From 65d6735c5949ec233df9813f734e918a93fa36cf Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk <5908016+thkukuk@users.noreply.github.com> Date: Mon, 16 Sep 2019 17:17:49 +0200 Subject: Add support for a vendor directory and libeconf (#136) With this, it is possible for Linux distributors to store their supplied default configuration files somewhere below /usr, while /etc only contains the changes made by the user. The new option --enable-vendordir defines where Linux-PAM should additional look for pam.d/*, login.defs and securetty if this files are not in /etc. libeconf is a key/value configuration file reading library, which handles the split of configuration files in different locations and merges them transparently for the application. --- modules/pam_securetty/pam_securetty.c | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) (limited to 'modules/pam_securetty/pam_securetty.c') diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c index cb1da252..e8a9273b 100644 --- a/modules/pam_securetty/pam_securetty.c +++ b/modules/pam_securetty/pam_securetty.c @@ -1,6 +1,9 @@ /* pam_securetty module */ #define SECURETTY_FILE "/etc/securetty" +#ifdef VENDORDIR +#define SECURETTY2_FILE VENDORDIR"/securetty" +#endif #define TTY_PREFIX "/dev/" #define CMDLINE_FILE "/proc/cmdline" #define CONSOLEACTIVE_FILE "/sys/class/tty/console/active" @@ -25,6 +28,7 @@ #include #include #include +#include /* * here, we make a definition for the externally accessible function @@ -70,6 +74,7 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, const char *function_name) { int retval = PAM_AUTH_ERR; + const char *securettyfile; const char *username; const char *uttyname; const void *void_uttyname; @@ -111,10 +116,27 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, } if (stat(SECURETTY_FILE, &ttyfileinfo)) { +#ifdef VENDORDIR + if (errno == ENOENT) { + if (stat(SECURETTY2_FILE, &ttyfileinfo)) { + pam_syslog(pamh, LOG_NOTICE, + "Couldn't open %s: %m", SECURETTY2_FILE); + return PAM_SUCCESS; /* for compatibility with old securetty handling, + this needs to succeed. But we still log the + error. */ + } + securettyfile = SECURETTY2_FILE; + } else { +#endif pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE); return PAM_SUCCESS; /* for compatibility with old securetty handling, this needs to succeed. But we still log the error. */ +#ifdef VENDORDIR + } +#endif + } else { + securettyfile = SECURETTY_FILE; } if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { @@ -122,13 +144,13 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, normal file, return error */ pam_syslog(pamh, LOG_ERR, "%s is either world writable or not a normal file", - SECURETTY_FILE); + securettyfile); return PAM_AUTH_ERR; } - ttyfile = fopen(SECURETTY_FILE,"r"); + ttyfile = fopen(securettyfile,"r"); if (ttyfile == NULL) { /* Check that we opened it successfully */ - pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); + pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", securettyfile); return PAM_SERVICE_ERR; } -- cgit v1.2.3 From a9781a918441666a25636879801f45538422d475 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Mon, 16 Mar 2020 21:02:18 +0000 Subject: modules/pam_securetty: use pam_str_skip_prefix and pam_str_skip_prefix_len * modules/pam_securetty/pam_securetty.c: Include "pam_inline.h". (securetty_perform_check): Use pam_str_skip_prefix and pam_str_skip_prefix_len instead of ugly strncmp invocations. --- modules/pam_securetty/pam_securetty.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'modules/pam_securetty/pam_securetty.c') diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c index e8a9273b..51249a9c 100644 --- a/modules/pam_securetty/pam_securetty.c +++ b/modules/pam_securetty/pam_securetty.c @@ -43,6 +43,7 @@ #include #include #include +#include "pam_inline.h" #define PAM_DEBUG_ARG 0x0001 #define PAM_NOCONSOLE_ARG 0x0002 @@ -77,6 +78,7 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, const char *securettyfile; const char *username; const char *uttyname; + const char *str; const void *void_uttyname; char ttyfileline[256]; char ptname[256]; @@ -111,9 +113,8 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, } /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ - if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) { - uttyname += sizeof(TTY_PREFIX)-1; - } + if ((str = pam_str_skip_prefix(uttyname, TTY_PREFIX)) != NULL) + uttyname = str; if (stat(SECURETTY_FILE, &ttyfileinfo)) { #ifdef VENDORDIR @@ -185,18 +186,17 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, fclose(cmdlinefile); for (; p; p = strstr(p+1, "console=")) { - char *e; + const char *e; /* Test whether this is a beginning of a word? */ if (p > line && p[-1] != ' ') continue; /* Is this our console? */ - if (strncmp(p + 8, uttyname, strlen(uttyname))) + if ((e = pam_str_skip_prefix_len(p + 8, uttyname, strlen(uttyname))) == NULL) continue; /* Is there any garbage after the TTY name? */ - e = p + 8 + strlen(uttyname); if (*e == ',' || *e == ' ' || *e == '\n' || *e == 0) { retval = 0; break; -- cgit v1.2.3 From ea951fdc8682146f7f03216a7839441678d45657 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Tue, 28 Apr 2020 10:10:08 +0000 Subject: build: rework vendordir substitution Since Make.xml.rules is the only place where XSLTPROC_CUSTOM was used, remove stereotypic definitions from other Makefiles, this way we no longer have to worry about vendordir being used somewhere else in documentation files. Likewise, define VENDORDIR in config.h and remove stereotypic -DVENDORDIR= additions from other Makefiles, this way we no longer have to worry about VENDORDIR being used somewhere else in the code. * configure.ac (AM_CONDITIONAL): Remove HAVE_VENDORDIR. (AC_DEFINE_UNQUOTED): Add VENDORDIR. (AC_SUBST): Remove VENDORDIR, add STRINGPARAM_VENDORDIR. * Make.xml.rules.in: Replace $(XSLTPROC_CUSTOM) with @STRINGPARAM_VENDORDIR@. * doc/man/Makefile.am (XSLTPROC_CUSTOM): Remove. * libpam/Makefile.am [HAVE_VENDORDIR]: Remove. * modules/pam_securetty/Makefile.am [HAVE_VENDORDIR]: Remove. (XSLTPROC_CUSTOM): Remove. * modules/pam_securetty/pam_securetty.c: Move definitions of local macros after config.h to benefit from macros defined there. --- Make.xml.rules.in | 10 +++++----- configure.ac | 10 ++++++++-- doc/man/Makefile.am | 5 ----- libpam/Makefile.am | 3 --- modules/pam_securetty/Makefile.am | 8 -------- modules/pam_securetty/pam_securetty.c | 16 ++++++++-------- 6 files changed, 21 insertions(+), 31 deletions(-) (limited to 'modules/pam_securetty/pam_securetty.c') diff --git a/Make.xml.rules.in b/Make.xml.rules.in index 9bda445f..daa1b97b 100644 --- a/Make.xml.rules.in +++ b/Make.xml.rules.in @@ -5,22 +5,22 @@ README: $(XMLS) README: README.xml - $(XSLTPROC) --path $(srcdir) --xinclude --stringparam generate.toc "none" $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-html.xsl $< | $(BROWSER) > $(srcdir)/$@ + $(XSLTPROC) --path $(srcdir) --xinclude --stringparam generate.toc "none" @STRINGPARAM_VENDORDIR@ --nonet $(top_srcdir)/doc/custom-html.xsl $< | $(BROWSER) > $(srcdir)/$@ %.1: %.1.xml $(XMLLINT) --nonet --xinclude --postvalid --noout $< - $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-man.xsl $< + $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude @STRINGPARAM_VENDORDIR@ --nonet $(top_srcdir)/doc/custom-man.xsl $< %.3: %.3.xml $(XMLLINT) --nonet --xinclude --postvalid --noout $< - $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-man.xsl $< + $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude @STRINGPARAM_VENDORDIR@ --nonet $(top_srcdir)/doc/custom-man.xsl $< %.5: %.5.xml $(XMLLINT) --nonet --xinclude --postvalid --noout $< - $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-man.xsl $< + $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude @STRINGPARAM_VENDORDIR@ --nonet $(top_srcdir)/doc/custom-man.xsl $< %.8: %.8.xml $(XMLLINT) --nonet --xinclude --postvalid --noout $< - $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude $(XSLTPROC_CUSTOM) --nonet $(top_srcdir)/doc/custom-man.xsl $< + $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude @STRINGPARAM_VENDORDIR@ --nonet $(top_srcdir)/doc/custom-man.xsl $< #CLEANFILES += $(man_MANS) README diff --git a/configure.ac b/configure.ac index 43e95e51..3d641db9 100644 --- a/configure.ac +++ b/configure.ac @@ -544,8 +544,14 @@ AC_SUBST([ECONF_CFLAGS]) AC_SUBST([ECONF_LIBS]) AC_ARG_ENABLE([vendordir], AS_HELP_STRING([--enable-vendordir=DIR], [Directory for distribution provided configuration files]),,[]) -AC_SUBST([VENDORDIR], [$enable_vendordir]) -AM_CONDITIONAL([HAVE_VENDORDIR], [test "x$enable_vendordir" != x]) +if test -n "$enable_vendordir"; then + AC_DEFINE_UNQUOTED([VENDORDIR], ["$enable_vendordir"], + [Directory for distribution provided configuration files]) + STRINGPARAM_VENDORDIR="--stringparam vendordir '$enable_vendordir'" +else + STRINGPARAM_VENDORDIR="--stringparam vendordir ''" +fi +AC_SUBST([STRINGPARAM_VENDORDIR]) dnl Checks for header files. AC_HEADER_DIRENT diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am index 8e76897e..78c891df 100644 --- a/doc/man/Makefile.am +++ b/doc/man/Makefile.am @@ -59,10 +59,5 @@ pam.d.5: pam.conf.5 pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml -if HAVE_VENDORDIR -XSLTPROC_CUSTOM = --stringparam vendordir $(VENDORDIR) -else -XSLTPROC_CUSTOM = --stringparam vendordir "" -endif -include $(top_srcdir)/Make.xml.rules endif diff --git a/libpam/Makefile.am b/libpam/Makefile.am index 67048702..41ac9845 100644 --- a/libpam/Makefile.am +++ b/libpam/Makefile.am @@ -6,9 +6,6 @@ AM_CFLAGS = -DDEFAULT_MODULE_PATH=\"$(SECUREDIR)/\" -DLIBPAM_COMPILE \ -I$(srcdir)/include $(LIBPRELUDE_CFLAGS) $(ECONF_CFLAGS) \ -DPAM_VERSION=\"$(VERSION)\" -DSYSCONFDIR=\"$(sysconfdir)\" \ $(WARN_CFLAGS) -if HAVE_VENDORDIR - AM_CFLAGS += -DVENDORDIR=\"$(VENDORDIR)\" -endif CLEANFILES = *~ diff --git a/modules/pam_securetty/Makefile.am b/modules/pam_securetty/Makefile.am index 093da829..1b11d953 100644 --- a/modules/pam_securetty/Makefile.am +++ b/modules/pam_securetty/Makefile.am @@ -22,19 +22,11 @@ AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -if HAVE_VENDORDIR - AM_CFLAGS += -DVENDORDIR=\"$(VENDORDIR)\" -endif securelib_LTLIBRARIES = pam_securetty.la pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la if ENABLE_REGENERATE_MAN noinst_DATA = README -if HAVE_VENDORDIR -XSLTPROC_CUSTOM = --stringparam vendordir $(VENDORDIR) -else -XSLTPROC_CUSTOM = --stringparam vendordir "" -endif -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c index 51249a9c..e594fb6a 100644 --- a/modules/pam_securetty/pam_securetty.c +++ b/modules/pam_securetty/pam_securetty.c @@ -1,13 +1,5 @@ /* pam_securetty module */ -#define SECURETTY_FILE "/etc/securetty" -#ifdef VENDORDIR -#define SECURETTY2_FILE VENDORDIR"/securetty" -#endif -#define TTY_PREFIX "/dev/" -#define CMDLINE_FILE "/proc/cmdline" -#define CONSOLEACTIVE_FILE "/sys/class/tty/console/active" - /* * by Elliot Lee , Red Hat Software. * July 25, 1996. @@ -48,6 +40,14 @@ #define PAM_DEBUG_ARG 0x0001 #define PAM_NOCONSOLE_ARG 0x0002 +#define SECURETTY_FILE "/etc/securetty" +#ifdef VENDORDIR +#define SECURETTY2_FILE VENDORDIR"/securetty" +#endif +#define TTY_PREFIX "/dev/" +#define CMDLINE_FILE "/proc/cmdline" +#define CONSOLEACTIVE_FILE "/sys/class/tty/console/active" + static int _pam_parse (const pam_handle_t *pamh, int argc, const char **argv) { -- cgit v1.2.3 From 37b5259298be9137f5b40eef16027152ddb803ff Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 1 May 2020 19:20:12 +0000 Subject: modules: remove PAM_SM_* macros Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support from Linux-PAM), PAM_SM_* macros have no effect. --- modules/pam_access/pam_access.c | 16 ++-------------- modules/pam_cracklib/pam_cracklib.c | 17 ++--------------- modules/pam_debug/pam_debug.c | 26 +++++--------------------- modules/pam_deny/pam_deny.c | 18 +----------------- modules/pam_echo/pam_echo.c | 5 ----- modules/pam_env/pam_env.c | 16 ++-------------- modules/pam_exec/pam_exec.c | 6 ------ modules/pam_faildelay/pam_faildelay.c | 7 ++----- modules/pam_faillock/pam_faillock.c | 4 ---- modules/pam_filter/pam_filter.c | 7 +------ modules/pam_ftp/pam_ftp.c | 14 +------------- modules/pam_group/pam_group.c | 13 ++----------- modules/pam_issue/pam_issue.c | 5 ++--- modules/pam_keyinit/pam_keyinit.c | 3 ++- modules/pam_lastlog/pam_lastlog.c | 15 ++------------- modules/pam_limits/pam_limits.c | 2 -- modules/pam_listfile/pam_listfile.c | 14 ++------------ modules/pam_localuser/pam_localuser.c | 4 ++-- modules/pam_loginuid/pam_loginuid.c | 4 +++- modules/pam_mail/pam_mail.c | 14 ++------------ modules/pam_mkhomedir/pam_mkhomedir.c | 9 --------- modules/pam_motd/pam_motd.c | 23 +++++------------------ modules/pam_nologin/pam_nologin.c | 15 +-------------- modules/pam_permit/pam_permit.c | 22 +++------------------- modules/pam_pwhistory/pam_pwhistory.c | 4 ++-- modules/pam_rhosts/pam_rhosts.c | 4 ++-- modules/pam_rootok/pam_rootok.c | 13 +------------ modules/pam_securetty/pam_securetty.c | 14 ++------------ modules/pam_selinux/pam_selinux.c | 4 ---- modules/pam_sepermit/pam_sepermit.c | 4 ---- modules/pam_setquota/pam_setquota.c | 3 --- modules/pam_shells/pam_shells.c | 22 ++++++---------------- modules/pam_stress/pam_stress.c | 12 ------------ modules/pam_succeed_if/pam_succeed_if.c | 6 ------ modules/pam_tally/pam_tally.c | 27 ++------------------------- modules/pam_tally2/pam_tally2.c | 19 ++----------------- modules/pam_time/pam_time.c | 25 ++++++++----------------- modules/pam_timestamp/pam_timestamp.c | 3 --- modules/pam_tty_audit/pam_tty_audit.c | 2 -- modules/pam_umask/pam_umask.c | 4 ++-- modules/pam_unix/pam_unix_acct.c | 6 ++---- modules/pam_unix/pam_unix_auth.c | 7 ++----- modules/pam_unix/pam_unix_passwd.c | 7 ++----- modules/pam_unix/pam_unix_sess.c | 6 +----- modules/pam_userdb/pam_userdb.c | 14 ++------------ modules/pam_usertype/pam_usertype.c | 5 ----- modules/pam_warn/pam_warn.c | 14 +------------- modules/pam_wheel/pam_wheel.c | 7 ++----- modules/pam_xauth/pam_xauth.c | 4 ++-- 49 files changed, 83 insertions(+), 432 deletions(-) (limited to 'modules/pam_securetty/pam_securetty.c') diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index 4c11418d..be726180 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -1,6 +1,6 @@ -/* pam_access module */ - /* + * pam_access module + * * Written by Alexei Nogin 1997/06/15 * (I took login_access from logdaemon-5.6 and converted it to PAM * using parts of pam_time code.) @@ -49,18 +49,6 @@ #include #endif -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - #include #include #include diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c index f89f33da..a6ce9395 100644 --- a/modules/pam_cracklib/pam_cracklib.c +++ b/modules/pam_cracklib/pam_cracklib.c @@ -1,8 +1,6 @@ /* * pam_cracklib module - */ - -/* + * * 0.9. switch to using a distance algorithm in similar() * 0.86. added support for setting minimum numbers of digits, uppers, * lowers, and others @@ -15,9 +13,7 @@ * 0.3. Added argument 'debug' * 0.2. new password is fed to cracklib for verify after typed once * 0.1. First release - */ - -/* + * * Written by Cristian Gafton 1996/09/10 * Long password support by Philip W. Dalrymple 1997/07/18 * See the end of the file for Copyright Information @@ -69,15 +65,6 @@ extern char *FascistCheck(char *pw, const char *dictpath); #endif #define MIN(_a, _b) (((_a) < (_b)) ? (_a) : (_b)) -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_PASSWORD - #include #include #include diff --git a/modules/pam_debug/pam_debug.c b/modules/pam_debug/pam_debug.c index 9b68d382..75d475f0 100644 --- a/modules/pam_debug/pam_debug.c +++ b/modules/pam_debug/pam_debug.c @@ -1,32 +1,14 @@ -/* pam_permit module */ - /* - * $Id$ + * pam_debug module * * Written by Andrew Morgan 2001/02/04 * - */ - -#define DEFAULT_USER "nobody" - -#include "config.h" - -#include - -/* * This module is intended as a debugging aide for determining how * the PAM stack is operating. - * - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. */ -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD +#include "config.h" +#include #include #include @@ -35,6 +17,8 @@ #define _PAM_ACTION_UNDEF (-10) #include "../../libpam/pam_tokens.h" +#define DEFAULT_USER "nobody" + /* --- authentication management functions --- */ static int state(pam_handle_t *pamh, const char *text) diff --git a/modules/pam_deny/pam_deny.c b/modules/pam_deny/pam_deny.c index 155a1f5d..a2fe0c23 100644 --- a/modules/pam_deny/pam_deny.c +++ b/modules/pam_deny/pam_deny.c @@ -1,26 +1,10 @@ -/* pam_deny module */ - /* - * $Id$ + * pam_deny module * * Written by Andrew Morgan 1996/3/11 - * - */ - -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. */ #include "config.h" - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - #include /* --- authentication management functions --- */ diff --git a/modules/pam_echo/pam_echo.c b/modules/pam_echo/pam_echo.c index bd5910b9..181aeb4c 100644 --- a/modules/pam_echo/pam_echo.c +++ b/modules/pam_echo/pam_echo.c @@ -52,11 +52,6 @@ #define HOST_NAME_MAX 255 #endif -#define PAM_SM_ACCOUNT -#define PAM_SM_AUTH -#define PAM_SM_PASSWORD -#define PAM_SM_SESSION - #include #include #include diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c index 1bdc119d..79d43722 100644 --- a/modules/pam_env/pam_env.c +++ b/modules/pam_env/pam_env.c @@ -1,6 +1,6 @@ -/* pam_env module */ - /* + * pam_env module + * * Written by Dave Kinchlea 1997/01/31 * Inspired by Andrew Morgan , who also supplied the * template for this file (via pam_mail) @@ -26,18 +26,6 @@ #include #include -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH /* This is primarily a AUTH_SETCRED module */ -#define PAM_SM_SESSION /* But I like to be friendly */ -#define PAM_SM_PASSWORD /* "" */ -#define PAM_SM_ACCOUNT /* "" */ - #include #include #include diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c index 918422cf..5ca85ab3 100644 --- a/modules/pam_exec/pam_exec.c +++ b/modules/pam_exec/pam_exec.c @@ -49,12 +49,6 @@ #include #include - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - #include #include #include diff --git a/modules/pam_faildelay/pam_faildelay.c b/modules/pam_faildelay/pam_faildelay.c index 215074b2..02c5fafd 100644 --- a/modules/pam_faildelay/pam_faildelay.c +++ b/modules/pam_faildelay/pam_faildelay.c @@ -1,6 +1,6 @@ -/* pam_faildelay module */ - /* + * pam_faildelay module + * * Allows an admin to set the delay on failure per-application. * Provides "auth" interface only. * @@ -70,9 +70,6 @@ #include #include - -#define PAM_SM_AUTH - #include #include #include diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c index 94c175b4..e340a83c 100644 --- a/modules/pam_faillock/pam_faillock.c +++ b/modules/pam_faillock/pam_faillock.c @@ -55,12 +55,8 @@ #include #include "pam_inline.h" - #include "faillock.h" -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT - #define FAILLOCK_ACTION_PREAUTH 0 #define FAILLOCK_ACTION_AUTHSUCC 1 #define FAILLOCK_ACTION_AUTHFAIL 2 diff --git a/modules/pam_filter/pam_filter.c b/modules/pam_filter/pam_filter.c index 4f75486d..9b523da2 100644 --- a/modules/pam_filter/pam_filter.c +++ b/modules/pam_filter/pam_filter.c @@ -1,5 +1,5 @@ /* - * $Id$ + * pam_filter module * * written by Andrew Morgan with much help from * Richard Stevens' UNIX Network Programming book. @@ -25,11 +25,6 @@ #include -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - #include #include #include "pam_filter.h" diff --git a/modules/pam_ftp/pam_ftp.c b/modules/pam_ftp/pam_ftp.c index ce6ead9a..0d53e5a5 100644 --- a/modules/pam_ftp/pam_ftp.c +++ b/modules/pam_ftp/pam_ftp.c @@ -1,10 +1,7 @@ -/* pam_ftp module */ - /* - * $Id$ + * pam_ftp module * * Written by Andrew Morgan 1996/3/11 - * */ #define PLEASE_ENTER_PASSWORD "Password required for %s." @@ -23,15 +20,6 @@ #include #include -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH - #include #include #include diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c index 2172a0b5..b5532b81 100644 --- a/modules/pam_group/pam_group.c +++ b/modules/pam_group/pam_group.c @@ -1,6 +1,6 @@ -/* pam_group module */ - /* + * pam_group module + * * Written by Andrew Morgan 1996/7/6 * Field parsing rewritten by Tomas Mraz */ @@ -35,15 +35,6 @@ typedef enum { AND, OR } operator; -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. - */ - -#define PAM_SM_AUTH - #include #include #include diff --git a/modules/pam_issue/pam_issue.c b/modules/pam_issue/pam_issue.c index 8a74ce03..5b6a4669 100644 --- a/modules/pam_issue/pam_issue.c +++ b/modules/pam_issue/pam_issue.c @@ -1,4 +1,5 @@ -/* pam_issue module - a simple /etc/issue parser to set PAM_USER_PROMPT +/* + * pam_issue module - a simple /etc/issue parser to set PAM_USER_PROMPT * * Copyright 1999 by Ben Collins * @@ -28,8 +29,6 @@ #include #include -#define PAM_SM_AUTH - #include #include #include diff --git a/modules/pam_keyinit/pam_keyinit.c b/modules/pam_keyinit/pam_keyinit.c index d58744d7..b3aec483 100644 --- a/modules/pam_keyinit/pam_keyinit.c +++ b/modules/pam_keyinit/pam_keyinit.c @@ -1,4 +1,5 @@ -/* pam_keyinit.c: Initialise the session keyring on login through a PAM module +/* + * pam_keyinit: Initialise the session keyring on login through a PAM module * * Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. * Written by David Howells (dhowells@redhat.com) diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c index 1f707d93..1c46d03a 100644 --- a/modules/pam_lastlog/pam_lastlog.c +++ b/modules/pam_lastlog/pam_lastlog.c @@ -1,6 +1,6 @@ -/* pam_lastlog module */ - /* + * pam_lastlog module + * * Written by Andrew Morgan 1996/3/11 * * This module does the necessary work to display the last login @@ -66,17 +66,6 @@ struct lastlog { #define DEFAULT_INACTIVE_DAYS 90 #define MAX_INACTIVE_DAYS 100000 -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_SESSION -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT - #include #include #include diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c index c8a03ae4..b791cdce 100644 --- a/modules/pam_limits/pam_limits.c +++ b/modules/pam_limits/pam_limits.c @@ -102,8 +102,6 @@ struct pam_limit_s { #define LIMIT_SOFT 1 #define LIMIT_HARD 2 -#define PAM_SM_SESSION - #include #include #include diff --git a/modules/pam_listfile/pam_listfile.c b/modules/pam_listfile/pam_listfile.c index 44e0655c..74ebae1a 100644 --- a/modules/pam_listfile/pam_listfile.c +++ b/modules/pam_listfile/pam_listfile.c @@ -1,4 +1,6 @@ /* + * pam_listfile module + * * by Elliot Lee , Red Hat Software. July 25, 1996. * log refused access error christopher mccrory 1998/7/11 * @@ -22,18 +24,6 @@ #include #endif -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_PASSWORD -#define PAM_SM_SESSION - #include #include #include diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index ac51e4ef..3633b535 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c @@ -1,4 +1,6 @@ /* + * pam_localuser module + * * Copyright 2001, 2004 Red Hat, Inc. * * Redistribution and use in source and binary forms, with or without @@ -47,8 +49,6 @@ #include #include -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT #include #include #include diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c index 03c0e3a3..31181789 100644 --- a/modules/pam_loginuid/pam_loginuid.c +++ b/modules/pam_loginuid/pam_loginuid.c @@ -1,4 +1,6 @@ -/* pam_loginuid.c -- +/* + * pam_loginuid module + * * Copyright 2005 Red Hat Inc., Durham, North Carolina. * All Rights Reserved. * diff --git a/modules/pam_mail/pam_mail.c b/modules/pam_mail/pam_mail.c index 2439ae75..c923817d 100644 --- a/modules/pam_mail/pam_mail.c +++ b/modules/pam_mail/pam_mail.c @@ -1,6 +1,6 @@ -/* pam_mail module */ - /* + * pam_mail module + * * Written by Andrew Morgan 1996/3/11 * $HOME additions by David Kinchlea 1997/1/7 * mailhash additions by Chris Adams 1998/7/11 @@ -30,16 +30,6 @@ #define MAIL_ENV_NAME "MAIL" #define MAIL_ENV_FORMAT MAIL_ENV_NAME "=%s" -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_SESSION -#define PAM_SM_AUTH - #include #include #include diff --git a/modules/pam_mkhomedir/pam_mkhomedir.c b/modules/pam_mkhomedir/pam_mkhomedir.c index 6e035f70..5f9b1661 100644 --- a/modules/pam_mkhomedir/pam_mkhomedir.c +++ b/modules/pam_mkhomedir/pam_mkhomedir.c @@ -44,15 +44,6 @@ #include #include -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_SESSION - #include #include #include diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c index 8147c6fd..46f4fe61 100644 --- a/modules/pam_motd/pam_motd.c +++ b/modules/pam_motd/pam_motd.c @@ -1,13 +1,8 @@ -/* pam_motd module */ - /* - * Modified for pam_motd by Ben Collins - * - * Based off of: - * $Id$ + * pam_motd module * + * Modified for pam_motd by Ben Collins * Written by Michael K. Johnson 1996/10/24 - * */ #include "config.h" @@ -26,21 +21,13 @@ #include #include -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_SESSION -#define DEFAULT_MOTD "/etc/motd:/run/motd:/usr/lib/motd" -#define DEFAULT_MOTD_D "/etc/motd.d:/run/motd.d:/usr/lib/motd.d" - #include #include #include "pam_inline.h" +#define DEFAULT_MOTD "/etc/motd:/run/motd:/usr/lib/motd" +#define DEFAULT_MOTD_D "/etc/motd.d:/run/motd.d:/usr/lib/motd.d" + /* --- session management functions (only) --- */ int diff --git a/modules/pam_nologin/pam_nologin.c b/modules/pam_nologin/pam_nologin.c index 775dda87..8666251a 100644 --- a/modules/pam_nologin/pam_nologin.c +++ b/modules/pam_nologin/pam_nologin.c @@ -1,10 +1,7 @@ -/* pam_nologin module */ - /* - * $Id$ + * pam_nologin module * * Written by Michael K. Johnson 1996/10/24 - * */ #include "config.h" @@ -19,16 +16,6 @@ #include #include -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT - #include #include #include diff --git a/modules/pam_permit/pam_permit.c b/modules/pam_permit/pam_permit.c index c773087a..9e2aedf4 100644 --- a/modules/pam_permit/pam_permit.c +++ b/modules/pam_permit/pam_permit.c @@ -1,33 +1,17 @@ -/* pam_permit module */ - /* - * $Id$ + * pam_permit module * * Written by Andrew Morgan 1996/3/11 - * */ #include "config.h" - -#define DEFAULT_USER "nobody" - #include -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - #include #include +#define DEFAULT_USER "nobody" + /* --- authentication management functions --- */ int diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c index 2d4507d5..c77eb3ea 100644 --- a/modules/pam_pwhistory/pam_pwhistory.c +++ b/modules/pam_pwhistory/pam_pwhistory.c @@ -1,4 +1,6 @@ /* + * pam_pwhistory module + * * Copyright (c) 2008, 2012 Thorsten Kukuk * Author: Thorsten Kukuk * @@ -38,8 +40,6 @@ #include #endif -#define PAM_SM_PASSWORD - #include #include #include diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c index 258a7299..ab2fbd09 100644 --- a/modules/pam_rhosts/pam_rhosts.c +++ b/modules/pam_rhosts/pam_rhosts.c @@ -1,4 +1,6 @@ /* + * pam_rhosts module + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -38,8 +40,6 @@ #include #include -#define PAM_SM_AUTH /* only defines this management group */ - #include #include #include diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c index accba21a..3a00d545 100644 --- a/modules/pam_rootok/pam_rootok.c +++ b/modules/pam_rootok/pam_rootok.c @@ -1,7 +1,5 @@ -/* pam_rootok module */ - /* - * $Id$ + * pam_rootok module * * Written by Andrew Morgan 1996/3/11 */ @@ -14,15 +12,6 @@ #include #include -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH - #include #include diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c index e594fb6a..9a2835ef 100644 --- a/modules/pam_securetty/pam_securetty.c +++ b/modules/pam_securetty/pam_securetty.c @@ -1,6 +1,6 @@ -/* pam_securetty module */ - /* + * pam_securetty module + * * by Elliot Lee , Red Hat Software. * July 25, 1996. * This code shamelessly ripped from the pam_rootok module. @@ -22,16 +22,6 @@ #include #include -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT - #include #include #include diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c index deae3ef1..06c3ce65 100644 --- a/modules/pam_selinux/pam_selinux.c +++ b/modules/pam_selinux/pam_selinux.c @@ -36,7 +36,6 @@ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. - * */ #include "config.h" @@ -53,9 +52,6 @@ #include #include -#define PAM_SM_AUTH -#define PAM_SM_SESSION - #include #include #include diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c index 442703d3..b6fde6c5 100644 --- a/modules/pam_sepermit/pam_sepermit.c +++ b/modules/pam_sepermit/pam_sepermit.c @@ -35,7 +35,6 @@ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. - * */ #include "config.h" @@ -55,9 +54,6 @@ #include #include -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT - #include #include #include diff --git a/modules/pam_setquota/pam_setquota.c b/modules/pam_setquota/pam_setquota.c index 3e2b9508..43c76d66 100644 --- a/modules/pam_setquota/pam_setquota.c +++ b/modules/pam_setquota/pam_setquota.c @@ -6,7 +6,6 @@ Copyright © 2010 Shane Tzen Copyright © 2012-2020 Sven Hartge Copyright © 2016 Keller Fuchs - */ #include @@ -19,8 +18,6 @@ #include #include -#define PAM_SM_SESSION - #include #include #include diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c index ae67a423..eec86dc4 100644 --- a/modules/pam_shells/pam_shells.c +++ b/modules/pam_shells/pam_shells.c @@ -1,10 +1,6 @@ -/* pam_shells module */ - -#define SHELL_FILE "/etc/shells" - -#define DEFAULT_SHELL "/bin/sh" - /* + * pam_shells module + * * by Erik Troan , Red Hat Software. * August 5, 1996. * This code shamelessly ripped from the pam_securetty module. @@ -21,20 +17,14 @@ #include #include -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT - #include #include #include +#define SHELL_FILE "/etc/shells" + +#define DEFAULT_SHELL "/bin/sh" + static int perform_check(pam_handle_t *pamh) { int retval = PAM_AUTH_ERR; diff --git a/modules/pam_stress/pam_stress.c b/modules/pam_stress/pam_stress.c index 024455e5..62348fab 100644 --- a/modules/pam_stress/pam_stress.c +++ b/modules/pam_stress/pam_stress.c @@ -15,18 +15,6 @@ #include #include -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - #include #include #include diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c index 82de4f33..76bc9825 100644 --- a/modules/pam_succeed_if/pam_succeed_if.c +++ b/modules/pam_succeed_if/pam_succeed_if.c @@ -34,7 +34,6 @@ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. - * */ #include "config.h" @@ -54,11 +53,6 @@ #include #include -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - #include #include #include diff --git a/modules/pam_tally/pam_tally.c b/modules/pam_tally/pam_tally.c index 6f578988..08b5ace2 100644 --- a/modules/pam_tally/pam_tally.c +++ b/modules/pam_tally/pam_tally.c @@ -1,10 +1,7 @@ /* - * pam_tally.c + * pam_tally module * - */ - - -/* By Tim Baverstock , Multi Media Machine Ltd. + * By Tim Baverstock , Multi Media Machine Ltd. * 5 March 1997 * * Stuff stolen from pam_rootok and pam_listfile @@ -30,19 +27,7 @@ #include #include "faillog.h" -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - #ifndef MAIN -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -/* #define PAM_SM_SESSION */ -/* #define PAM_SM_PASSWORD */ - #include #include #endif @@ -615,8 +600,6 @@ tally_reset (pam_handle_t *pamh, uid_t uid, struct tally_options *opts) /* --- authentication management functions (only) --- */ -#ifdef PAM_SM_AUTH - int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) @@ -686,14 +669,10 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, return tally_reset(pamh, uid, opts); } -#endif - /*---------------------------------------------------------------------*/ /* --- authentication management functions (only) --- */ -#ifdef PAM_SM_ACCOUNT - /* To reset failcount of user on successful login */ int @@ -731,8 +710,6 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, return tally_reset(pamh, uid, opts); } -#endif /* #ifdef PAM_SM_ACCOUNT */ - /*-----------------------------------------------------------------------*/ #else /* #ifndef MAIN */ diff --git a/modules/pam_tally2/pam_tally2.c b/modules/pam_tally2/pam_tally2.c index e8c74eb9..8c171b68 100644 --- a/modules/pam_tally2/pam_tally2.c +++ b/modules/pam_tally2/pam_tally2.c @@ -1,10 +1,7 @@ /* - * pam_tally2.c + * pam_tally2 module * - */ - - -/* By Tim Baverstock , Multi Media Machine Ltd. + * By Tim Baverstock , Multi Media Machine Ltd. * 5 March 1997 * * Stuff stolen from pam_rootok and pam_listfile @@ -76,19 +73,7 @@ #define fseeko fseek #endif -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - #ifndef MAIN -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -/* #define PAM_SM_SESSION */ -/* #define PAM_SM_PASSWORD */ - #include #endif #include diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c index 0643523a..e786d0f9 100644 --- a/modules/pam_time/pam_time.c +++ b/modules/pam_time/pam_time.c @@ -1,6 +1,6 @@ -/* pam_time module */ - /* + * pam_time module + * * Written by Andrew Morgan 1996/6/22 * (File syntax and much other inspiration from the shadow package * shadow-960129) @@ -23,6 +23,12 @@ #include #include +#include +#include +#include +#include +#include "pam_inline.h" + #ifdef HAVE_LIBAUDIT #include #endif @@ -42,21 +48,6 @@ typedef enum { AND, OR } operator; -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. - */ - -#define PAM_SM_ACCOUNT - -#include -#include -#include -#include -#include "pam_inline.h" - static int _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, const char **conffile) { diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c index 420ce9eb..249a9692 100644 --- a/modules/pam_timestamp/pam_timestamp.c +++ b/modules/pam_timestamp/pam_timestamp.c @@ -38,9 +38,6 @@ * */ -#define PAM_SM_AUTH -#define PAM_SM_SESSION - #include "config.h" #include diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c index 1d9256c3..2f04a05c 100644 --- a/modules/pam_tty_audit/pam_tty_audit.c +++ b/modules/pam_tty_audit/pam_tty_audit.c @@ -48,8 +48,6 @@ #include #include -#define PAM_SM_SESSION - #include #include #include diff --git a/modules/pam_umask/pam_umask.c b/modules/pam_umask/pam_umask.c index 45b048e3..1b5df4b6 100644 --- a/modules/pam_umask/pam_umask.c +++ b/modules/pam_umask/pam_umask.c @@ -1,4 +1,6 @@ /* + * pam_umask module + * * Copyright (c) 2005, 2006, 2007, 2010, 2013 Thorsten Kukuk * * Redistribution and use in source and binary forms, with or without @@ -50,8 +52,6 @@ #include #include -#define PAM_SM_SESSION - #include #include #include diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c index 0c5dff96..de8d65c1 100644 --- a/modules/pam_unix/pam_unix_acct.c +++ b/modules/pam_unix/pam_unix_acct.c @@ -1,4 +1,6 @@ /* + * pam_unix account management + * * Copyright Elliot Lee, 1996. All rights reserved. * Copyright Jan Rękorajski, 1999. All rights reserved. * @@ -51,10 +53,6 @@ #include -/* indicate that the following groups are defined */ - -#define PAM_SM_ACCOUNT - #include #include #include diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c index 40ff7c65..9a0cd372 100644 --- a/modules/pam_unix/pam_unix_auth.c +++ b/modules/pam_unix/pam_unix_auth.c @@ -1,4 +1,6 @@ /* + * pam_unix authentication management + * * Copyright Alexander O. Yuriev, 1996. All rights reserved. * NIS+ support by Thorsten Kukuk * Copyright Jan Rękorajski, 1999. All rights reserved. @@ -48,11 +50,6 @@ #include #include -/* indicate the following groups are defined */ - -#define PAM_SM_AUTH - -#define _PAM_EXTERN_FUNCTIONS #include #include #include diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 7985ad1b..e9c960a2 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -1,4 +1,6 @@ /* + * pam_unix password management + * * Main coding by Elliot Lee , Red Hat Software. * Copyright (C) 1996. * Copyright (c) Jan Rękorajski, 1999. @@ -60,11 +62,6 @@ #include #include - -/* indicate the following groups are defined */ - -#define PAM_SM_PASSWORD - #include #include #include diff --git a/modules/pam_unix/pam_unix_sess.c b/modules/pam_unix/pam_unix_sess.c index 437d1242..3f6a8fb3 100644 --- a/modules/pam_unix/pam_unix_sess.c +++ b/modules/pam_unix/pam_unix_sess.c @@ -1,5 +1,5 @@ /* - * $Id$ + * pam_unix session management * * Copyright Alexander O. Yuriev, 1996. All rights reserved. * Copyright Jan Rękorajski, 1999. All rights reserved. @@ -47,10 +47,6 @@ #include #include -/* indicate the following groups are defined */ - -#define PAM_SM_SESSION - #include #include #include diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c index 32e759e3..d7d41233 100644 --- a/modules/pam_userdb/pam_userdb.c +++ b/modules/pam_userdb/pam_userdb.c @@ -1,6 +1,6 @@ -/* pam_userdb module */ - /* + * pam_userdb module + * * Written by Cristian Gafton 1996/09/10 * See the end of the file for Copyright Information */ @@ -37,16 +37,6 @@ # endif #endif -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT - #include #include #include diff --git a/modules/pam_usertype/pam_usertype.c b/modules/pam_usertype/pam_usertype.c index 820cf693..76325063 100644 --- a/modules/pam_usertype/pam_usertype.c +++ b/modules/pam_usertype/pam_usertype.c @@ -48,11 +48,6 @@ #include #include -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - #include #include #include diff --git a/modules/pam_warn/pam_warn.c b/modules/pam_warn/pam_warn.c index 1d196ad3..d91c3e9f 100644 --- a/modules/pam_warn/pam_warn.c +++ b/modules/pam_warn/pam_warn.c @@ -1,7 +1,5 @@ -/* pam_warn module */ - /* - * $Id$ + * pam_warn module * * Written by Andrew Morgan 1996/3/11 */ @@ -13,16 +11,6 @@ #include #include -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_PASSWORD - #include #include diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c index 32b6cdb0..94f8887a 100644 --- a/modules/pam_wheel/pam_wheel.c +++ b/modules/pam_wheel/pam_wheel.c @@ -1,6 +1,6 @@ -/* pam_wheel module */ - /* + * pam_wheel module + * * Written by Cristian Gafton 1996/09/10 * See the end of the file for Copyright Information * @@ -39,9 +39,6 @@ * modules include file to define the function prototypes. */ -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT - #include #include #include diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c index 7d661a45..7a9f202b 100644 --- a/modules/pam_xauth/pam_xauth.c +++ b/modules/pam_xauth/pam_xauth.c @@ -1,4 +1,6 @@ /* + * pam_xauth module + * * Copyright 2001-2003 Red Hat, Inc. * * Redistribution and use in source and binary forms, with or without @@ -51,8 +53,6 @@ #include #include -#define PAM_SM_SESSION - #include #include #include -- cgit v1.2.3 From 5aca62a102b7309f1d96ded01ad1e7f94310fade Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 15 May 2020 08:00:00 +0000 Subject: modules: do not check user name for NULL if pam_get_user returned PAM_SUCCESS If pam_get_user returned PAM_SUCCESS, the user name is guaranteed to be a valid C string, no need to double check that. * modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check for NULL the user name returned by pam_get_user when the latter returned PAM_SUCCESS. * modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise. * modules/pam_debug/pam_debug.c (pam_sm_authenticate): Likewise. * modules/pam_filter/pam_filter.c (process_args): Likewise. * modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise. * modules/pam_group/pam_group.c (pam_sm_setcred): Likewise. * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise. * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Likewise. * modules/pam_mail/pam_mail.c (_do_mail): Likewise. * modules/pam_nologin/pam_nologin.c (perform_check): Likewise. * modules/pam_permit/pam_permit.c (pam_sm_authenticate): Likewise. * modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise. * modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise. * modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Likewise. * modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise. * modules/pam_shells/pam_shells.c (perform_check): Likewise. * modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise. * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise. * modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise. * modules/pam_timestamp/pam_timestamp.c (get_timestamp_name): Likewise. * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise. * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Likewise. * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise. * modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise. * modules/pam_wheel/pam_wheel.c (perform_check): Likewise. * modules/pam_userdb/pam_userdb.c (pam_sm_authenticate, pam_sm_acct_mgmt): Likewise. --- modules/pam_access/pam_access.c | 2 +- modules/pam_cracklib/pam_cracklib.c | 2 +- modules/pam_debug/pam_debug.c | 2 +- modules/pam_filter/pam_filter.c | 3 +-- modules/pam_ftp/pam_ftp.c | 2 +- modules/pam_group/pam_group.c | 3 +-- modules/pam_lastlog/pam_lastlog.c | 3 +-- modules/pam_listfile/pam_listfile.c | 4 ++-- modules/pam_localuser/pam_localuser.c | 2 +- modules/pam_mail/pam_mail.c | 2 +- modules/pam_nologin/pam_nologin.c | 2 +- modules/pam_permit/pam_permit.c | 2 +- modules/pam_pwhistory/pam_pwhistory.c | 2 +- modules/pam_rhosts/pam_rhosts.c | 2 +- modules/pam_securetty/pam_securetty.c | 2 +- modules/pam_sepermit/pam_sepermit.c | 3 +-- modules/pam_shells/pam_shells.c | 4 ++-- modules/pam_stress/pam_stress.c | 4 +--- modules/pam_succeed_if/pam_succeed_if.c | 2 +- modules/pam_time/pam_time.c | 3 +-- modules/pam_timestamp/pam_timestamp.c | 5 +---- modules/pam_umask/pam_umask.c | 10 +++------- modules/pam_unix/pam_unix_auth.c | 2 +- modules/pam_unix/pam_unix_passwd.c | 2 +- modules/pam_userdb/pam_userdb.c | 4 ++-- modules/pam_usertype/pam_usertype.c | 2 +- modules/pam_wheel/pam_wheel.c | 2 +- 27 files changed, 32 insertions(+), 46 deletions(-) (limited to 'modules/pam_securetty/pam_securetty.c') diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index be726180..b0289a3a 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -819,7 +819,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, /* set username */ - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || *user == '\0') { pam_syslog(pamh, LOG_ERR, "cannot determine the user's name"); return PAM_USER_UNKNOWN; diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c index a6ce9395..f6fb0130 100644 --- a/modules/pam_cracklib/pam_cracklib.c +++ b/modules/pam_cracklib/pam_cracklib.c @@ -687,7 +687,7 @@ static int _pam_unix_approve_pass(pam_handle_t *pamh, } retval = pam_get_user(pamh, &user, NULL); - if (retval != PAM_SUCCESS || user == NULL) { + if (retval != PAM_SUCCESS) { if (ctrl & PAM_DEBUG_ARG) pam_syslog(pamh,LOG_ERR,"Can not get username"); return PAM_AUTHTOK_ERR; diff --git a/modules/pam_debug/pam_debug.c b/modules/pam_debug/pam_debug.c index 75d475f0..61b39d75 100644 --- a/modules/pam_debug/pam_debug.c +++ b/modules/pam_debug/pam_debug.c @@ -73,7 +73,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, D(("get user returned error: %s", pam_strerror(pamh,retval))); return retval; } - if (user == NULL || *user == '\0') { + if (*user == '\0') { D(("username not known")); retval = pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER); if (retval != PAM_SUCCESS) diff --git a/modules/pam_filter/pam_filter.c b/modules/pam_filter/pam_filter.c index 9b523da2..2f0af4fb 100644 --- a/modules/pam_filter/pam_filter.c +++ b/modules/pam_filter/pam_filter.c @@ -171,8 +171,7 @@ static int process_args(pam_handle_t *pamh #define USER_NAME "USER=" #define USER_OFFSET (sizeof(USER_NAME) - 1) - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || - user == NULL) { + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { user = ""; } size = USER_OFFSET+strlen(user); diff --git a/modules/pam_ftp/pam_ftp.c b/modules/pam_ftp/pam_ftp.c index 0d53e5a5..36979d57 100644 --- a/modules/pam_ftp/pam_ftp.c +++ b/modules/pam_ftp/pam_ftp.c @@ -119,7 +119,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, ctrl = _pam_parse(pamh, argc, argv, &users); retval = pam_get_user(pamh, &user, NULL); - if (retval != PAM_SUCCESS || user == NULL) { + if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, "no user specified"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c index b5532b81..8fd8584e 100644 --- a/modules/pam_group/pam_group.c +++ b/modules/pam_group/pam_group.c @@ -771,8 +771,7 @@ pam_sm_setcred (pam_handle_t *pamh, int flags, /* set username */ - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL - || *user == '\0') { + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || *user == '\0') { pam_syslog(pamh, LOG_ERR, "cannot determine the user's name"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c index 1c46d03a..3e27b3ed 100644 --- a/modules/pam_lastlog/pam_lastlog.c +++ b/modules/pam_lastlog/pam_lastlog.c @@ -669,8 +669,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, /* which user? */ - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL - || *user == '\0') { + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || *user == '\0') { pam_syslog(pamh, LOG_ERR, "cannot determine the user's name"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_listfile/pam_listfile.c b/modules/pam_listfile/pam_listfile.c index 74ebae1a..4d30d017 100644 --- a/modules/pam_listfile/pam_listfile.c +++ b/modules/pam_listfile/pam_listfile.c @@ -188,7 +188,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, int rval; rval=pam_get_user(pamh,&user_name,NULL); - if((rval==PAM_SUCCESS) && user_name && user_name[0]) { + if(rval==PAM_SUCCESS && user_name[0]) { /* Got it ? Valid ? */ if(apply_type==APPLY_TYPE_USER) { if(strcmp(user_name, apply_val)) { @@ -225,7 +225,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, } if((citem == PAM_USER) && !citemp) { retval = pam_get_user(pamh,&citemp,NULL); - if (retval != PAM_SUCCESS || !citemp) { + if (retval != PAM_SUCCESS) { free(ifname); return PAM_SERVICE_ERR; } diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index 3633b535..6f4f8aea 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c @@ -100,7 +100,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, return PAM_SYSTEM_ERR; } - if ((user == NULL) || (strlen(user) == 0)) { + if (strlen(user) == 0) { pam_syslog (pamh, LOG_ERR, "user name not valid"); fclose(fp); return PAM_SYSTEM_ERR; diff --git a/modules/pam_mail/pam_mail.c b/modules/pam_mail/pam_mail.c index c923817d..0dc12e1e 100644 --- a/modules/pam_mail/pam_mail.c +++ b/modules/pam_mail/pam_mail.c @@ -382,7 +382,7 @@ static int _do_mail(pam_handle_t *pamh, int flags, int argc, ctrl = _pam_parse(pamh, flags, argc, argv, &path_mail, &hashcount); retval = pam_get_user(pamh, &user, NULL); - if (retval != PAM_SUCCESS || user == NULL) { + if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, "cannot determine username"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_nologin/pam_nologin.c b/modules/pam_nologin/pam_nologin.c index 8666251a..4ba33602 100644 --- a/modules/pam_nologin/pam_nologin.c +++ b/modules/pam_nologin/pam_nologin.c @@ -64,7 +64,7 @@ static int perform_check(pam_handle_t *pamh, struct opt_s *opts) int retval = opts->retval_when_nofile; int fd = -1; - if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS) || !username) { + if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS)) { pam_syslog(pamh, LOG_ERR, "cannot determine username"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_permit/pam_permit.c b/modules/pam_permit/pam_permit.c index 9e2aedf4..4f973686 100644 --- a/modules/pam_permit/pam_permit.c +++ b/modules/pam_permit/pam_permit.c @@ -29,7 +29,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, D(("get user returned error: %s", pam_strerror(pamh,retval))); return retval; } - if (user == NULL || *user == '\0') { + if (*user == '\0') { D(("username not known")); retval = pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER); if (retval != PAM_SUCCESS) diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c index c77eb3ea..9b44cd87 100644 --- a/modules/pam_pwhistory/pam_pwhistory.c +++ b/modules/pam_pwhistory/pam_pwhistory.c @@ -139,7 +139,7 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) if (retval != PAM_SUCCESS) return retval; - if (user == NULL || strlen (user) == 0) + if (strlen (user) == 0) { if (options.debug) pam_syslog (pamh, LOG_DEBUG, diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c index ab2fbd09..4dabfa13 100644 --- a/modules/pam_rhosts/pam_rhosts.c +++ b/modules/pam_rhosts/pam_rhosts.c @@ -94,7 +94,7 @@ int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, return retval; } - if (rhost == NULL || ruser == NULL || luser == NULL) + if (rhost == NULL || ruser == NULL) return PAM_AUTH_ERR; if (opt_superuser && strcmp(opt_superuser, luser) == 0) diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c index 9a2835ef..355a23ab 100644 --- a/modules/pam_securetty/pam_securetty.c +++ b/modules/pam_securetty/pam_securetty.c @@ -83,7 +83,7 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, } retval = pam_get_user(pamh, &username, NULL); - if (retval != PAM_SUCCESS || username == NULL) { + if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_WARNING, "cannot determine username"); return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE:PAM_SERVICE_ERR); } diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c index b6fde6c5..b49b0097 100644 --- a/modules/pam_sepermit/pam_sepermit.c +++ b/modules/pam_sepermit/pam_sepermit.c @@ -384,8 +384,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, if (debug) pam_syslog(pamh, LOG_NOTICE, "Parsing config file: %s", cfgfile); - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL - || *user == '\0') { + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || *user == '\0') { pam_syslog(pamh, LOG_ERR, "Cannot determine the user's name"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c index eec86dc4..9e15a566 100644 --- a/modules/pam_shells/pam_shells.c +++ b/modules/pam_shells/pam_shells.c @@ -40,7 +40,7 @@ static int perform_check(pam_handle_t *pamh) return PAM_SERVICE_ERR; } - if (!userName || (userName[0] == '\0')) { + if (userName[0] == '\0') { /* Don't let them use a NULL username... */ retval = pam_get_user(pamh,&userName,NULL); @@ -48,7 +48,7 @@ static int perform_check(pam_handle_t *pamh) return PAM_SERVICE_ERR; /* It could still be NULL the second time. */ - if (!userName || (userName[0] == '\0')) + if (userName[0] == '\0') return PAM_SERVICE_ERR; } diff --git a/modules/pam_stress/pam_stress.c b/modules/pam_stress/pam_stress.c index 62348fab..9baba321 100644 --- a/modules/pam_stress/pam_stress.c +++ b/modules/pam_stress/pam_stress.c @@ -217,11 +217,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, /* try to get the username */ retval = pam_get_user(pamh, &username, "username: "); - if (retval != PAM_SUCCESS || !username) { + if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_WARNING, "pam_sm_authenticate: failed to get username"); - if (retval == PAM_SUCCESS) - retval = PAM_USER_UNKNOWN; /* username was null */ return retval; } else if (ctrl & PAM_ST_DEBUG) { diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c index 76bc9825..db2c2db5 100644 --- a/modules/pam_succeed_if/pam_succeed_if.c +++ b/modules/pam_succeed_if/pam_succeed_if.c @@ -501,7 +501,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, } else { /* Get the user's name. */ ret = pam_get_user(pamh, &user, NULL); - if ((ret != PAM_SUCCESS) || (user == NULL)) { + if (ret != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, "error retrieving user name: %s", pam_strerror(pamh, ret)); diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c index e786d0f9..d965cabd 100644 --- a/modules/pam_time/pam_time.c +++ b/modules/pam_time/pam_time.c @@ -623,8 +623,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, /* set username */ - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL - || *user == '\0') { + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || *user == '\0') { pam_syslog(pamh, LOG_ERR, "can not get the username"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c index 249a9692..30be883c 100644 --- a/modules/pam_timestamp/pam_timestamp.c +++ b/modules/pam_timestamp/pam_timestamp.c @@ -296,10 +296,7 @@ get_timestamp_name(pam_handle_t *pamh, int argc, const char **argv, return i; } /* Get the name of the target user. */ - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { - user = NULL; - } - if ((user == NULL) || (strlen(user) == 0)) { + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user[0] == '\0') { return PAM_AUTH_ERR; } if (debug) { diff --git a/modules/pam_umask/pam_umask.c b/modules/pam_umask/pam_umask.c index 1b5df4b6..e17d0fc1 100644 --- a/modules/pam_umask/pam_umask.c +++ b/modules/pam_umask/pam_umask.c @@ -205,14 +205,10 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE:retval); } - if (name == NULL || name[0] == '\0') + if (name[0] == '\0') { - if (name) - { - pam_syslog (pamh, LOG_NOTICE, "bad username [%s]", name); - return PAM_USER_UNKNOWN; - } - return PAM_SERVICE_ERR; + pam_syslog (pamh, LOG_NOTICE, "bad username [%s]", name); + return PAM_USER_UNKNOWN; } pw = pam_modutil_getpwnam (pamh, name); diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c index 9a0cd372..4eccff8e 100644 --- a/modules/pam_unix/pam_unix_auth.c +++ b/modules/pam_unix/pam_unix_auth.c @@ -121,7 +121,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) * '+' or '-' as the first character of a user name. Don't * allow this characters here. */ - if (name == NULL || name[0] == '-' || name[0] == '+') { + if (name[0] == '-' || name[0] == '+') { pam_syslog(pamh, LOG_NOTICE, "bad username [%s]", name); retval = PAM_USER_UNKNOWN; AUTH_RETURN; diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index e9c960a2..e988b2e3 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -631,7 +631,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) * '+' or '-' as the first character of a user name. Don't * allow them. */ - if (user == NULL || user[0] == '-' || user[0] == '+') { + if (user[0] == '-' || user[0] == '+') { pam_syslog(pamh, LOG_NOTICE, "bad username [%s]", user); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c index d7d41233..3692465d 100644 --- a/modules/pam_userdb/pam_userdb.c +++ b/modules/pam_userdb/pam_userdb.c @@ -346,7 +346,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, /* Get the username */ retval = pam_get_user(pamh, &username, NULL); - if ((retval != PAM_SUCCESS) || (!username)) { + if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, "can not get the username"); return PAM_SERVICE_ERR; } @@ -437,7 +437,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, /* Get the username */ retval = pam_get_user(pamh, &username, NULL); - if ((retval != PAM_SUCCESS) || (!username)) { + if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR,"can not get the username"); return PAM_SERVICE_ERR; } diff --git a/modules/pam_usertype/pam_usertype.c b/modules/pam_usertype/pam_usertype.c index 76325063..eb656c09 100644 --- a/modules/pam_usertype/pam_usertype.c +++ b/modules/pam_usertype/pam_usertype.c @@ -126,7 +126,7 @@ pam_usertype_get_uid(struct pam_usertype_opts *opts, /* Get uid of user that is being authenticated. */ ret = pam_get_user(pamh, &username, NULL); - if (ret != PAM_SUCCESS || username == NULL) { + if (ret != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, "error retrieving user name: %s", pam_strerror(pamh, ret)); return ret; diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c index 94f8887a..f40eafff 100644 --- a/modules/pam_wheel/pam_wheel.c +++ b/modules/pam_wheel/pam_wheel.c @@ -107,7 +107,7 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group) int retval = PAM_AUTH_ERR; retval = pam_get_user(pamh, &username, NULL); - if ((retval != PAM_SUCCESS) || (!username)) { + if (retval != PAM_SUCCESS) { if (ctrl & PAM_DEBUG_ARG) { pam_syslog(pamh, LOG_DEBUG, "can not get the username"); } -- cgit v1.2.3 From ab4f7c33e2d6fb64ebf2e2ee0a2f3cfb06ed3f68 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Thu, 14 May 2020 08:00:00 +0000 Subject: pam_securetty: forward error values returned by pam_get_user Starting with commit c2c601f5340a59c5c62193d55b555d384380ea38, pam_get_user is guaranteed to return one of the following values: PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_AGAIN, or PAM_CONV_ERR. * modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Do not replace non-PAM_CONV_AGAIN error values returned by pam_get_user with PAM_SERVICE_ERR. * modules/pam_securetty/pam_securetty.8.xml (RETURN VALUES): Document new return values. --- modules/pam_securetty/pam_securetty.8.xml | 22 +++++++++++++++++++--- modules/pam_securetty/pam_securetty.c | 2 +- 2 files changed, 20 insertions(+), 4 deletions(-) (limited to 'modules/pam_securetty/pam_securetty.c') diff --git a/modules/pam_securetty/pam_securetty.8.xml b/modules/pam_securetty/pam_securetty.8.xml index b5e83691..e49d572b 100644 --- a/modules/pam_securetty/pam_securetty.8.xml +++ b/modules/pam_securetty/pam_securetty.8.xml @@ -114,13 +114,29 @@ + + PAM_BUF_ERR + + + Memory buffer error. + + + + + PAM_CONV_ERR + + + The conversation method supplied by the application + failed to obtain the username. + + + PAM_INCOMPLETE - An application error occurred. pam_securetty was not able - to get information it required from the application that - called it. + The conversation method supplied by the application + returned PAM_CONV_AGAIN. diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c index 355a23ab..5f52d3a9 100644 --- a/modules/pam_securetty/pam_securetty.c +++ b/modules/pam_securetty/pam_securetty.c @@ -85,7 +85,7 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, retval = pam_get_user(pamh, &username, NULL); if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_WARNING, "cannot determine username"); - return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE:PAM_SERVICE_ERR); + return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE : retval); } user_pwd = pam_modutil_getpwnam(pamh, username); -- cgit v1.2.3 From aac5a8fdc4aa3f7e56335a6343774cc1b63b408d Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 22 May 2020 11:00:00 +0000 Subject: modules: downgrade syslog level for pam_get_user errors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * modules/pam_access/pam_access.c (pam_sm_authenticate): Downgrade the syslog level for pam_get_user errors from LOG_ERR to LOG_NOTICE. * modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise. * modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise. * modules/pam_group/pam_group.c (pam_sm_setcred): Likewise. * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise. * modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise. * modules/pam_mail/pam_mail.c (_do_mail): Likewise. * modules/pam_nologin/pam_nologin.c (perform_check): Likewise. * modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise. * modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise. * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise. * modules/pam_tally/pam_tally.c (pam_get_uid): Likewise. * modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise. * modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise. * modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Likewise. * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise. * modules/pam_userdb/pam_userdb.c (pam_sm_authenticate, pam_sm_acct_mgmt): Likewise. * modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise. * modules/pam_xauth/pam_xauth.c (pam_sm_open_session, pam_sm_close_session): Likewise. * modules/pam_securetty/pam_securetty.c (securetty_perform_check): Downgrade the syslog level for pam_get_user errors from LOG_WARNING to LOG_NOTICE. * modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise. Suggested-by: Tomáš Mráz --- modules/pam_access/pam_access.c | 2 +- modules/pam_cracklib/pam_cracklib.c | 3 ++- modules/pam_ftp/pam_ftp.c | 3 ++- modules/pam_group/pam_group.c | 2 +- modules/pam_lastlog/pam_lastlog.c | 2 +- modules/pam_loginuid/pam_loginuid.c | 5 ++--- modules/pam_mail/pam_mail.c | 3 ++- modules/pam_nologin/pam_nologin.c | 2 +- modules/pam_rhosts/pam_rhosts.c | 3 ++- modules/pam_securetty/pam_securetty.c | 3 ++- modules/pam_sepermit/pam_sepermit.c | 2 +- modules/pam_stress/pam_stress.c | 5 +++-- modules/pam_succeed_if/pam_succeed_if.c | 4 ++-- modules/pam_tally/pam_tally.c | 2 +- modules/pam_tally2/pam_tally2.c | 2 +- modules/pam_time/pam_time.c | 2 +- modules/pam_tty_audit/pam_tty_audit.c | 2 +- modules/pam_umask/pam_umask.c | 3 ++- modules/pam_userdb/pam_userdb.c | 6 ++++-- modules/pam_usertype/pam_usertype.c | 2 +- modules/pam_wheel/pam_wheel.c | 3 ++- modules/pam_xauth/pam_xauth.c | 6 ++---- 22 files changed, 37 insertions(+), 30 deletions(-) (limited to 'modules/pam_securetty/pam_securetty.c') diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index 8d6cfe7e..98848c54 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -820,7 +820,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, /* set username */ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, "cannot determine the user's name"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c index f6fb0130..01291305 100644 --- a/modules/pam_cracklib/pam_cracklib.c +++ b/modules/pam_cracklib/pam_cracklib.c @@ -689,7 +689,8 @@ static int _pam_unix_approve_pass(pam_handle_t *pamh, retval = pam_get_user(pamh, &user, NULL); if (retval != PAM_SUCCESS) { if (ctrl & PAM_DEBUG_ARG) - pam_syslog(pamh,LOG_ERR,"Can not get username"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", + pam_strerror(pamh, retval)); return PAM_AUTHTOK_ERR; } /* diff --git a/modules/pam_ftp/pam_ftp.c b/modules/pam_ftp/pam_ftp.c index 36979d57..b2c32b74 100644 --- a/modules/pam_ftp/pam_ftp.c +++ b/modules/pam_ftp/pam_ftp.c @@ -120,7 +120,8 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, retval = pam_get_user(pamh, &user, NULL); if (retval != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, "no user specified"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", + pam_strerror(pamh, retval)); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c index 8fd8584e..d9a35ea6 100644 --- a/modules/pam_group/pam_group.c +++ b/modules/pam_group/pam_group.c @@ -772,7 +772,7 @@ pam_sm_setcred (pam_handle_t *pamh, int flags, /* set username */ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || *user == '\0') { - pam_syslog(pamh, LOG_ERR, "cannot determine the user's name"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c index e244cb71..a8686df7 100644 --- a/modules/pam_lastlog/pam_lastlog.c +++ b/modules/pam_lastlog/pam_lastlog.c @@ -670,7 +670,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, /* which user? */ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, "cannot determine the user's name"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c index 31181789..c3eca539 100644 --- a/modules/pam_loginuid/pam_loginuid.c +++ b/modules/pam_loginuid/pam_loginuid.c @@ -203,9 +203,8 @@ _pam_loginuid(pam_handle_t *pamh, int flags UNUSED, #endif /* get user name */ - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) - { - pam_syslog(pamh, LOG_ERR, "error recovering login user-name"); + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_SESSION_ERR; } diff --git a/modules/pam_mail/pam_mail.c b/modules/pam_mail/pam_mail.c index 0dc12e1e..0e2c8f0d 100644 --- a/modules/pam_mail/pam_mail.c +++ b/modules/pam_mail/pam_mail.c @@ -383,7 +383,8 @@ static int _do_mail(pam_handle_t *pamh, int flags, int argc, retval = pam_get_user(pamh, &user, NULL); if (retval != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, "cannot determine username"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", + pam_strerror(pamh, retval)); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_nologin/pam_nologin.c b/modules/pam_nologin/pam_nologin.c index 4ba33602..b7f9bab0 100644 --- a/modules/pam_nologin/pam_nologin.c +++ b/modules/pam_nologin/pam_nologin.c @@ -65,7 +65,7 @@ static int perform_check(pam_handle_t *pamh, struct opt_s *opts) int fd = -1; if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS)) { - pam_syslog(pamh, LOG_ERR, "cannot determine username"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c index 4dabfa13..a1b394d9 100644 --- a/modules/pam_rhosts/pam_rhosts.c +++ b/modules/pam_rhosts/pam_rhosts.c @@ -90,7 +90,8 @@ int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, retval = pam_get_user(pamh, &luser, NULL); if (retval != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, "could not determine name of local user"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine local user name: %s", + pam_strerror(pamh, retval)); return retval; } diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c index 5f52d3a9..b4d71751 100644 --- a/modules/pam_securetty/pam_securetty.c +++ b/modules/pam_securetty/pam_securetty.c @@ -84,7 +84,8 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, retval = pam_get_user(pamh, &username, NULL); if (retval != PAM_SUCCESS) { - pam_syslog(pamh, LOG_WARNING, "cannot determine username"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", + pam_strerror(pamh, retval)); return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE : retval); } diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c index b49b0097..ffa06b32 100644 --- a/modules/pam_sepermit/pam_sepermit.c +++ b/modules/pam_sepermit/pam_sepermit.c @@ -385,7 +385,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, pam_syslog(pamh, LOG_NOTICE, "Parsing config file: %s", cfgfile); if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || *user == '\0') { - pam_syslog(pamh, LOG_ERR, "Cannot determine the user's name"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_stress/pam_stress.c b/modules/pam_stress/pam_stress.c index 9baba321..6c7a6251 100644 --- a/modules/pam_stress/pam_stress.c +++ b/modules/pam_stress/pam_stress.c @@ -218,8 +218,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, retval = pam_get_user(pamh, &username, "username: "); if (retval != PAM_SUCCESS) { - pam_syslog(pamh, LOG_WARNING, - "pam_sm_authenticate: failed to get username"); + pam_syslog(pamh, LOG_NOTICE, + "pam_sm_authenticate: cannot determine user name: %s", + pam_strerror(pamh, retval)); return retval; } else if (ctrl & PAM_ST_DEBUG) { diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c index db2c2db5..7103ae30 100644 --- a/modules/pam_succeed_if/pam_succeed_if.c +++ b/modules/pam_succeed_if/pam_succeed_if.c @@ -502,8 +502,8 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, /* Get the user's name. */ ret = pam_get_user(pamh, &user, NULL); if (ret != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, - "error retrieving user name: %s", + pam_syslog(pamh, LOG_NOTICE, + "cannot determine user name: %s", pam_strerror(pamh, ret)); return ret; } diff --git a/modules/pam_tally/pam_tally.c b/modules/pam_tally/pam_tally.c index f0a28bba..7baf2c92 100644 --- a/modules/pam_tally/pam_tally.c +++ b/modules/pam_tally/pam_tally.c @@ -234,7 +234,7 @@ pam_get_uid(pam_handle_t *pamh, uid_t *uid, const char **userp, struct tally_opt } #else if ((pam_get_user( pamh, &user, NULL )) != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, "pam_get_user; user?"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_AUTH_ERR; } #endif diff --git a/modules/pam_tally2/pam_tally2.c b/modules/pam_tally2/pam_tally2.c index ff90af7d..246c8c10 100644 --- a/modules/pam_tally2/pam_tally2.c +++ b/modules/pam_tally2/pam_tally2.c @@ -262,7 +262,7 @@ pam_get_uid(pam_handle_t *pamh, uid_t *uid, const char **userp, struct tally_opt user = cline_user; if ( !user ) { - pam_syslog(pamh, LOG_ERR, "pam_get_uid; user?"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_AUTH_ERR; } #else diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c index d965cabd..089ae22d 100644 --- a/modules/pam_time/pam_time.c +++ b/modules/pam_time/pam_time.c @@ -624,7 +624,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, /* set username */ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || *user == '\0') { - pam_syslog(pamh, LOG_ERR, "can not get the username"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c index 2f04a05c..6b91bc50 100644 --- a/modules/pam_tty_audit/pam_tty_audit.c +++ b/modules/pam_tty_audit/pam_tty_audit.c @@ -268,7 +268,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) if (pam_get_user (pamh, &user, NULL) != PAM_SUCCESS) { - pam_syslog (pamh, LOG_ERR, "error determining target user's name"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_SESSION_ERR; } diff --git a/modules/pam_umask/pam_umask.c b/modules/pam_umask/pam_umask.c index 3cfe5538..a6fb0299 100644 --- a/modules/pam_umask/pam_umask.c +++ b/modules/pam_umask/pam_umask.c @@ -201,7 +201,8 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, /* get the user name. */ if ((retval = pam_get_user (pamh, &name, NULL)) != PAM_SUCCESS) { - pam_syslog (pamh, LOG_ERR, "pam_get_user failed: return %d", retval); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", + pam_strerror(pamh, retval)); return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE:retval); } diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c index 3692465d..a46cd276 100644 --- a/modules/pam_userdb/pam_userdb.c +++ b/modules/pam_userdb/pam_userdb.c @@ -347,7 +347,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, /* Get the username */ retval = pam_get_user(pamh, &username, NULL); if (retval != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, "can not get the username"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", + pam_strerror(pamh, retval)); return PAM_SERVICE_ERR; } @@ -438,7 +439,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, /* Get the username */ retval = pam_get_user(pamh, &username, NULL); if (retval != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR,"can not get the username"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", + pam_strerror(pamh, retval)); return PAM_SERVICE_ERR; } diff --git a/modules/pam_usertype/pam_usertype.c b/modules/pam_usertype/pam_usertype.c index dd297150..2807c306 100644 --- a/modules/pam_usertype/pam_usertype.c +++ b/modules/pam_usertype/pam_usertype.c @@ -127,7 +127,7 @@ pam_usertype_get_uid(struct pam_usertype_opts *opts, /* Get uid of user that is being authenticated. */ ret = pam_get_user(pamh, &username, NULL); if (ret != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, "error retrieving user name: %s", + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", pam_strerror(pamh, ret)); return ret == PAM_CONV_AGAIN ? PAM_INCOMPLETE : ret; } diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c index f40eafff..a025ebaf 100644 --- a/modules/pam_wheel/pam_wheel.c +++ b/modules/pam_wheel/pam_wheel.c @@ -109,7 +109,8 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group) retval = pam_get_user(pamh, &username, NULL); if (retval != PAM_SUCCESS) { if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_DEBUG, "can not get the username"); + pam_syslog(pamh, LOG_DEBUG, "cannot determine user name: %s", + pam_strerror(pamh, retval)); } return PAM_SERVICE_ERR; } diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c index 7a9f202b..bcd0d3a9 100644 --- a/modules/pam_xauth/pam_xauth.c +++ b/modules/pam_xauth/pam_xauth.c @@ -425,8 +425,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, /* Read the target user's name. */ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, - "error determining target user's name"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); retval = PAM_SESSION_ERR; goto cleanup; } @@ -782,8 +781,7 @@ pam_sm_close_session (pam_handle_t *pamh, int flags UNUSED, } if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, - "error determining target user's name"); + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); return PAM_SESSION_ERR; } if (!(tpwd = pam_modutil_getpwnam(pamh, user))) { -- cgit v1.2.3