aboutsummaryrefslogtreecommitdiff
path: root/modules
Commit message (Collapse)AuthorAgeFilesLines
...
* Make maxclassrepeat=1 behavior consistent with docs (#9)Saul Johnson2017-03-101-1/+1
| | | * modules/pam_cracklib/pam_cracklib.c (simple): Apply the maxclassrepeat when greater than 0.
* Properly test for strtol() failure to find any digits.Josef Moellers2017-02-091-1/+1
| | | | | * modules/pam_access/pam_access.c (network_netmask_match): Test for endptr set to beginning and not NULL.
* pam_exec: fix a potential null pointer dereferenceDaniel Abrecht2017-01-191-3/+6
| | | | | | | | | | Fix a null pointer dereference when pam_prompt returns PAM_SUCCESS but the response is set to NULL. * modules/pam_exec/pam_exec.c (call_exec): Do not invoke strndupa with a null pointer. Closes: https://github.com/linux-pam/linux-pam/pull/2
* Add missing comma in the limits.conf.5 manpage.Antonio Ospite2016-12-071-1/+1
| | | | * modules/pam_limits/limits.conf.5.xml: add a missing comma
* pam_access: First check for the (group) match.Tomas Mraz2016-11-011-4/+4
| | | | | | | The (group) match is performed first to allow for groups containing '@'. * modules/pam_access/pam_access.c (user_match): First check for the (group) match.
* pam_ftp: Properly use the first name from the supplied listTomas Mraz2016-10-171-9/+12
| | | | | | * modules/pam_ftp/pam_ftp.c (lookup): Return first user from the list of anonymous users if user name matches. (pam_sm_authenticate): Free the returned value allocated in lookup().
* pam_issue: Fix no prompting in parse escape codes mode.Bartos-Elekes Zsolt2016-09-121-1/+1
| | | | * modules/pam_issue/pam_issue.c (read_issue_quoted): Fix misplaced strcat().
* Unification and cleanup of syslog log levels.Tomas Mraz2016-06-3024-78/+78
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * libpam/pam_handlers.c: Make memory allocation failures LOG_CRIT. * libpam/pam_modutil_priv.c: Make memory allocation failures LOG_CRIT. * modules/pam_echo/pam_echo.c: Make memory allocation failures LOG_CRIT. * modules/pam_env/pam_env.c: Make memory allocation failures LOG_CRIT. * modules/pam_exec/pam_exec.c: Make memory allocation failures LOG_CRIT. * modules/pam_filter/pam_filter.c: Make all non-memory call errors LOG_ERR. * modules/pam_group/pam_group.c: Make memory allocation failures LOG_CRIT. * modules/pam_issue/pam_issue.c: Make memory allocation failures LOG_CRIT. * modules/pam_lastlog/pam_lastlog.c: The lastlog file creation is syslogged with LOG_NOTICE, memory allocation errors with LOG_CRIT, other errors with LOG_ERR. * modules/pam_limits/pam_limits.c: User login limit messages are syslogged with LOG_NOTICE, stale utmp entry with LOG_INFO, non-memory errors with LOG_ERR. * modules/pam_listfile/pam_listfile.c: Rejection of user is syslogged with LOG_NOTICE. * modules/pam_namespace/pam_namespace.c: Make memory allocation failures LOG_CRIT. * modules/pam_nologin/pam_nologin.c: Make memory allocation failures LOG_CRIT, other errors LOG_ERR. * modules/pam_securetty/pam_securetty.c: Rejection of access is syslogged with LOG_NOTICE, non-memory errors with LOG_ERR. * modules/pam_selinux/pam_selinux.c: Make memory allocation failures LOG_CRIT. * modules/pam_succeed_if/pam_succeed_if.c: Make all non-memory call errors LOG_ERR. * modules/pam_time/pam_time.c: Make memory allocation failures LOG_CRIT. * modules/pam_timestamp/pam_timestamp.c: Make memory allocation failures LOG_CRIT. * modules/pam_unix/pam_unix_acct.c: Make all non-memory call errors LOG_ERR. * modules/pam_unix/pam_unix_passwd.c: Make memory allocation failures LOG_CRIT, other errors LOG_ERR. * modules/pam_unix/pam_unix_sess.c: Make all non-memory call errors LOG_ERR. * modules/pam_unix/passverify.c: Unknown user is syslogged with LOG_NOTICE. * modules/pam_unix/support.c: Unknown user is syslogged with LOG_NOTICE and max retries ignorance by application likewise. * modules/pam_unix/unix_chkpwd.c: Make all non-memory call errors LOG_ERR. * modules/pam_userdb/pam_userdb.c: Password authentication error is syslogged with LOG_NOTICE. * modules/pam_xauth/pam_xauth.c: Make memory allocation failures LOG_CRIT.
* pam_timestamp: fix typo in strncmp usageDmitry V. Levin2016-06-141-1/+1
| | | | | | | | | | | | Before this fix, a typo in check_login_time resulted to ruser and struct utmp.ut_user being compared by the first character only, which in turn could lead to a too low timestamp value being assigned to oldest_login, effectively causing bypass of check_login_time. * modules/pam_timestamp/pam_timestamp.c (check_login_time): Fix typo in strncmp usage. Patch-by: Anton V. Boyarshinov <boyarsh@altlinux.org>
* Remove spaces in examples for access.conf.Tomas Mraz2016-05-112-25/+25
| | | | | | | | The spaces are ignored only with the default listsep. To remove confusion if non-default listsep is used they are removed from the examples. * modules/pam_access/access.conf: Remove all spaces around ':' in examples. * modules/pam_access/access.conf.5.xml: Likewise.
* pam_wheel: Correct the documentation of the root_only option.Tomas Mraz2016-04-191-1/+2
| | | | | * modules/pam_wheel/pam_wheel.8.xml: Correct the documentation of the root_only option.
* pam_unix: Document that MD5 password hash is used to store old passwords.Tomas Mraz2016-04-191-0/+2
| | | | | modules/pam_unix/pam_unix.8.xml: Document that the MD5 password hash is used to store the old passwords when remember option is set.
* pam_unix: Use pam_get_authtok() instead of direct pam_prompt() calls.Tomas Mraz2016-04-065-208/+23
| | | | | | | | | | | | | | | | We have to drop support for not_set_pass option which is not much useful anyway. Instead we get proper support for authtok_type option. * modules/pam_unix/pam_unix.8.xml: Removed not_set_pass option, added authtok_ty pe option. * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace _unix_read_pas sword() call with equivalent pam_get_authtok() call. * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise and also drop support for not_set_pass. * modules/pam_unix/support.c (_unix_read_password): Remove. * modules/pam_unix/support.h: Remove UNIX_NOT_SET_PASS add UNIX_AUTHTOK_TYPE.
* pam_unix: Make password expiration messages more user-friendly.Tomas Mraz2016-04-041-2/+2
| | | | | * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Make password expiration messages more user-friendly.
* innetgr may not be there so make sure that when innetgr is not presentThorsten Kukuk2016-04-043-4/+21
| | | | | | | | | | | then we inform about it and not use it. [ticket#46] * modules/pam_group/pam_group.c: ditto * modules/pam_succeed_if/pam_succeed_if.c: ditto * modules/pam_time/pam_time.c: ditto Signed-off-by: Khem Raj <raj.khem at gmail.com> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* Fix whitespace issuesDmitry V. Levin2016-04-017-7/+0
| | | | | | | | | | | | | | | | Remove blank lines at EOF introduced by commit a684595c0bbd88df71285f43fb27630e3829121e, making the project free of warnings reported by git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD * libpam/pam_dynamic.c: Remove blank line at EOF. * modules/pam_echo/pam_echo.c: Likewise. * modules/pam_keyinit/pam_keyinit.c: Likewise. * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise. * modules/pam_pwhistory/pam_pwhistory.c: Likewise. * modules/pam_rhosts/pam_rhosts.c: Likewise. * modules/pam_sepermit/pam_sepermit.c: Likewise. * modules/pam_stress/pam_stress.c: Likewise.
* Use TI-RPC functions if we compile and link against libtirpc.Thorsten Kukuk2016-04-011-1/+72
| | | | | | | | The old SunRPC functions don't work with IPv6. * configure.ac: Set and restore CPPFLAGS * modules/pam_unix/pam_unix_passwd.c: Replace getrpcport with rpcb_getaddr if available.
* Remove "--enable-static-modules" option and support fromThorsten Kukuk2016-03-2950-871/+128
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Linux-PAM. It was never official supported and was broken since years. * configure.ac: Remove --enable-static-modules option. * doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN. * doc/man/pam_sm_authenticate.3.xml: Likewise. * doc/man/pam_sm_chauthtok.3.xml: Likewise. * doc/man/pam_sm_close_session.3.xml: Likewise. * doc/man/pam_sm_open_session.3.xml: Likewise. * doc/man/pam_sm_setcred.3.xml: Likewise. * libpam/Makefile.am: Remove STATIC_MODULES cases. * libpam/include/security/pam_modules.h: Remove PAM_STATIC parts. * libpam/pam_dynamic.c: Likewise. * libpam/pam_handlers.c: Likewise. * libpam/pam_private.h: Likewise. * libpam/pam_static.c: Remove file. * libpam/pam_static_modules.h: Remove header file. * modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts. * modules/pam_cracklib/pam_cracklib.c: Likewise. * modules/pam_debug/pam_debug.c: Likewise. * modules/pam_deny/pam_deny.c: Likewise. * modules/pam_echo/pam_echo.c: Likewise. * modules/pam_env/pam_env.c: Likewise. * modules/pam_exec/pam_exec.c: Likewise. * modules/pam_faildelay/pam_faildelay.c: Likewise. * modules/pam_filter/pam_filter.c: Likewise. * modules/pam_ftp/pam_ftp.c: Likewise. * modules/pam_group/pam_group.c: Likewise. * modules/pam_issue/pam_issue.c: Likewise. * modules/pam_keyinit/pam_keyinit.c: Likewise. * modules/pam_lastlog/pam_lastlog.c: Likewise. * modules/pam_limits/pam_limits.c: Likewise. * modules/pam_listfile/pam_listfile.c: Likewise. * modules/pam_localuser/pam_localuser.c: Likewise. * modules/pam_loginuid/pam_loginuid.c: Likewise. * modules/pam_mail/pam_mail.c: Likewise. * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise. * modules/pam_motd/pam_motd.c: Likewise. * modules/pam_namespace/pam_namespace.c: Likewise. * modules/pam_nologin/pam_nologin.c: Likewise. * modules/pam_permit/pam_permit.c: Likewise. * modules/pam_pwhistory/pam_pwhistory.c: Likewise. * modules/pam_rhosts/pam_rhosts.c: Likewise. * modules/pam_rootok/pam_rootok.c: Likewise. * modules/pam_securetty/pam_securetty.c: Likewise. * modules/pam_selinux/pam_selinux.c: Likewise. * modules/pam_sepermit/pam_sepermit.c: Likewise. * modules/pam_shells/pam_shells.c: Likewise. * modules/pam_stress/pam_stress.c: Likewise. * modules/pam_succeed_if/pam_succeed_if.c: Likewise. * modules/pam_tally/pam_tally.c: Likewise. * modules/pam_tally2/pam_tally2.c: Likewise. * modules/pam_time/pam_time.c: Likewise. * modules/pam_timestamp/pam_timestamp.c: Likewise. * modules/pam_tty_audit/pam_tty_audit.c: Likewise. * modules/pam_umask/pam_umask.c: Likewise. * modules/pam_userdb/pam_userdb.c: Likewise. * modules/pam_warn/pam_warn.c: Likewise. * modules/pam_wheel/pam_wheel.c: Likewise. * modules/pam_xauth/pam_xauth.c: Likewise. * modules/pam_unix/Makefile.am: Remove STATIC_MODULES part. * modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part. * modules/pam_unix/pam_unix_auth.c: Likewise. * modules/pam_unix/pam_unix_passwd.c: Likewise. * modules/pam_unix/pam_unix_sess.c: Likewise. * modules/pam_unix/pam_unix_static.c: Removed. * modules/pam_unix/pam_unix_static.h: Removed. * po/POTFILES.in: Remove removed files. * tests/tst-dlopen.c: Remove PAM_STATIC part.
* Fix check for libtirpc and enhance check for libnsl to includeThorsten Kukuk2016-03-241-2/+2
| | | | | | | new libnsl. * configure.ac: fix setting of CFLAGS/LIBS, enhance libnsl check * modules/pam_unix/Makefile.am: replace NIS_* with TIRPC_* and NSL_*
* Remove YP dependencies from pam_access, they were never usedThorsten Kukuk2016-03-232-10/+2
| | | | | | | | and such not needed. * modules/pam_access/Makefile.am: Remove NIS_CFLAGS and NIS_LIBS * modules/pam_access/pam_access.c: Remove yp_get_default_domain case, it will never be used.
* Add checks for localtime() returning NULL.Tomas Mraz2016-03-042-10/+11
| | | | | | | * modules/pam_lastlog/pam_lastlog.c (last_login_read): Check for localtime_r returning NULL. * modules/pam_tally2/pam_tally2.c (print_one): Check for localtime returning NULL.
* pam_unix: Silence warnings and fix a minor bug.Tomas Mraz2016-03-042-8/+2
| | | | | | | | | Fixes a minor bug in behavior when is_selinux_enabled() returned negative value. * modules/pam_unix/passverify.c: Add parentheses to SELINUX_ENABLED macro. (unix_update_shadow): Safe cast forwho to non-const char *. * modules/pam_unix/support.c: Remove unused SELINUX_ENABLED macro.
* pam_env: Document the /etc/environment file.Tomas Mraz2016-02-173-3/+17
| | | | | | | * modules/pam_env/Makefile.am: Add the environment.5 soelim stub. * modules/pam_env/pam_env.8.xml: Add environ(7) reference. * modules/pam_env/pam_env.conf.5.xml: Add environment alias name. Add a paragraph about /etc/environment. Add environ(7) reference.
* pam_unix: Add no_pass_expiry option to ignore password expiration.Tomas Mraz2016-02-174-11/+47
| | | | | | | | | | | | * modules/pam_unix/pam_unix.8.xml: Document the no_pass_expiry option. * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): If no_pass_expiry is on and return value data is not set to PAM_SUCCESS then ignore PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED returns. * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Always set the return value data. (pam_sm_setcred): Test for likeauth option and use the return value data only if set. * modules/pam_unix/support.h: Add the no_pass_expiry option.
* pam_unix: Change the salt length for new hashes to 16 charactersTomas Mraz2016-01-251-5/+2
| | | | | * modules/pam_unix/passverify.c (create_password_hash): Change the salt length for new hashes to 16 characters.
* pam_tally2: Optionally log the tally count when checking.Tomas Mraz2015-12-162-5/+24
| | | | | * modules/pam_tally2/pam_tally2.c (tally_parse_args): Add debug option. (tally_check): Always log the tally count with debug option.
* pam_loginuid: Add syslog message if required auditd is not detected.Tomas Mraz2015-09-241-0/+2
| | | | | * modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Add syslog message if required auditd is not detected.
* pam_rootok: use rootok permission instead of passwd permission in SELinux check.Tomas Mraz2015-08-121-1/+1
| | | | | * modules/pam_rootok/pam_rootok.c (selinux_check_root): Use rootok instead of passwd permission.
* pam_timestamp: Avoid leaking file descriptor.Amarnath Valluri2015-08-051-0/+1
| | | | | | | * modules/pam_timestamp/hmacsha1.c(hmac_key_create): close 'keyfd' when failed to own it. Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
* Release version 1.2.1Thorsten Kukuk2015-06-227-14/+37
| | | | | | | | | | | | | | | | | | | | | | | | Security fix: CVE-2015-3238 If the process executing pam_sm_authenticate or pam_sm_chauthtok method of pam_unix is not privileged enough to check the password, e.g. if selinux is enabled, the _unix_run_helper_binary function is called. When a long enough password is supplied (16 pages or more, i.e. 65536+ bytes on a system with 4K pages), this helper function hangs indefinitely, blocked in the write(2) call while writing to a blocking pipe that has a limited capacity. With this fix, the verifiable password length will be limited to PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix. * NEWS: Update * configure.ac: Bump version * modules/pam_exec/pam_exec.8.xml: document limitation of password length * modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE * modules/pam_unix/pam_unix.8.xml: document limitation of password length * modules/pam_unix/pam_unix_passwd.c: limit password length * modules/pam_unix/passverify.c: Likewise * modules/pam_unix/passverify.h: Likewise * modules/pam_unix/support.c: Likewise
* Fix some grammatical errors in documentation.Thorsten Kukuk2015-04-277-8/+8
| | | | | | | | | | | | | | | | | Patch by Louis Sautier * doc/adg/Linux-PAM_ADG.xml: Fix gramatical errors. * doc/man/pam.3.xml: Likewise. * doc/man/pam_acct_mgmt.3.xml: Likewise. * doc/man/pam_chauthtok.3.xml: Likewise. * doc/man/pam_sm_chauthtok.3.xml: Likewise. * modules/pam_limits/limits.conf.5.xml: Likewise. * modules/pam_mail/pam_mail.8.xml: Likewise. * modules/pam_rhosts/pam_rhosts.c: Likewise. * modules/pam_shells/pam_shells.8.xml: Likewise. * modules/pam_tally/pam_tally.8.xml: Likewise. * modules/pam_tally2/pam_tally2.8.xml: Likewise. * modules/pam_unix/pam_unix.8.xml: Likewise.
* Add "quiet" option to pam_unix to suppress informential infoThorsten Kukuk2015-04-233-6/+25
| | | | | | | | | messages from session. * modules/pam_unix/pam_unix.8.xml: Document new option. * modules/pam_unix/support.h: Add quiet option. * modules/pam_unix/pam_unix_sess.c: Don't print LOG_INFO messages if 'quiet' option is set.
* Use crypt_r if available in pam_userdb and in pam_unix.Tomas Mraz2015-04-072-7/+35
| | | | | | | * modules/pam_unix/passverify.c (create_password_hash): Call crypt_r() instead of crypt() if available. * modules/pam_userdb/pam_userdb.c (user_lookup): Call crypt_r() instead of crypt() if available.
* pam_env: expand @{HOME} and @{SHELL} and enhance documentationThorsten Kukuk2015-03-253-19/+46
| | | | | | | | (Ticket#24 and #29) * modules/pam_env/pam_env.c: Replace @{HOME} and @{SHELL} with passwd entries * modules/pam_env/pam_env.conf.5.xml: Document @{HOME} and @{SHELL} * modules/pam_env/pam_env.8.xml: Enhance documentation
* Clarify pam_access docs re PAM service names and X $DISPLAY value testing.Thorsten Kukuk2015-03-242-10/+35
| | | | | | | | | (Ticket #39) * modules/pam_access/access.conf.5.xml * modules/pam_access/pam_access.8.xml Signed-off-by: Karl O. Pinc <kop at meme.com>
* Don't use sudo directory, the timestamp format is different (Ticket#32)Thorsten Kukuk2015-03-241-1/+2
| | | | * modules/pam_timestamp/pam_timestamp.c: Change default timestamp directory.
* Enhance group.conf examples (Ticket#35)Thorsten Kukuk2015-03-241-3/+3
| | | | * modules/pam_group/group.conf.5.xml: Enhance example by logic group entry.
* Document timestampdir option (Ticket#33)Thorsten Kukuk2015-03-241-2/+17
| | | | * modules/pam_timestamp/pam_timestamp.8.xml: Add timestampdir option.
* pam_succeed_if: Fix copy&paste error in rhost and tty values.Tomas Mraz2014-10-171-2/+2
| | | | | modules/pam_succeed_if/pam_succeed_if.c (evaluate): Use PAM_RHOST and PAM_TTY properly for the rhost and tty values.
* pam_succeed_if: Use long long type for numeric valuesTomas Mraz2014-10-171-10/+10
| | | | | | | | | The currently used long with additional conversion to int is too small for uids and gids. modules/pam_succeed_if/pam_succeed_if.c (evaluate_num): Replace strtol() with strtoll() and int with long long in the parameters of comparison functions.
* pam_mkhomedir: Drop superfluous stat() call.Tomas Mraz2014-08-261-15/+1
| | | | | modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Drop superfluous stat() call.
* pam_exec: Do not depend on open() returning STDOUT_FILENO.Tomas Mraz2014-08-261-1/+11
| | | | | modules/pam_exec/pam_exec.c (call_exec): Move the descriptor to STDOUT_FILENO if needed.
* pam_keyinit: Check return value of setregid.Robin Hack2014-08-251-1/+2
| | | | modules/pam_keyinit/pam_keyinit.c (pam_sm_open_session): Log if setregid() fails.
* pam_filter: Avoid leaking descriptors when fork() fails.Robin Hack2014-08-251-0/+5
| | | | modules/pam_filter/pam_filter.c (set_filter): Close descriptors when fork() fails.
* pam_echo: Avoid leaking file descriptor.Robin Hack2014-08-141-2/+9
| | | | modules/pam_echo/pam_echo.c (pam_echo): Close fd in error cases.
* pam_tty_audit: Silence Coverity reporting uninitialized use.Robin Hack2014-08-131-0/+1
| | | | | modules/pam_tty_audit/pam_tty_audit.c (nl_recv): Initialize also msg_flags.
* pam_tally2: Avoid uninitialized use of fileinfo.Tomas Mraz2014-08-131-4/+1
| | | | | | Problem found by Robin Hack <rhack@redhat.com>. modules/pam_tally2/pam_tally2.c (get_tally): Do not depend on file size just try to read it.
* pam_access: Avoid uninitialized access of line.Tomas Mraz2014-08-131-2/+2
| | | | | * modules/pam_access/pam_access.c (login_access): Reorder condition so line is not accessed when uninitialized.
* pam_lastlog: Properly clean up last_login structure before use.Tomas Mraz2014-08-051-2/+2
| | | | | modules/pam_lastlog/pam_lastlog.c (last_login_write): Properly clean up last_login structure before use.
* Make pam_pwhistory and pam_unix tolerant of corrupted opasswd file.Tomas Mraz2014-07-212-2/+19
| | | | | | | * modules/pam_pwhistory/opasswd.c (parse_entry): Test for missing fields in opasswd entry and return error. * modules/pam_unix/passverify.c (save_old_password): Test for missing fields in opasswd entry and skip it.
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-10 15:28:48 +0000