* Add support for credential reinitialization in pam_group, closes: #108697
* Only log unknown user at warning, not alert, closes: #95220
* By default do complete matches not substring matches for pam_time.
You can include explicit wildcard for substring, closes: #66152
Index: Linux-PAM/modules/pam_unix/support.c
===================================================================
--- Linux-PAM/modules/pam_unix/support.c.orig
+++ Linux-PAM/modules/pam_unix/support.c
@@ -714,7 +714,7 @@
if (on(UNIX_AUDIT, ctrl)) {
/* this might be a typo and the user has given a password
instead of a username. Careful with this. */
- _log_err(LOG_ALERT, pamh,
+ _log_err(LOG_WARNING, pamh,
"check pass; user (%s) unknown", name);
} else {
name = NULL;
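Review bot: The changed `_log_err` call still writes the caller-supplied `name` to syslog, and the comment directly above it already warns that this may be a password typed in place of a username. Moving the message from LOG_ALERT to LOG_WARNING can change which log files and readers receive it, depending on the local syslog configuration. Any monitoring that keyed on the alert priority for unknown-user attempts will also stop seeing it; the same applies to the unix_chkpwd.c hunk. I would record this on the call with a comment such as `/* name is untrusted input and may be a mistyped password; logged only when UNIX_AUDIT is set */`. The enclosing function starts and ends outside the hunk.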
Index: Linux-PAM/modules/pam_unix/unix_chkpwd.c
===================================================================
--- Linux-PAM/modules/pam_unix/unix_chkpwd.c.orig
+++ Linux-PAM/modules/pam_unix/unix_chkpwd.c
@@ -154,7 +154,7 @@
}
}
if (pwd == NULL || salt == NULL) {
- _log_err(LOG_ALERT, "check pass; user unknown");
+ _log_err(LOG_WARNING, "check pass; user unknown");
p = NULL;
return retval;
}
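Review bot: The branch at `if (pwd == NULL || salt == NULL)` logs "check pass; user unknown" for both conditions, so an account that exists but yields no salt would be reported as unknown. How `salt` is obtained is outside the hunk, so this is inferred from the condition alone. If the two cases can differ, a separate message for the salt case would keep the log accurate for anyone investigating failed logins, e.g. `_log_err(LOG_WARNING, "check pass; no password hash available for user");`.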
Index: Linux-PAM/modules/pam_time/pam_time.c
===================================================================
--- Linux-PAM/modules/pam_time/pam_time.c.orig
+++ Linux-PAM/modules/pam_time/pam_time.c
@@ -336,7 +336,11 @@
return FALSE;
}
}
- return ( !len );
+ /* By this point we know that we didn't treat a * in b as a wildcard.
+ the only way we got done with the loop is if we consumed every
+ character in b. Thus the strings are equal if their
+ lengths are the same otherwise not equal. */
+ return (strlen (a) == strlen (b));
}
typedef struct {
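Review bot: The new `return (strlen (a) == strlen (b));` changes how existing pam_time configuration entries match: going by the description, a pattern that used to match as a substring no longer matches unless it carries an explicit `*`. For negated or deny-style entries this could change who is admitted after an upgrade, so the comment should say so, for instance `/* NOTE: substring matches now require an explicit '*' in the pattern */`. The return also relies on `a` and `b` being non-NULL and NUL-terminated; the loop that would establish this is outside the hunk.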
Index: Linux-PAM/modules/pam_group/pam_group.c
===================================================================
--- Linux-PAM/modules/pam_group/pam_group.c.orig
+++ Linux-PAM/modules/pam_group/pam_group.c
@@ -776,9 +776,12 @@
unsigned setting;
/* only interested in establishing credentials */
+ /* PAM docs say that an empty flag is to be treated as PAM_ESTABLISH_CRED.
+ Some people just pass PAM_SILENT, so cope with it, too. */
setting = flags;
- if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) {
+ if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))
+ && (setting != 0) && (setting != PAM_SILENT)) {
D(("ignoring call - not for establishing credentials"));
return PAM_SUCCESS; /* don't fail because of this */
}
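Review bot: The three-part condition is harder to read than it needs to be, since `(setting != 0) && (setting != PAM_SILENT)` special-cases exact values next to a bitmask test. Masking the silent bit first says the same thing more directly: `setting = flags & ~PAM_SILENT;` followed by `if (setting != 0 && !(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) {`. This is equivalent only if nothing later in the function reads PAM_SILENT from `setting`, and the rest of the function is outside the hunk. The older comment "only interested in establishing credentials" could be merged with the new one, because the code now also proceeds for an empty flag.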