aboutsummaryrefslogtreecommitdiff
path: root/modules
Commit message (Collapse)AuthorAgeFilesLines
...
* pam_usertype: do not call pam_sm_authenticateDmitry V. Levin2024-01-131-11/+21
| | | | | | | | | | | Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module. * modules/pam_usertype/pam_usertype.c (pam_sm_authenticate): Rename to pam_usertype, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_usertype.
* pam_succeed_if: do not call pam_sm_authenticateDmitry V. Levin2024-01-131-11/+21
| | | | | | | | | | | Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module. * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Rename to pam_succeed_if, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_succeed_if.
* pam_sepermit: do not call pam_sm_authenticateDmitry V. Levin2024-01-131-6/+12
| | | | | | | | | | | Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module. * modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Rename to pam_sepermit, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_sepermit.
* pam_localuser: do not call pam_sm_authenticateDmitry V. Levin2024-01-131-11/+21
| | | | | | | | | | | Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Rename to pam_localuser, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_localuser.
* pam_listfile: do not call pam_sm_authenticateDmitry V. Levin2024-01-131-17/+23
| | | | | | | | | | | Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module. * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Rename to pam_listfile, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_listfile.
* pam_lastlog: do not call pam_sm_authenticateDmitry V. Levin2024-01-131-4/+10
| | | | | | | | | | | Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module. * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Rename to pam_auth, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_auth.
* pam_access: do not call pam_sm_authenticateDmitry V. Levin2024-01-131-12/+18
| | | | | | | | | | | Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module. * modules/pam_access/pam_access.c (pam_sm_authenticate): Rename to pam_access, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_access.
* pam_listfile: log all option errorsDmitry V. Levin2024-01-131-15/+38
| | | | | | | | | The parser of module options used to bail out after the first option error without checking other options. With this change, while the return code semantics remains unchanged, all option errors are logged. * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Log all option errors.
* pam_listfile: consistently log unknown optionsDmitry V. Levin2024-01-131-2/+6
| | | | | | | | In most cases the parser of module options already logs unknown options before returning, but in two cases it didn't. * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Log unknown onerr= and sense= options.
* pam_access: add quiet_log optionAndreas Vögele2024-01-132-3/+24
| | | | | | | | | | | If quiet_log option is specified, no "access denied" message is logged. * modules/pam_access/pam_access.c (struct login_info): Add quiet_log. (parse_args): Initialize it. (pam_sm_authenticate): Use it. * modules/pam_access/pam_access.8.xml: Document quiet_log option. Closes: https://github.com/linux-pam/linux-pam/issues/706
* pam_listfile: treat \r like \nTobias Stoeckmann2024-01-121-7/+2
| | | | | | | | The characters \r and \n are replaced by NUL byte. Treat a line which is empty after removal of \r just like lines which are empty after the removal of \n. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: allow escaping of escape characterTobias Stoeckmann2024-01-122-3/+3
| | | | | | Otherwise it is not possible to add \ into an environment variable. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* modules: simplify newline removalTobias Stoeckmann2024-01-123-17/+5
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_debug: simplify state functionTobias Stoeckmann2024-01-121-8/+2
| | | | | | The return value of function state is never checked. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: fix Makefile.am dependenciesTobias Stoeckmann2024-01-121-1/+1
| | | | | | Comply with doc/man and enforce that pam_env.conf.5 does exist. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* treewide: strictly separate builddir and srcdirTobias Stoeckmann2024-01-1245-45/+45
| | | | | | | | | | Building outside of source directory fails if --disable-doc is not explicitly chosen. This happens because generated files are sometimes expected in the source directory, where they won't exist. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: build unix_update only with SELinux enabledChristian Göttsche2024-01-081-3/+16
| | | | | The helper unix_update(8) is only called from code enabled when SELinux support is enabled.
* pam_unix: fix memory leakChristian Göttsche2024-01-081-0/+1
| | | | | | | | The the allocated line buffer on success. Reported by GCC analyzer. Fixes: 4a2d60e9 ("pam_unix: use getline in _unix_getpwnam")
* pam_unix: do not truncate user namesTobias Stoeckmann2024-01-082-6/+2
| | | | | | | | | | | | | | | | This could allow users with very long names to impersonate a user with a 255 characters long name. The check if the argument argv[1] actually matches the user name implies that "user" can unconditionally be set to argv[1]: If they are equal, the strings are obviously equal. If they are not or if null is returned by getuidname, "user" is set to argv[1] anyway. This way, the static buffer can be safely removed because the result of getpwuid() is not stored, which means that subsequent calls to such functions can safely overwrite their internal buffers. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_access: avoid group name truncationTobias Stoeckmann2024-01-081-7/+5
| | | | | | | | If a very long group name is supplied, do not truncate it. It is safe to work directly on the supplied token, which is also already done in user_match, from where group_match is also called. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_limits: prevent overflow with very long lineTobias Stoeckmann2024-01-081-6/+11
| | | | | | | | The strcpy is not safe anymore because input lines can be very long. Use strdup instead. If allocation fails, treat the error exactly like a memory allocation issue in pam_modutil functions. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: use _pam_assemble_lineTobias Stoeckmann2024-01-051-100/+14
| | | | | | | When pam_env is compiled without libeconf support enabled, this removes fgets limitations and allows arbitrarily long lines. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: skip _expand_arg if possibleTobias Stoeckmann2024-01-051-0/+7
| | | | | | | If no special characters exist, simply skip _expand_arg to avoid memory allocations and string copying. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: extend test for escaped newlinesTobias Stoeckmann2024-01-051-1/+3
| | | | | | | | This covers the _assemble_line functionality, which slightly differs from _pam_assemble_line in libpam, i.e. does not replace the backslash with a blank. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: allow very long variable expansionsTobias Stoeckmann2024-01-052-40/+123
| | | | | | | | Variable expansion can exceed the maximum line length allowed in an environment configuration file. Since PAM environment variables already support arbitrary lengths, allow them in pam_env as well. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_namespace: fix typo in manual pageTobias Stoeckmann2024-01-051-1/+1
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: fix typos in manual pageTobias Stoeckmann2024-01-051-3/+3
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* treewide: fix typos in commentsTobias Stoeckmann2024-01-054-5/+5
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix/passverify: always run the helper to obtain shadow password file ↵Dmitry V. Levin2024-01-041-10/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | entries Initially, when pam_unix.so verified the password, it used to try to obtain the shadow password file entry for the given user by invoking getspnam(3), and only when that didn't work and the effective uid was nonzero, pam_unix.so used to invoke the helper as a fallback. When SELinux support was introduced by commit 67aab1ff5515054341a438cf9804e9c9b3a88033, the fallback was extended also for the case when SELinux was enabled. Later, commit f220cace205332a3dc34e7b37a85e7627e097e7d extended the fallback conditions for the case when pam_modutil_getspnam() failed with EACCES. Since commit 470823c4aacef5cb3b1180be6ed70846b61a3752, the helper is invoked as a fallback when pam_modutil_getspnam() fails for any reason. The ultimate solution for the case when pam_unix.so does not have permissions to obtain the shadow password file entry is to stop trying to use pam_modutil_getspnam() and to invoke the helper instead. Here are two recent examples. https://github.com/linux-pam/linux-pam/pull/484 describes a system configuration where libnss_systemd is enabled along with libnss_files in the shadow entry of nsswitch.conf, so when libnss_files is unable to obtain the shadow password file entry for the root user, e.g. when SELinux is enabled, NSS falls back to libnss_systemd which returns a synthesized shadow password file entry for the root user, which in turn locks the root user out. https://bugzilla.redhat.com/show_bug.cgi?id=2150155 describes essentially the same problem in a similar system configuration. This commit is the final step in the direction of addressing the issue: for password verification pam_unix.so now invokes the helper instead of making the pam_modutil_getspnam() call. * modules/pam_unix/passverify.c (get_account_info) [!HELPER_COMPILE]: Always return PAM_UNIX_RUN_HELPER instead of trying to obtain the shadow password file entry. Complements: https://github.com/linux-pam/linux-pam/pull/386 Resolves: https://github.com/linux-pam/linux-pam/pull/484 Link: https://github.com/authselect/authselect/commit/1e78f7e048747024a846fd22d68afc6993734e92
* pam_timestamp: correct failure conditionChristian Göttsche2024-01-041-1/+1
| | | | | | | | Bail out on NULL pointer, not otherwise. Reported by cppcheck. Fixes: 8a3f0810 ("Y2038: use logind instead of utmp")
* pam_filter: drop invalid tty hackChristian Göttsche2024-01-041-5/+0
| | | | | | | | | The open(3) flag O_NOCTTY does not detach the calling process from the opened file descriptor, like TIOCNOTTY, see tty(4), does. Drop the invalid hack to avoid the file descriptor being leaked. Reported by cppcheck.
* pam_timestamp: fix condition orderChristian Göttsche2024-01-041-2/+2
| | | | | | | Check the array index first before dereferencing the array. Also convert the index type to size_t to avoid casting. Reported by cppcheck.
* pam_listfile: use getlineTobias Stoeckmann2024-01-031-3/+4
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: use getlineTobias Stoeckmann2024-01-032-4/+8
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_xauth: use getlineTobias Stoeckmann2024-01-031-2/+5
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_faillock: use getlineTobias Stoeckmann2024-01-031-3/+5
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_access: use getlineTobias Stoeckmann2024-01-031-7/+12
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_exec: use getlineTobias Stoeckmann2024-01-031-2/+4
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_limits: use getlineTobias Stoeckmann2024-01-031-8/+16
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_sepermit: use getlineTobias Stoeckmann2024-01-031-4/+10
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_securetty: use getlineTobias Stoeckmann2024-01-031-9/+24
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: reduce variable visibilityTobias Stoeckmann2024-01-031-3/+7
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: calculate user length only if neededTobias Stoeckmann2024-01-031-3/+4
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: use getline in _unix_getpwnamTobias Stoeckmann2024-01-031-12/+18
| | | | | | Use getline instead of fgets to allow arbitrarily long lines. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: unify error handlingTobias Stoeckmann2024-01-031-15/+14
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: use calloc instead of malloc/memsetTobias Stoeckmann2024-01-031-2/+1
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: use size_t instead of int for sizesTobias Stoeckmann2024-01-031-5/+5
| | | | | | | Also rename buflen to retlen, since it is not associated with the variable buf, but ret. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: avoid reading uninitialized variableTobias Stoeckmann2024-01-031-10/+8
| | | | | | | | | | | | | | | | | | | | | The function _unix_comesfromsource calls _unix_getpwnam internally. When changing the authentication token, it is first called to read local passwd file and optionally contacting NIS. If an entry is found, _unix_getpwnam is called, this time definitely reading passwd file and contacting NIS (if support exists) and parsing the entry. This is meant to check if the entry is not just available but also valid. Since the return value of _unix_getpwnam is not checked and the supplied pointer is only set in case of success, the check for a NULl pointer afterwards can lead to undefined behavior. It is easier to call _unix_getpwnam directly, check its return value and then check if the entry could be parsed. This in turn reduces the amount of /etc/passwd accesses (and fixes a theoretical TOCTOU race). Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_namespace: validate amount of uids in configTobias Stoeckmann2024-01-031-1/+6
| | | | | | | | | | | | | If more than INT_MAX uids are found in a configuration line, the variable `count` would trigger a signed integer overflow. If more than UINT_MAX uids are found in a configuration line, then the `num_uids` counter is invalid, which could eventually lead to out of boundary accesses. Also make sure that size multiplication for malloc does not overflow. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_namespace: document that the namespace.init script runs as rootMatthias Gerstner2024-01-032-2/+8
|
generated by cgit v1.2.3 (git 2.39.1) at 2025-04-18 22:25:04 +0000