| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
An array of strings is allocated (into a pointer) so the single array
element to be allocated is char*.
Since sizeof(char**) should be always equal to sizeof(char*) this caused
no issues so far.
Reported by Clang analyzer:
pam_env.c:391:14: warning: Result of 'malloc' is converted to a pointer of type 'char *', which is incompatible with sizeof operand type 'char **' [unix.MallocSizeof]
391 | *lines = malloc((i + 1)* sizeof(char**));
| ^~~~~~ ~~~~~~~~~~~~~~
pam_env.c:401:13: warning: Result of 'realloc' is converted to a pointer of type 'char *', which is incompatible with sizeof operand type 'char **' [unix.MallocSizeof]
401 | tmp = realloc(*lines, (++i + 1) * sizeof(char**));
| ^~~~~~~ ~~~~~~~~~~~~~~
|
| |
|
|
| |
Closes: #575
|
| |
|
|
| |
The padding block is only read from via memcpy(3).
|
| |
|
|
|
|
|
|
| |
Character handling functions, like isspace(3), expect a value
representable as unsigned char or equal to EOF. Otherwise the behavior
is undefined.
See https://wiki.sei.cmu.edu/confluence/display/c/STR37-C.+Arguments+to+character-handling+functions+must+be+representable+as+an+unsigned+char
|
| | |
|
| |
|
|
|
|
|
| |
pam_selinux uses audit_log_user_message to write to the audit system.
It does not take an op argument, so you have to add one yourself. Otherwise
the pam_selinux part of the message is lost because it's not in key=value
format.
|
| |
|
|
|
|
|
|
|
|
|
| |
pam_faillock uses audit_log_user_message to write to the audit system.
It does not take an op argument, so you have to add one yourself. Otherwise
the pam_faillock part of the message is lost because it's not in key=value
format.
Also, we can't use uid in that event because the kernel already adds that
field. What we normally do is use 'suid' (meaning sender uid) as the
field name.
|
| |
|
|
|
|
| |
* modules/pam_access/pam_access.c (network_netmask_match): Don't print
an error if a string is not resolveable, only a debug message in debug
mode. We even don't know if that entry is for remote logins or not.
|
| |
|
|
|
|
|
| |
* modules/pam_access/access.conf.5.xml: Add example and note for IPv6
link-local addresses
* modules/pam_access/access.conf: Add example for IPv6 link-local
addresses
|
| |
|
|
|
|
|
|
| |
This change improves the fallback values for the "rounds" parameter for
yescrypt and blowfish by using the smallest reasonable value if the
user sets a too low value and by using the highest reasonable value
if the user sets a too high value. This better realizes user intent
and is consistent with the approach taken for SHA256.
|
| |
|
|
|
|
|
|
| |
* configure.ac: add `gdbm` option to `enable-db`
* modules/pam_userdb/pam_userdb.c: conditionally provide database access
depending on the database technology
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
| |
|
|
|
|
|
|
| |
retval was being defined only in #ifdef HAVE_CRYPT_R, but used
unconditionally.
Signed-off-by: Bernhard Rosenkränzer <bero@lindev.ch>
Fixes: bcba17939e1b ("modules: make use of secure memory erasure")
|
| |
|
|
| |
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
| |
Until before, in this case PAM_AUTH_ERR was returned. This leads to unknown
users being logged with the unknown username.
Now it resembles the behaviour of other modules like pam_unix in this case.
|
| |
|
|
|
|
|
|
| |
Allocate the path buffer in check_acl() dynamically using asprintf(),
so there is no need to use a PATH_MAX-fixed size buffer. The fallback
PATH_MAX definition is no more needed, thus is dropped.
Make sure that paths too long still result in PAM_SESSION_ERR.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To support OSes without PATH_MAX (which is optional in POSIX), there are
two code paths for the 'newsource' and 'newdest' variables: one using
a PATH_MAX-sized stack buffer, and one using heap allocation. The second
is even more complicated than needed, doing manual calculations and
allocations.
To simplify the code a bit more, easing its maintenance, unify the two
using asprintf() to allocate 'newsource' and 'newdest': the extra
allocation needed should not be an issue, since this code runs in a
separate helper executable.
As additional change for this simplification, remove the reset to the
two variables to NULL right after their free(), which is not needed
since their scopes end.
|
| |
|
|
|
|
|
|
|
|
| |
Even if this module is supported officially on Linux, make sure it can
still build fine on non-Linux OSes, to ease its testing/fixing a bit:
- build parse_kernel_limits() and stuff needed for it only on Linux,
as it is called already only on Linux
- limit the code needed to apply the 'nonewprivs' options to Linux only,
as it uses a Linux-specific way to set it; add a syslog message for
other OSes
|
| |
|
|
|
|
|
| |
On some systems (e.g. GNU/Hurd), read() succeeds on the fd of a
directory; since the module assumes that read() fails (and thus
pam_modutil_read() as well), manually fail in case the open fd refers
to a directory.
|
| |
|
|
|
| |
PATH_MAX is optional in POSIX, and not defined on GNU/Hurd; hence,
in case it is not defined, define BUFLEN directly to LINE_MAX.
|
| |
|
|
|
| |
Allocate the buffers dynamically using asprintf(), so there is no need
to use PATH_MAX-fixed size buffers.
|
| |
|
|
|
|
|
|
| |
GCC and Clang only define the macro `linux` when using the GNU dialect
of C (e.g. -std=gnu11 instead of -std=c11). Since `linux` is also not
in a reserved namespace it might be target of collisions.
Use the canonical macro `__linux__` instead (already used in
pam_limits.c).
|
| |
|
|
|
|
|
| |
* modules/pam_succeed_if/pam_succeed_if.c (evaluate): Do not use the
result of keyword substitution for keyword match.
Resolves: https://github.com/linux-pam/linux-pam/issues/560
|
| |
|
|
|
|
|
| |
* modules/pam_timestamp/Makefile.am: Only build hmacfile target when
openssl isn't enabled.
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
| | |
|
| |
|
|
|
|
| |
configure.ac: Disable NIS if RPC or YP header files are missing
modules/pam_unix/support.c: Use HAVE_NIS to check for header file presence
modules/pam_unix/pam_unix_passwd.c: Use HAVE_NIS, too
|
| |
|
|
| |
This should fix shellcheck warning SC2004.
|
| |
|
|
|
|
|
|
|
|
| |
bcba17939e1b1a568cd4a764534cde74d37078cc started using pam_overwrite_n()
without providing the definition to this function, which causes a build
failure.
modules/pam_timestamp/hmac_openssl_wrapper.c: include pam_inline.h
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use empty initialization of structs to minimize the memset() usage, to
reduce the amount of calls which are not sensitive.
Non trivial changes:
- pam_env:
* erase environment variables where possible
- pam_exec:
* erase responce on error
* erase auth token
- pam_pwhistory:
* erase buffers containing old passwords
- pam_selinux: skip overwriting data structure consisting of only
pointers to insensitive data, which also gets free'd afterwards (so
it currently does not protect against double-free or use-after-free on
the member pointers)
- pam_unix: erase cipher data in more places
- pam_userdb: erase password hashes
|
| |
|
|
|
|
| |
Free the environment variables list via the designated helper
free_string_array() rather than free its elements in a loop, which might
skip some.
|
| |
|
|
|
| |
On failure the content of the string pointer passed to asprintf(3) is
undefined. Set to NULL before free'ing the parent array.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The struct utmp from glibc uses on many 64bit architectures a 32bit
time_t for compatibility with a 32bit userland, which means utmp will
not survive the year 2038 (32bit time_t overflow). Use the data from
logind instead of utmp.
* configure.ac: Add option --enable-logind
* modules/pam_issue/Makefile.am: Add CFLAGS/LIBS for logind support
* modules/pam_issue/pam_issue.c: Use sd_get_sessions instead of utmp
* modules/pam_timestamp/Makefile.am: Add CFLAGS/LIBS for logind support
* modules/pam_timestamp/pam_timestamp.c: query logind for login time
|
| |
|
|
|
|
|
|
|
| |
Otherwise the corresponding files are still installed in /etc/security.
* configure.ac (AC_SUBST): Add VENDOR_SCONFIGDIR.
(AM_CONDITIONAL): Add HAVE_VENDORDIR.
* modules/*/Makefile.am (secureconfdir): Set to VENDOR_SCONFIGDIR
if HAVE_VENDORDIR has been set, otherwise to SCONFIGDIR.
|
| |
|
|
|
|
|
| |
* modules/pam_env/tst-pam_env-retval.c: Include <errno.h> and <libgen.h>.
[VENDORDIR] (dir, dir_usr, dir_usr_etc): Remove.
[VENDORDIR] (mkdir_p, rmdir_p): New functions.
(setup, cleanup) [VENDORDIR]: Use them.
|
| |
|
|
|
|
|
|
| |
* modules/pam_env/tst-pam_env-retval.c: Replace /usr/etc/security with
VENDOR_SCONFIGDIR, /usr/etc with VENDORDIR. Do not define and use
VENDORDIR based variables unless VENDORDIR is defined.
Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
|
| |
|
|
|
|
| |
* modules/pam_env/pam_env.conf.5.xml: Replace /usr/etc with %vendordir%.
Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
|
| |
|
|
|
|
|
| |
* modules/pam_env/pam_env.c (VENDOR_DEFAULT_ETC_ENVFILE): Assume that
VENDORDIR already includes "/etc".
Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
|
| |
|
|
|
|
|
|
|
| |
* configure.ac: Define HAVE_NIS if NIS is enabled.
* modules/pam_unix/Makefile.am: Don't link against yppasswd_xdr.c
if NIS is disabled.
* modules/pam_unix/pam_unix_passwd.c: Don't redefine HAVE_NIS.
Resolves: https://github.com/linux-pam/linux-pam/issues/523
|
| |
|
|
|
|
| |
* modules/pam_unix/pam_unix_passwd.c: Wrap checks for configure macros
into defined() operator.
* m4/warn_lang_flags.m4 (gl_WARN_ADD): Add -Wundef.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Use the vendor directory defined by --enable-vendordir=DIR configure
option as fallback for the distribution provided default config file
if there is no configuration in /etc.
* modules/pam_pwhistory/pam_pwhistory.8.xml: Describe pwhistory.conf
* modules/pam_pwhistory/pwhistory_config.c [VENDOR_SCONFIGDIR]
(VENDOR_PWHISTORY_DEFAULT_CONF): New macro.
(parse_config_file) [VENDOR_PWHISTORY_DEFAULT_CONF]: Try to open
VENDOR_PWHISTORY_DEFAULT_CONF if PWHISTORY_DEFAULT_CONF file does not
exist.
|
| |
|
|
|
|
| |
* modules/pam_pwhistory/tst-pam_pwhistory-retval.c: New file.
* modules/pam_pwhistory/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_pwhistory_retval_LDADD): New variables.
|
| |
|
|
|
|
|
| |
Regenerate yppasswd.h and yppasswd_xdr.c from yppasswd.x (libnsl) to
avoid GPL code in a PAM module.
Link: https://github.com/thkukuk/libnsl/blob/master/src/rpcsvc/yppasswd.x
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
security_getenforce(3) can return -1 on error; either because the
selinuxfs is not mounted or reading from /sys/fs/selinux/enforce failed.
Since security_getenforce(3) is either called after an approving call to
is_selinux_enabled(3) in create_context() or with populated module
data in restore_context(), which requires a previous pass of
create_context(), the selinuxfs should be mounted.
Reading from /sys/fs/selinux/enforce should never fail (except being
prohibited by the SElinux policy itself) since it is a public interface.
In the unlikely case of security_getenforce(3) nevertheless failing
continue execution as if the result was enforcing (likewise to
pam_sepermit and pam_rootok).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
clang-14 insists on issuing the following warning:
In file included from md5_good.c:4:
md5.c:92:15: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
byteReverse(ctx->in.c, 16);
^
md5.c:101:15: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
byteReverse(ctx->in.c, 16);
^
md5.c:136:15: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
byteReverse(ctx->in.c, 16);
^
md5.c:145:14: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
byteReverse(ctx->in.c, 14);
^
md5.c:151:14: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
byteReverse(ctx->buf.c, 4);
^
* modules/pam_unix/md5.c (byteReverse): Use uint32 instead of
uint8_aligned, update all users.
(uint8_aligned): Remove unused type.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
gcc-12 insists on issuing the following warning:
In file included from /usr/include/string.h:535,
from pam_limits.c:24:
In function 'strncat',
inlined from 'check_logins' at pam_limits.c:287:6,
inlined from 'setup_limits' at pam_limits.c:1066:13,
inlined from 'pam_sm_open_session' at pam_limits.c:1267:14:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:138:10: error: '__builtin___strncat_chk' argument 2 declared attribute 'nonstring' [-Werror=stringop-overread]
138 | return __builtin___strncat_chk (__dest, __src, __len,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
139 | __glibc_objsize (__dest));
| ~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from /usr/include/utmp.h:29,
from pam_limits.c:37:
/usr/include/x86_64-linux-gnu/bits/utmp.h: In function 'pam_sm_open_session':
/usr/include/x86_64-linux-gnu/bits/utmp.h:66:8: note: argument 'ut_user' declared here
66 | char ut_user[UT_NAMESIZE]
| ^~~~~~~
* modules/pam_limits/pam_limits.c (check_logins): Use memcpy instead of
strncat to pacify the compiler.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
pam_listfile assumes the group being tested will be written at the end
of the argument list by carrying only a pointer to the value being
examined in 'myval'.
Therefore example
'''
auth required pam_listfile.so \
onerr=succeed apply=ftp item=user sense=deny file=/etc/ftpusers
'''
modified from https://linux.die.net/man/8/pam_listfile is not working because
'apply_val' will point to the latest value of 'myval', which in this case will
be "/etc/ftpusers" instead of "ftp".
Fix this issue by copying the value of 'myval' instead of just taking
a reference pointer.
Signed-off-by: Cyril Duval <cyril.duval@diabolocom.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changed files
--------------
Make.xml.rules.in:
- Using RNG file instead of DTD file for checking XML files.
- Taking the correct stylesheet for README files.
doc/sag/Makefile.am, doc/adg/Makefile.am, doc/mwg/Makefile.am:
- Using RNG file instead of DTD file for checking XML files.
configure.ac:
- Adding a new option for selecting RNG check file (-enable-docbook-rng)
- Switching stylesheets to docbook 5
- Checking DocBook 5 environment instead of DocBook 4 environment
*.xml:
Update from DockBook 4 to DocBook 5
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Use the vendor directory as fallback for a distribution provided default
config if there is no one in /etc.
* Makefile.am: Add libeconf setting.
* pam_env.c: Take care about the fallback configuration in the vendor directory.
* pam_env.8.xml: Add description for the vendor directory.
* pam_env.conf.5.xml: Add description for the vendor directory.
* tst-pam_env-retval.c: Add tests for libeconf.
* configure.ac: Add ECONF settings for building man pages.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
default config if there is no one in /etc.
If pam will be compiled with the option --enable-vendordir=<vendor_dir> and
NOT defined --disable-econf, the files which define valid login shells will
be parsed in following order:
- <vendor_dir>/shells
- <vendor_dir>/shells.d/*
- /etc/shells.d/shells
But all files in <vendor_dir> will be ingnored if the user has defined his
own file /etc/shells.
This commit solves issue: https://github.com/linux-pam/linux-pam/issues/498
|
| |
|
|
|
|
|
|
| |
Check if quote flag is positive before decrementing it. Otherwise, for
some use case, it could become negative, and have an unwanted empty string
instead of an undefined variable.
Signed-off-by: Valentin Lefebvre <valentin.lefebvre@suse.com>
|
| |
|
|
|
|
|
|
|
|
| |
Wording of no new mail message should be significantly different from
new mail so that it does not align in length or similar words.
* modules/pam_mail/pam_mail.c (report_mail): Change the wording of
no new mail message.
Resolves: https://github.com/linux-pam/linux-pam/issues/465
|
