path: root/modules
Commit message | Author | Age | Files | Lines
* pam_namespace: use sed instead of awk in namespace.init | Dmitry V. Levin | 2024-01-20 | 1 | -1/+1
  Given that sed is considered a more lightweight dependency than awk, and since sed is used by pam_namespace_helper anyway, use sed instead of awk in namespace.init as well.

  * modules/pam_namespace/namespace.init: Use sed instead of awk to obtain the UMASK value from /etc/login.defs.
* pam_unix: do not warn if password aging is disabled | Tobias Stoeckmann | 2024-01-19 | 1 | -1/+0
  Later checks will print a warning if daysleft is 0. If password aging is disabled, leave daysleft at -1.

  Resolves: https://github.com/linux-pam/linux-pam/issues/743
  Fixes: 9ebc14085a3b ("pam_unix: allow disabled password aging")
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: remove escaped newlines from econf lines | Tobias Stoeckmann | 2024-01-18 | 1 | -0/+23
  The libeconf routines do not remove escaped newlines the way we want to process them later on. Manually remove them from values.

  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
  Resolves: https://github.com/linux-pam/linux-pam/issues/738
  Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
* pam_env: fix --enable-vendordir fallback logic | Dmitry V. Levin | 2024-01-18 | 1 | -11/+11
  * modules/pam_env/pam_env.c (_parse_config_file) [!USE_ECONF && VENDOR_DEFAULT_CONF_FILE]: Do not fallback to vendor pam_env.conf file if the config file is specified via module arguments.

  Link: https://github.com/linux-pam/linux-pam/issues/738
  Fixes: v1.5.3~69 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
* pam_env: check VENDORDIR after config.h inclusion | Tobias Stoeckmann | 2024-01-18 | 1 | -9/+9
  The VENDORDIR define has to be checked after config.h inclusion, otherwise the ifdef test always yields false.

  Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_namespace: include stdint.h | Jacob Heider | 2024-01-17 | 1 | -0/+2
  pam_namespace.c makes use of SIZE_MAX but doesn't include stdint.h, resulting in the following build failures on 1.6.0:

    pam_namespace.c: In function 'process_line':
    pam_namespace.c:649:41: error: 'SIZE_MAX' undeclared (first use in this function)
      649 |         if (count > UINT_MAX || count > SIZE_MAX / sizeof(uid_t)) {
          |                                         ^~~~~~~~
    pam_namespace.c:41:1: note: 'SIZE_MAX' is defined in header '<stdint.h>'; did you forget to '#include <stdint.h>'?
       40 | #include "argv_parse.h"
      +++ |+#include <stdint.h>
       41 |
    pam_namespace.c:649:41: note: each undeclared identifier is reported only once for each function it appears in
      649 |         if (count > UINT_MAX || count > SIZE_MAX / sizeof(uid_t)) {
          |                                         ^~~~~~~~

  Fixes: v1.6.0~100 ("pam_namespace: validate amount of uids in config")
  Resolves: https://github.com/linux-pam/linux-pam/issues/733
* pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS situations | Matthias Gerstner | 2024-01-17 | 1 | -17/+1
  Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs being placed in user controlled directories, causing the PAM module to block indefinitely during `openat()`.

  Pass O_DIRECTORY to cause the `openat()` to fail if the path does not refer to a directory.

  With this the check whether the final path element is a directory becomes unnecessary, drop it.
* pam_pwhistory: fix typo in example configuration | Tobias Stoeckmann | 2024-01-16 | 1 | -1/+1
  The option file points to a file, not a directory.

  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: fix typos in comments | Christian Göttsche | 2024-01-16 | 2 | -2/+2
* pam_pwhistory: use cp variable only when needed | Tobias Stoeckmann | 2024-01-16 | 1 | -17/+13
  Removes its usage from check_old_pass and reduces its visibility in save_old_pass.

  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_pwhistory: parse opasswd lines verbatim | Tobias Stoeckmann | 2024-01-16 | 1 | -16/+4
  Users may have a hash character in their name, which would be removed. This in turn effectively defeats the purpose of pam_pwhistory for the user.

  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: do not allow comma as a field separator | Tobias Stoeckmann | 2024-01-16 | 2 | -9/+8
  The opasswd file shall not use comma as a separator. Enforce colon just like pam_pwhistory does as well.

  A comma can be part of a user name, although its usage is discouraged. If such a user exists, it could happen that stored passwords of another user are checked.

  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* modules: do not invoke getline(3) unnecessarily | Dmitry V. Levin | 2024-01-16 | 2 | -3/+2
  Replace
      while (getline(...) != -1 && retval)
  with
      while (retval && getline(...) != -1)

  * modules/pam_listfile/pam_listfile.c (pam_listfile): Do not invoke getline(3) when its result is going to be ignored.
  * modules/pam_securetty/pam_securetty.c (securetty_perform_check): Likewise.
* pam_unix: declare read-only data array const | Christian Göttsche | 2024-01-15 | 1 | -1/+1
* pam_unix: log about failure to execute unix_chkpwd(8) | Christian Göttsche | 2024-01-15 | 1 | -1/+1
* pam_unix: clean additional possible sensitive buffers | Christian Göttsche | 2024-01-15 | 3 | -2/+7
* pam_unix: use more appropriate types | Christian Göttsche | 2024-01-15 | 2 | -5/+5
* pam_unix: retain const qualifier | Christian Göttsche | 2024-01-15 | 1 | -6/+6
* pam_unix: enclose macro arguments | Christian Göttsche | 2024-01-15 | 1 | -3/+3
* pam_unix: set close-on-exec | Christian Göttsche | 2024-01-15 | 4 | -24/+13
  Since the module operates on sensitive files set the close-on-exec flag, to avoid file descriptor leaks if there is ever any sibling thread.

  The fopen(3) mode "e" is supported in glibc since version 2.7 (released in 2007), and ignored prior, see: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=65d834b0add966dbbdb5ed1e916c60b2b2d87f10
* pam_unix: support setgid version of unix_chkpwd(8) | Christian Göttsche | 2024-01-15 | 1 | -2/+7
  In case unix_chkpwd(8) is not a setuid but a setgid binary, reset to the real group as well.

  Also check the privileges are permanently lost, see: https://wiki.sei.cmu.edu/confluence/display/c/POS37-C.+Ensure+that+privilege+relinquishment+is+successful

  See also the current Debian patch: https://sources.debian.org/src/pam/1.5.2-9.1/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch/
* pam_unix: reject unix_update(8) running on different unprivileged user | Christian Göttsche | 2024-01-15 | 1 | -3/+13
  In case unix_update(8) is installed as a setuid binary, which Fedora and Debian do not do, prevent unprivileged users from probing (and eventually changing) passwords of other users (including root).
* pam_unix: add audit support to unix_update(8) | Christian Göttsche | 2024-01-15 | 2 | -1/+18
  Emit audit reports in the helper unix_update(8) about abnormal executions, unprivileged authentications, and password updates.

  Also log unprivileged authentication failures to syslog.
* pam_unix: refactor audit logging | Christian Göttsche | 2024-01-15 | 5 | -36/+61
  Split the audit logging code into a separate file, to be reused by unix_update(8).
* pam_unix: fix regressions | Tobias Stoeckmann | 2024-01-15 | 2 | -2/+1
  The returned value stored in pwd from _unix_getpwnam is inserted into pam handler through pam_set_data. Do not manually free the value.

  Also check getline return value for != -1 instead of == -1.

  Fixes 8f2ca5919b26843ef774ef0aeb9bf261dec943a0 and 73d009e9ea8edafc18c7fe3650b25dd6bdce88c1. No release affected.

  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_pwhistory: disable SELinux code if not used | Tobias Stoeckmann | 2024-01-15 | 1 | -0/+6
  Disable code to run helper binary if SELinux is not enabled.

  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_pwhistory: build pwhistory_helper only with SELinux enabled | Tobias Stoeckmann | 2024-01-15 | 1 | -3/+12
  Apply the same logic of pam_unix Makefile adjustment for pw_history as well. Reference commit is cb9f88ba944d56c0b6c65be18500f7d56c9f514c.

  The helper pwhistory_helper(8) is only called from code enabled when SELinux support is enabled.

  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_pwhistory: annotate declaration with format attribute | Christian Göttsche | 2024-01-15 | 2 | -1/+1
  Instead of annotating the function definition with the format attribute annotate the declaration, so the annotation is visible at call sites.
* pam_unix: annotate declaration with format attribute | Christian Göttsche | 2024-01-15 | 2 | -1/+1
  Instead of annotating the function definition with the format attribute annotate the declaration, so the annotation is visible at call sites.
* pam_succeed_if: add unit test | Tobias Stoeckmann | 2024-01-14 | 2 | -1/+91
  Cover previous changes with unit test.

  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_succeed_if: empty strings are no number | Tobias Stoeckmann | 2024-01-14 | 1 | -2/+2
  If an empty string is encountered, do not treat it as 0. Instead, return PAM_SERVICE_ERR as specified in comment.

  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_succeed_if: allow very long field values | Tobias Stoeckmann | 2024-01-14 | 1 | -23/+16
  Fields are currently written to stack buffer, even if they already exist in heap. Just reference them in this case.

  If numbers have to be stored as a string, use a stack buffer sufficiently large for the long long conversion (64 bit).

  Also adjust the "left != buf" check to allow this change. It is simply the else-statement to previous if-else-if-block, because in every other case left is set to buf.

  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* treewide: remove unused defines | Tobias Stoeckmann | 2024-01-13 | 3 | -6/+0
  These are leftovers from fgets usages.

  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_usertype: do not call pam_sm_authenticate | Dmitry V. Levin | 2024-01-13 | 1 | -11/+21
  Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module.

  * modules/pam_usertype/pam_usertype.c (pam_sm_authenticate): Rename to pam_usertype, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_usertype.
* pam_succeed_if: do not call pam_sm_authenticate | Dmitry V. Levin | 2024-01-13 | 1 | -11/+21
  Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module.

  * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Rename to pam_succeed_if, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_succeed_if.
* pam_sepermit: do not call pam_sm_authenticate | Dmitry V. Levin | 2024-01-13 | 1 | -6/+12
  Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module.

  * modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Rename to pam_sepermit, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_sepermit.
* pam_localuser: do not call pam_sm_authenticate | Dmitry V. Levin | 2024-01-13 | 1 | -11/+21
  Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module.

  * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Rename to pam_localuser, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_localuser.
* pam_listfile: do not call pam_sm_authenticate | Dmitry V. Levin | 2024-01-13 | 1 | -17/+23
  Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module.

  * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Rename to pam_listfile, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_listfile.
* pam_lastlog: do not call pam_sm_authenticate | Dmitry V. Levin | 2024-01-13 | 1 | -4/+10
  Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module.

  * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Rename to pam_auth, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_auth.
* pam_access: do not call pam_sm_authenticate | Dmitry V. Levin | 2024-01-13 | 1 | -12/+18
  Calling an exported function from the module is unsafe as there is no guarantee that the function that will be actually called is the one that is provided by the module.

  * modules/pam_access/pam_access.c (pam_sm_authenticate): Rename to pam_access, add static qualifier, remove "flags" argument. Update all callers. Add a new pam_sm_authenticate as a thin wrapper around pam_access.
* pam_listfile: log all option errors | Dmitry V. Levin | 2024-01-13 | 1 | -15/+38
  The parser of module options used to bail out after the first option error without checking other options. With this change, while the return code semantics remains unchanged, all option errors are logged.

  * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Log all option errors.
* pam_listfile: consistently log unknown options | Dmitry V. Levin | 2024-01-13 | 1 | -2/+6
  In most cases the parser of module options already logs unknown options before returning, but in two cases it didn't.

  * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Log unknown onerr= and sense= options.
* pam_access: add quiet_log option | Andreas Vögele | 2024-01-13 | 2 | -3/+24
  If quiet_log option is specified, no "access denied" message is logged.

  * modules/pam_access/pam_access.c (struct login_info): Add quiet_log.
  (parse_args): Initialize it.
  (pam_sm_authenticate): Use it.
  * modules/pam_access/pam_access.8.xml: Document quiet_log option.

  Closes: https://github.com/linux-pam/linux-pam/issues/706
* pam_listfile: treat \r like \n | Tobias Stoeckmann | 2024-01-12 | 1 | -7/+2
  The characters \r and \n are replaced by NUL byte. Treat a line which is empty after removal of \r just like lines which are empty after the removal of \n.

  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: allow escaping of escape character | Tobias Stoeckmann | 2024-01-12 | 2 | -3/+3
  Otherwise it is not possible to add \ into an environment variable.

  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* modules: simplify newline removal | Tobias Stoeckmann | 2024-01-12 | 3 | -17/+5
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_debug: simplify state function | Tobias Stoeckmann | 2024-01-12 | 1 | -8/+2
  The return value of function state is never checked.

  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: fix Makefile.am dependencies | Tobias Stoeckmann | 2024-01-12 | 1 | -1/+1
  Comply with doc/man and enforce that pam_env.conf.5 does exist.

  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* treewide: strictly separate builddir and srcdir | Tobias Stoeckmann | 2024-01-12 | 45 | -45/+45
  Building outside of source directory fails if --disable-doc is not explicitly chosen. This happens because generated files are sometimes expected in the source directory, where they won't exist.

  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: build unix_update only with SELinux enabled | Christian Göttsche | 2024-01-08 | 1 | -3/+16
  The helper unix_update(8) is only called from code enabled when SELinux support is enabled.