| Commit message | Author | Age | Files | Lines |

Wording of no new mail message should be significantly different from
new mail so that it does not align in length or similar words.
* modules/pam_mail/pam_mail.c (report_mail): Change the wording of
no new mail message.
Resolves: https://github.com/linux-pam/linux-pam/issues/465

* modules/pam_faillock/main.c (usage): Remove extra whitespace from the
usage diagnostics.
Fixes: 94f0f5ebb ("faillock: add support to print login failure info in legacy format")

Fixed 2 instances in the pam_lastlog module where file locks were
not being enforced when reading and writing last login records.
* modules/pam_lastlog/pam_lastlog.c (last_login_write): The write lock
failure is fatal after 3 tries.
(last_login_read): The read lock failure is non-fatal after 3 tries.
It is non-fatal in the read case due to concerns about a possible DoS.
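The locking policy this pam_lastlog commit describes, shown as an added example rather than linux-pam code: a whole-file fcntl() record lock is retried a fixed number of times, and the caller treats an unobtainable write lock as fatal while a failed read lock can be tolerated. The function names, the retry counts and delays, the temporary file path and the child process that supplies the contention are all this example's own constructions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static void sleep_ms(int ms)
{
    struct timespec ts = { ms / 1000, (long)(ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* Take a whole-file POSIX record lock of the given type (F_RDLCK or
 * F_WRLCK) on fd, retrying up to `tries` times with `delay_ms` between
 * attempts.  Returns 0 once the lock is held, -1 if another process still
 * holds a conflicting lock after the last try or on any other fcntl()
 * error.  The caller decides whether -1 is fatal (a write must not go
 * ahead unlocked) or tolerable (a read may proceed rather than let a
 * stuck lock holder deny every login). */
int lock_file_retry(int fd, short type, int tries, int delay_ms)
{
    struct flock fl;
    int i;

    memset(&fl, 0, sizeof fl);
    fl.l_type = type;
    fl.l_whence = SEEK_SET;   /* l_start = l_len = 0 covers the whole file */

    for (i = 0; i < tries; i++) {
        if (fcntl(fd, F_SETLK, &fl) == 0)
            return 0;
        /* EACCES/EAGAIN: a conflicting lock is held elsewhere, so retry.
         * Any other errno (EBADF, EINVAL, ...) will not go away by waiting. */
        if (errno != EACCES && errno != EAGAIN)
            return -1;
        if (i + 1 < tries)
            sleep_ms(delay_ms);
    }
    return -1;
}

/* Constructed contention scenario: a child process takes a write lock on a
 * temporary file and holds it for hold_ms while the parent tries to obtain
 * its own write lock with the retry policy above.  Returns 1 if the parent
 * got the lock (its record could be written safely), 0 if every try failed
 * and the write has to be refused, -1 on setup error. */
int contention_demo(int tries, int delay_ms, int hold_ms)
{
    char path[] = "/tmp/lastlog-demo-XXXXXX";   /* constructed temp file */
    int sync_pipe[2];
    int fd, status, result = -1;
    char byte;
    pid_t pid;

    if ((fd = mkstemp(path)) < 0)
        return -1;
    if (pipe(sync_pipe) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    if ((pid = fork()) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    if (pid == 0) {
        /* child: lock through its own descriptor, tell the parent, hold */
        int cfd = open(path, O_RDWR);
        close(sync_pipe[0]);
        if (cfd < 0 || lock_file_retry(cfd, F_WRLCK, 1, 0) != 0)
            _exit(1);
        if (write(sync_pipe[1], "L", 1) != 1)
            _exit(1);
        sleep_ms(hold_ms);
        _exit(0);                        /* process exit releases the lock */
    }
    close(sync_pipe[1]);                 /* parent keeps only the read end */
    if (read(sync_pipe[0], &byte, 1) == 1)
        result = lock_file_retry(fd, F_WRLCK, tries, delay_ms) == 0 ? 1 : 0;
    close(sync_pipe[0]);
    waitpid(pid, &status, 0);
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    printf("3 tries 50 ms apart, holder keeps lock 1000 ms: %d (expect 0)\n",
           contention_demo(3, 50, 1000));
    printf("3 tries 500 ms apart, holder keeps lock 100 ms: %d (expect 1)\n",
           contention_demo(3, 500, 100));
    return 0;
}
```

Using F_SETLK rather than F_SETLKW keeps the retry budget under the module's control: a blocking lock would hand a process that never releases the file the ability to stall every login, which is exactly the denial-of-service concern the commit message gives for keeping the read-side failure non-fatal.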

* modules/pam_faillock/pam_faillock.c (write_tally): Avoid logging
a consecutive login failure message for the root user in the case when
even_deny_root is not set.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2082442

* modules/pam_faillock/faillock.conf.5.xml: Adding note related to missing
user specific faillock files after reboot.
* modules/pam_faillock/pam_faillock.8.xml: Adding note related to missing
user specific faillock files after reboot.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2062512

Check the return value of localtime_r() before calling strftime(). This
function crashes if the argument is NULL.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2012871
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
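Added example (not the linux-pam code from this commit) of checking localtime_r() before strftime(): the helper falls back to a placeholder string when the conversion fails, and a constructed time value far past year 2^31 triggers that failure on platforms with a 64-bit time_t. The function names and the placeholder text are assumptions of the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Format a login timestamp for display.  localtime_r() returns NULL
 * (errno EOVERFLOW on glibc and musl) when the year does not fit in
 * struct tm, and strftime() must never be handed that NULL.  Returns 0 on
 * success and -1 when the time could not be converted, leaving a fixed
 * placeholder in buf so the caller can still print a complete line. */
int format_login_time(time_t when, char *buf, size_t buflen)
{
    struct tm tm;

    if (localtime_r(&when, &tm) == NULL) {
        snprintf(buf, buflen, "%s", "(unrepresentable time)");
        return -1;
    }
    if (strftime(buf, buflen, "%Y-%m-%d %H:%M:%S", &tm) == 0) {
        /* strftime() reports a too-small buffer by returning 0 */
        snprintf(buf, buflen, "%s", "(time too long)");
        return -1;
    }
    return 0;
}

/* Status-only wrapper for callers that just need to know whether a
 * timestamp converts into a buffer of the given size (capped at 64). */
int login_time_status(time_t when, size_t buflen)
{
    char buf[64];

    if (buflen > sizeof buf)
        buflen = sizeof buf;
    return format_login_time(when, buf, buflen);
}

/* A value that localtime_r() cannot convert when time_t is 64 bits wide:
 * 2^62 seconds, a year far beyond INT_MAX.  With a 32-bit time_t every
 * value converts, so the largest representable one is returned instead
 * and callers should expect success in that case. */
time_t conversion_failing_time(void)
{
    time_t t = 1;
    int i;

    if (sizeof(time_t) < 8)
        return (time_t)0x7fffffff;
    for (i = 0; i < 62; i++)
        t *= 2;
    return t;
}

int main(void)
{
    char buf[64];

    format_login_time((time_t)0, buf, sizeof buf);
    printf("epoch:    %s\n", buf);
    format_login_time(conversion_failing_time(), buf, sizeof buf);
    printf("overflow: %s\n", buf);
    return 0;
}
```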

* modules/pam_namespace/pam_namespace.c (inst_init): Make sure
the SIGCHLD handler is not reset too early by moving the sigaction
call right before the fork call.

* modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Make sure
the SIGCHLD handler is not reset too early by moving the sigaction
call right before the fork call.

* modules/pam_xauth/pam_xauth.c (run_coprocess): Save the SIGCHLD
handler and reset it to the default before calling fork, restore the
handler after waitpid returns.
Resolves: https://github.com/linux-pam/linux-pam/pull/469

* modules/pam_exec/pam_exec.c (call_exec): Save the SIGCHLD handler and
reset it to the default before calling fork, restore the handler after
waitpid returns.
Resolves: https://github.com/linux-pam/linux-pam/issues/405
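The save/reset/restore sequence described in the pam_xauth and pam_exec commits above, as an added example that is not the modules' own code: the naive fork/waitpid pattern loses the child's exit status when the calling application has SIGCHLD set to SIG_IGN, while the fixed pattern saves the application's disposition, installs SIG_DFL before fork() and restores the saved disposition only after waitpid() returns. The function names and the constructed application that ignores SIGCHLD are assumptions of the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child body used by the demo: an "external command" that reports
 * failure through its exit status (constructed, always returns 7). */
int child_returns_seven(void)
{
    return 7;
}

/* The pattern before the fix: fork and waitpid without touching SIGCHLD.
 * If the calling application has set SIGCHLD to SIG_IGN, the kernel reaps
 * the child on its own, waitpid() fails with ECHILD, and the child's
 * status, and with it any "command failed" decision, is lost. */
int run_child_naive(int (*child_fn)(void))
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(child_fn() & 0xff);
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The fixed pattern: save the application's SIGCHLD disposition, install
 * the default one before fork(), and put the saved one back only after
 * waitpid() has returned, so the status is always collected and the
 * application's own handler is back in place once the module is done. */
int run_child_with_default_sigchld(int (*child_fn)(void))
{
    struct sigaction saved, dfl;
    int status, rc = -1;
    pid_t pid, w;

    memset(&dfl, 0, sizeof dfl);
    dfl.sa_handler = SIG_DFL;
    sigemptyset(&dfl.sa_mask);
    if (sigaction(SIGCHLD, &dfl, &saved) != 0)
        return -1;

    pid = fork();
    if (pid == 0)
        _exit(child_fn() & 0xff);
    if (pid > 0) {
        do {                  /* retry only when interrupted by a signal */
            w = waitpid(pid, &status, 0);
        } while (w < 0 && errno == EINTR);
        if (w == pid && WIFEXITED(status))
            rc = WEXITSTATUS(status);
    }
    sigaction(SIGCHLD, &saved, NULL);   /* restore, whatever happened above */
    return rc;
}

/* Constructed stand-in for an application that ignores SIGCHLD to avoid
 * zombies, as some daemons do.  Returns 0 on success. */
int application_ignores_sigchld(void)
{
    struct sigaction sa;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = SIG_IGN;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGCHLD, &sa, NULL);
}

/* Report whether SIGCHLD currently has the given disposition. */
int sigchld_disposition_is(void (*handler)(int))
{
    struct sigaction cur;

    if (sigaction(SIGCHLD, NULL, &cur) != 0)
        return 0;
    return cur.sa_handler == handler;
}

int main(void)
{
    application_ignores_sigchld();
    printf("naive: %d (expect -1, status lost)\n", run_child_naive(child_returns_seven));
    printf("fixed: %d (expect 7)\n", run_child_with_default_sigchld(child_returns_seven));
    printf("SIGCHLD still ignored afterwards: %s\n",
           sigchld_disposition_is(SIG_IGN) ? "yes" : "no");
    return 0;
}
```

The security-relevant detail is the ordering: the default disposition has to be in place before fork(), because the kernel decides at the child's exit whether to auto-reap it, and the application's disposition must not be restored until waitpid() has collected the status, otherwise a module that runs a helper to decide whether to allow access can end up with no status at all.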

* modules/pam_pwhistory/pam_pwhistory.8.xml: Add new option to select
configuration file to read.
* modules/pam_pwhistory/pwhistory.conf.5.xml: Document configuration
options for the file.
* modules/pam_pwhistory/Makefile.am (dist_man_MANS): Add pwhistory.conf.5.
(XMLS): Add pwhistory.conf.5.xml.
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>

* modules/pam_pwhistory/pam_pwhistory.c: Load config from file and
provide new conf option to select the file.
* modules/pam_pwhistory/pwhistory_config.c: Parse config from file and
load to options structure.
* modules/pam_pwhistory/pwhistory_config.h: Move options_t structure and
define parse_config_file().
* modules/pam_pwhistory/Makefile.am (noinst_HEADERS): Add pwhistory_config.h.
(pam_pwhistory_la_SOURCES): Add pwhistory_config.c.
(dist_secureconf_DATA): Add pwhistory.conf.
* modules/pam_pwhistory/pwhistory.conf: New configuration file.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2068461
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>

pam_tally2 had a simple and minimalistic output to show login failure
info, new output of faillock makes the output look a bit complex and
doesn't show failure counts in a straight manner.
This patch fixes the above issue by adding "--legacy-output" flag to
faillock which makes it possible to get output in pam_tally2 style.
Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>

Move the code to its own function.
Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>

No need to do any further processing if a non-existent username is given
to faillock.
For first time successful login, failure field should be 0 and faillock
should show something like pam_tally2 did.
Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>

When using scandir() to look for MOTD files to display, we wrongly
relied on all filesystems providing a filetype. This is a fix to divert
to lstat() when we have no filetype. To maintain MT safety, it isn't
possible to use lstat() in the scandir() filter function, so all of the
filtering has been moved to an additional loop after scanning all the
motd dirs.
Also, remove superfluous alphasort from scandir(), we are doing
a qsort() later.
Resolves: https://github.com/linux-pam/linux-pam/issues/455

Use the vendor directory as fallback for a distribution provided default
config and scripts if there is no configuration in /etc.
pam_namespace.c: Take care of the fallback configuration in vendor directory.
pam_namespace.h: Define vendor specific files and directories.
pam_namespace.8.xml: Add description for vendor directories and files.
namespace.conf.5.xml: Add description for vendor directories and files.

Use the vendor directory as fallback for a distribution provided default
config if there is no configuration in /etc.
pam_limits.c: Take care of the fallback configuration in vendor directory.
pam_limits.8.xml: Add description for vendor directory.

Use the vendor directory as fallback for a distribution provided default config if there is no configuration in /etc.
* pam_access.c: Take care of the fallback configuration in vendor directory.
* pam_access.8.xml: Added description for vendor directory.

* modules/pam_faillock/main.c: Load configuration from file
* modules/pam_faillock/pam_faillock: Improve tally directory management
* modules/pam_faillock/faillock_config.c: Print errors
* modules/pam_faillock/faillock_config.h: Extend options structure and
define get_tally_dir().
* modules/pam_faillock/Makefile.am: Compile faillock_config.c for
faillock binary.
* modules/pam_faillock/faillock.8.xml: Update with the new configuration
option.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1978029
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>

The configuration load can be reused by faillock.
* modules/pam_faillock/faillock_config.c: Move configuration loading
functions (read_config_file and set_conf_opt) to this file.
* modules/pam_faillock/faillock_config.h: Move configuration loading
macros and structures.
* modules/pam_faillock/Makefile.am: Add faillock_config.
* modules/pam_faillock/faillock.h: Remove configuration loading macros.
* modules/pam_faillock/pam_faillock.c: Remove configuration loading
functions, macros and structures.
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>

* modules/pam_env/pam_env.c (_assemble_line, _parse_line, _check_var,
_clean_var, _expand_arg, _pam_get_item_byname, _define_var,
_undefine_var): Move definitions of static functions before their first
use to avoid forward declarations cluttering the code.

* modules/pam_issue/pam_issue.c (read_issue_raw, read_issue_quoted):
Move definitions of static functions before their first use to avoid
forward declarations cluttering the code.

* modules/pam_env/tst-pam_env-retval.c: New file.
* modules/pam_env/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_env_retval_LDADD): New variables.
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>

According to the manual page, the following entry is valid but does not
work:
-:root:ALL EXCEPT localhost
See https://bugzilla.suse.com/show_bug.cgi?id=1019866
Patch is based on PR#226 from Josef Moellers

In the child process, freeing memory right before pam_syslog()
followed by _exit(ENOMEM) is useless.
* modules/pam_exec/pam_exec.c (call_exec): Do not call free(envlist).
Resolves: https://github.com/linux-pam/linux-pam/issues/444

In the child process, the elements of argv[] are not modified, so there
is no need to copy strings.
* modules/pam_exec/pam_exec.c (call_exec): Do not call strdup on argv[]
elements during arggv[] initialization.
Resolves: https://github.com/linux-pam/linux-pam/pull/446

Fix the following compilation warning reported by clang:
"result of comparison against a string literal is unspecified
(use strcmp instead)".
* pam_time.c (_pam_parse): Do not compare char* string with a constant.

* modules/pam_usertype/pam_usertype.c (pam_usertype_is_system): Stop
using SYS_UID_MIN to check if it is a system account, because all
accounts below the SYS_UID_MAX are system users.
* modules/pam_usertype/pam_usertype.8.xml: Remove reference to SYS_UID_MIN
as it is no longer used to calculate the system accounts.
* configure.ac: Remove PAM_USERTYPE_SYSUIDMIN.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1949137
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>

* modules/pam_keyinit/pam_keyinit.c: Bypass setre*id() C library calls
with kernel calls and change global variables definitions to be
thread-safe.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1997969
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Co-Authored-By: Andreas Schneider <asn@samba.org>

Use the vendor directory defined by --enable-vendordir=DIR configure
option as fallback for the distribution provided default config file
if there is no configuration in /etc.
* modules/pam_time/pam_time.8.xml: Describe this.
* modules/pam_time/time.h [VENDOR_SCONFIGDIR] (VENDOR_PAM_TIME_CONF):
New macro.
* modules/pam_time/pam_time.c (_pam_parse) [VENDOR_PAM_TIME_CONF]:
Try to open VENDOR_PAM_TIME_CONF file when no conffile= option was
specified and PAM_TIME_CONF file does not exist.
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
Resolves: https://github.com/linux-pam/linux-pam/pull/409

* modules/pam_time/tst-pam_time-retval.c: New file.
* modules/pam_time/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_time_retval_LDADD): New variables.
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>

Sometimes, especially in embedded devices, the /etc directory can be
read-only and/or not saved over upgrades. In order to ensure password
policies are maintained across upgrades and the module functions on
read-only file systems, allow the location of the password history file
to be set in the PAM configuration.
Signed-off-by: Edward <jinzhou.zhu1@ge.com>
[Martyn Welch: Updated commit message and ported to latest version]
Signed-off-by: Martyn Welch <martyn.welch@collabora.com>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>

* modules/pam_faillock/tst-pam_faillock-retval.c: New file.
* modules/pam_faillock/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_faillock_retval_LDADD): New variables.
Resolves: https://github.com/linux-pam/linux-pam/pull/431

Use the vendor directory defined by --enable-vendordir=DIR configure
option as fallback for the distribution provided default config file
if there is no configuration in /etc.
* modules/pam_faillock/pam_faillock.8.xml: Describe this.
* modules/pam_faillock/faillock.h [VENDOR_SCONFIGDIR]
(VENDOR_FAILLOCK_DEFAULT_CONF): New macro.
* modules/pam_faillock/pam_faillock.c (read_config_file)
[VENDOR_FAILLOCK_DEFAULT_CONF]: Try to open VENDOR_FAILLOCK_DEFAULT_CONF
file when FAILLOCK_DEFAULT_CONF file does not exist.
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
Resolves: https://github.com/linux-pam/linux-pam/pull/423

Use the vendor directory defined by --enable-vendordir=DIR configure
option as fallback for the distribution provided default config file
if there is no configuration in /etc.
* modules/pam_group/pam_group.c: Include <errno.h>.
[VENDOR_SCONFIGDIR] (VENDOR_PAM_GROUP_CONF): New macro.
(read_field): Add conf_filename argument, use it instead of PAM_GROUP_CONF.
(check_account) <conf_filename>: New variable, initialize it to
PAM_GROUP_CONF, pass it to read_field().
[VENDOR_PAM_GROUP_CONF]: Assign VENDOR_PAM_GROUP_CONF to conf_filename
when PAM_GROUP_CONF file does not exist.
* modules/pam_group/pam_group.8.xml: Describe it.
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
Resolves: https://github.com/linux-pam/linux-pam/pull/412

Use the vendor directory defined by --enable-vendordir=DIR configure
option as fallback for the distribution provided default config file
if there is no configuration in /etc.
* modules/pam_sepermit/pam_sepermit.c [VENDOR_SCONFIGDIR]
(SEPERMIT_VENDOR_CONF_FILE): New macro.
(pam_sm_authenticate) [SEPERMIT_VENDOR_CONF_FILE]: Use it as default
config file when conf= option is not specified and the file pointed
by SEPERMIT_CONF_FILE does not exist.
* modules/pam_sepermit/pam_sepermit.8.xml: Describe it.
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
Resolves: https://github.com/linux-pam/linux-pam/pull/411
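The /etc-first, vendor-directory-second lookup that the pam_time, pam_faillock, pam_group and pam_sepermit commits above add, as an added example that is not the modules' own code. It treats only ENOENT on the /etc path as "no local configuration" and reports every other stat() error instead of falling through to the vendor file; that choice, the function names and the temporary directory layout are this example's assumptions, and the constructed scenario creates the vendor file first and the local override second.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Decide which configuration file a module should read.  The
 * administrator's file under SCONFIGDIR wins whenever it exists; the
 * distribution's copy under the vendor directory is used only when the
 * /etc one is absent (ENOENT).  Any other stat() failure (EACCES, ELOOP,
 * ...) is returned as an error instead of silently switching to the vendor
 * policy, so a permission mistake cannot change which rules are enforced.
 * vendor_path may be NULL for a build without --enable-vendordir.
 * Returns 0 and fills chosen, or -1 with errno set. */
int choose_conf_file(const char *etc_path, const char *vendor_path,
                     char *chosen, size_t len)
{
    struct stat st;

    if (stat(etc_path, &st) == 0) {
        snprintf(chosen, len, "%s", etc_path);
        return 0;
    }
    if (errno != ENOENT)
        return -1;
    if (vendor_path == NULL) {
        errno = ENOENT;
        return -1;
    }
    snprintf(chosen, len, "%s", vendor_path);
    return 0;
}

static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");

    if (f == NULL)
        return -1;
    fputs(text, f);
    return fclose(f);
}

/* Constructed scenario in a temporary tree: first only the vendor file
 * exists, then an administrator adds the /etc one.  Returns 1 if both
 * lookups picked the right file, 0 if either picked the wrong one, -1 on
 * setup failure. */
int fallback_demo(void)
{
    char root[] = "/tmp/vendordir-demo-XXXXXX";   /* constructed temp tree */
    char etc_dir[64], vendor_dir[64], etc_conf[128], vendor_conf[128], chosen[128];
    int vendor_ok, etc_ok;

    if (mkdtemp(root) == NULL)
        return -1;
    snprintf(etc_dir, sizeof etc_dir, "%s/etc-security", root);
    snprintf(vendor_dir, sizeof vendor_dir, "%s/usr-lib-pam", root);
    snprintf(etc_conf, sizeof etc_conf, "%s/demo.conf", etc_dir);
    snprintf(vendor_conf, sizeof vendor_conf, "%s/demo.conf", vendor_dir);
    if (mkdir(etc_dir, 0755) != 0 || mkdir(vendor_dir, 0755) != 0)
        return -1;

    /* 1. only the distribution default exists: it must be chosen */
    if (write_file(vendor_conf, "# distribution default\n") != 0)
        return -1;
    vendor_ok = choose_conf_file(etc_conf, vendor_conf, chosen, sizeof chosen) == 0
                && strcmp(chosen, vendor_conf) == 0;

    /* 2. the administrator's override appears: it must take precedence */
    if (write_file(etc_conf, "# local override\n") != 0)
        return -1;
    etc_ok = choose_conf_file(etc_conf, vendor_conf, chosen, sizeof chosen) == 0
             && strcmp(chosen, etc_conf) == 0;

    unlink(etc_conf);
    unlink(vendor_conf);
    rmdir(etc_dir);
    rmdir(vendor_dir);
    rmdir(root);
    return vendor_ok && etc_ok;
}

int main(void)
{
    printf("vendor fallback then local override chosen correctly: %d (expect 1)\n",
           fallback_demo());
    return 0;
}
```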

* modules/pam_limits/pam_limits.c (parse_config_file): Use
VENDOR_SCONFIGDIR macro instead of VENDORDIR.

source code
Since SCONFIGDIR macro is available, there is no need to define macros
based on SCONFIGDIR in Makefile.am files.
* modules/pam_access/Makefile.am (AM_CFLAGS): Move definitions of
PAM_ACCESS_CONFIG and ACCESS_CONF_GLOB macros ...
* modules/pam_access/pam_access.c: ... here.
* modules/pam_env/Makefile.am (AM_CFLAGS): Move definition of
DEFAULT_CONF_FILE macro ...
* modules/pam_env/pam_env.c: ... here.
* modules/pam_group/Makefile.am (AM_CFLAGS): Move definition of
PAM_GROUP_CONF macro ...
* modules/pam_group/pam_group.c: ... here.
* modules/pam_limits/Makefile.am (AM_CFLAGS): Move definition of
LIMITS_FILE macro ...
* modules/pam_limits/pam_limits.c: ... here.
* modules/pam_sepermit/Makefile.am (AM_CFLAGS): Move definition of
SEPERMIT_CONF_FILE macro ...
* modules/pam_sepermit/pam_sepermit.c: ... here.
* modules/pam_time/Makefile.am (AM_CFLAGS): Move definition of
PAM_TIME_CONF macro ...
* modules/pam_time/pam_time.c: ... here.

LIMITS_FILE_DIR used to define a glob pattern instead of a directory
name, fix that inconsistency.
* modules/pam_limits/Makefile.am (AM_CFLAGS): Move "/*.conf" ending of
LIMITS_FILE_DIR macro ...
* modules/pam_limits/pam_limits.c (LIMITS_CONF_GLOB): ... here.

Use SCONFIGDIR macro instead of open-coding "/etc/security",
the latter is not correct when configured using --enable-sconfigdir
with an argument different from /etc/security.
* modules/pam_faillock/faillock.h (FAILLOCK_DEFAULT_CONF): Use
SCONFIGDIR.
* modules/pam_namespace/pam_namespace.h (SECURECONF_DIR): Remove.
(PAM_NAMESPACE_CONFIG, NAMESPACE_INIT_SCRIPT, NAMESPACE_D_DIR,
NAMESPACE_D_GLOB): Use SCONFIGDIR.
* modules/pam_namespace/Makefile.am (AM_CFLAGS): Remove
-DSECURECONF_DIR.
* modules/pam_pwhistory/opasswd.c (OLD_PASSWORDS_FILE): Use SCONFIGDIR.
* modules/pam_unix/passverify.h: Likewise.
* modules/pam_unix/passverify.c (OPW_TMPFILE): Use SCONFIGDIR.

The parser of conf= option failed to recognize the option unless
it was specified without an argument, making it useless.
* modules/pam_sepermit/pam_sepermit.c: Include "pam_inline.h".
(pam_sm_authenticate): Fix parsing of conf= option.
* modules/pam_sepermit/tst-pam_sepermit-retval.c: Check conf= option.
Co-authored-by: Stefan Schubert <schubi@suse.de>
Resolves: https://github.com/linux-pam/linux-pam/pull/429

* modules/pam_sepermit/tst-pam_sepermit-retval.c: New file.
* modules/pam_sepermit/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_sepermit_retval_LDADD): New variables.

This adjusts the documentation for the changes from PR#418
We no longer fail if the config file does not exist.

* modules/pam_rootok/pam_rootok.c (log_callback): Move audit_fd
definition under HAVE_LIBAUDIT guard.

A config with only comments or an empty one is completely fine for
pam_limits. So don't complain about missing config files either.

As PR_SET_NO_NEW_PRIVS was introduced by Linux kernel commit
v3.5-rc1~161^2~37, provide a fallback definition to fix build
with older Linux kernel headers.
* modules/pam_limits/pam_limits.c [!PR_SET_NO_NEW_PRIVS]
(PR_SET_NO_NEW_PRIVS): New macro.
Resolves: https://github.com/linux-pam/linux-pam/issues/406
Fixes: dd9cf929 ("modules/pam_limits: add support for nonewprivs")

* Use vendor specific limits.conf as fallback