| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
* modules/pam_issue/pam_issue.c (pam_sm_authenticate): Free issue_prompt
before assigning a new string.
|
| |
|
|
|
|
|
|
|
| |
The case in which protect_dir() returns an error and the flag
POLYDIR_CREATE (flag "create" in namespace.conf) is not set was
not handled. Therefore, the program continued without a polydir
and returned later on failed mount(2) or stat(2) calls.
Signed-off-by: Olivier Bal-Petre <olivier.bal-petre@ssi.gouv.fr>
|
| |
|
|
|
|
|
|
|
| |
Given that the crypt_data storage passed to crypt_r is cleared
afterwards, there is no point in clearing the string returned by
crypt_r. This also fixes the issue with those crypt_r implementations
that can return a pointer to read-only memory.
Resolves: https://github.com/linux-pam/linux-pam/issues/866
|
| |
|
|
|
|
|
|
| |
When configured using -Dpam-debug=true, _pam_unix_approve_pass prints
a diagnostic message with addresses of password strings. Apparently,
since the times predating the git history of the project in this
diagnostic message the addresses of the old and new passwords were
mixed up.
|
| |
|
|
|
|
|
| |
* modules/pam_access/pam_access.c (group_match): Fix the order
of arguments passed to group_name_or_gid_match.
Resolves: https://github.com/linux-pam/linux-pam/issues/860
|
| |
|
|
|
|
|
|
|
|
| |
The systemd functionality used here is also supported by elogind.
Introduce elogind meson option that could be used to enable logind
support in pam_issue, pam_limits, and pam_timestamp via elogind.
When elogind support is enabled, search for libelogind as well
and use the appropriate headers.
|
| |
|
|
|
|
|
|
|
|
| |
* modules/pam_access/pam_access.c: separate resolving of IP addresses
from hostnames. Don't resolve TTYs or display variables as hostname
(#834).
Add "nodns" option to disallow resolving of tokens as hostname.
* modules/pam_access/pam_access.8.xml: document nodns option
* modules/pam_access/access.conf.5.xml: document that hostnames should
be written as FQHN.
|
| |
|
|
| |
There is no point in supporting two different build systems.
|
| |
|
|
|
|
|
|
|
| |
* modules/pam_access/access.conf.5.xml: `LOCAL` keyword behaviour
explanation was focused on the development internals. Let's clarify it
by rephrasing it to something a sysadmin can understand.
Resolves: https://issues.redhat.com/browse/RHEL-39943
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_access/pam_access.c: match the local address regardless of
the IP version in use.
In some circumstances the `localhost` may be translated to IPv4 or IPv6,
but the configuration file only indicated the address for one of the two
versions. Since the originating value is set in `PAM_RHOST` and PAM has
no control over it, let's match the local addresses regardless of the IP
version in use.
Resolves: https://issues.redhat.com/browse/RHEL-23018
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
| |
|
|
|
|
|
|
| |
gdbm_close() used to return void, later it was changed to return int.
We cannot assume either way and have to check whether gdbm_close()
returns int.
Fixes: 45c2c496dcf8 ("pam_userdb: enable GDBM support")
|
| |
|
|
|
|
| |
When creating a socket pipe for communication between the parent and the
child process, each of these two processes should keep just one of these
socket pipe descriptors.
|
| |
|
|
| |
Resolves: https://github.com/linux-pam/linux-pam/issues/829
|
| |
|
|
|
| |
If vendordir is enabled, the distribution provided configuration files
should be below this directory and not in /etc.
|
| |
|
|
|
|
|
|
|
|
| |
On my non-representative hardware, the full build using autotools
(./autogen.sh && CFLAGS=-O2 ./configure && make -j`nproc` && make -j`nproc` install)
takes about 45 seconds.
On the same hardware, the full build using meson
(meson setup -Doptimization=2 dir && meson compile -C dir && meson install -C dir)
takes just about 7.5 seconds.
|
| |
|
|
|
|
|
|
| |
As crypt_r is expected to return a pointer into a provided crypt_data
struct, callers should not modify the string returned by crypt_r after
freeing the corresponding crypt_data struct.
Co-authored-by: Dmitry V. Levin <ldv@strace.io>
|
| |
|
|
|
|
|
| |
The utmp database is unreliable for counting logged in users, since
there is no standard which defines who should create an entry at which
time for which reason. And it has a Y2038 problem with glibc/x86-64.
Query systemd-logind for the number of user sessions instead.
|
| |
|
|
|
|
|
|
| |
Since systemd added new types of classes (e.g. manager*), we cannot
use the count of all sessions anymore, but have to check which class
this is.
This is backward compatible, systemd v209 or newer is required.
|
| |
|
|
|
|
|
|
|
|
|
| |
Following the recent news about the latest change of the FSF postal address,
replace the FSF postal address in the GNU GPL license notice with the URL.
Apparently, "Information for maintainers of GNU Software" for quite
a long time suggests using the URL instead of the postal address.
Link: https://lists.gnu.org/archive/html/info-gnu/2024-09/msg00000.html
Link: https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Code.html
|
| |
|
|
| |
Make sure that config.h is included before any system header.
|
| |
|
|
|
| |
Given that pam_fail_delay is always provided by libpam, checking for
HAVE_PAM_FAIL_DELAY may have any sense only in third-party modules.
|
| |
|
|
|
|
|
|
| |
Given that in most places config.h is included unconditionally,
there is no point in keeping remaining HAVE_CONFIG_H checks.
Public header files do not use config.h and therefore
are not affected by this change anyway.
|
| |
|
|
|
| |
... for the same reason SCONFIGDIR config.h macro was renamed to
SCONFIG_DIR.
|
| |
|
|
|
|
|
| |
This way it is visibly different from the configure variable SCONFIGDIR,
which is helpful, because their values are slightly different:
the macro is quoted while the configure variable is not quoted,
and this difference may cause problems with other build systems.
|
| |
|
|
|
| |
* modules/pam_env/Makefile.am (AM_CFLAGS): Remove second
-I$(top_srcdir)/libpam_internal/include.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Unhardcode ".libs" subdirectory where libtool stores shared objects,
as other build systems doesn't necessarily use it.
* configure.ac (AC_DEFINE_UNQUOTED): Add LTDIR.
* modules/pam_canonicalize_user/tst-pam_canonicalize_user-retval.c:
Replace ".libs/" with LTDIR.
* modules/pam_debug/tst-pam_debug-retval.c: Likewise.
* modules/pam_deny/tst-pam_deny-retval.c: Likewise.
* modules/pam_echo/tst-pam_echo-retval.c: Likewise.
* modules/pam_env/tst-pam_env-retval.c: Likewise.
* modules/pam_faildelay/tst-pam_faildelay-retval.c: Likewise.
* modules/pam_faillock/tst-pam_faillock-retval.c: Likewise.
* modules/pam_listfile/tst-pam_listfile-retval.c: Likewise.
* modules/pam_localuser/tst-pam_localuser-retval.c: Likewise.
* modules/pam_mkhomedir/tst-pam_mkhomedir-retval.c: Likewise.
* modules/pam_nologin/tst-pam_nologin-retval.c: Likewise.
* modules/pam_permit/tst-pam_permit-retval.c: Likewise.
* modules/pam_pwhistory/tst-pam_pwhistory-retval.c: Likewise.
* modules/pam_rootok/tst-pam_rootok-retval.c: Likewise.
* modules/pam_sepermit/tst-pam_sepermit-retval.c: Likewise.
* modules/pam_succeed_if/tst-pam_succeed_if-retval.c: Likewise.
* modules/pam_time/tst-pam_time-retval.c: Likewise.
* modules/pam_warn/tst-pam_warn-retval.c: Likewise.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Do not include <libintl.h> and other i18n stuff via config.h which is
included into every compilation unit, include "pam_i18n.h" explicitly
where necessary.
* configure.ac (AH_BOTTOM): Remove.
* libpam/pam_get_authtok.c: Include "pam_i18n.h".
* libpam/pam_item.c: Likewise.
* libpam/pam_strerror.c: Likewise.
* libpam_misc/misc_conv.c: Likewise.
* modules/pam_exec/pam_exec.c: Likewise.
* modules/pam_faillock/main.c: Likewise.
* modules/pam_faillock/pam_faillock.c: Likewise.
* modules/pam_lastlog/pam_lastlog.c: Likewise.
* modules/pam_limits/pam_limits.c: Likewise.
* modules/pam_mail/pam_mail.c: Likewise.
* modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
* modules/pam_selinux/pam_selinux.c: Likewise.
* modules/pam_selinux/pam_selinux_check.c: Likewise.
* modules/pam_timestamp/pam_timestamp.c: Likewise.
* modules/pam_unix/pam_unix_acct.c: Likewise.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_userdb/pam_userdb.c: Likewise.
|
| |
|
|
|
| |
* modules/pam_rootok/pam_rootok.c (log_callback) [HAVE_LIBAUDIT]:
Silence compilation warning.
|
| |
|
|
|
| |
* modules/pam_faillock/pam_faillock.c (check_tally, write_tally)
[HAVE_LIBAUDIT]: Check audit_log_user_message() return value.
|
| |
|
|
|
|
|
|
|
| |
Given that utmp.h is included unconditionally in other modules,
and neither utmpx.h nor lastlog.h is used nowadays, remove obsolete
checks.
* configure.ac (AC_CHECK_HEADERS): Remove lastlog.h, utmp.h, and utmpx.h.
* modules/pam_lastlog/pam_lastlog.c: Include <utmp.h> unconditionally.
|
| |
|
|
|
|
|
|
|
|
|
| |
Extend access.conf(5) syntax to support UID and GID in addition to
user and group names.
Co-authored-by: blueskycs2c <lili.ding@cs2c.com>
Signed-off-by: Dmitry V. Levin <ldv@strace.io>
Resolves: https://github.com/linux-pam/linux-pam/issues/114
Resolves: https://github.com/linux-pam/linux-pam/pull/186
Resolves: https://github.com/linux-pam/linux-pam/pull/601
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since audit_log_acct_message() was decorated with warn_unused_result
attribute, compilation of faillock helper produces the following
diagnostics:
main.c: In function 'do_user':
main.c:250:25: warning: ignoring return value of 'audit_log_acct_message' declared with attribute 'warn_unused_result' [-Wunused-result]
Given that this helper has never been picky about audit, e.g.
audit_open() errors do not affect its exit status, just silence this
new warning.
* modules/pam_faillock/main.c [HAVE_LIBAUDIT] (do_user): Silence
compilation warning.
|
| |
|
|
|
|
|
| |
Use this new function instead of econf_readDirs() and
econf_readDirsWithCallback().
Co-authored-by: Dmitry V. Levin <ldv@strace.io>
|
| |
|
|
|
|
| |
Log in case the database could not be initialized.
Include the errno on lookup failure.
|
| |
|
|
| |
Log in case the current fscreate context could not be retrieved.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_namespace/pam_namespace.c (create_polydir) [WITH_SELINUX]:
Free SELinux context in case of an error.
```
Error: RESOURCE_LEAK (CWE-772):
Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1433: alloc_arg: "getfscreatecon_raw" allocates memory that is stored into "oldcon_raw".
Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1462: leaked_storage: Variable "oldcon_raw" going out of scope leaks the storage it points to.
1460| pam_syslog(idata->pamh, LOG_ERR,
1461| "Error creating directory %s: %m", dir);
1462|-> return PAM_SESSION_ERR;
1463| }
1464|
```
Resolves: https://issues.redhat.com/browse/RHEL-36475
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_namespace/pam_namespace.c [WITH_SELINUX] (form_context):
Free SELinux context before returning.
```
Error: RESOURCE_LEAK (CWE-772):
Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:928: alloc_arg: "getexeccon" allocates memory that is stored into "scon".
Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1004: leaked_storage: Variable "scon" going out of scope leaks the storage it points to.
1002| }
1003| /* Should never get here */
1004|-> return PAM_SUCCESS;
1005| }
1006| #endif
```
Resolves: https://issues.redhat.com/browse/RHEL-36475
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_timestamp/pam_timestamp.c (pam_sm_authenticate)
[WITH_OPENSSL]: Close the timestamp file if hmac_size returned
an error.
```
Error: RESOURCE_LEAK (CWE-772):
Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:450: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:450: var_assign: Assigning: "fd" = handle returned from "open(path, 131072)".
Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:460: noescape: Resource "fd" is not freed or pointed-to in "fstat".
Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:484: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
482| #ifdef WITH_OPENSSL
483| if (hmac_size(pamh, debug, &maclen)) {
484|-> return PAM_AUTH_ERR;
485| }
486| #else
```
Resolves: https://issues.redhat.com/browse/RHEL-36475
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_rootok/pam_rootok.c (log_callback): Close the audit socket
if vasprintf returned an error.
```
Error: RESOURCE_LEAK (CWE-772):
Linux-PAM-1.6.0/modules/pam_rootok/pam_rootok.c:59: open_fn: Returning handle opened by "audit_open".
Linux-PAM-1.6.0/modules/pam_rootok/pam_rootok.c:59: var_assign: Assigning: "audit_fd" = handle returned from "audit_open()".
Linux-PAM-1.6.0/modules/pam_rootok/pam_rootok.c:69: leaked_handle: Handle variable "audit_fd" going out of scope leaks the handle.
67| va_end(ap);
68| if (ret < 0) {
69|-> return 0;
70| }
71| audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
```
Resolves: https://issues.redhat.com/browse/RHEL-36475
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_faillock/pam_faillock.c (check_tally): Close the audit
socket when it will no longer be used.
```
Error: RESOURCE_LEAK (CWE-772):
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: open_fn: Returning handle opened by "audit_open".
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: var_assign: Assigning: "audit_fd" = handle returned from "audit_open()".
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:256: noescape: Resource "audit_fd" is not freed or pointed-to in "audit_log_user_message".
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:258: leaked_handle: Handle variable "audit_fd" going out of scope leaks the handle.
256| audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
257| rhost, NULL, tty, 1);
258|-> }
259| #endif
260| opts->flags |= FAILLOCK_FLAG_UNLOCKED;
```
Resolves: https://issues.redhat.com/browse/RHEL-36475
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
| |
|
|
|
|
| |
* modules/pam_env/pam_env.c [USE_ECONF] (econf_read_file): Make sure
the returned array of strings is properly initialized
when econf_getStringValue() fails to return a value.
|
| |
|
|
|
|
|
| |
* modules/pam_env/pam_env.c [USE_ECONF] (econf_read_file): Handle NULL
value returned by econf_getStringValue().
Resolves: https://github.com/linux-pam/linux-pam/issues/796
|
| |
|
|
| |
Move all historic changelog files away to avoid confusion.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Since 2011, ChangeLog file is generated from git log history.
ChangeLog-CVS is a historic changelog file that was maintained before
the project was migrated from cvs to git.
CHANGELOG is another historic changelog file that was replaced by
ChangeLog in 2005.
modules/pam_unix/CHANGELOG is the oldest of historic changelog files,
it is not maintained since 1999.
All these historic changelog files are no longer relevant, so they are
no longer included into release tarballs.
|
| |
|
|
| |
Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
|
| |
|
|
|
|
| |
The previous sentence was strange to read.
Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
|
| |
|
|
|
| |
Compare the hashes in constant time as a defense-in-depth mechanism,
since performance is not a priority.
|
| | |
|
| |
|
|
|
|
|
|
| |
Document that pam_env.so is only called by pam_setcred() and
not by pam_authenticate() when added to the auth stack.
Resolves: https://github.com/linux-pam/linux-pam/issues/680
Signed-off-by: Thorsten Kukuk <kukuk@suse.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before the change pam_unix has different behaviours for a user with
empty password for these two `/etc/shadow` entries:
nulloktest:$6$Yy4ty2jJ$bsVQWo8qlXC6UHq1/qTC3UR60ZJKmKApJ3Wj7DreAy8FxlVKtlDnplFQ7jMLVlDqordE7e4t49GvTb.aI59TP0:1::::::
nulloktest::1::::::
The entry with a hash was rejected and the entry without was accepted.
The rejection happened because 9e74e90147c "pam_unix: avoid determining
if user exists" introduced the following rejection check (slightly
simplified):
...
} else if (p[0] == '\0' && nullok) {
if (hash[0] != '\0') {
retval = PAM_AUTH_ERR;
}
We should not reject the user with a hash assuming it's non-empty.
The change does that by pushing empty password check into
`verify_pwd_hash()`.
`NixOS` generates such hashed entries for empty passwords as if they
were non-empty using the following perl code:
sub hashPassword {
my ($password) = @_;
my $salt = "";
my @chars = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
$salt .= $chars[rand 64] for (1..8);
return crypt($password, '$6$' . $salt . '$');
}
Resolves: https://github.com/linux-pam/linux-pam/issues/758
Fixes: 9e74e90147c "pam_unix: avoid determining if user exists"
Signed-off-by: Sergei Trofimovich <slyich@gmail.com>
|
