix: fix memory leak on error pathThomas M. DuBuisson2020-11-241-0/+6
| | | | | * modules/pam_unix/bigcrypt.c (bigcrypt) [HAVE_CRYPT_R]: Do not leak cdata if crypt_r() fails.
* Second blank check with root for non-existent users must never return 1Tomas Mraz2020-11-201-26/+13
| | | | | | | | | | | | | | | The commit af0faf66 ("pam_unix: avoid determining if user exists") introduced a regression where the blank check could return 1 if root had an empty password hash because in the second case the password hash of root was used. We now always return 0 in this case. The issue was found by Johannes Löthberg. Fixes #284 * modules/pam_unix/support.c (_unix_blankpasswd): Make the loop to cover the complete blank check so both existing and non existing cases are identical except for the possible return value.
* Remove deprecated pam_cracklib moduleDmitry V. Levin2020-10-291-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * ci/install-dependencies.sh: Remove libcrack2-dev. * ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Remove --enable-cracklib=check. * conf/pam.conf: Remove references to pam_cracklib.so. * configure.ac: Remove --enable-cracklib option. (AC_SUBST): Remove LIBCRACK. (AM_CONDITIONAL): Remove COND_BUILD_PAM_CRACKLIB. (AC_CONFIG_FILES): Remove modules/pam_cracklib/Makefile. * doc/sag/pam_cracklib.xml: Remove. * doc/sag/Linux-PAM_SAG.xml: Do not include pam_cracklib.xml. * modules/Makefile.am (MAYBE_PAM_CRACKLIB): Remove. (SUBDIRS): Remove MAYBE_PAM_CRACKLIB. * modules/pam_cracklib/Makefile.am: Remove. * modules/pam_cracklib/README.xml: Likewise. * modules/pam_cracklib/pam_cracklib.8.xml: Likewise. * modules/pam_cracklib/pam_cracklib.c: Likewise. * modules/pam_cracklib/tst-pam_cracklib: Likewise. * xtests/tst-pam_cracklib1.c: Likewise. * xtests/tst-pam_cracklib1.pamd: Likewise. * xtests/tst-pam_cracklib2.c: Likewise. * xtests/tst-pam_cracklib2.pamd: Likewise. * modules/pam_pwhistory/pam_pwhistory.8.xml: Replace pam_cracklib in examples with pam_passwdqc. * modules/pam_unix/pam_unix.8.xml: Likewise. * po/POTFILES.in: Remove ./modules/pam_cracklib/pam_cracklib.c. * xtests/.gitignore: Remove tst-pam_cracklib1 and tst-pam_cracklib2. * xtests/Makefile.am (EXTRA_DIST): Remove tst-pam_cracklib1.pamd and tst-pam_cracklib2.pamd. (XTESTS): Remove tst-pam_cracklib1 and tst-pam_cracklib2. * NEWS: Document this change.
* Add missing format function attributes and enable -Wmissing-format-attributeChristian Göttsche2020-10-251-0/+1
| | | | | | | | | | | | | | | | | Exported functions already have these attributes, add them to other functions. This enables compilers to find format specifier mismatches, like: foo_print("Hello %d", "world") * m4/warn_lang_flags.m4 (gl_WARN_ADD): Add -Wmissing-format-attribute. * conf/pam_conv1/Makefile.am (AM_CFLAGS): Add -I$(top_srcdir)/libpam/include. * conf/pam_conv1/pam_conv_y.y: Include <security/_pam_types.h>. (yyerror): Add printf format attribute. * modules/pam_pwhistory/opasswd.c (helper_log_err): Likewise. * modules/pam_rootok/pam_rootok.c (log_callback): Likewise. * modules/pam_tally/pam_tally.c (tally_log): Likewise. * modules/pam_tally2/pam_tally2.c (tally_log): Likewise. * modules/pam_unix/passverify.c (helper_log_err): Likewise.
* Prevent SEGFAULT for unknown UIDAnton D. Kachalov2020-09-301-1/+1
| | | | | | | | | | When running systemd service with DynamicUser being set, the dynamic UID might be not mapped to user name (/etc/nsswitch.conf is not configured with systemd nss module). The getuidname() routine might return NULL and this is not checked by callee. Signed-off-by: Anton D. Kachalov <rnouse@google.com>
* build: rename PIE_* AC_SUBST variables to EXE_*Dmitry V. Levin2020-08-071-4/+4
| | | | | | | | | There are going to be other options added to CFLAGS and LDFLAGS of executables made along with modules. * configure.ac (EXE_CFLAGS, EXE_LDFLAGS): New variables initialized from PIE_CFLAGS and PIE_LDFLAGS, respectively. AC_SUBST them instead of PIE_CFLAGS and PIE_LDFLAGS. All users updated.
* Fix -Wcast-align compilation warnings on armDmitry V. Levin2020-08-062-22/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Apparently, gcc is also not smart enough to infer the alignment of structure fields, for details see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89133 Use unions to avoid these casts altogether, this fixes compilation warnings reported by gcc on arm, e.g.: md5.c: In function 'MD5Update': md5.c:92:35: error: cast increases required alignment of target type [-Werror=cast-align] 92 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); | ^ md5.c:101:35: error: cast increases required alignment of target type [-Werror=cast-align] 101 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); | ^ md5.c: In function 'MD5Final': md5.c:136:35: error: cast increases required alignment of target type [-Werror=cast-align] 136 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); | ^ md5.c:147:9: error: cast increases required alignment of target type [-Werror=cast-align] 147 | memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32)); | ^ md5.c:149:34: error: cast increases required alignment of target type [-Werror=cast-align] 149 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); | ^ * modules/pam_namespace/md5.h (struct MD5Context): Replace "buf" and "in" fields with unions. All users updated. * modules/pam_unix/md5.h (struct MD5Context): Likewise. * modules/pam_timestamp/sha1.h (struct sha1_context.pending): Replace with a union. All users updated. Complements: v1.4.0~195 ("Fix most of clang -Wcast-align compilation warnings")
* pam_unix: skip context translationChristian Göttsche2020-08-052-44/+44
| | | | | | | These retrieved contexts are just passed to libselinux functions and not printed or otherwise made available to the outside, so a context translation to human readable MCS/MLS labels is not needed. (see man:setrans.conf(5))
* pam_unix: replace deprecated security_context_tChristian Göttsche2020-08-052-7/+7
| | | | | libselinux 3.1 deprecated the typedef security_context_t. Use the underlaying type.
* pam_unix: Add comment for the ignored PAM_AUTHTOK_ERR caseTomas Mraz2020-07-221-0/+4
| | | | | * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Add comment about the reason for ignoring PAM_AUTHTOK_ERR.
* Fix missing initialization of daysleftTomas Mraz2020-07-221-1/+1
| | | | | | | | | | The daysleft otherwise stays uninitialized if there is no shadow entry. Regression from commit f5adefa. Fixes #255 * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Initialize daysleft.
* Move read_passwords function from pam_unix to pam_inline.hikerexxe2020-07-154-47/+4
| | | | | | | | | | | | | | [ldv: rewrote commit message] * modules/pam_unix/passverify.h (read_passwords): Remove prototype. * modules/pam_unix/passverify.c (read_passwords): Move ... * libpam/include/pam_inline.h: ... here, rename to pam_read_passwords, add static inline qualifiers. Include <unistd.h> and <errno.h>. * modules/pam_unix/unix_chkpwd.c: Include "pam_inline.h". (main): Replace read_passwords with pam_read_passwords. * modules/pam_unix/unix_update.c: Include "pam_inline.h". (set_password): Replace read_passwords with pam_read_passwords.
* pam_unix: use PAM_MAX_RESP_SIZE instead of its alias MAXPASSDmitry V. Levin2020-07-156-14/+12
| | | | | | | | | | * modules/pam_unix/passverify.h (MAXPASS): Remove. * modules/pam_unix/passverify.c (read_passwords): Replace MAXPASS with PAM_MAX_RESP_SIZE. * modules/pam_unix/pam_unix_passwd.c (_pam_unix_approve_pass): Likewise. * modules/pam_unix/support.c (_unix_verify_password): Likewise. * modules/pam_unix/unix_chkpwd.c (main): Likewise. * modules/pam_unix/unix_update.c (set_password): Likewise.
* pam_unix: avoid determining if user existsikerexxe2020-06-172-7/+32
| | | | | | | | | Taking a look at the time for the password prompt to appear it was possible to determine if a user existed in a system. Solved it by matching the runtime until the password prompt was shown by always checking the password hash for an existing and a non-existing user. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598
* modules: do not check user name for NULL if pam_get_user returned PAM_SUCCESSDmitry V. Levin2020-05-152-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If pam_get_user returned PAM_SUCCESS, the user name is guaranteed to be a valid C string, no need to double check that. * modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check for NULL the user name returned by pam_get_user when the latter returned PAM_SUCCESS. * modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise. * modules/pam_debug/pam_debug.c (pam_sm_authenticate): Likewise. * modules/pam_filter/pam_filter.c (process_args): Likewise. * modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise. * modules/pam_group/pam_group.c (pam_sm_setcred): Likewise. * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise. * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Likewise. * modules/pam_mail/pam_mail.c (_do_mail): Likewise. * modules/pam_nologin/pam_nologin.c (perform_check): Likewise. * modules/pam_permit/pam_permit.c (pam_sm_authenticate): Likewise. * modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise. * modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise. * modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Likewise. * modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise. * modules/pam_shells/pam_shells.c (perform_check): Likewise. * modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise. * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise. * modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise. * modules/pam_timestamp/pam_timestamp.c (get_timestamp_name): Likewise. * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise. * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Likewise. * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise. * modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise. * modules/pam_wheel/pam_wheel.c (perform_check): Likewise. * modules/pam_userdb/pam_userdb.c (pam_sm_authenticate, pam_sm_acct_mgmt): Likewise.
* modules: remove PAM_SM_* macrosDmitry V. Levin2020-05-034-19/+7
| | | | | | Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support from Linux-PAM), PAM_SM_* macros have no effect.
* modules/*/Makefile.am: rename TESTS to dist_check_SCRIPTSDmitry V. Levin2020-05-031-2/+3
| | | | | | | | ... and remove $(TESTS) from EXTRA_DIST. The change is performed automatically using the following script: sed -i -e 's/^TESTS = \(tst.*\)/dist_check_SCRIPTS = \1\nTESTS = $(dist_check_SCRIPTS)/' \ -e '/^EXTRA_DIST/ s/ \$(TESTS)//' modules/*/Makefile.am
* modules/*/Makefile.am: rename man_MANS to dist_man_MANSDmitry V. Levin2020-05-031-2/+2
| | | | | | | ... and remove $(MANS) from EXTRA_DIST. The change is performed automatically using the following script: sed -i 's/^man_MANS/dist_&/; /^EXTRA_DIST/ s/ \$(MANS)//' modules/*/Makefile.am
* modules/*/Makefile.am: add dist_ prefix to *_DATADmitry V. Levin2020-05-031-2/+2
| | | | | | | ... and remove $(DATA) from EXTRA_DIST. The change is performed automatically using the following script: sed -i 's/^[a-z]*_DATA/dist_&/; /^EXTRA_DIST/ s/ \$(DATA)//' modules/*/Makefile.am
* modules/*/Makefile.am: replace README with $(DATA) in EXTRA_DISTDmitry V. Levin2020-04-271-1/+1
| | | | | | | | | | | | Since the GNU Automake distributes README files by default, the only reason why README had to be listed in EXTRA_DIST was to make these README files generated. Since README is also listed in noinst_DATA, we can safely replace README in EXTRA_DIST with $(DATA), this also opens the way for further EXTRA_DIST cleanup. * modules/*/Makefile.am (EXTRA_DIST): Replace README with $(DATA).
* modules/*/Makefile.am: reorder lines to promote uniformityDmitry V. Levin2020-04-271-1/+0
| | | | | This is essentially a no-op change that makes modules/*/Makefile.am files less divergent.
* build: move README prerequisites rule from modules/*/Makefile.am to ↵Dmitry V. Levin2020-04-271-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Make.xml.rules As the rule is now the same in every modules/*/Makefile.am file, move it to Make.xml.rules. * Make.xml.rules (README): New prerequisites rule. * modules/pam_access/Makefile.am (README): Remove rule. * modules/pam_cracklib/Makefile.am (README): Likewise. * modules/pam_debug/Makefile.am (README): Likewise. * modules/pam_deny/Makefile.am (README): Likewise. * modules/pam_echo/Makefile.am (README): Likewise. * modules/pam_env/Makefile.am (README): Likewise. * modules/pam_exec/Makefile.am (README): Likewise. * modules/pam_faildelay/Makefile.am (README): Likewise. * modules/pam_filter/Makefile.am (README): Likewise. * modules/pam_ftp/Makefile.am (README): Likewise. * modules/pam_group/Makefile.am (README): Likewise. * modules/pam_issue/Makefile.am (README): Likewise. * modules/pam_keyinit/Makefile.am (README): Likewise. * modules/pam_lastlog/Makefile.am (README): Likewise. * modules/pam_limits/Makefile.am (README): Likewise. * modules/pam_listfile/Makefile.am (README): Likewise. * modules/pam_localuser/Makefile.am (README): Likewise. * modules/pam_loginuid/Makefile.am (README): Likewise. * modules/pam_mail/Makefile.am (README): Likewise. * modules/pam_mkhomedir/Makefile.am (README): Likewise. * modules/pam_motd/Makefile.am (README): Likewise. * modules/pam_namespace/Makefile.am (README): Likewise. * modules/pam_nologin/Makefile.am (README): Likewise. * modules/pam_permit/Makefile.am (README): Likewise. * modules/pam_pwhistory/Makefile.am (README): Likewise. * modules/pam_rhosts/Makefile.am (README): Likewise. * modules/pam_rootok/Makefile.am (README): Likewise. * modules/pam_securetty/Makefile.am (README): Likewise. * modules/pam_selinux/Makefile.am (README): Likewise. * modules/pam_sepermit/Makefile.am (README): Likewise. * modules/pam_setquota/Makefile.am (README): Likewise. * modules/pam_shells/Makefile.am (README): Likewise. * modules/pam_succeed_if/Makefile.am (README): Likewise. * modules/pam_tally/Makefile.am (README): Likewise. * modules/pam_tally2/Makefile.am (README): Likewise. * modules/pam_time/Makefile.am (README): Likewise. * modules/pam_timestamp/Makefile.am (README): Likewise. * modules/pam_tty_audit/Makefile.am (README): Likewise. * modules/pam_umask/Makefile.am (README): Likewise. * modules/pam_unix/Makefile.am (README): Likewise. * modules/pam_userdb/Makefile.am (README): Likewise. * modules/pam_usertype/Makefile.am (README): Likewise. * modules/pam_warn/Makefile.am (README): Likewise. * modules/pam_wheel/Makefile.am (README): Likewise. * modules/pam_xauth/Makefile.am (README): Likewise.
* modules/*/Makefile.am: list prerequisites of README target uniformlyDmitry V. Levin2020-04-271-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There is no need to list prerequisites of README targets manually as all README targets depend on $(XMLS). The change is performed automatically using the following script: sed -i 's/^README: pam_.*/README: $(XMLS)/' modules/*/Makefile.am * modules/pam_access/Makefile.am (README): Replace pam_access.8.xml and access.conf.5.xml with $(XMLS). * modules/pam_cracklib/Makefile.am (README): Replace pam_cracklib.8.xml with $(XMLS). * modules/pam_debug/Makefile.am (README): Replace pam_debug.8.xml with $(XMLS). * modules/pam_deny/Makefile.am (README): Replace pam_deny.8.xml with $(XMLS). * modules/pam_echo/Makefile.am (README): Replace pam_echo.8.xml with $(XMLS). * modules/pam_env/Makefile.am (README): Replace pam_env.8.xml and pam_env.conf.5.xml with $(XMLS). * modules/pam_exec/Makefile.am (README): Replace pam_exec.8.xml with $(XMLS). * modules/pam_faildelay/Makefile.am (README): Replace pam_faildelay.8.xml with $(XMLS). * modules/pam_filter/Makefile.am (README): Replace pam_filter.8.xml with $(XMLS). * modules/pam_ftp/Makefile.am (README): Replace pam_ftp.8.xml with $(XMLS). * modules/pam_group/Makefile.am (README): Replace pam_group.8.xml and group.conf.5.xml with $(XMLS). * modules/pam_issue/Makefile.am (README): Replace pam_issue.8.xml with $(XMLS). * modules/pam_keyinit/Makefile.am (README): Replace pam_keyinit.8.xml with $(XMLS). * modules/pam_lastlog/Makefile.am (README): Replace pam_lastlog.8.xml with $(XMLS). * modules/pam_limits/Makefile.am (README): Replace pam_limits.8.xml and limits.conf.5.xml with $(XMLS). * modules/pam_listfile/Makefile.am (README): Replace pam_listfile.8.xml with $(XMLS). * modules/pam_localuser/Makefile.am (README): Replace pam_localuser.8.xml with $(XMLS). * modules/pam_loginuid/Makefile.am (README): Replace pam_loginuid.8.xml with $(XMLS). * modules/pam_mail/Makefile.am (README): Replace pam_mail.8.xml with $(XMLS). * modules/pam_mkhomedir/Makefile.am (README): Replace pam_mkhomedir.8.xml with $(XMLS). * modules/pam_motd/Makefile.am (README): Replace pam_motd.8.xml with $(XMLS). * modules/pam_namespace/Makefile.am (README): Replace pam_namespace.8.xml, namespace.conf.5.xml, and pam_namespace_helper.8.xml with $(XMLS). * modules/pam_nologin/Makefile.am (README): Replace pam_nologin.8.xml with $(XMLS). * modules/pam_permit/Makefile.am (README): Replace pam_permit.8.xml with $(XMLS). * modules/pam_pwhistory/Makefile.am (README): Replace pam_pwhistory.8.xml with $(XMLS). * modules/pam_rhosts/Makefile.am (README): Replace pam_rhosts.8.xml with $(XMLS). * modules/pam_rootok/Makefile.am (README): Replace pam_rootok.8.xml with $(XMLS). * modules/pam_securetty/Makefile.am (README): Replace pam_securetty.8.xml with $(XMLS). * modules/pam_selinux/Makefile.am (README): Replace pam_selinux.8.xml with $(XMLS). * modules/pam_sepermit/Makefile.am (README): Replace pam_sepermit.8.xml with $(XMLS). * modules/pam_setquota/Makefile.am (README): Replace pam_setquota.8.xml with $(XMLS). * modules/pam_shells/Makefile.am (README): Replace pam_shells.8.xml with $(XMLS). * modules/pam_succeed_if/Makefile.am (README): Replace pam_succeed_if.8.xml with $(XMLS). * modules/pam_tally/Makefile.am (README): Replace pam_tally.8.xml with $(XMLS). * modules/pam_tally2/Makefile.am (README): Replace pam_tally2.8.xml with $(XMLS). * modules/pam_time/Makefile.am (README): Replace pam_time.8.xml and time.conf.5.xml with $(XMLS). * modules/pam_timestamp/Makefile.am (README): Replace pam_timestamp.8.xml with $(XMLS). * modules/pam_tty_audit/Makefile.am (README): Replace pam_tty_audit.8.xml with $(XMLS). * modules/pam_umask/Makefile.am (README): Replace pam_umask.8.xml with $(XMLS). * modules/pam_unix/Makefile.am (README): Replace pam_unix.8.xml with $(XMLS). * modules/pam_userdb/Makefile.am (README): Replace pam_userdb.8.xml with $(XMLS). * modules/pam_usertype/Makefile.am (README): Replace pam_usertype.8.xml with $(XMLS). * modules/pam_warn/Makefile.am (README): Replace pam_warn.8.xml with $(XMLS). * modules/pam_wheel/Makefile.am (README): Replace pam_wheel.8.xml with $(XMLS). * modules/pam_xauth/Makefile.am (README): Replace pam_xauth.8.xml with $(XMLS).
* modules/*/Makefile.am: list tests in EXTRA_DIST uniformlyDmitry V. Levin2020-04-271-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The change was prepared using the following script: git grep -l '^TESTS = tst-pam_' modules/ |while read m; do t="$(sed '/^TESTS = tst-pam_/!d;s/^TESTS = //;q' -- "$m")" sed -i "/^EXTRA_DIST =/ s/$t\\>/\$(TESTS)/" -- "$m" done * modules/pam_access/Makefile.am (EXTRA_DIST): Replace tst-pam_access with $(TESTS). * modules/pam_cracklib/Makefile.am (EXTRA_DIST): Replace tst-pam_cracklib with $(TESTS). * modules/pam_debug/Makefile.am (EXTRA_DIST): Replace tst-pam_debug with $(TESTS). * modules/pam_deny/Makefile.am (EXTRA_DIST): Replace tst-pam_deny with $(TESTS). * modules/pam_echo/Makefile.am (EXTRA_DIST): Replace tst-pam_echo with $(TESTS). * modules/pam_env/Makefile.am (EXTRA_DIST): Replace tst-pam_env with $(TESTS). * modules/pam_exec/Makefile.am (EXTRA_DIST): Replace tst-pam_exec with $(TESTS). * modules/pam_faildelay/Makefile.am (EXTRA_DIST): Replace tst-pam_faildelay with $(TESTS). * modules/pam_filter/Makefile.am (EXTRA_DIST): Replace tst-pam_filter with $(TESTS). * modules/pam_ftp/Makefile.am (EXTRA_DIST): Replace tst-pam_ftp with $(TESTS). * modules/pam_group/Makefile.am (EXTRA_DIST): Replace tst-pam_group with $(TESTS). * modules/pam_issue/Makefile.am (EXTRA_DIST): Replace tst-pam_issue with $(TESTS). * modules/pam_keyinit/Makefile.am (EXTRA_DIST): Replace tst-pam_keyinit with $(TESTS). * modules/pam_lastlog/Makefile.am (EXTRA_DIST): Replace tst-pam_lastlog with $(TESTS). * modules/pam_limits/Makefile.am (EXTRA_DIST): Replace tst-pam_limits with $(TESTS). * modules/pam_listfile/Makefile.am (EXTRA_DIST): Replace tst-pam_listfile with $(TESTS). * modules/pam_localuser/Makefile.am (EXTRA_DIST): Replace tst-pam_localuser with $(TESTS). * modules/pam_loginuid/Makefile.am (EXTRA_DIST): Replace tst-pam_loginuid with $(TESTS). * modules/pam_mail/Makefile.am (EXTRA_DIST): Replace tst-pam_mail with $(TESTS). * modules/pam_mkhomedir/Makefile.am (EXTRA_DIST): Replace tst-pam_mkhomedir with $(TESTS). * modules/pam_motd/Makefile.am (EXTRA_DIST): Replace tst-pam_motd with $(TESTS). * modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace tst-pam_namespace with $(TESTS). * modules/pam_nologin/Makefile.am (EXTRA_DIST): Replace tst-pam_nologin with $(TESTS). * modules/pam_permit/Makefile.am (EXTRA_DIST): Replace tst-pam_permit with $(TESTS). * modules/pam_pwhistory/Makefile.am (EXTRA_DIST): Replace tst-pam_pwhistory with $(TESTS). * modules/pam_rhosts/Makefile.am (EXTRA_DIST): Replace tst-pam_rhosts with $(TESTS). * modules/pam_rootok/Makefile.am (EXTRA_DIST): Replace tst-pam_rootok with $(TESTS). * modules/pam_securetty/Makefile.am (EXTRA_DIST): Replace tst-pam_securetty with $(TESTS). * modules/pam_sepermit/Makefile.am (EXTRA_DIST): Replace tst-pam_sepermit with $(TESTS). * modules/pam_setquota/Makefile.am (EXTRA_DIST): Replace tst-pam_setquota with $(TESTS). * modules/pam_shells/Makefile.am (EXTRA_DIST): Replace tst-pam_shells with $(TESTS). * modules/pam_stress/Makefile.am (EXTRA_DIST): Replace tst-pam_stress with $(TESTS). * modules/pam_succeed_if/Makefile.am (EXTRA_DIST): Replace tst-pam_succeed_if with $(TESTS). * modules/pam_tally/Makefile.am (EXTRA_DIST): Replace tst-pam_tally with $(TESTS). * modules/pam_tally2/Makefile.am (EXTRA_DIST): Replace tst-pam_tally2 with $(TESTS). * modules/pam_time/Makefile.am (EXTRA_DIST): Replace tst-pam_time with $(TESTS). * modules/pam_tty_audit/Makefile.am (EXTRA_DIST): Replace tst-pam_tty_audit with $(TESTS). * modules/pam_umask/Makefile.am (EXTRA_DIST): Replace tst-pam_umask with $(TESTS). * modules/pam_userdb/Makefile.am (EXTRA_DIST): Replace tst-pam_userdb with $(TESTS). * modules/pam_usertype/Makefile.am (EXTRA_DIST): Replace tst-pam_usertype with $(TESTS). * modules/pam_warn/Makefile.am (EXTRA_DIST): Replace tst-pam_warn with $(TESTS). * modules/pam_wheel/Makefile.am (EXTRA_DIST): Replace tst-pam_wheel with $(TESTS). * modules/pam_xauth/Makefile.am (EXTRA_DIST): Replace tst-pam_xauth with $(TESTS).
* build: cleanup: do not add -DWITH_SELINUX to CFLAGSDmitry V. Levin2020-04-261-4/+0
| | | | | | | | | | As WITH_SELINUX is already AC_DEFINE'd in configure.ac, there is no point in adding -DWITH_SELINUX to CFLAGS. * libpam/Makefile.am [HAVE_LIBSELINUX] (AM_CFLAGS): Do not add -DWITH_SELINUX. * modules/pam_rootok/Makefile.am: Likewise. * modules/pam_unix/Makefile.am: Likewise.
* pam_unix: modernize example in manual pageTopi Miettinen2020-04-121-1/+1
| | | | | | | According to crypt(5), md5 should not be used for new hashes. Let's give a modern example with yescrypt. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
* pam_unix: Return PAM_AUTHINFO_UNAVAIL when appropriate.James Ralston2020-03-301-1/+8
| | | | | | | | | | | | | | | | | | | | | The pam_unix.so will never return PAM_AUTHINFO_UNAVAIL on systems that use the unix_chkpwd helper. The reason is that in unix_chkpwd.c, towards the end of main(), if helper_verify_password() does not return PAM_SUCCESS, main() ignores the actual error that helper_verify_password() returned and instead returns PAM_AUTH_ERR. This commit corrects this behavior. Specifically, if helper_verify_password() returns PAM_USER_UNKNOWN, which it does when /etc/passwd entry indicates that shadow information is present but the /etc/shadow entry is missing, the unix_chkpwd now exits with PAM_AUTHINFO_UNAVAIL. For any other error from helper_verify_password(), unix_chkpwd continues to exit with PAM_AUTH_ERR. * modules/pam_unix/unix_chkpwd.c (main): Return PAM_AUTHINFO_UNAVAIL when helper_verify_password() returns PAM_USER_UNKNOWN.
* Fix various typos found using codespell toolDmitry V. Levin2020-03-282-2/+2
|
* modules/pam_unix: use pam_str_skip_prefix and pam_str_skip_prefix_lenDmitry V. Levin2020-03-193-8/+14
| | | | | | | | | | | | | * modules/pam_unix/passverify.c: Include "pam_inline.h". (verify_pwd_hash): Use pam_str_skip_prefix instead of ugly strncmp invocations. * modules/pam_unix/support.c: Include "pam_inline.h". (_set_ctrl): Use pam_str_skip_prefix_len instead of hardcoding string lengths. * modules/pam_unix/md5_crypt.c: Include "pam_inline.h". (crypt_md5): Use pam_str_skip_prefix_len. squash! modules/pam_unix: use pam_str_skip_prefix and pam_str_skip_prefix_len
* Fix most of clang -Wcast-align compilation warningsDmitry V. Levin2020-03-192-3/+8
| | | | | | | | | | | | | | | | | | | Unlike gcc, clang is not smart enough to infer the alignment of structure fields, so add some alignment hints to the code. * libpam/include/pam_cc_compat.h (PAM_ATTRIBUTE_ALIGNED): New macro. * modules/pam_namespace/md5.h: Include "pam_cc_compat.h". (struct MD5Context): Add PAM_ATTRIBUTE_ALIGNED to "in" field. * modules/pam_namespace/md5.c [!(__i386__ || __x86_64__)] (uint8_aligned): New type. [!(__i386__ || __x86_64__)] (byteReverse): Use it instead of unsigned char. * modules/pam_timestamp/sha1.h: Include "pam_cc_compat.h". (struct sha1_context): Add PAM_ATTRIBUTE_ALIGNED to pending field. * modules/pam_unix/md5.h: Include "pam_cc_compat.h". (struct MD5Context): Add PAM_ATTRIBUTE_ALIGNED to "in" field. * modules/pam_unix/md5.c [!HIGHFIRST] (uint8_aligned): New type. [!HIGHFIRST] (byteReverse): Use it instead of unsigned char.
generated by cgit v1.2.3 (git 2.39.1) at 2025-04-15 14:25:42 +0000