From a10774c48223737de31a941f9de53f250db232fc Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Fri, 26 Jun 2009 12:23:28 +0000 Subject: Relevant BUGIDs: Purpose of commit: cleanup Commit summary: --------------- 2009-06-26 Thorsten Kukuk * modules/pam_unix/pam_unix_passwd.c: Remove dead SELinux code. --- modules/pam_unix/pam_unix_passwd.c | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) (limited to 'modules/pam_unix/pam_unix_passwd.c') diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 30ea6687..29b9c67d 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -1,7 +1,7 @@ /* * Main coding by Elliot Lee , Red Hat Software. * Copyright (C) 1996. - * Copyright (c) Jan Rkorajski, 1999. + * Copyright (c) Jan Rêkorajski, 1999. * Copyright (c) Red Hat, Inc., 2007, 2008. * * Redistribution and use in source and binary forms, with or without @@ -61,11 +61,6 @@ #include #include #include -#ifdef WITH_SELINUX -static int selinux_enabled=-1; -#include -#define SELINUX_ENABLED (selinux_enabled!=-1 ? selinux_enabled : (selinux_enabled=is_selinux_enabled()>0)) -#endif #include @@ -196,7 +191,7 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const snprintf(buffer, sizeof(buffer), "%d", remember); args[4] = x_strdup(buffer); - + execve(UPDATE_HELPER, args, envp); /* should not get here: exit with error */ @@ -698,7 +693,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, pass_new = NULL; } retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new); - + if (retval != PAM_SUCCESS && off(UNIX_NOT_SET_PASS, ctrl)) { pam_set_item(pamh, PAM_AUTHTOK, NULL); } -- cgit v1.2.3 From 2037cd51a2b787c492d60c9235b85868f03ed9ba Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk Date: Tue, 30 Jun 2009 10:28:53 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- This makes Linux-PAM compile able with uClibc or on embedded systems without full libc/libnsl. 2009-06-29 Thorsten Kukuk * modules/pam_unix/yppasswd_xdr.c: Remove unnecessary header files. * modules/pam_unix/support.c (_unix_getpwnam): Only compile in NIS support if all necessary functions exist. * modules/pam_unix/pam_unix_passwd.c (getNISserver): Add debug option, handle correct if OS has no NIS support. * modules/pam_access/pam_access.c (netgroup_match): Check if yp_get_default_domain and innetgr are available at compile time. * configure.in: Check for functions: innetgr, getdomainname check for headers: rpcsvc/ypclnt.h, rpcsvc/yp_prot.h. --- ChangeLog | 21 +++++++++++++++++++++ configure.in | 4 ++-- modules/pam_access/pam_access.c | 26 ++++++++++++++++++++++---- modules/pam_unix/pam_unix_passwd.c | 36 ++++++++++++++++++++++++++++++++++-- modules/pam_unix/support.c | 7 +++++++ modules/pam_unix/yppasswd_xdr.c | 2 -- 6 files changed, 86 insertions(+), 10 deletions(-) (limited to 'modules/pam_unix/pam_unix_passwd.c') diff --git a/ChangeLog b/ChangeLog index 8b82adbb..9ee58687 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,24 @@ +2009-06-29 Thorsten Kukuk + + * modules/pam_unix/yppasswd_xdr.c: Remove unnecessary header files. + + * modules/pam_unix/support.c (_unix_getpwnam): Only compile in NIS + support if all necessary functions exist. + + * modules/pam_unix/pam_unix_passwd.c (getNISserver): Add debug + option, handle correct if OS has no NIS support. + + * modules/pam_access/pam_access.c (netgroup_match): Check if + yp_get_default_domain and innetgr are available at compile time. + + * configure.in: Check for functions: innetgr, getdomainname + check for headers: rpcsvc/ypclnt.h, rpcsvc/yp_prot.h. + +2009-06-29 Thorsten Kukuk + + * modules/pam_unix/pam_unix.8.xml: Fix blowfish description. + Reported by Diego E. “Flameeyes” Pettenò. + 2009-06-26 Thorsten Kukuk * modules/pam_namespace/Makefile.am: Fix make maintainer-clean, diff --git a/configure.in b/configure.in index b7d88003..3cc05ed4 100644 --- a/configure.in +++ b/configure.in @@ -409,7 +409,7 @@ AM_CONDITIONAL([HAVE_LIBDB], [test ! -z "$LIBDB"]) AC_CHECK_LIB([nsl],[yp_get_default_domain], LIBNSL="-lnsl", LIBNSL="") BACKUP_LIBS=$LIBS LIBS="$LIBS $LIBNSL" -AC_CHECK_FUNCS(yp_get_default_domain) +AC_CHECK_FUNCS(yp_get_default_domain getdomainname innetgr yperr_string yp_master yp_bind yp_match yp_unbind) LIBS=$BACKUP_LIBS AC_SUBST(LIBNSL) @@ -436,7 +436,7 @@ dnl Checks for header files. AC_HEADER_DIRENT AC_HEADER_STDC AC_HEADER_SYS_WAIT -AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h net/if.h termio.h unistd.h sys/fsuid.h inittypes.h) +AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h net/if.h termio.h unistd.h sys/fsuid.h inittypes.h rpcsvc/ypclnt.h rpcsvc/yp_prot.h) dnl For module/pam_lastlog AC_CHECK_HEADERS(lastlog.h utmp.h utmpx.h) diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index ba8effe3..963ce528 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c 
@@ -41,11 +41,12 @@ #include #include #include -#include #include #include #include - +#ifdef HAVE_RPCSVC_YPCLNT_H +#include +#endif #ifdef HAVE_LIBAUDIT #include #endif @@ -465,13 +466,31 @@ static int netgroup_match (pam_handle_t *pamh, const char *netgroup, const char *machine, const char *user, int debug) { - char *mydomain = NULL; int retval; + char *mydomain = NULL; +#ifdef HAVE_YP_GET_DEFAUTL_DOMAIN yp_get_default_domain(&mydomain); +#elif defined(HAVE_GETDOMAINNAME) + char domainname_res[256]; + if (getdomainname (domainname_res, sizeof (domainname_res)) == 0) + { + if (strcmp (domainname_res, "(none)") == 0) + { + /* If domainname is not set, some systems will return "(none)" */ + domainname_res[0] = '\0'; + } + mydomain = domainname_res; + } +#endif +#ifdef HAVE_INNETGR retval = innetgr (netgroup, machine, user, mydomain); +#else + retval = 0; + pam_syslog (pamh, LOG_ERR, "pam_access does not have netgroup support"); +#endif if (debug == YES) pam_syslog (pamh, LOG_DEBUG, "netgroup_match: %d (netgroup=%s, machine=%s, user=%s, domain=%s)", @@ -479,7 +498,6 @@ netgroup_match (pam_handle_t *pamh, const char *netgroup, machine ? machine : "NULL", user ? user : "NULL", mydomain ? mydomain : "NULL"); return retval; - } /* user_match - match a username against one token */ diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 29b9c67d..2792a4d5 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -55,8 +55,12 @@ #include #include #include +#ifdef HAVE_RPCSVC_YP_PROT_H #include +#endif +#ifdef HAVE_RPCSVC_YPCLNT_H #include +#endif #include #include 
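Review bot: The guard `#ifdef HAVE_YP_GET_DEFAUTL_DOMAIN` in the netgroup_match hunk is misspelled, so the `yp_get_default_domain(&mydomain)` branch is never compiled; it should read `#ifdef HAVE_YP_GET_DEFAULT_DOMAIN`, the macro that the configure.in check defines and that the pam_unix hunks test. As written, every build uses the `getdomainname` fallback, or does no domain lookup at all when that is missing too. The fallback hands `innetgr` an empty string when the domain is unset (after the "(none)" rewrite) rather than a NULL domain, and whether the two select the same netgroup entries depends on the libc, so the access decision may differ from the intended path. Separately, the `#else` branch for a missing `innetgr` sets `retval = 0`, which presumably means a rule that denies by netgroup never matches on such a build; that behaviour deserves a comment at least. The function's closing lines are in the following hunk.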
@@ -98,17 +102,34 @@ extern int getrpcport(const char *host, unsigned long prognum, #define MAX_PASSWD_TRIES 3 -static char *getNISserver(pam_handle_t *pamh) +static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl) { +#if (defined(HAVE_YP_GET_DEFAULT_DOMAIN) || defined(HAVE_GETDOMAINNAME)) && defined(HAVE_YP_MASTER) char *master; char *domainname; int port, err; +#ifdef HAVE_YP_GET_DEFAULT_DOMAIN if ((err = yp_get_default_domain(&domainname)) != 0) { pam_syslog(pamh, LOG_WARNING, "can't get local yp domain: %s", yperr_string(err)); return NULL; } +#elif defined(HAVE_GETDOMAINNAME) + char domainname_res[256]; + + if (getdomainname (domainname_res, sizeof (domainname_res)) == 0) + { + if (strcmp (domainname_res, "(none)") == 0) + { + /* If domainname is not set, some systems will return "(none)" */ + domainname_res[0] = '\0'; + } + domainname = domainname_res; + } + else domainname = NULL; +#endif + if ((err = yp_master(domainname, "passwd.byname", &master)) != 0) { pam_syslog(pamh, LOG_WARNING, "can't find the master ypserver: %s", yperr_string(err)); @@ -125,7 +146,18 @@ static char *getNISserver(pam_handle_t *pamh) "yppasswd daemon running on illegal port"); return NULL; } + if (on(UNIX_DEBUG, ctrl)) { + pam_syslog(pamh, LOG_DEBUG, "Use NIS server on %s with port %d", + master, port); + } return master; +#else + if (on(UNIX_DEBUG, ctrl)) { + pam_syslog(pamh, LOG_DEBUG, "getNISserver: No NIS support available"); + } + + return NULL; +#endif } #ifdef WITH_SELINUX @@ -294,7 +326,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho, } if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) { - if ((master=getNISserver(pamh)) != NULL) { + if ((master=getNISserver(pamh, ctrl)) != NULL) { struct timeval timeout; struct yppasswd yppwd; CLIENT *clnt; diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index 050e0dc1..2a47d157 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c 
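Review bot: In the `getdomainname` fallback of getNISserver, a failed call only sets `domainname = NULL` and execution continues into `yp_master(domainname, "passwd.byname", &master)`, whereas the `yp_get_default_domain` branch logs and returns NULL. The fallback should fail the same way, e.g. `else { pam_syslog(pamh, LOG_WARNING, "can't get local yp domain"); return NULL; }`, and should probably also treat the empty name left by the "(none)" rewrite as having no domain. The outer guard tests `HAVE_YP_MASTER`, but the body also calls `yperr_string`, which configure.in now probes separately, so the guard should add `defined(HAVE_YPERR_STRING)` or the messages should not depend on it. Judging by the `_do_setpass` caller in the later hunk, the returned host is where the NIS password change is sent, so a lookup under a wrong or empty domain should not pass silently. The function's tail is in the following hunk.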
@@ -19,7 +19,9 @@ #include #include #include +#ifdef HAVE_RPCSVC_YPCLNT_H #include +#endif #include #include @@ -275,6 +277,7 @@ int _unix_getpwnam(pam_handle_t *pamh, const char *name, } } +#if defined(HAVE_YP_GET_DEFAULT_DOMAIN) && defined (HAVE_YP_BIND) && defined (HAVE_YP_MATCH) && defined (HAVE_YP_UNBIND) if (!matched && nis) { char *userinfo = NULL, *domain = NULL; int len = 0, i; @@ -293,6 +296,10 @@ int _unix_getpwnam(pam_handle_t *pamh, const char *name, } } } +#else + /* we don't have NIS support, make compiler happy. */ + nis = 0; +#endif if (matched && (ret != NULL)) { *ret = NULL; diff --git a/modules/pam_unix/yppasswd_xdr.c b/modules/pam_unix/yppasswd_xdr.c index 0b7cfac6..0b95b82b 100644 --- a/modules/pam_unix/yppasswd_xdr.c +++ b/modules/pam_unix/yppasswd_xdr.c @@ -13,8 +13,6 @@ #include "config.h" #include -#include -#include #include "yppasswd.h" bool_t -- cgit v1.2.3 From a728c0f63e15c18ef599e599e4e46456b624abda Mon Sep 17 00:00:00 2001 
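Review bot: The `#else` branch added to `_unix_getpwnam` clears `nis` with only the comment "make compiler happy", which hides that a caller's request for a NIS lookup is silently dropped on builds without the yp functions. I would replace the comment with `/* NIS support not compiled in: the caller's nis request is ignored and only the lookup above is used. */`. The guard here also requires `HAVE_YP_GET_DEFAULT_DOMAIN` with no `getdomainname` fallback, unlike the pam_access and pam_unix_passwd hunks of the same commit; if that difference is intentional it should be stated in the same comment. The function starts and ends outside these hunks.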
From: Thorsten Kukuk Date: Tue, 8 Dec 2009 14:41:40 +0000 Subject: Relevant BUGIDs: 2892529 Purpose of commit: bugfix Commit summary: --------------- 2009-12-08 Thorsten Kukuk * configure.in: Rename DEBUG to PAM_DEBUG. * libpam/pam_env.c: Likewise * libpam/pam_handlers.c: Likewise * libpam/pam_miscc.c: Likewise * libpam/pam_password.c: Likewise * libpam/include/security/_pam_macros.h: Likewise * libpamc/test/modules/pam_secret.c: Likewise * modules/pam_group/pam_group.c: Likewise * modules/pam_listfile/pam_listfile.c: Likewise * modules/pam_unix/pam_unix_auth.c: Likewise * modules/pam_unix/pam_unix_passwd.c: Likewise --- ChangeLog | 14 ++++++++++++++ configure.in | 2 +- libpam/include/security/_pam_macros.h | 4 ++-- libpam/pam_env.c | 2 +- libpam/pam_handlers.c | 2 +- libpam/pam_misc.c | 2 +- libpam/pam_password.c | 2 -- libpamc/test/modules/pam_secret.c | 4 +--- modules/pam_group/pam_group.c | 6 +++--- modules/pam_listfile/pam_listfile.c | 18 +++++++++--------- modules/pam_unix/pam_unix_auth.c | 2 -- modules/pam_unix/pam_unix_passwd.c | 2 +- 12 files changed, 34 insertions(+), 26 deletions(-) (limited to 'modules/pam_unix/pam_unix_passwd.c') diff --git a/ChangeLog b/ChangeLog index 547b2d58..80e00631 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,17 @@ +2009-12-08 Thorsten Kukuk + + * configure.in: Rename DEBUG to PAM_DEBUG. + * libpam/pam_env.c: Likewise + * libpam/pam_handlers.c: Likewise + * libpam/pam_miscc.c: Likewise + * libpam/pam_password.c: Likewise + * libpam/include/security/_pam_macros.h: Likewise + * libpamc/test/modules/pam_secret.c: Likewise + * modules/pam_group/pam_group.c: Likewise + * modules/pam_listfile/pam_listfile.c: Likewise + * modules/pam_unix/pam_unix_auth.c: Likewise + * modules/pam_unix/pam_unix_passwd.c: Likewise + 2009-12-08 Tomas Mraz * modules/pam_unix/passverify.c(unix_update_shadow): Create a shadow diff --git a/configure.in b/configure.in index 3cc05ed4..96cf572b 100644 --- a/configure.in +++ b/configure.in 
@@ -234,7 +234,7 @@ AC_ARG_ENABLE([debug], AS_HELP_STRING([--enable-debug],[specify you are building with debugging on])) if test x"$enable_debug" = x"yes" ; then - AC_DEFINE([DEBUG],, + AC_DEFINE([PAM_DEBUG],, [lots of stuff gets written to /var/run/pam-debug.log]) fi diff --git a/libpam/include/security/_pam_macros.h b/libpam/include/security/_pam_macros.h index bd107cfb..e891e226 100644 --- a/libpam/include/security/_pam_macros.h +++ b/libpam/include/security/_pam_macros.h @@ -62,7 +62,7 @@ do { \ /* some debugging code */ -#ifdef DEBUG +#ifdef PAM_DEBUG /* * This provides the necessary function to do debugging in PAM. @@ -191,6 +191,6 @@ do { \ #define _pam_show_mem(X,XS) do { } while (0) #define _pam_show_reply(reply, replies) do { } while (0) -#endif /* DEBUG */ +#endif /* PAM_DEBUG */ #endif /* PAM_MACROS_H */ diff --git a/libpam/pam_env.c b/libpam/pam_env.c index dcdac7ab..1c8403d6 100644 --- a/libpam/pam_env.c +++ b/libpam/pam_env.c @@ -21,7 +21,7 @@ /* helper functions */ -#ifdef DEBUG +#ifdef PAM_DEBUG static void _pam_dump_env(pam_handle_t *pamh) { int i; diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c index bca3dd31..59a1929f 100644 --- a/libpam/pam_handlers.c +++ b/libpam/pam_handlers.c @@ -239,7 +239,7 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f argv = NULL; } -#ifdef DEBUG +#ifdef PAM_DEBUG { int y; diff --git a/libpam/pam_misc.c b/libpam/pam_misc.c index b690fd3e..0e607276 100644 --- a/libpam/pam_misc.c +++ b/libpam/pam_misc.c @@ -171,7 +171,7 @@ int _pam_mkargv(char *s, char ***argv, int *argc) char **our_argv = NULL; char **argvbuf; char *argvbufp; -#ifdef DEBUG +#ifdef PAM_DEBUG int count=0; #endif diff --git a/libpam/pam_password.c b/libpam/pam_password.c index 70917c58..75db5e50 100644 --- a/libpam/pam_password.c +++ b/libpam/pam_password.c @@ -4,8 +4,6 @@ * $Id$ */ -/* #define DEBUG */ - #include "pam_private.h" #include 
diff --git a/libpamc/test/modules/pam_secret.c b/libpamc/test/modules/pam_secret.c index 830f1a78..6316f7f5 100644 --- a/libpamc/test/modules/pam_secret.c +++ b/libpamc/test/modules/pam_secret.c @@ -9,8 +9,6 @@ * NEEDS TO BE INTEGRATED MORE NATIVELY. */ -/* #define DEBUG */ - #include #include #include @@ -178,7 +176,7 @@ static int converse(pam_handle_t *pamh, struct ps_state_s *new) } } -#ifdef DEBUG +#ifdef PAM_DEBUG if (retval == PAM_SUCCESS) { D(("reply has length=%d and control=%u", PAM_BP_LENGTH(new->current_reply), diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c index 4a931c4f..3dc7f78e 100644 --- a/modules/pam_group/pam_group.c +++ b/modules/pam_group/pam_group.c @@ -605,7 +605,7 @@ static int check_account(pam_handle_t *pamh, const char *service, no_grps = 0; _pam_drop(grps); } -#ifdef DEBUG +#ifdef PAM_DEBUG { int z; for (z=0; z 0) { -#ifdef DEBUG +#ifdef PAM_DEBUG int err; #endif D(("trying to set %d groups", no_grps)); -#ifdef DEBUG +#ifdef PAM_DEBUG for (err=0; err #include -#ifdef DEBUG +#ifdef PAM_DEBUG #include #endif @@ -199,23 +199,23 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, if(apply_type==APPLY_TYPE_USER) { if(strcmp(user_name, apply_val)) { /* Does not apply to this user */ -#ifdef DEBUG +#ifdef PAM_DEBUG pam_syslog(pamh,LOG_DEBUG, "don't apply: apply=%s, user=%s", apply_val,user_name); -#endif /* DEBUG */ +#endif /* PAM_DEBUG */ free(ifname); return PAM_IGNORE; } } else if(apply_type==APPLY_TYPE_GROUP) { if(!pam_modutil_user_in_group_nam_nam(pamh,user_name,apply_val)) { /* Not a member of apply= group */ -#ifdef DEBUG +#ifdef PAM_DEBUG pam_syslog(pamh,LOG_DEBUG, "don't apply: %s not a member of group %s", user_name,apply_val); -#endif /* DEBUG */ +#endif /* PAM_DEBUG */ free(ifname); return PAM_IGNORE; } 
@@ -276,7 +276,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, return onerr; } } -#ifdef DEBUG +#ifdef PAM_DEBUG pam_syslog(pamh,LOG_INFO, "Got file = %s, item = %d, value = %s, sense = %d", @@ -312,7 +312,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, retval=PAM_AUTH_ERR; /* This loop assumes that PAM_SUCCESS == 0 and PAM_AUTH_ERR != 0 */ -#ifdef DEBUG +#ifdef PAM_DEBUG assert(PAM_SUCCESS == 0); assert(PAM_AUTH_ERR != 0); #endif @@ -343,7 +343,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, fclose(inf); free(ifname); if ((sense && retval) || (!sense && !retval)) { -#ifdef DEBUG +#ifdef PAM_DEBUG pam_syslog(pamh,LOG_INFO, "Returning PAM_SUCCESS, retval = %d", retval); #endif @@ -352,7 +352,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, else { const void *service; const char *user_name; -#ifdef DEBUG +#ifdef PAM_DEBUG pam_syslog(pamh,LOG_INFO, "Returning PAM_AUTH_ERR, retval = %d", retval); #endif diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c index 05b5ec6c..c2f79b10 100644 --- a/modules/pam_unix/pam_unix_auth.c +++ b/modules/pam_unix/pam_unix_auth.c @@ -35,8 +35,6 @@ * OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* #define DEBUG */ - #include "config.h" #include diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 2792a4d5..1d70a7c2 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -385,7 +385,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho, _("NIS password could not be changed.")); retval = PAM_TRY_AGAIN; } -#ifdef DEBUG +#ifdef PAM_DEBUG sleep(5); #endif } else { -- cgit v1.2.3