From 2ec68e871038665749338da59d938a33c3248110 Mon Sep 17 00:00:00 2001 From: Louis Sautier Date: Thu, 13 Dec 2018 16:12:42 +0100 Subject: Fix a typo in the documentation --- doc/man/pam_conv.3.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'doc/man') diff --git a/doc/man/pam_conv.3.xml b/doc/man/pam_conv.3.xml index 0098ff94..5106ddf7 100644 --- a/doc/man/pam_conv.3.xml +++ b/doc/man/pam_conv.3.xml @@ -133,10 +133,10 @@ struct pam_conv { single form with many messages/prompts on at once. - In passing, it is worth noting that there is a descrepency between + In passing, it is worth noting that there is a discrepancy between the way Linux-PAM handles the const struct pam_message **msg - conversation function argument from the way that Solaris' PAM - (and derivitives, known to include HP/UX, are there others?) does. + conversation function argument and the way that Solaris' PAM + (and derivatives, known to include HP/UX, are there others?) does. Linux-PAM interprets the msg argument as entirely equivalent to the following prototype const struct pam_message *msg[] (which, in spirit, is consistent with -- cgit v1.2.3 From 8daf77a011553e160012899d29765c968c952897 Mon Sep 17 00:00:00 2001 From: lifecrisis <15251574+lifecrisis@users.noreply.github.com> Date: Fri, 6 Sep 2019 17:10:15 -0400 Subject: Fix a typo There is an extra space where there should not be one. --- doc/man/pam_fail_delay.3.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc/man') diff --git a/doc/man/pam_fail_delay.3.xml b/doc/man/pam_fail_delay.3.xml index 46d89be0..d886e9e0 100644 --- a/doc/man/pam_fail_delay.3.xml +++ b/doc/man/pam_fail_delay.3.xml @@ -75,7 +75,7 @@ and - pam_set_item 3 + pam_set_item3 respectively. The value used to set it should be a function pointer of the following prototype: -- cgit v1.2.3 From 6b10b693f8e20a9d6452fe195f42bd978e9e4ee8 Mon Sep 17 00:00:00 2001 
From: lifecrisis <15251574+lifecrisis@users.noreply.github.com> Date: Fri, 6 Sep 2019 17:11:17 -0400 Subject: Fix the man page for "pam_fail_delay()" This man page contained the incorrect statement that setting the PAM_FAIL_DELAY item to NULL would disable any form of delay on authentication failure. I removed the incorrect statement and added a paragraph explaining how an application should properly avoid delays. Closes #137. --- doc/man/pam_fail_delay.3.xml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'doc/man') diff --git a/doc/man/pam_fail_delay.3.xml b/doc/man/pam_fail_delay.3.xml index d886e9e0..53c1f89e 100644 --- a/doc/man/pam_fail_delay.3.xml +++ b/doc/man/pam_fail_delay.3.xml @@ -93,8 +93,15 @@ void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr); pam_set_item3 . - Note, if PAM_FAIL_DELAY item is unset (or set to NULL), then no delay - will be performed. + + + Note that the PAM_FAIL_DELAY item is set to NULL by default. This + indicates that PAM should perform a random delay as described + above when authentication fails and a delay has been suggested. + If an application does not want the PAM library to perform any + delay on authentication failure, then the application must define + a custom delay function that executes no statements and set + the PAM_FAIL_DELAY item to point to this function. -- cgit v1.2.3 From 65d6735c5949ec233df9813f734e918a93fa36cf Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk <5908016+thkukuk@users.noreply.github.com> Date: Mon, 16 Sep 2019 17:17:49 +0200 Subject: Add support for a vendor directory and libeconf (#136) With this, it is possible for Linux distributors to store their supplied default configuration files somewhere below /usr, while /etc only contains the changes made by the user. The new option --enable-vendordir defines where Linux-PAM should additional look for pam.d/*, login.defs and securetty if this files are not in /etc. libeconf is a key/value configuration file reading library, which handles the split of configuration files in different locations and merges them transparently for the application. --- Make.xml.rules | 10 +++---- configure.ac | 17 +++++++++++ doc/Makefile.am | 2 ++ doc/custom-html.xsl | 19 +++++++++++++ doc/custom-man.xsl | 10 +++++++ doc/man/Makefile.am | 5 ++++ doc/man/pam.8.xml | 17 +++++++++-- libpam/Makefile.am | 8 ++++-- libpam/pam_handlers.c | 47 +++++++++++++++---------------- libpam/pam_modutil_searchkey.c | 37 ++++++++++++++++++++++++ libpam/pam_private.h | 5 ++++ modules/pam_securetty/Makefile.am | 8 ++++++ modules/pam_securetty/pam_securetty.8.xml | 15 ++++++---- modules/pam_securetty/pam_securetty.c | 28 ++++++++++++++++-- 14 files changed, 185 insertions(+), 43 deletions(-) create mode 100644 doc/custom-html.xsl create mode 100644 doc/custom-man.xsl (limited to 'doc/man') diff --git a/Make.xml.rules b/Make.xml.rules index bee30cda..d19a02ef 100644 --- a/Make.xml.rules +++ b/Make.xml.rules 
@@ -3,22 +3,22 @@ # README: README.xml - $(XSLTPROC) --path $(srcdir) --xinclude --stringparam generate.toc "none" --nonet http://docbook.sourceforge.net/release/xsl/current/html/docbook.xsl $< | $(BROWSER) > $(srcdir)/$@ + $(XSLTPROC) --path $(srcdir) --xinclude --stringparam generate.toc "none" $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-html.xsl $< | $(BROWSER) > $(srcdir)/$@ %.1: %.1.xml $(XMLLINT) --nonet --xinclude --postvalid --noout $< - $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude --nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $< + $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-man.xsl $< %.3: %.3.xml $(XMLLINT) --nonet --xinclude --postvalid --noout $< - $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude --nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $< + $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-man.xsl $< %.5: %.5.xml $(XMLLINT) --nonet --xinclude --postvalid --noout $< - $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude --nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $< + $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-man.xsl $< %.8: %.8.xml $(XMLLINT) --nonet --xinclude --postvalid --noout $< - $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude --nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $< + $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-man.xsl $< #CLEANFILES += $(man_MANS) README diff --git a/configure.ac b/configure.ac index e4995fc9..62b98c73 100644 --- a/configure.ac +++ b/configure.ac 
@@ -504,6 +504,23 @@ if test ! -z "$LIBSELINUX" ; then LIBS=$BACKUP_LIBS fi +AC_ARG_ENABLE([econf], + AS_HELP_STRING([--disable-econf], [do not use libeconf]), + [WITH_ECONF=$enableval], WITH_ECONF=yes) +if test "$WITH_ECONF" = "yes" ; then + PKG_CHECK_MODULES([ECONF], [libeconf], [], + [AC_CHECK_LIB([econf],[econf_readDirs],[ECONF_LIBS="-leconf"],[ECONF_LIBS=""])]) + if test -n "$ECONF_LIBS" ; then + ECONF_CFLAGS="-DUSE_ECONF=1 $ECONF_CFLAGS" + fi +fi +AC_SUBST([ECONF_CFLAGS]) +AC_SUBST([ECONF_LIBS]) +AC_ARG_ENABLE([vendordir], + AS_HELP_STRING([--enable-vendordir=DIR], [Directory for distribution provided configuration files]),,[]) +AC_SUBST([VENDORDIR], [$enable_vendordir]) +AM_CONDITIONAL([HAVE_VENDORDIR], [test "x$enable_vendordir" != x]) + dnl Checks for header files. AC_HEADER_DIRENT AC_HEADER_STDC diff --git a/doc/Makefile.am b/doc/Makefile.am index f4762f2d..38319f5b 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -8,6 +8,8 @@ CLEANFILES = *~ dist_html_DATA = index.html +EXTRA_DIST = custom-html.xsl custom-man.xsl + ####################################################### releasedocs: all diff --git a/doc/custom-html.xsl b/doc/custom-html.xsl new file mode 100644 index 00000000..081beaf6 --- /dev/null +++ b/doc/custom-html.xsl @@ -0,0 +1,19 @@ + + + + + + + + + + + + + + + + + diff --git a/doc/custom-man.xsl b/doc/custom-man.xsl new file mode 100644 index 00000000..bf01d583 --- /dev/null +++ b/doc/custom-man.xsl @@ -0,0 +1,10 @@ + + + + + + + + + + diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am index 78c891df..8e76897e 100644 --- a/doc/man/Makefile.am +++ b/doc/man/Makefile.am 
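Review bot: `--enable-vendordir` given without `=DIR` leaves `$enable_vendordir` as the literal `yes`, which the `test "x$enable_vendordir" != x` conditional accepts and which then becomes the prefix of `PAM_CONFIG_DIST2_DF` and `SECURETTY2_FILE`, i.e. a cwd-relative search path for security policy files. A check after the AC_ARG_ENABLE would catch that: `case "$enable_vendordir" in ""|no) enable_vendordir= ;; /*) ;; *) AC_MSG_ERROR([--enable-vendordir needs an absolute path]) ;; esac`. Whether `no` should be mapped to unset as above or rejected outright is a design choice; either is better than the current pass-through.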
@@ -59,5 +59,10 @@ pam.d.5: pam.conf.5 pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml +if HAVE_VENDORDIR +XSLTPROC_CUSTOM = --stringparam vendordir $(VENDORDIR) +else +XSLTPROC_CUSTOM = --stringparam vendordir "" +endif -include $(top_srcdir)/Make.xml.rules endif diff --git a/doc/man/pam.8.xml b/doc/man/pam.8.xml index 9839defb..464af0e5 100644 --- a/doc/man/pam.8.xml +++ b/doc/man/pam.8.xml @@ -53,11 +53,12 @@ Vendor-supplied PAM configuration files might be installed in - the system directory /usr/lib/pam.d/ instead + the system directory /usr/lib/pam.d/ or + a configurable vendor specific directory instead of the machine configuration directory /etc/pam.d/. If no machine configuration file is found, the vendor-supplied file is used. All files in /etc/pam.d/ override - files with the same name in /usr/lib/pam.d/. + files with the same name in other directories. From the point of view of the system administrator, for whom this @@ -157,6 +158,18 @@ closing hook for modules to affect the services available to a user. + + %vendordir%/pam.d + + + the Linux-PAM vendor configuration + directory. Files in /etc/pam.d and + /usr/lib/pam.d override files with the same + name in this directory. Only available if Linux-PAM was compiled + with vendordir enabled. + + + diff --git a/libpam/Makefile.am b/libpam/Makefile.am index 875031ed..ba57b98e 100644 --- a/libpam/Makefile.am +++ b/libpam/Makefile.am @@ -3,10 +3,14 @@ # AM_CFLAGS = -DDEFAULT_MODULE_PATH=\"$(SECUREDIR)/\" -DLIBPAM_COMPILE \ - -I$(srcdir)/include $(LIBPRELUDE_CFLAGS) -DPAM_VERSION=\"$(VERSION)\" + -I$(srcdir)/include $(LIBPRELUDE_CFLAGS) $(ECONF_CFLAGS) \ + -DPAM_VERSION=\"$(VERSION)\" -DSYSCONFDIR=\"$(sysconfdir)\" if HAVE_LIBSELINUX AM_CFLAGS += -D"WITH_SELINUX" endif +if HAVE_VENDORDIR + AM_CFLAGS += -DVENDORDIR=\"$(VENDORDIR)\" +endif CLEANFILES = *~ 
@@ -21,7 +25,7 @@ noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \ pam_modutil_private.h libpam_la_LDFLAGS = -no-undefined -version-info 84:2:84 -libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@ +libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) $(ECONF_LIBS) @LIBDL@ if HAVE_VERSIONING libpam_la_LDFLAGS += -Wl,--version-script=$(srcdir)/libpam.map diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c index 106ef7c2..8e513da3 100644 --- a/libpam/pam_handlers.c +++ b/libpam/pam_handlers.c @@ -280,9 +280,14 @@ _pam_open_config_file(pam_handle_t *pamh , char **path , FILE **file) { + const char *pamd_dirs[] = { PAM_CONFIG_DF, PAM_CONFIG_DIST_DF +#ifdef VENDORDIR + , PAM_CONFIG_DIST2_DF +#endif + }; char *p; FILE *f; - int err = 0; + size_t i; /* Absolute path */ if (service[0] == '/') { @@ -303,33 +308,20 @@ _pam_open_config_file(pam_handle_t *pamh return PAM_ABORT; } - /* Local Machine Configuration /etc/pam.d/ */ - if (asprintf (&p, PAM_CONFIG_DF, service) < 0) { - pam_syslog(pamh, LOG_CRIT, "asprintf failed"); - return PAM_BUF_ERR; - } - D(("opening %s", p)); - f = fopen(p, "r"); - if (f != NULL) { - *path = p; - *file = f; - return PAM_SUCCESS; - } - - /* System Configuration /usr/lib/pam.d/ */ - _pam_drop(p); - if (asprintf (&p, PAM_CONFIG_DIST_DF, service) < 0) { - pam_syslog(pamh, LOG_CRIT, "asprintf failed"); - return PAM_BUF_ERR; - } - D(("opening %s", p)); - f = fopen(p, "r"); - if (f != NULL) { + for (i = 0; i < sizeof (pamd_dirs)/sizeof (char *); i++) { + if (asprintf (&p, pamd_dirs[i], service) < 0) { + pam_syslog(pamh, LOG_CRIT, "asprintf failed"); + return PAM_BUF_ERR; + } + D(("opening %s", p)); + f = fopen(p, "r"); + if (f != NULL) { *path = p; *file = f; return PAM_SUCCESS; + } + _pam_drop(p); } - _pam_drop(p); return PAM_ABORT; } 
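Review bot: In the second pam_handlers.c hunk the loop treats every fopen failure alike, so if `/etc/pam.d/<service>` exists but cannot be opened (EACCES for an unprivileged caller, EIO, ...) the lookup silently proceeds to the `/usr/lib/pam.d` and vendor copies and may apply a different policy than the administrator's file; only ENOENT should be a quiet fall-through. A minimal fix is to log the surprise before dropping the path: `if (errno != ENOENT) pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m", p);` placed between the `if (f != NULL)` block and `_pam_drop(p)`. As a point of style, `sizeof (pamd_dirs)/sizeof (char *)` should be `sizeof pamd_dirs / sizeof pamd_dirs[0]` so the count cannot drift from the element type. The old code had the same silent fall-through, but the loop is the natural place to fix it; _pam_open_config_file begins before the first hunk and the two hunks share the function.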
@@ -447,7 +439,12 @@ int _pam_init_handlers(pam_handle_t *pamh) /* Is there a PAM_CONFIG_D directory? */ if ((stat(PAM_CONFIG_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) || - (stat(PAM_CONFIG_DIST_D, &test_d) == 0 && S_ISDIR(test_d.st_mode))) { + (stat(PAM_CONFIG_DIST_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) +#ifdef PAM_CONFIG_DIST2_D + || (stat(PAM_CONFIG_DIST2_D, &test_d) == 0 + && S_ISDIR(test_d.st_mode)) +#endif + ) { char *path = NULL; int read_something=0; diff --git a/libpam/pam_modutil_searchkey.c b/libpam/pam_modutil_searchkey.c index 338b44fd..4e565974 100644 --- a/libpam/pam_modutil_searchkey.c +++ b/libpam/pam_modutil_searchkey.c @@ -13,9 +13,41 @@ #include #include #include +#ifdef USE_ECONF +#include +#endif #define BUF_SIZE 8192 +#ifdef USE_ECONF +#define LOGIN_DEFS "/etc/login.defs" + +#ifndef VENDORDIR +#define VENDORDIR NULL +#endif + +static char * +econf_search_key (const char *name, const char *suffix, const char *key) +{ + econf_file *key_file = NULL; + char *val; + + if (econf_readDirs (&key_file, VENDORDIR, SYSCONFDIR, name, suffix, + " \t", "#")) + return NULL; + + if (econf_getStringValue (key_file, NULL, key, &val)) { + econf_free (key_file); + return NULL; + } + + econf_free (key_file); + + return val; +} + +#endif + /* lookup a value for key in login.defs file or similar key value format */ char * pam_modutil_search_key(pam_handle_t *pamh UNUSED, @@ -27,6 +59,11 @@ pam_modutil_search_key(pam_handle_t *pamh UNUSED, size_t buflen = 0; char *retval = NULL; +#ifdef USE_ECONF + if (strcmp (file_name, LOGIN_DEFS) == 0) + return econf_search_key ("login", ".defs", key); +#endif + fp = fopen(file_name, "r"); if (NULL == fp) return NULL; diff --git a/libpam/pam_private.h b/libpam/pam_private.h index 58a26f58..8cb77528 100644 --- a/libpam/pam_private.h +++ b/libpam/pam_private.h 
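Review bot: econf_search_key (first pam_modutil_searchkey.c hunk) returns NULL without econf_free when econf_readDirs fails; whether libeconf can report an error after allocating *key_file is not visible here, so either confirm that contract or free unconditionally on that path (econf_free is presumably NULL-safe — verify). The helper also lacks a header comment; I would add `/* Read the merged vendor + SYSCONFDIR copies of <name><suffix> with libeconf and return key's value as a freshly allocated string the caller frees, or NULL on any error. */` — the caller-frees part matches pam_modutil_search_key's existing heap-allocated retval and should be checked. Every failure is silent because the econf error code is dropped and no pam_syslog is issued, so an unreadable or malformed login.defs is indistinguishable from a missing key for operators. In the second hunk the early return only triggers for the exact spelling `/etc/login.defs`; a one-line comment saying so would save the next reader from wondering whether other paths get the merged lookup.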
@@ -29,6 +29,11 @@ #define PAM_CONFIG_DF "/etc/pam.d/%s" #define PAM_CONFIG_DIST_D "/usr/lib/pam.d" #define PAM_CONFIG_DIST_DF "/usr/lib/pam.d/%s" +#ifdef VENDORDIR +#define PAM_CONFIG_DIST2_D VENDORDIR"/pam.d" +#define PAM_CONFIG_DIST2_DF VENDORDIR"/pam.d/%s" +#endif + #define PAM_DEFAULT_SERVICE "other" /* lower case */ diff --git a/modules/pam_securetty/Makefile.am b/modules/pam_securetty/Makefile.am index 30cc879a..9bcbbd95 100644 --- a/modules/pam_securetty/Makefile.am +++ b/modules/pam_securetty/Makefile.am @@ -20,6 +20,9 @@ AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif +if HAVE_VENDORDIR + AM_CFLAGS += -DVENDORDIR=\"$(VENDORDIR)\" +endif securelib_LTLIBRARIES = pam_securetty.la pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la @@ -27,5 +30,10 @@ pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README README: pam_securetty.8.xml +if HAVE_VENDORDIR +XSLTPROC_CUSTOM = --stringparam vendordir $(VENDORDIR) +else +XSLTPROC_CUSTOM = --stringparam vendordir "" +endif -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_securetty/pam_securetty.8.xml b/modules/pam_securetty/pam_securetty.8.xml index 48215f5f..b5e83691 100644 --- a/modules/pam_securetty/pam_securetty.8.xml +++ b/modules/pam_securetty/pam_securetty.8.xml 
@@ -31,9 +31,12 @@ pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure" tty, as defined by the listing - in /etc/securetty. pam_securetty also checks - to make sure that /etc/securetty is a plain - file and not world writable. It will also allow root logins on + in the securetty file. pam_securetty checks at + first, if /etc/securetty exists. If not and + it was built with vendordir support, it will use + %vendordir%/securetty. pam_securetty also + checks that the securetty files are plain + files and not world writable. It will also allow root logins on the tty specified with switch on the kernel command line and on ttys from the /sys/class/tty/console/active. @@ -73,7 +76,7 @@ Do not automatically allow root logins on the kernel console device, as specified on the kernel command line or by the sys file, if it is not also specified in the - /etc/securetty file. + securetty file. @@ -106,7 +109,7 @@ Authentication is rejected. Either root is attempting to log in via an unacceptable device, or the - /etc/securetty file is world writable or + securetty file is world writable or not a normal file. @@ -127,7 +130,7 @@ An error occurred while the module was determining the user's name or tty, or the module could not open - /etc/securetty. + the securetty file. diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c index cb1da252..e8a9273b 100644 --- a/modules/pam_securetty/pam_securetty.c +++ b/modules/pam_securetty/pam_securetty.c @@ -1,6 +1,9 @@ /* pam_securetty module */ #define SECURETTY_FILE "/etc/securetty" +#ifdef VENDORDIR +#define SECURETTY2_FILE VENDORDIR"/securetty" +#endif #define TTY_PREFIX "/dev/" #define CMDLINE_FILE "/proc/cmdline" #define CONSOLEACTIVE_FILE "/sys/class/tty/console/active" @@ -25,6 +28,7 @@ #include #include #include +#include /* * here, we make a definition for the externally accessible function 
@@ -70,6 +74,7 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, const char *function_name) { int retval = PAM_AUTH_ERR; + const char *securettyfile; const char *username; const char *uttyname; const void *void_uttyname; @@ -111,10 +116,27 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, } if (stat(SECURETTY_FILE, &ttyfileinfo)) { +#ifdef VENDORDIR + if (errno == ENOENT) { + if (stat(SECURETTY2_FILE, &ttyfileinfo)) { + pam_syslog(pamh, LOG_NOTICE, + "Couldn't open %s: %m", SECURETTY2_FILE); + return PAM_SUCCESS; /* for compatibility with old securetty handling, + this needs to succeed. But we still log the + error. */ + } + securettyfile = SECURETTY2_FILE; + } else { +#endif pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE); return PAM_SUCCESS; /* for compatibility with old securetty handling, this needs to succeed. But we still log the error. */ +#ifdef VENDORDIR + } +#endif + } else { + securettyfile = SECURETTY_FILE; } if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { @@ -122,13 +144,13 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, normal file, return error */ pam_syslog(pamh, LOG_ERR, "%s is either world writable or not a normal file", - SECURETTY_FILE); + securettyfile); return PAM_AUTH_ERR; } - ttyfile = fopen(SECURETTY_FILE,"r"); + ttyfile = fopen(securettyfile,"r"); if (ttyfile == NULL) { /* Check that we opened it successfully */ - pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); + pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", securettyfile); return PAM_SERVICE_ERR; } -- cgit v1.2.3 From 3419569e8e469c9e9769be0f977b88f7bf4be2d5 Mon Sep 17 00:00:00 2001 From: MIZUTA Takeshi Date: Sat, 5 Oct 2019 00:18:35 +0900 Subject: doc: fix typo in manpage --- doc/man/misc_conv.3.xml | 8 ++++---- doc/man/pam_setcred.3.xml | 2 +- doc/man/pam_start.3.xml | 2 +- modules/pam_cracklib/pam_cracklib.8.xml | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) (limited to 'doc/man') 
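Review bot: The `#ifdef VENDORDIR` blocks in the second pam_securetty.c hunk open and close braces in different preprocessor branches, so the `} else {` after the stat failure only balances when VENDORDIR is defined and a reader (or a brace-matching editor) cannot follow the control flow without preprocessing. Selecting the path first and keeping a single failure branch leaves the braces balanced in both builds and drops the duplicated syslog/return pair; it needs an `int rc;` next to the `securettyfile` declaration added in the previous hunk. The stat-then-fopen sequence remains a check-then-use on a path name (pre-existing, not introduced here); an fstat on the opened stream would close that gap if this function is revisited. securetty_perform_check begins and ends outside the hunk.
```c
    securettyfile = SECURETTY_FILE;
    rc = stat(securettyfile, &ttyfileinfo);
#ifdef VENDORDIR
    if (rc != 0 && errno == ENOENT) {
        securettyfile = SECURETTY2_FILE;
        rc = stat(securettyfile, &ttyfileinfo);
    }
#endif
    if (rc != 0) {
        pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", securettyfile);
        return PAM_SUCCESS; /* for compatibility with old securetty handling,
                               this needs to succeed. But we still log the
                               error. */
    }
    /* … unchanged: S_IWOTH / S_ISREG check on ttyfileinfo … */
```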
diff --git a/doc/man/misc_conv.3.xml b/doc/man/misc_conv.3.xml index 041f4eb0..d902ba83 100644 --- a/doc/man/misc_conv.3.xml +++ b/doc/man/misc_conv.3.xml @@ -46,7 +46,7 @@ The function exports five variables that can be used by an application programmer to limit the amount of time this conversation function will spend waiting for the user to type something. The - five variabls are as follows: + five variables are as follows: @@ -70,7 +70,7 @@ const char *pam_misc_conv_warn_line; - Used in conjuction with + Used in conjunction with pam_misc_conv_warn_time, this variable is a pointer to the string that will be displayed when it becomes time to warn the user that the timeout is approaching. Its @@ -103,7 +103,7 @@ const char *pam_misc_conv_die_line; - Used in conjuction with + Used in conjunction with pam_misc_conv_die_time, this variable is a pointer to the string that will be displayed when the conversation times out. Its default value is a translated @@ -120,7 +120,7 @@ Following a return from the Linux-PAM - libraray, the value of this variable indicates whether the + library, the value of this variable indicates whether the conversation has timed out. A value of 1 indicates the time-out occurred. diff --git a/doc/man/pam_setcred.3.xml b/doc/man/pam_setcred.3.xml index 77e9382f..62922482 100644 --- a/doc/man/pam_setcred.3.xml +++ b/doc/man/pam_setcred.3.xml @@ -144,7 +144,7 @@ A NULL pointer was submitted as PAM handle, the function was called by a module or another system - error occured. + error occurred. diff --git a/doc/man/pam_start.3.xml b/doc/man/pam_start.3.xml index 9b370f52..50a65a47 100644 --- a/doc/man/pam_start.3.xml +++ b/doc/man/pam_start.3.xml @@ -83,7 +83,7 @@ pam_get_item3 . - The PAM handle cannot be used for mulitiple authentications at the + The PAM handle cannot be used for multiple authentications at the same time as long as pam_end was not called on it before. 
diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml index 3f6e76f0..50027add 100644 --- a/modules/pam_cracklib/pam_cracklib.8.xml +++ b/modules/pam_cracklib/pam_cracklib.8.xml @@ -67,7 +67,7 @@ Case Change Only - Is the new password the the old one with only a change of case? + Is the new password the old one with only a change of case? -- cgit v1.2.3 From 375825bd5d88ee66375fd400c40af7844c1b0608 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Wed, 13 Feb 2019 08:21:02 +0000 Subject: Miscellaneous grammar fixes --- doc/man/pam_get_item.3.xml | 4 ++-- doc/man/pam_set_item.3.xml | 4 ++-- modules/pam_lastlog/pam_lastlog.8.xml | 2 +- modules/pam_timestamp/pam_timestamp_check.8.xml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) (limited to 'doc/man') diff --git a/doc/man/pam_get_item.3.xml b/doc/man/pam_get_item.3.xml index d07862e0..1145273c 100644 --- a/doc/man/pam_get_item.3.xml +++ b/doc/man/pam_get_item.3.xml @@ -19,7 +19,7 @@ pam_get_item - getting PAM informations + getting PAM information @@ -45,7 +45,7 @@ DESCRIPTION The pam_get_item function allows applications - and PAM service modules to access and retrieve PAM informations + and PAM service modules to access and retrieve PAM information of item_type. Upon successful return, item contains a pointer to the value of the corresponding item. Note, this is a pointer to the diff --git a/doc/man/pam_set_item.3.xml b/doc/man/pam_set_item.3.xml index 39758313..7630adbd 100644 --- a/doc/man/pam_set_item.3.xml +++ b/doc/man/pam_set_item.3.xml @@ -19,7 +19,7 @@ pam_set_item - set and update PAM informations + set and update PAM information @@ -45,7 +45,7 @@ DESCRIPTION The pam_set_item function allows applications - and PAM service modules to access and to update PAM informations + and PAM service modules to access and to update PAM information of item_type. For this a copy of the object pointed to by the item argument is created. The following item_types are 
diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml index f10e94a0..a2f14fc2 100644 --- a/modules/pam_lastlog/pam_lastlog.8.xml +++ b/modules/pam_lastlog/pam_lastlog.8.xml @@ -218,7 +218,7 @@ MODULE TYPES PROVIDED The and module type - allows to lock out users which did not login recently enough. + allows one to lock out users who did not login recently enough. The module type is provided for displaying the information about the last login and/or updating the lastlog and wtmp files. diff --git a/modules/pam_timestamp/pam_timestamp_check.8.xml b/modules/pam_timestamp/pam_timestamp_check.8.xml index 06432e09..8ca5a755 100644 --- a/modules/pam_timestamp/pam_timestamp_check.8.xml +++ b/modules/pam_timestamp/pam_timestamp_check.8.xml @@ -78,7 +78,7 @@ see if the default timestamp is valid, or optionally remove it. the user authenticates as herself. When the user authenticates as a different user, the name of the timestamp file changes to accommodate this. target_user allows - to specify this user name. + one to specify this user name. -- cgit v1.2.3 From 7e15186e3e9720c1415ca301222e66c994fc0529 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Wed, 13 Feb 2019 08:26:37 +0000 Subject: Miscellaneous spelling fixes --- doc/man/pam_prompt.3.xml | 2 +- doc/man/pam_set_item.3.xml | 2 +- modules/pam_cracklib/pam_cracklib.8.xml | 2 +- modules/pam_env/pam_env.8.xml | 2 +- modules/pam_exec/pam_exec.8.xml | 2 +- modules/pam_filter/pam_filter.c | 2 +- modules/pam_namespace/pam_namespace.c | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) (limited to 'doc/man') diff --git a/doc/man/pam_prompt.3.xml b/doc/man/pam_prompt.3.xml index 8b502a9d..bf0c9bf6 100644 --- a/doc/man/pam_prompt.3.xml +++ b/doc/man/pam_prompt.3.xml @@ -75,7 +75,7 @@ PAM_SUCCESS - Conversation succeded, response is set. + Conversation succeeded, response is set. diff --git a/doc/man/pam_set_item.3.xml b/doc/man/pam_set_item.3.xml index 7630adbd..30ab92b9 100644 
--- a/doc/man/pam_set_item.3.xml +++ b/doc/man/pam_set_item.3.xml @@ -74,7 +74,7 @@ - Both, PAM_AUTHTOK and PAM_OLDAUTHTOK, will be reseted before + Both, PAM_AUTHTOK and PAM_OLDAUTHTOK, will be reset before returning to the application. Which means an application is not able to access the authentication tokens. diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml index 50027add..75e44e2d 100644 --- a/modules/pam_cracklib/pam_cracklib.8.xml +++ b/modules/pam_cracklib/pam_cracklib.8.xml @@ -402,7 +402,7 @@ - Check whether the words from the GECOS field (usualy full name + Check whether the words from the GECOS field (usually full name of the user) longer than 3 characters in straight or reversed form are contained in the new password. If any such word is found the new password is rejected. diff --git a/modules/pam_env/pam_env.8.xml b/modules/pam_env/pam_env.8.xml index d6e20a2e..105f923f 100644 --- a/modules/pam_env/pam_env.8.xml +++ b/modules/pam_env/pam_env.8.xml @@ -62,7 +62,7 @@ Second a file (/etc/environment by default) with simple KEY=VAL pairs on separate lines will be read. With the envfile option an alternate file can be specified. - And with the readenv option this can be completly disabled. + And with the readenv option this can be completely disabled. Third it will read a user configuration file diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml index d1b00a21..edc3c41e 100644 --- a/modules/pam_exec/pam_exec.8.xml +++ b/modules/pam_exec/pam_exec.8.xml @@ -75,7 +75,7 @@ Commands called by pam_exec need to be aware of that the user - can have controll over the environment. + can have control over the environment. diff --git a/modules/pam_filter/pam_filter.c b/modules/pam_filter/pam_filter.c index de8c35ad..b818bb8b 100644 --- a/modules/pam_filter/pam_filter.c +++ b/modules/pam_filter/pam_filter.c 
@@ -376,7 +376,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl, /* grant slave terminal */ if (grantpt (fd[0]) < 0) { - pam_syslog(pamh, LOG_ERR, "Cannot grant acccess to slave terminal"); + pam_syslog(pamh, LOG_ERR, "Cannot grant access to slave terminal"); return PAM_ABORT; } diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index 660c7a1e..6d2a125d 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -2217,7 +2217,7 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, pam_set_data(idata.pamh, NAMESPACE_PROTECT_DATA, NULL, NULL); if (idata.flags & PAMNS_DEBUG) - pam_syslog(idata.pamh, LOG_DEBUG, "close_session - sucessful"); + pam_syslog(idata.pamh, LOG_DEBUG, "close_session - successful"); return PAM_SUCCESS; } -- cgit v1.2.3 From aea5d57019696554a1235fad872e6abec1fe1369 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Wed, 13 Feb 2019 08:28:25 +0000 Subject: Further grammar fixes Signed-off-by: Russ Allbery Bug-Debian: https://bugs.debian.org/651560 --- doc/man/pam_putenv.3.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc/man') diff --git a/doc/man/pam_putenv.3.xml b/doc/man/pam_putenv.3.xml index 619b218a..2d4afbc5 100644 --- a/doc/man/pam_putenv.3.xml +++ b/doc/man/pam_putenv.3.xml @@ -79,7 +79,7 @@ name_value, which means in contrast to putenv3 - , the application is responsible to free the data. + , the application is responsible for freeing the data. -- cgit v1.2.3 From 7a84910896d5579bd9c016696224d7d69a307bd9 Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Mon, 24 Feb 2020 18:19:57 +0100 Subject: New API call pam_start_confdir() To load PAM stack configurations from specified directory --- NEWS | 4 +- doc/man/pam_start.3.xml | 22 ++++++++- libpam/Makefile.am | 2 +- libpam/include/security/pam_appl.h | 5 ++ libpam/libpam.map | 5 ++ libpam/pam_handlers.c | 20 ++++++-- libpam/pam_private.h | 1 + libpam/pam_start.c | 36 +++++++++++++- tests/Makefile.am | 2 +- tests/confdir | 1 + tests/tst-pam_start_confdir.c | 99 ++++++++++++++++++++++++++++++++++++++ 11 files changed, 187 insertions(+), 10 deletions(-) create mode 100644 tests/confdir create mode 100644 tests/tst-pam_start_confdir.c (limited to 'doc/man') diff --git a/NEWS b/NEWS index c00a75a1..23e606b4 100644 --- a/NEWS +++ b/NEWS @@ -29,7 +29,9 @@ Release 1.4.0 * pam_unix: Support for (gost-)yescrypt hashing methods * pam_unix: Use bcrypt b-variant when it bcrypt is chosen * pam_usertype: New module to tell if uid is in login.defs ranges - +* Added new API call pam_start_confdir() for special applications that + cannot use the system-default PAM configuration paths and need to + explicitly specify another path Release 1.3.1 * pam_motd: add support for a motd.d directory diff --git a/doc/man/pam_start.3.xml b/doc/man/pam_start.3.xml index 50a65a47..1d544e64 100644 --- a/doc/man/pam_start.3.xml +++ b/doc/man/pam_start.3.xml @@ -12,6 +12,7 @@ pam_start + pam_start_confdir initialization of PAM transaction @@ -27,6 +28,14 @@ const struct pam_conv *pam_conversation pam_handle_t **pamh + + int pam_start_confdir + const char *service_name + const char *user + const struct pam_conv *pam_conversation + const char *confdir + pam_handle_t **pamh + 
@@ -87,6 +96,17 @@ same time as long as pam_end was not called on it before. + + + The pam_start_confdir function behaves + like the pam_start function but it also + allows setting confdir argument with + a path to a directory to override the default + (/etc/pam.d) path for service policy + files. If the confdir is NULL, the function + works exactly the same as pam_start. + + RETURN VALUES @@ -111,7 +131,7 @@ PAM_SUCCESS - Transaction was successful created. + Transaction was successfully started. diff --git a/libpam/Makefile.am b/libpam/Makefile.am index 9d5c844d..bd3dc5d3 100644 --- a/libpam/Makefile.am +++ b/libpam/Makefile.am @@ -25,7 +25,7 @@ include_HEADERS = include/security/_pam_compat.h \ noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \ pam_modutil_private.h include/pam_cc_compat.h -libpam_la_LDFLAGS = -no-undefined -version-info 84:2:84 +libpam_la_LDFLAGS = -no-undefined -version-info 85:1:85 libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) $(ECONF_LIBS) @LIBDL@ if HAVE_VERSIONING diff --git a/libpam/include/security/pam_appl.h b/libpam/include/security/pam_appl.h index d4172c69..cf97a493 100644 --- a/libpam/include/security/pam_appl.h +++ b/libpam/include/security/pam_appl.h @@ -24,6 +24,11 @@ pam_start(const char *service_name, const char *user, const struct pam_conv *pam_conversation, pam_handle_t **pamh); +extern int PAM_NONNULL((1,3,5)) +pam_start_confdir(const char *service_name, const char *user, + const struct pam_conv *pam_conversation, + const char *confdir, pam_handle_t **pamh); + extern int PAM_NONNULL((1)) pam_end(pam_handle_t *pamh, int pam_status); diff --git a/libpam/libpam.map b/libpam/libpam.map index 74fb55b2..c9690a91 100644 --- a/libpam/libpam.map +++ b/libpam/libpam.map @@ -77,3 +77,8 @@ LIBPAM_MODUTIL_1.3.2 { global: pam_modutil_search_key; } LIBPAM_MODUTIL_1.1.9; + +LIBPAM_1.4 { + global: + pam_start_confdir; +} LIBPAM_1.0; diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c index 8e513da3..5dff58c2 100644 
--- a/libpam/pam_handlers.c +++ b/libpam/pam_handlers.c @@ -285,7 +285,7 @@ _pam_open_config_file(pam_handle_t *pamh , PAM_CONFIG_DIST2_DF #endif }; - char *p; + char *p = NULL; FILE *f; size_t i; @@ -296,14 +296,21 @@ _pam_open_config_file(pam_handle_t *pamh pam_syslog(pamh, LOG_CRIT, "strdup failed"); return PAM_BUF_ERR; } + } else if (pamh->confdir != NULL) { + if (asprintf (&p, "%s/%s", pamh->confdir, service) < 0) { + pam_syslog(pamh, LOG_CRIT, "asprintf failed"); + return PAM_BUF_ERR; + } + } - f = fopen(service, "r"); + if (p != NULL) { + D(("opening %s", p)); + f = fopen(p, "r"); if (f != NULL) { *path = p; *file = f; return PAM_SUCCESS; } - _pam_drop(p); return PAM_ABORT; } @@ -313,6 +320,7 @@ _pam_open_config_file(pam_handle_t *pamh pam_syslog(pamh, LOG_CRIT, "asprintf failed"); return PAM_BUF_ERR; } + D(("opening %s", p)); f = fopen(p, "r"); if (f != NULL) { @@ -438,7 +446,8 @@ int _pam_init_handlers(pam_handle_t *pamh) struct stat test_d; /* Is there a PAM_CONFIG_D directory? */ - if ((stat(PAM_CONFIG_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) || + if (pamh->confdir != NULL || + (stat(PAM_CONFIG_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) || (stat(PAM_CONFIG_DIST_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) #ifdef PAM_CONFIG_DIST2_D || (stat(PAM_CONFIG_DIST2_D, &test_d) == 0 @@ -471,7 +480,8 @@ int _pam_init_handlers(pam_handle_t *pamh) #ifdef PAM_READ_BOTH_CONFS D(("checking %s", PAM_CONFIG)); - if ((f = fopen(PAM_CONFIG,"r")) != NULL) { + if (pamh->confdir == NULL + && (f = fopen(PAM_CONFIG,"r")) != NULL) { retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 0, 1); fclose(f); } else diff --git a/libpam/pam_private.h b/libpam/pam_private.h index ed02bb02..69d2ef44 100644 --- a/libpam/pam_private.h +++ b/libpam/pam_private.h @@ -178,6 +178,7 @@ struct pam_handle { int audit_state; /* keep track of reported audit messages */ #endif int authtok_verified; + char *confdir; }; /* Values for select arg to _pam_dispatch() */ 
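Review bot: The failure path of `_pam_open_config_file` now leaks `p`: the hunk at `@@ -296,14 +296,21 @@` removes the `_pam_drop(p);` that preceded `return PAM_ABORT;`, yet `p` still holds the `_pam_strdup`/`asprintf` result when `fopen(p, "r")` fails, and only the success branch hands it to the caller through `*path`. Put `_pam_drop(p);` back immediately before `return PAM_ABORT;`. With a confdir set this path is taken for every service name that has no file in that directory (the new test's cases 2 and 3 appear to go through it, and again for any fallback lookup the caller then makes), so the leak is reachable in ordinary use rather than only in the absolute-path case. `_pam_open_config_file` starts and ends outside the hunk.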
diff --git a/libpam/pam_start.c b/libpam/pam_start.c index e27c64bb..59d06224 100644 --- a/libpam/pam_start.c +++ b/libpam/pam_start.c @@ -15,10 +15,11 @@ #include #include -int pam_start ( +static int _pam_start_internal ( const char *service_name, const char *user, const struct pam_conv *pam_conversation, + const char *confdir, pam_handle_t **pamh) { D(("called pam_start: [%s] [%s] [%p] [%p]" @@ -80,6 +81,18 @@ int pam_start ( } else (*pamh)->user = NULL; + if (confdir) { + if (((*pamh)->confdir = _pam_strdup(confdir)) == NULL) { + pam_syslog(*pamh, LOG_CRIT, + "pam_start: _pam_strdup failed for confdir"); + _pam_drop((*pamh)->service_name); + _pam_drop((*pamh)->user); + _pam_drop(*pamh); + return (PAM_BUF_ERR); + } + } else + (*pamh)->confdir = NULL; + (*pamh)->tty = NULL; (*pamh)->prompt = NULL; /* prompt for pam_get_user() */ (*pamh)->ruser = NULL; @@ -140,3 +153,24 @@ int pam_start ( return PAM_SUCCESS; } + +int pam_start_confdir ( + const char *service_name, + const char *user, + const struct pam_conv *pam_conversation, + const char *confdir, + pam_handle_t **pamh) +{ + return _pam_start_internal(service_name, user, pam_conversation, + confdir, pamh); +} + +int pam_start ( + const char *service_name, + const char *user, + const struct pam_conv *pam_conversation, + pam_handle_t **pamh) +{ + return _pam_start_internal(service_name, user, pam_conversation, + NULL, pamh); +} diff --git a/tests/Makefile.am b/tests/Makefile.am index c44a2ee7..5b0e78d7 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -12,7 +12,7 @@ TESTS = tst-pam_start tst-pam_end tst-pam_fail_delay tst-pam_open_session \ tst-pam_close_session tst-pam_acct_mgmt tst-pam_authenticate \ tst-pam_chauthtok tst-pam_setcred tst-pam_get_item tst-pam_set_item \ tst-pam_getenvlist tst-pam_get_user tst-pam_set_data \ - tst-pam_mkargv + tst-pam_mkargv tst-pam_start_confdir check_PROGRAMS = ${TESTS} tst-dlopen diff --git a/tests/confdir b/tests/confdir new file mode 100644 index 00000000..3883c869 
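Review bot: The `_pam_strdup(confdir)` copy stored in `(*pamh)->confdir` has no matching release in this commit: the diffstat lists no change to pam_end.c, so unless `pam_end` is updated elsewhere to `_pam_drop(pamh->confdir);` alongside its existing drops of `service_name` and `user`, every handle started with a confdir leaks that string for the life of the process. For the same reason any later failure path in `_pam_start_internal` that frees `service_name` and `user` (the rest of the function is outside the hunk) now also needs `_pam_drop((*pamh)->confdir);`, since confdir is allocated before them. A smaller point: the trace at the top still reads `"called pam_start: ..."` and does not show the new argument, which is the one value a debugger wants when policy is loaded from an unexpected directory; extending the `D((...))` with the confdir (NULL-guarded) would help.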
--- /dev/null
+++ b/tests/confdir
@@ -0,0 +1 @@
+# This is an empty pam service file for tst-pam_start_confdir
diff --git a/tests/tst-pam_start_confdir.c b/tests/tst-pam_start_confdir.c
new file mode 100644
index 00000000..e40b6e70
--- /dev/null
+++ b/tests/tst-pam_start_confdir.c
@@ -0,0 +1,99 @@
+/*
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include
+#endif
+
+#include
+#include
+#include
+
+#include
+
+
+int
+main (void)
+{
+ const char *service = "confdir";
+ const char *xservice = "nonexistent-service";
+ const char *user = "root";
+ const char *confdir;
+ const char *xconfdir = "/nonexistent-confdir";
+ struct pam_conv conv;
+ pam_handle_t *pamh;
+ int retval;
+
+ confdir = getenv("srcdir");
+
+ if (confdir == NULL)
+ {
+ fprintf (stderr, "Error: srcdir not set\n");
+ return 1;
+ }
+
+ /* 1: check with valid arguments */
+ retval = pam_start_confdir (service, user, &conv, confdir, &pamh);
+ if (retval != PAM_SUCCESS)
+ {
+ fprintf (stderr, "pam_start_confdir (%s, %s, &conv, %s, &pamh) returned %d\n",
+ service, user, confdir, retval);
+ return 1;
+ }
+ else if (pamh == NULL)
+ {
+ fprintf (stderr, "pam_start_confdir (%s, %s, &conv, %s, &pamh) returned NULL for pamh\n",
+ service, user, confdir);
+ return 1;
+ }
+
+ /* 2: check with invalid service */
+ retval = pam_start_confdir (xservice, user, &conv, confdir, &pamh);
+ if (retval == PAM_SUCCESS)
+ {
+ fprintf (stderr, "pam_start_confdir (%s, %s, &conv, %s, &pamh) incorrectly succeeded\n",
+ xservice, user, confdir);
+ return 1;
+ }
+
+ /* 3: check with invalid confdir */
+ retval = pam_start_confdir (service, user, &conv, xconfdir, &pamh);
+ if (retval == PAM_SUCCESS)
+ {
+ fprintf (stderr, "pam_start_confdir (%s, %s, &conv, %s, &pamh) incorrectly succeeded\n",
+ service, user, xconfdir);
+ return 1;
+ }
+
+ return 0;
+}
-- cgit v1.2.3 From 897c7412b26ca618af6822dcaa7e6be68772dc52 Mon Sep 17 00:00:00 2001
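Review bot: The handle obtained in case 1 is never released: after the `pamh == NULL` check the test goes straight on to cases 2 and 3, reusing `pamh` without ever calling `pam_end`, so a successful run leaks the transaction and a leak-checking CI run will flag the test rather than the library; it also leaves unasserted whether the failing calls touch `pamh` at all. Add `retval = pam_end (pamh, PAM_SUCCESS);` before case 2, reporting a non-`PAM_SUCCESS` result the same way the other checks do. `struct pam_conv conv` is handed to the library uninitialised as well; whether anything reads it before a conversation happens is not visible here, but `struct pam_conv conv = { 0 };` removes the question for free.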
From: "Dmitry V. Levin" Date: Sat, 28 Mar 2020 18:19:41 +0000 Subject: Fix various typos found using codespell tool --- NEWS | 8 ++++---- conf/pam_conv1/README | 2 +- configure.ac | 4 ++-- doc/man/pam.3.xml | 2 +- doc/sag/pam_time.xml | 2 +- doc/specs/draft-morgan-pam.raw | 4 ++-- libpam/include/security/_pam_types.h | 4 ++-- libpam/pam_delay.c | 4 ++-- libpam/pam_handlers.c | 4 ++-- libpam/pam_private.h | 2 +- libpam_misc/misc_conv.c | 2 +- libpamc/pamc_load.c | 2 +- m4/libprelude.m4 | 6 +++--- modules/pam_access/pam_access.c | 8 ++++---- modules/pam_cracklib/pam_cracklib.c | 4 ++-- modules/pam_env/pam_env.c | 4 ++-- modules/pam_filter/pam_filter.c | 4 ++-- modules/pam_ftp/pam_ftp.c | 4 ++-- modules/pam_issue/pam_issue.c | 2 +- modules/pam_keyinit/pam_keyinit.c | 4 ++-- modules/pam_lastlog/pam_lastlog.c | 6 +++--- modules/pam_limits/pam_limits.c | 2 +- modules/pam_mkhomedir/pam_mkhomedir.c | 2 +- modules/pam_namespace/pam_namespace.c | 4 ++-- modules/pam_namespace/pam_namespace.h | 4 ++-- modules/pam_sepermit/pam_sepermit.c | 2 +- modules/pam_stress/README | 2 +- modules/pam_tally/faillog.h | 4 ++-- modules/pam_tally/pam_tally.c | 2 +- modules/pam_tally2/pam_tally2.c | 2 +- modules/pam_unix/bigcrypt.c | 2 +- modules/pam_unix/unix_chkpwd.c | 2 +- tests/tst-pam_set_data.c | 2 +- xtests/run-xtests.sh | 8 ++++---- 34 files changed, 60 insertions(+), 60 deletions(-) (limited to 'doc/man') diff --git a/NEWS b/NEWS index 23e606b4..d0b18bbc 100644 --- a/NEWS +++ b/NEWS @@ -115,8 +115,8 @@ Release 1.1.4 Release 1.1.3 -* pam_namespace: Clean environment for childs (CVE-2010-3853) -* libpam: New interface to drop/regain privilegs +* pam_namespace: Clean environment for child processes (CVE-2010-3853) +* libpam: New interface to drop/regain privileges * Drop root privilegs in pam_env, pam_mail and pam_xauth before accessing user files (CVE-2010-3430, CVE-2010-3431) * pam_unix: Add minlen option, change default from 6 to 0 
@@ -222,7 +222,7 @@ Release 0.99.10.0 SELinux mode. * Improved functionality of pam_namespace.so module (method flags, namespace.d configuration directory, new options). -* Finaly removed deprecated pam_rhosts_auth module. +* Finally removed deprecated pam_rhosts_auth module. Release 0.99.9.0 @@ -316,7 +316,7 @@ Release 0.99.4.0 * Add test suite * Fix building of static variants of libpam, libpamc and libpam_misc * pam_listfile: Add support for password and session management -* pam_exec: New PAM module to execute arbitary commands +* pam_exec: New PAM module to execute arbitrary commands * Fix building of a static libpam including all PAM modules * New/updated translations for: nl, pt, pl, fi, km, tr, uk, fr * pam_access: Add network(address) / netmask and IPv6 support diff --git a/conf/pam_conv1/README b/conf/pam_conv1/README index 8c748ba8..753d71f3 100644 --- a/conf/pam_conv1/README +++ b/conf/pam_conv1/README @@ -1,5 +1,5 @@ -This directory contains a untility to convert pam.conf files to a pam.d/ +This directory contains a utility to convert pam.conf files to a pam.d/ tree. The conversion program takes pam.conf from the standard input and creates the pam.d/ directory in the current directory. diff --git a/configure.ac b/configure.ac index 57886415..d8bedb8c 100644 --- a/configure.ac +++ b/configure.ac @@ -230,7 +230,7 @@ dnl dnl icc handles -fpie as -fp without error, so blacklist icc dnl AC_ARG_ENABLE(pie,AS_HELP_STRING([--disable-pie], - [disable position-independent executeables (PIE)]), + [disable position-independent executables (PIE)]), USE_PIE=$enableval, USE_PIE=yes) AC_CACHE_CHECK(for -fpie, libc_cv_fpie, [dnl 
@@ -438,7 +438,7 @@ if test -n "$opt_randomdev"; then fi dnl check for libdb or libndbm as fallback. Some libndbm compat -dnl libraries are unuseable, so try libdb first. +dnl libraries are unusable, so try libdb first. AC_ARG_ENABLE([db], AS_HELP_STRING([--enable-db=(db|ndbm|yes|no)],[Default behavior 'yes', which is to check for libdb first, followed by ndbm. Use 'no' to disable db support.]), WITH_DB=$enableval, WITH_DB=yes) diff --git a/doc/man/pam.3.xml b/doc/man/pam.3.xml index 3efffd95..0b1efccf 100644 --- a/doc/man/pam.3.xml +++ b/doc/man/pam.3.xml @@ -153,7 +153,7 @@ pam_get_item3 functions allows applications and PAM service modules to set and - retrieve PAM informations. + retrieve PAM information. The diff --git a/doc/sag/pam_time.xml b/doc/sag/pam_time.xml index dd9bba4c..74e9e02a 100644 --- a/doc/sag/pam_time.xml +++ b/doc/sag/pam_time.xml @@ -2,7 +2,7 @@
- pam_time - time controled access + pam_time - time controlled access diff --git a/doc/specs/draft-morgan-pam.raw b/doc/specs/draft-morgan-pam.raw index ec5bba49..8fdb0502 100644 --- a/doc/specs/draft-morgan-pam.raw +++ b/doc/specs/draft-morgan-pam.raw @@ -130,11 +130,11 @@ Here is a diagram to help orient the reader: ## +---------+ +--------+ +----------+ ## Solid lines connecting the boxes represent two-way interaction. The -dotted-directed lines indicate an optional connection beteween the +dotted-directed lines indicate an optional connection between the plugin module (agent) and the server (applicant). In the case of the module, this represents the module invoking the 'conversation' callback function provided to libpam by the server application when it -inititializes the libpam library. In the case of the agent, this may +initializes the libpam library. In the case of the agent, this may be some out-of-PAM API interaction (for example directly displaying a dialog box under X). diff --git a/libpam/include/security/_pam_types.h b/libpam/include/security/_pam_types.h index 2d684bce..2abb7ee5 100644 --- a/libpam/include/security/_pam_types.h +++ b/libpam/include/security/_pam_types.h @@ -41,7 +41,7 @@ typedef struct pam_handle pam_handle_t; /* can not retrieve authentication */ /* information */ #define PAM_USER_UNKNOWN 10 /* User not known to the underlying */ - /* authenticaiton module */ + /* authentication module */ #define PAM_MAXTRIES 11 /* An authentication service has */ /* maintained a retry count which has */ /* been reached. No further retries */ @@ -50,7 +50,7 @@ typedef struct pam_handle pam_handle_t; /* This is normally returned if the */ /* machine security policies require */ /* that the password should be changed */ - /* beccause the password is NULL or it */ + /* because the password is NULL or it */ /* has aged */ #define PAM_ACCT_EXPIRED 13 /* User account has expired */ #define PAM_SESSION_ERR 14 /* Can not make/remove an entry for */ 
diff --git a/libpam/pam_delay.c b/libpam/pam_delay.c index 8a2be7aa..549da896 100644 --- a/libpam/pam_delay.c +++ b/libpam/pam_delay.c @@ -44,10 +44,10 @@ void _pam_start_timer(pam_handle_t *pamh) /* ******************************************************************* * Compute a pseudo random time. The value is base*(1 +/- 1/5) where - * the distribution is pseudo gausian (the sum of three evenly + * the distribution is pseudo gaussian (the sum of three evenly * distributed random numbers -- central limit theorem and all ;^) The * linear random numbers are based on a formulae given in Knuth's - * Seminumerical recipies that was reproduced in `Numerical Recipies + * Seminumerical recipes that was reproduced in `Numerical Recipes * in C'. It is *not* a cryptographically strong generator, but it is * probably "good enough" for our purposes here. * diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c index 79961ed2..ffa5e4ae 100644 --- a/libpam/pam_handlers.c +++ b/libpam/pam_handlers.c @@ -559,7 +559,7 @@ int _pam_init_handlers(pam_handle_t *pamh) /* * This is where we read a line of the PAM config file. The line may be - * preceeded by lines of comments and also extended with "\\\n" + * preceded by lines of comments and also extended with "\\\n" */ static int _pam_assemble_line(FILE *f, char *buffer, int buf_len) @@ -1034,7 +1034,7 @@ void _pam_free_handlers_aux(struct handler **hp) D(("called.")); while (h) { last = h; - _pam_drop(h->argv); /* This is all alocated in a single chunk */ + _pam_drop(h->argv); /* This is all allocated in a single chunk */ _pam_drop(h->mod_name); h = h->next; memset(last, 0, sizeof(*last)); diff --git a/libpam/pam_private.h b/libpam/pam_private.h index 69d2ef44..508527cf 100644 --- a/libpam/pam_private.h +++ b/libpam/pam_private.h 
@@ -220,7 +220,7 @@ int _pam_free_handlers(pam_handle_t *pamh); /* Parse config file, allocate handler structures, dlopen() */ int _pam_init_handlers(pam_handle_t *pamh); -/* Set all hander stuff to 0/NULL - called once from pam_start() */ +/* Set all handler stuff to 0/NULL - called once from pam_start() */ void _pam_start_handlers(pam_handle_t *pamh); /* environment helper functions */ diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c index e29ce59e..f6397af1 100644 --- a/libpam_misc/misc_conv.c +++ b/libpam_misc/misc_conv.c @@ -23,7 +23,7 @@ #define CONV_ECHO_OFF 0 /* - * external timeout definitions - these can be overriden by the + * external timeout definitions - these can be overridden by the * application. */ diff --git a/libpamc/pamc_load.c b/libpamc/pamc_load.c index 5155e0ae..24a65dfd 100644 --- a/libpamc/pamc_load.c +++ b/libpamc/pamc_load.c @@ -113,7 +113,7 @@ static int __pamc_exec_agent(pamc_handle_t pch, pamc_agent_t *agent) pamc_converse) to make sure no privilege will leak into an (untrusted) agent. */ - /* we propogate no environment - future versions of this + /* we propagate no environment - future versions of this library may have the ability to audit all agent transactions. */ diff --git a/m4/libprelude.m4 b/m4/libprelude.m4 index f78527f6..a9ea404c 100644 --- a/m4/libprelude.m4 +++ b/m4/libprelude.m4 
@@ -69,7 +69,7 @@ main () "$libprelude_config_version", prelude_check_version(NULL) ); printf("*** was found! If libprelude-config was correct, then it is best\n"); printf("*** to remove the old version of LIBPRELUDE. You may also be able to fix the error\n"); - printf("*** by modifying your LD_LIBRARY_PATH enviroment variable, or by editing\n"); + printf("*** by modifying your LD_LIBRARY_PATH environment variable, or by editing\n"); printf("*** /etc/ld.so.conf. Make sure you have run ldconfig if that is\n"); printf("*** required on your system.\n"); printf("*** If libprelude-config was wrong, set the environment variable LIBPRELUDE_CONFIG\n"); @@ -100,7 +100,7 @@ main () printf("*** being found. The easiest way to fix this is to remove the old version\n"); printf("*** of LIBPRELUDE, but you can also set the LIBPRELUDE_CONFIG environment to point to the\n"); printf("*** correct copy of libprelude-config. (In this case, you will have to\n"); - printf("*** modify your LD_LIBRARY_PATH enviroment variable, or edit /etc/ld.so.conf\n"); + printf("*** modify your LD_LIBRARY_PATH environment variable, or edit /etc/ld.so.conf\n"); printf("*** so that the correct libraries are found at run-time))\n"); } } @@ -151,7 +151,7 @@ main () echo "*** you may also be able to get things to work by modifying LD_LIBRARY_PATH" echo "***" ], [ echo "*** The test program failed to compile or link. See the file config.log for the" - echo "*** exact error that occured. This usually means LIBPRELUDE was incorrectly installed" + echo "*** exact error that occurred. This usually means LIBPRELUDE was incorrectly installed" echo "*** or that you have moved LIBPRELUDE since it was installed. In the latter case, you" echo "*** may want to edit the libprelude-config script: $LIBPRELUDE_CONFIG" ]) CFLAGS="$ac_save_CFLAGS" diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index 680b5860..4d4339a4 100644 --- a/modules/pam_access/pam_access.c 
+++ b/modules/pam_access/pam_access.c @@ -21,7 +21,7 @@ * * This software is provided "as is" and without any expressed or implied * warranties, including, without limitation, the implied warranties of - * merchantibility and fitness for any particular purpose. + * merchantability and fitness for any particular purpose. ************************************************************************* */ @@ -220,7 +220,7 @@ isipaddr (const char *string, int *addr_type, /* are_addresses_equal - translate IP address strings to real IP * addresses and compare them to find out if they are equal. - * If netmask was provided it will be used to focus comparation to + * If netmask was provided it will be used to focus comparison to * relevant bits. */ static int @@ -377,7 +377,7 @@ login_access (pam_handle_t *pamh, struct login_info *item) if (line[0] == 0) /* skip blank lines */ continue; - /* Allow field seperator in last field of froms */ + /* Allow field separator in last field of froms */ if (!(perm = strtok_r(line, item->fs, &sptr)) || !(users = strtok_r(NULL, item->fs, &sptr)) || !(froms = strtok_r(NULL, "\n", &sptr))) { @@ -584,7 +584,7 @@ group_match (pam_handle_t *pamh, const char *tok, const char* usr, if (strlen(tok) < 3) return NO; - /* token is recieved under the format '(...)' */ + /* token is received under the format '(...)' */ memset(grptok, 0, BUFSIZ); strncpy(grptok, tok + 1, strlen(tok) - 2); diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c index e87ff7d8..f89f33da 100644 --- a/modules/pam_cracklib/pam_cracklib.c +++ b/modules/pam_cracklib/pam_cracklib.c @@ -13,7 +13,7 @@ * 0.5. supports retries - 'retry=N' argument * 0.4. added argument 'type=XXX' for 'New XXX password' prompt * 0.3. Added argument 'debug' - * 0.2. new password is feeded to cracklib for verify after typed once + * 0.2. new password is fed to cracklib for verify after typed once * 0.1. First release */ 
@@ -317,7 +317,7 @@ static int similar(struct cracklib_options *opt, } /* - * enough classes of charecters + * enough classes of characters */ static int minclass (struct cracklib_options *opt, diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c index e514b2c2..1bdc119d 100644 --- a/modules/pam_env/pam_env.c +++ b/modules/pam_env/pam_env.c @@ -230,7 +230,7 @@ _parse_env_file(pam_handle_t *pamh, int ctrl, const char *file) mark[0] = '\0'; /* - * sanity check, the key must be alpha-numeric + * sanity check, the key must be alphanumeric */ if (key[0] == '=') { @@ -291,7 +291,7 @@ _parse_env_file(pam_handle_t *pamh, int ctrl, const char *file) /* * This is where we read a line of the PAM config file. The line may be - * preceeded by lines of comments and also extended with "\\\n" + * preceded by lines of comments and also extended with "\\\n" */ static int _assemble_line(FILE *f, char *buffer, int buf_len) diff --git a/modules/pam_filter/pam_filter.c b/modules/pam_filter/pam_filter.c index febb274f..b9274e83 100644 --- a/modules/pam_filter/pam_filter.c +++ b/modules/pam_filter/pam_filter.c @@ -296,7 +296,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl, struct termios t_mode = stored_mode; t_mode.c_iflag = 0; /* no input control */ - t_mode.c_oflag &= ~OPOST; /* no ouput post processing */ + t_mode.c_oflag &= ~OPOST; /* no output post processing */ /* no signals, canonical input, echoing, upper/lower output */ #ifdef XCASE @@ -444,7 +444,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl, close(fd[1]); - /* the current process is now aparently working with filtered + /* the current process is now apparently working with filtered stdio/stdout/stderr --- success! */ return PAM_SUCCESS; diff --git a/modules/pam_ftp/pam_ftp.c b/modules/pam_ftp/pam_ftp.c index 30806f28..ce6ead9a 100644 --- a/modules/pam_ftp/pam_ftp.c +++ b/modules/pam_ftp/pam_ftp.c 
@@ -123,7 +123,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, const char *users = NULL; /* - * this module checks if the user name is ftp or annonymous. If + * this module checks if the user name is ftp or anonymous. If * this is the case, it can set the PAM_RUSER to the entered email * address and SUCCEEDS, otherwise it FAILS. */ @@ -186,7 +186,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, } } - /* we are happy to grant annonymous access to the user */ + /* we are happy to grant anonymous access to the user */ retval = PAM_SUCCESS; } else { diff --git a/modules/pam_issue/pam_issue.c b/modules/pam_issue/pam_issue.c index ea8e2a06..0fd1a117 100644 --- a/modules/pam_issue/pam_issue.c +++ b/modules/pam_issue/pam_issue.c @@ -58,7 +58,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, if(_user_prompt_set) return PAM_IGNORE; - /* We set this here so if we fail below, we wont get further + /* We set this here so if we fail below, we won't get further than this next time around (only one real failure) */ _user_prompt_set = 1; diff --git a/modules/pam_keyinit/pam_keyinit.c b/modules/pam_keyinit/pam_keyinit.c index 611c06dc..d58744d7 100644 --- a/modules/pam_keyinit/pam_keyinit.c +++ b/modules/pam_keyinit/pam_keyinit.c @@ -155,7 +155,7 @@ static int kill_keyrings(pam_handle_t *pamh, int error_ret) ret = error_ret; } - /* return to the orignal UID and GID (probably root) */ + /* return to the original UID and GID (probably root) */ if (revoke_as_uid != old_uid && setreuid(-1, old_uid) < 0) { error(pamh, "Unable to change UID back to %d\n", old_uid); ret = error_ret; 
@@ -227,7 +227,7 @@ static int do_keyinit(pam_handle_t *pamh, int argc, const char **argv, int error ret = init_keyrings(pamh, force, error_ret); - /* return to the orignal UID and GID (probably root) */ + /* return to the original UID and GID (probably root) */ if (uid != old_uid && setreuid(old_uid, -1) < 0) { error(pamh, "Unable to change UID back to %d\n", old_uid); ret = error_ret; diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c index 2edac5bf..1f707d93 100644 --- a/modules/pam_lastlog/pam_lastlog.c +++ b/modules/pam_lastlog/pam_lastlog.c @@ -104,7 +104,7 @@ _pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv, *inactive = DEFAULT_INACTIVE_DAYS; - /* does the appliction require quiet? */ + /* does the application require quiet? */ if (flags & PAM_SILENT) { ctrl |= LASTLOG_QUIET; } @@ -170,7 +170,7 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv) } } - /* does the appliction require quiet? */ + /* does the application require quiet? */ if (flags & PAM_SILENT) { ctrl |= LASTLOG_QUIET; ctrl &= ~LASTLOG_BTMP; @@ -449,7 +449,7 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd, */ D(("setting limit for 'fsize'")); - if ((announce & LASTLOG_UNLIMITED) == 0) { /* don't set to unlimted */ + if ((announce & LASTLOG_UNLIMITED) == 0) { /* don't set to unlimited */ setrlimit_res = -1; } else if (getrlimit(RLIMIT_FSIZE, &old_limit) == 0) { if (old_limit.rlim_cur == RLIM_INFINITY) { /* already unlimited */ diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c index a88fed28..c8a03ae4 100644 --- a/modules/pam_limits/pam_limits.c +++ b/modules/pam_limits/pam_limits.c 
@@ -1048,7 +1048,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, return PAM_SUCCESS; } if (retval != PAM_SUCCESS || pl->conf_file != NULL) - /* skip reading limits.d if config file explicitely specified */ + /* skip reading limits.d if config file explicitly specified */ goto out; /* Read subsequent *.conf files, if they exist. */ diff --git a/modules/pam_mkhomedir/pam_mkhomedir.c b/modules/pam_mkhomedir/pam_mkhomedir.c index 077e6171..6e035f70 100644 --- a/modules/pam_mkhomedir/pam_mkhomedir.c +++ b/modules/pam_mkhomedir/pam_mkhomedir.c @@ -80,7 +80,7 @@ _pam_parse (const pam_handle_t *pamh, int flags, int argc, const char **argv, opt->umask = "0022"; opt->skeldir = "/etc/skel"; - /* does the appliction require quiet? */ + /* does the application require quiet? */ if ((flags & PAM_SILENT) == PAM_SILENT) opt->ctrl |= MKHOMEDIR_QUIET; diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index d1010daf..63b5c665 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -740,7 +740,7 @@ static int parse_config_file(struct instance_data *idata) /* - * This funtion returns true if a given uid is present in the polyinstantiated + * This function returns true if a given uid is present in the polyinstantiated * directory's list of override uids. If the uid is one of the override * uids for the polyinstantiated directory, polyinstantiation is not * performed for that user for that directory. @@ -880,7 +880,7 @@ static int form_context(const struct polydir_s *polyptr, goto fail; } if (context_range_set(fcontext, context_range_get(scontext)) != 0) { - pam_syslog(idata->pamh, LOG_ERR, "Unable to set MLS Componant of context"); + pam_syslog(idata->pamh, LOG_ERR, "Unable to set MLS Component of context"); goto fail; } *i_context=strdup(context_str(fcontext)); diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h index 1522386a..3a1e4ba3 100644 
--- a/modules/pam_namespace/pam_namespace.h +++ b/modules/pam_namespace/pam_namespace.h @@ -138,12 +138,12 @@ enum polymethod { /* * Depending on the application using this namespace module, we - * may need to unmount priviously bind mounted instance directory. + * may need to unmount previously bind mounted instance directory. * Applications such as login and sshd, that establish a new * session unmount of instance directory is not needed. For applications * such as su and newrole, that switch the identity, this module * has to unmount previous instance directory first and re-mount - * based on the new indentity. For other trusted applications that + * based on the new identity. For other trusted applications that * just want to undo polyinstantiation, only unmount of previous * instance directory is needed. */ diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c index 14965a2f..442703d3 100644 --- a/modules/pam_sepermit/pam_sepermit.c +++ b/modules/pam_sepermit/pam_sepermit.c @@ -1,5 +1,5 @@ /****************************************************************************** - * A module for Linux-PAM that allows/denies acces based on SELinux state. + * A module for Linux-PAM that allows/denies access based on SELinux state. * * Copyright (c) 2007, 2008, 2009 Red Hat, Inc. * Originally written by Tomas Mraz diff --git a/modules/pam_stress/README b/modules/pam_stress/README index e64bf2d3..ed56ae58 100644 --- a/modules/pam_stress/README +++ b/modules/pam_stress/README @@ -2,7 +2,7 @@ # This describes the behavior of this module with respect to the # /etc/pam.conf file. # -# writen by Andrew Morgan +# written by Andrew Morgan # This module recognizes the following arguments. diff --git a/modules/pam_tally/faillog.h b/modules/pam_tally/faillog.h index 7f704713..90756394 100644 --- a/modules/pam_tally/faillog.h +++ b/modules/pam_tally/faillog.h 
@@ -43,8 +43,8 @@ struct faillog { short fail_cnt; /* failures since last success */ short fail_max; /* failures before turning account off */ - char fail_line[12]; /* last failure occured here */ - time_t fail_time; /* last failure occured then */ + char fail_line[12]; /* last failure occurred here */ + time_t fail_time; /* last failure occurred then */ /* * If nonzero, the account will be re-enabled if there are no * failures for fail_locktime seconds since last failure. diff --git a/modules/pam_tally/pam_tally.c b/modules/pam_tally/pam_tally.c index cc221b87..6f578988 100644 --- a/modules/pam_tally/pam_tally.c +++ b/modules/pam_tally/pam_tally.c @@ -694,7 +694,7 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, #ifdef PAM_SM_ACCOUNT -/* To reset failcount of user on successfull login */ +/* To reset failcount of user on successful login */ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, diff --git a/modules/pam_tally2/pam_tally2.c b/modules/pam_tally2/pam_tally2.c index 6543991f..e8c74eb9 100644 --- a/modules/pam_tally2/pam_tally2.c +++ b/modules/pam_tally2/pam_tally2.c @@ -806,7 +806,7 @@ pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED, /* --- authentication management functions (only) --- */ -/* To reset failcount of user on successfull login */ +/* To reset failcount of user on successful login */ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, diff --git a/modules/pam_unix/bigcrypt.c b/modules/pam_unix/bigcrypt.c index e1d57a07..e08e4098 100644 --- a/modules/pam_unix/bigcrypt.c +++ b/modules/pam_unix/bigcrypt.c 
@@ -13,7 +13,7 @@ * Description: The cleartext is divided into blocks of SEGMENT_SIZE=8 * characters or less. Each block is encrypted using the standard UNIX * libc crypt function. The result of the encryption for one block - * provides the salt for the suceeding block. + * provides the salt for the succeeding block. * * Restrictions: The buffer used to hold the encrypted result is * statically allocated. (see MAX_PASS_LEN below). This is necessary, diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c index 39c84dbf..6aaf81a4 100644 --- a/modules/pam_unix/unix_chkpwd.c +++ b/modules/pam_unix/unix_chkpwd.c @@ -2,7 +2,7 @@ * This program is designed to run setuid(root) or with sufficient * privilege to read all of the unix password databases. It is designed * to provide a mechanism for the current user (defined by this - * process' uid) to verify their own password. + * process's uid) to verify their own password. * * The password is read from the standard input. The exit status of * this program indicates whether the user is authenticated or not. diff --git a/tests/tst-pam_set_data.c b/tests/tst-pam_set_data.c index 3b30dcc1..9acab6a6 100644 --- a/tests/tst-pam_set_data.c +++ b/tests/tst-pam_set_data.c @@ -331,7 +331,7 @@ main (void) if (retval == PAM_SUCCESS) { fprintf (stderr, - "pam_set_data with NULL as module_data_name succeded!\n"); + "pam_set_data with NULL as module_data_name succeeded!\n"); return 1; } free (dataptr); diff --git a/xtests/run-xtests.sh b/xtests/run-xtests.sh index 1cf8684b..14f585d9 100755 --- a/xtests/run-xtests.sh +++ b/xtests/run-xtests.sh @@ -13,7 +13,7 @@ XTESTS="$@" failed=0 pass=0 -skiped=0 +skipped=0 all=0 mkdir -p /etc/security @@ -36,7 +36,7 @@ for testname in $XTESTS ; do RETVAL=$? if test $RETVAL -eq 77 ; then echo "SKIP: $testname" - skiped=`expr $skiped + 1` + skipped=`expr $skipped + 1` elif test $RETVAL -ne 0 ; then echo "FAIL: $testname" failed=`expr $failed + 1` 
@@ -55,13 +55,13 @@ mv /etc/security/opasswd-pam-xtests /etc/security/opasswd if test "$failed" -ne 0; then echo "===================" echo "$failed of $all tests failed" - echo "$skiped tests not run" + echo "$skipped tests not run" echo "===================" exit 1 else echo "==================" echo "$all tests passed" - echo "$skiped tests not run" + echo "$skipped tests not run" echo "==================" fi exit 0 -- cgit v1.2.3 From ea951fdc8682146f7f03216a7839441678d45657 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Tue, 28 Apr 2020 10:10:08 +0000 Subject: build: rework vendordir substitution Since Make.xml.rules is the only place where XSLTPROC_CUSTOM was used, remove stereotypic definitions from other Makefiles, this way we no longer have to worry about vendordir being used somewhere else in documentation files. Likewise, define VENDORDIR in config.h and remove stereotypic -DVENDORDIR= additions from other Makefiles, this way we no longer have to worry about VENDORDIR being used somewhere else in the code. * configure.ac (AM_CONDITIONAL): Remove HAVE_VENDORDIR. (AC_DEFINE_UNQUOTED): Add VENDORDIR. (AC_SUBST): Remove VENDORDIR, add STRINGPARAM_VENDORDIR. * Make.xml.rules.in: Replace $(XSLTPROC_CUSTOM) with @STRINGPARAM_VENDORDIR@. * doc/man/Makefile.am (XSLTPROC_CUSTOM): Remove. * libpam/Makefile.am [HAVE_VENDORDIR]: Remove. * modules/pam_securetty/Makefile.am [HAVE_VENDORDIR]: Remove. (XSLTPROC_CUSTOM): Remove. * modules/pam_securetty/pam_securetty.c: Move definitions of local macros after config.h to benefit from macros defined there. --- Make.xml.rules.in | 10 +++++----- configure.ac | 10 ++++++++-- doc/man/Makefile.am | 5 ----- libpam/Makefile.am | 3 --- modules/pam_securetty/Makefile.am | 8 -------- modules/pam_securetty/pam_securetty.c | 16 ++++++++-------- 6 files changed, 21 insertions(+), 31 deletions(-) (limited to 'doc/man') diff --git a/Make.xml.rules.in b/Make.xml.rules.in index 9bda445f..daa1b97b 100644 --- a/Make.xml.rules.in 
+++ b/Make.xml.rules.in @@ -5,22 +5,22 @@ README: $(XMLS) README: README.xml - $(XSLTPROC) --path $(srcdir) --xinclude --stringparam generate.toc "none" $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-html.xsl $< | $(BROWSER) > $(srcdir)/$@ + $(XSLTPROC) --path $(srcdir) --xinclude --stringparam generate.toc "none" @STRINGPARAM_VENDORDIR@ --nonet $(top_srcdir)/doc/custom-html.xsl $< | $(BROWSER) > $(srcdir)/$@ %.1: %.1.xml $(XMLLINT) --nonet --xinclude --postvalid --noout $< - $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-man.xsl $< + $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude @STRINGPARAM_VENDORDIR@ --nonet $(top_srcdir)/doc/custom-man.xsl $< %.3: %.3.xml $(XMLLINT) --nonet --xinclude --postvalid --noout $< - $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-man.xsl $< + $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude @STRINGPARAM_VENDORDIR@ --nonet $(top_srcdir)/doc/custom-man.xsl $< %.5: %.5.xml $(XMLLINT) --nonet --xinclude --postvalid --noout $< - $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-man.xsl $< + $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude @STRINGPARAM_VENDORDIR@ --nonet $(top_srcdir)/doc/custom-man.xsl $< %.8: %.8.xml $(XMLLINT) --nonet --xinclude --postvalid --noout $< - $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-man.xsl $< + $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude @STRINGPARAM_VENDORDIR@ --nonet $(top_srcdir)/doc/custom-man.xsl $< #CLEANFILES += $(man_MANS) README diff --git a/configure.ac b/configure.ac index 43e95e51..3d641db9 100644 --- a/configure.ac +++ b/configure.ac 
@@ -544,8 +544,14 @@ AC_SUBST([ECONF_CFLAGS]) AC_SUBST([ECONF_LIBS]) AC_ARG_ENABLE([vendordir], AS_HELP_STRING([--enable-vendordir=DIR], [Directory for distribution provided configuration files]),,[]) -AC_SUBST([VENDORDIR], [$enable_vendordir]) -AM_CONDITIONAL([HAVE_VENDORDIR], [test "x$enable_vendordir" != x]) +if test -n "$enable_vendordir"; then + AC_DEFINE_UNQUOTED([VENDORDIR], ["$enable_vendordir"], + [Directory for distribution provided configuration files]) + STRINGPARAM_VENDORDIR="--stringparam vendordir '$enable_vendordir'" +else + STRINGPARAM_VENDORDIR="--stringparam vendordir ''" +fi +AC_SUBST([STRINGPARAM_VENDORDIR]) dnl Checks for header files. AC_HEADER_DIRENT diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am index 8e76897e..78c891df 100644 --- a/doc/man/Makefile.am +++ b/doc/man/Makefile.am @@ -59,10 +59,5 @@ pam.d.5: pam.conf.5 pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml -if HAVE_VENDORDIR -XSLTPROC_CUSTOM = --stringparam vendordir $(VENDORDIR) -else -XSLTPROC_CUSTOM = --stringparam vendordir "" -endif -include $(top_srcdir)/Make.xml.rules endif diff --git a/libpam/Makefile.am b/libpam/Makefile.am index 67048702..41ac9845 100644 --- a/libpam/Makefile.am +++ b/libpam/Makefile.am @@ -6,9 +6,6 @@ AM_CFLAGS = -DDEFAULT_MODULE_PATH=\"$(SECUREDIR)/\" -DLIBPAM_COMPILE \ -I$(srcdir)/include $(LIBPRELUDE_CFLAGS) $(ECONF_CFLAGS) \ -DPAM_VERSION=\"$(VERSION)\" -DSYSCONFDIR=\"$(sysconfdir)\" \ $(WARN_CFLAGS) -if HAVE_VENDORDIR - AM_CFLAGS += -DVENDORDIR=\"$(VENDORDIR)\" -endif CLEANFILES = *~ diff --git a/modules/pam_securetty/Makefile.am b/modules/pam_securetty/Makefile.am index 093da829..1b11d953 100644 --- a/modules/pam_securetty/Makefile.am +++ b/modules/pam_securetty/Makefile.am 
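Review bot: The new `if test -n "$enable_vendordir"` also accepts the literal `yes`/`no` that a bare `--enable-vendordir` or `--disable-vendordir` leaves in `$enable_vendordir`, so `VENDORDIR` would be defined as `"yes"` or `"no"` and the pam_securetty.c hunk in this same commit would then build `SECURETTY2_FILE` as the relative path `no/securetty`, which (presumably, when it is consulted as the fallback securetty list) resolves against whatever directory the calling process happens to be in. The old `AM_CONDITIONAL` test had the same gap, but now that the single definition lives here the check belongs here too: `case "$enable_vendordir" in yes|no) AC_MSG_ERROR([--enable-vendordir requires =DIR]) ;; esac` before the `if`, or map `no` to empty if `--disable-vendordir` is meant to be accepted. Since the same value is spliced into make recipes through `STRINGPARAM_VENDORDIR` with only single quotes around it, rejecting anything that is not an absolute path free of `'` and `$` would be safer still.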
@@ -22,19 +22,11 @@ AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -if HAVE_VENDORDIR - AM_CFLAGS += -DVENDORDIR=\"$(VENDORDIR)\" -endif securelib_LTLIBRARIES = pam_securetty.la pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README -if HAVE_VENDORDIR -XSLTPROC_CUSTOM = --stringparam vendordir $(VENDORDIR) -else -XSLTPROC_CUSTOM = --stringparam vendordir "" -endif -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c index 51249a9c..e594fb6a 100644 --- a/modules/pam_securetty/pam_securetty.c +++ b/modules/pam_securetty/pam_securetty.c @@ -1,13 +1,5 @@ /* pam_securetty module */ -#define SECURETTY_FILE "/etc/securetty" -#ifdef VENDORDIR -#define SECURETTY2_FILE VENDORDIR"/securetty" -#endif -#define TTY_PREFIX "/dev/" -#define CMDLINE_FILE "/proc/cmdline" -#define CONSOLEACTIVE_FILE "/sys/class/tty/console/active" - /* * by Elliot Lee , Red Hat Software. * July 25, 1996. @@ -48,6 +40,14 @@ #define PAM_DEBUG_ARG 0x0001 #define PAM_NOCONSOLE_ARG 0x0002 +#define SECURETTY_FILE "/etc/securetty" +#ifdef VENDORDIR +#define SECURETTY2_FILE VENDORDIR"/securetty" +#endif +#define TTY_PREFIX "/dev/" +#define CMDLINE_FILE "/proc/cmdline" +#define CONSOLEACTIVE_FILE "/sys/class/tty/console/active" + static int _pam_parse (const pam_handle_t *pamh, int argc, const char **argv) { -- cgit v1.2.3 From 3c10a035c9b996add3ca4d409ad5b22d2141f09f Mon Sep 17 00:00:00 2001 
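Review bot: The relocated define block now depends silently on config.h having been included above it (the commit message says that is the reason for the move, but the hunk's context does not show the include): because it is guarded by `#ifdef VENDORDIR`, any later reordering that puts these lines back above the includes compiles `SECURETTY2_FILE` out with no diagnostic, so a comment should pin the placement, e.g. `/* VENDORDIR comes from config.h: keep these below the includes. */`. Next to `SECURETTY2_FILE` it is also worth recording that `VENDORDIR"/securetty"` is only meaningful when VENDORDIR is an absolute path, since nothing in this series checks that at configure time and a relative path would be looked up from the caller's working directory. The `_pam_parse` definition that opens on the last line of the hunk continues outside it.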
From: "Dmitry V. Levin" Date: Fri, 1 May 2020 19:20:12 +0000 Subject: doc: remove references to PAM_SM_* macros Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support from Linux-PAM), PAM_SM_* macros have no effect. --- doc/man/pam_sm_acct_mgmt.3.xml | 1 - doc/man/pam_sm_authenticate.3.xml | 1 - doc/man/pam_sm_chauthtok.3.xml | 1 - doc/man/pam_sm_close_session.3.xml | 1 - doc/man/pam_sm_open_session.3.xml | 1 - doc/man/pam_sm_setcred.3.xml | 1 - doc/mwg/Linux-PAM_MWG.xml | 24 ------------------------ 7 files changed, 30 deletions(-) (limited to 'doc/man') diff --git a/doc/man/pam_sm_acct_mgmt.3.xml b/doc/man/pam_sm_acct_mgmt.3.xml index ff998676..b37dc306 100644 --- a/doc/man/pam_sm_acct_mgmt.3.xml +++ b/doc/man/pam_sm_acct_mgmt.3.xml @@ -17,7 +17,6 @@ - #define PAM_SM_ACCOUNT #include <security/pam_modules.h> int pam_sm_acct_mgmt diff --git a/doc/man/pam_sm_authenticate.3.xml b/doc/man/pam_sm_authenticate.3.xml index 42997265..ef3a8f15 100644 --- a/doc/man/pam_sm_authenticate.3.xml +++ b/doc/man/pam_sm_authenticate.3.xml @@ -17,7 +17,6 @@ - #define PAM_SM_AUTH #include <security/pam_modules.h> int pam_sm_authenticate diff --git a/doc/man/pam_sm_chauthtok.3.xml b/doc/man/pam_sm_chauthtok.3.xml index d8f36d69..25e17d02 100644 --- a/doc/man/pam_sm_chauthtok.3.xml +++ b/doc/man/pam_sm_chauthtok.3.xml @@ -17,7 +17,6 @@ - #define PAM_SM_PASSWORD #include <security/pam_modules.h> int pam_sm_chauthtok diff --git a/doc/man/pam_sm_close_session.3.xml b/doc/man/pam_sm_close_session.3.xml index db579ffa..6d8278ec 100644 --- a/doc/man/pam_sm_close_session.3.xml +++ b/doc/man/pam_sm_close_session.3.xml @@ -17,7 +17,6 @@ - #define PAM_SM_SESSION #include <security/pam_modules.h> int pam_sm_close_session diff --git a/doc/man/pam_sm_open_session.3.xml b/doc/man/pam_sm_open_session.3.xml index 0c9ec77f..ead7ca77 100644 --- a/doc/man/pam_sm_open_session.3.xml +++ b/doc/man/pam_sm_open_session.3.xml 
@@ -17,7 +17,6 @@
- #define PAM_SM_SESSION
#include <security/pam_modules.h>
int pam_sm_open_session
diff --git a/doc/man/pam_sm_setcred.3.xml b/doc/man/pam_sm_setcred.3.xml
index 5cfe899f..bb04a2df 100644
--- a/doc/man/pam_sm_setcred.3.xml
+++ b/doc/man/pam_sm_setcred.3.xml
@@ -17,7 +17,6 @@
- #define PAM_SM_AUTH
#include <security/pam_modules.h>
int pam_sm_setcred
diff --git a/doc/mwg/Linux-PAM_MWG.xml b/doc/mwg/Linux-PAM_MWG.xml
index 9274593d..3022538c 100644
--- a/doc/mwg/Linux-PAM_MWG.xml
+++ b/doc/mwg/Linux-PAM_MWG.xml
@@ -216,12 +216,6 @@ gcc -shared -o pam_module.so pam_module.o -lpam
Authentication management
-
- To be correctly initialized, PAM_SM_AUTH
- must be #define'd prior to including
- <security/pam_modules.h>. This will
- ensure that the prototypes for static modules are properly declared.
-
Account management
-
- To be correctly initialized, PAM_SM_ACCOUNT
- must be #define'd prior to including
- <security/pam_modules.h>. This will
- ensure that the prototypes for static modules are properly declared.
-
Session management
-
- To be correctly initialized, PAM_SM_SESSION
- must be #define'd prior to including
- <security/pam_modules.h>. This will
- ensure that the prototypes for static modules are properly declared.
-
Authentication token management
-
- To be correctly initialized, PAM_SM_PASSWORD
- must be #define'd prior to including
- <security/pam_modules.h>. This will
- ensure that the prototypes for static modules are properly declared.
-
-- cgit v1.2.3 From ee296a1093f879b6447769d29f0850bba0491e93 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sat, 2 May 2020 00:09:48 +0000 Subject: man: document other valid pam_get_user return values * doc/man/pam_get_user.3.xml (pam_get_user-return_values): Add PAM_BUF_ERR, PAM_ABORT, and PAM_CONV_AGAIN. --- doc/man/pam_get_user.3.xml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'doc/man') diff --git a/doc/man/pam_get_user.3.xml b/doc/man/pam_get_user.3.xml index 16ef5483..8bb176e4 100644 --- a/doc/man/pam_get_user.3.xml +++ b/doc/man/pam_get_user.3.xml @@ -115,6 +115,31 @@ + + PAM_BUF_ERR + + + Memory buffer error. + + + + + PAM_ABORT + + + Error resuming an old conversation. + + + + + PAM_CONV_AGAIN + + + The conversation method supplied by the application + is waiting for an event. + + + -- cgit v1.2.3 From 2e16ac35a0a535d394931711186b4f90e67b91ed Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Sun, 17 May 2020 08:00:00 +0000 Subject: doc: fix the description of stack jump effects Every stack jump, besides the jump itself, has a side effect which is one of 'ignore', 'ok', or 'bad'. Unfortunately, the side effect is far from obvious because it depends on the PAM function call, and the documentation that contradicts the implementation does not help either. * doc/man/pam.conf-syntax.xml (actionN): Rewrite the description of stack jump effects to match the implementation. Fixes: 871a6e14d65c3c446ae0af51166dabc7a47a2b56 --- doc/man/pam.conf-syntax.xml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'doc/man') diff --git a/doc/man/pam.conf-syntax.xml b/doc/man/pam.conf-syntax.xml index da7cfb70..7b4edbf2 100644 --- a/doc/man/pam.conf-syntax.xml +++ b/doc/man/pam.conf-syntax.xml 
@@ -306,9 +306,19 @@ N (an unsigned integer) - equivalent to ok with the side effect of jumping over the - next N modules in the stack. Note that N equal to 0 is not - allowed (and it would be identical to ok in such case). + jump over the next N modules in the stack. + Note that N equal to 0 is not allowed, + it would be treated as ignore in such case. + The side effect depends on the PAM function call: + for pam_authenticate, + pam_acct_mgmt, + pam_chauthtok, and + pam_open_session + it is ignore; + for pam_setcred and + pam_close_session it is + one of ignore, ok, + or bad depending on the module's return value. -- cgit v1.2.3