commit
501aa94635
@ -0,0 +1,2 @@
|
||||
SOURCES/Linux-PAM-1.3.1.tar.xz
|
||||
SOURCES/pam-redhat-0.99.11.tar.bz2
|
@ -0,0 +1,2 @@
|
||||
e89b6d279c9bf8cb495dfc0b3f3931eb50f818e9 SOURCES/Linux-PAM-1.3.1.tar.xz
|
||||
42206fe8319723ef23ab646b2eab496c86de3f5b SOURCES/pam-redhat-0.99.11.tar.bz2
|
@ -0,0 +1,7 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2
|
||||
|
||||
iD8DBQBa/r62bRp/BS5ZJLsRArnKAJ9pGaJHpsEsbOVa5dBQLHYC4DhPuACeJNrg
|
||||
+DaNc8W13E4Z2ZEUSsgUGe4=
|
||||
=aSTW
|
||||
-----END PGP SIGNATURE-----
|
@ -0,0 +1,36 @@
|
||||
.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual"
|
||||
.SH NAME
|
||||
|
||||
config-util \- Common PAM configuration file for configuration utilities
|
||||
|
||||
.SH SYNOPSIS
|
||||
.B /etc/pam.d/config-util
|
||||
.sp 2
|
||||
.SH DESCRIPTION
|
||||
|
||||
The purpose of this configuration file is to provide common
|
||||
configuration file for all configuration utilities which must be run
|
||||
from the supervisor account and use the userhelper wrapper application.
|
||||
|
||||
.sp
|
||||
The
|
||||
.BR config-util
|
||||
configuration file is included from all individual configuration
|
||||
files of such utilities with the help of the
|
||||
.BR include
|
||||
directive.
|
||||
There are not usually any other modules in the individual configuration
|
||||
files of these utilities.
|
||||
|
||||
.sp
|
||||
It is possible for example to modify duration of the validity of the
|
||||
authentication timestamp there. See
|
||||
.BR pam_timestamp(8)
|
||||
for details.
|
||||
|
||||
.SH BUGS
|
||||
.sp 2
|
||||
None known.
|
||||
|
||||
.SH "SEE ALSO"
|
||||
pam(8), config-util(5), pam_timestamp(8)
|
@ -0,0 +1,8 @@
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
auth sufficient pam_timestamp.so
|
||||
auth include system-auth
|
||||
account required pam_permit.so
|
||||
session required pam_permit.so
|
||||
session optional pam_xauth.so
|
||||
session optional pam_timestamp.so
|
@ -0,0 +1,75 @@
|
||||
#!/bin/sh
|
||||
|
||||
tempdir=`mktemp -d /tmp/dlopenXXXXXX`
|
||||
test -n "$tempdir" || exit 1
|
||||
cat >> $tempdir/dlopen.c << _EOF
|
||||
#include <dlfcn.h>
|
||||
#include <stdio.h>
|
||||
#include <limits.h>
|
||||
#include <sys/stat.h>
|
||||
/* Simple program to see if dlopen() would succeed. */
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
int i;
|
||||
struct stat st;
|
||||
char buf[PATH_MAX];
|
||||
for (i = 1; i < argc; i++) {
|
||||
if (dlopen(argv[i], RTLD_NOW)) {
|
||||
fprintf(stdout, "dlopen() of \"%s\" succeeded.\n",
|
||||
argv[i]);
|
||||
} else {
|
||||
snprintf(buf, sizeof(buf), "./%s", argv[i]);
|
||||
if ((stat(buf, &st) == 0) && dlopen(buf, RTLD_NOW)) {
|
||||
fprintf(stdout, "dlopen() of \"./%s\" "
|
||||
"succeeded.\n", argv[i]);
|
||||
} else {
|
||||
fprintf(stdout, "dlopen() of \"%s\" failed: "
|
||||
"%s\n", argv[i], dlerror());
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
_EOF
|
||||
|
||||
for arg in $@ ; do
|
||||
case "$arg" in
|
||||
"")
|
||||
;;
|
||||
-I*|-D*|-f*|-m*|-g*|-O*|-W*)
|
||||
cflags="$cflags $arg"
|
||||
;;
|
||||
-l*|-L*)
|
||||
ldflags="$ldflags $arg"
|
||||
;;
|
||||
/*)
|
||||
modules="$modules $arg"
|
||||
;;
|
||||
*)
|
||||
modules="$modules $arg"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
${CC:-gcc} $RPM_OPT_FLAGS $CFLAGS -o $tempdir/dlopen $cflags $tempdir/dlopen.c $ldflags -ldl
|
||||
|
||||
retval=0
|
||||
for module in $modules ; do
|
||||
case "$module" in
|
||||
"")
|
||||
;;
|
||||
/*)
|
||||
$tempdir/dlopen "$module"
|
||||
retval=$?
|
||||
;;
|
||||
*)
|
||||
$tempdir/dlopen ./"$module"
|
||||
retval=$?
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
rm -f $tempdir/dlopen $tempdir/dlopen.c
|
||||
rmdir $tempdir
|
||||
exit $retval
|
@ -0,0 +1,19 @@
|
||||
#%PAM-1.0
|
||||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authselect is run.
|
||||
auth required pam_env.so
|
||||
auth sufficient pam_fprintd.so
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_unix.so
|
||||
account sufficient pam_localuser.so
|
||||
account sufficient pam_succeed_if.so uid < 500 quiet
|
||||
account required pam_permit.so
|
||||
|
||||
password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_systemd.so
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
session required pam_unix.so
|
@ -0,0 +1,339 @@
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
Version 2, June 1991
|
||||
|
||||
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
|
||||
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
Everyone is permitted to copy and distribute verbatim copies
|
||||
of this license document, but changing it is not allowed.
|
||||
|
||||
Preamble
|
||||
|
||||
The licenses for most software are designed to take away your
|
||||
freedom to share and change it. By contrast, the GNU General Public
|
||||
License is intended to guarantee your freedom to share and change free
|
||||
software--to make sure the software is free for all its users. This
|
||||
General Public License applies to most of the Free Software
|
||||
Foundation's software and to any other program whose authors commit to
|
||||
using it. (Some other Free Software Foundation software is covered by
|
||||
the GNU Lesser General Public License instead.) You can apply it to
|
||||
your programs, too.
|
||||
|
||||
When we speak of free software, we are referring to freedom, not
|
||||
price. Our General Public Licenses are designed to make sure that you
|
||||
have the freedom to distribute copies of free software (and charge for
|
||||
this service if you wish), that you receive source code or can get it
|
||||
if you want it, that you can change the software or use pieces of it
|
||||
in new free programs; and that you know you can do these things.
|
||||
|
||||
To protect your rights, we need to make restrictions that forbid
|
||||
anyone to deny you these rights or to ask you to surrender the rights.
|
||||
These restrictions translate to certain responsibilities for you if you
|
||||
distribute copies of the software, or if you modify it.
|
||||
|
||||
For example, if you distribute copies of such a program, whether
|
||||
gratis or for a fee, you must give the recipients all the rights that
|
||||
you have. You must make sure that they, too, receive or can get the
|
||||
source code. And you must show them these terms so they know their
|
||||
rights.
|
||||
|
||||
We protect your rights with two steps: (1) copyright the software, and
|
||||
(2) offer you this license which gives you legal permission to copy,
|
||||
distribute and/or modify the software.
|
||||
|
||||
Also, for each author's protection and ours, we want to make certain
|
||||
that everyone understands that there is no warranty for this free
|
||||
software. If the software is modified by someone else and passed on, we
|
||||
want its recipients to know that what they have is not the original, so
|
||||
that any problems introduced by others will not reflect on the original
|
||||
authors' reputations.
|
||||
|
||||
Finally, any free program is threatened constantly by software
|
||||
patents. We wish to avoid the danger that redistributors of a free
|
||||
program will individually obtain patent licenses, in effect making the
|
||||
program proprietary. To prevent this, we have made it clear that any
|
||||
patent must be licensed for everyone's free use or not licensed at all.
|
||||
|
||||
The precise terms and conditions for copying, distribution and
|
||||
modification follow.
|
||||
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
||||
|
||||
0. This License applies to any program or other work which contains
|
||||
a notice placed by the copyright holder saying it may be distributed
|
||||
under the terms of this General Public License. The "Program", below,
|
||||
refers to any such program or work, and a "work based on the Program"
|
||||
means either the Program or any derivative work under copyright law:
|
||||
that is to say, a work containing the Program or a portion of it,
|
||||
either verbatim or with modifications and/or translated into another
|
||||
language. (Hereinafter, translation is included without limitation in
|
||||
the term "modification".) Each licensee is addressed as "you".
|
||||
|
||||
Activities other than copying, distribution and modification are not
|
||||
covered by this License; they are outside its scope. The act of
|
||||
running the Program is not restricted, and the output from the Program
|
||||
is covered only if its contents constitute a work based on the
|
||||
Program (independent of having been made by running the Program).
|
||||
Whether that is true depends on what the Program does.
|
||||
|
||||
1. You may copy and distribute verbatim copies of the Program's
|
||||
source code as you receive it, in any medium, provided that you
|
||||
conspicuously and appropriately publish on each copy an appropriate
|
||||
copyright notice and disclaimer of warranty; keep intact all the
|
||||
notices that refer to this License and to the absence of any warranty;
|
||||
and give any other recipients of the Program a copy of this License
|
||||
along with the Program.
|
||||
|
||||
You may charge a fee for the physical act of transferring a copy, and
|
||||
you may at your option offer warranty protection in exchange for a fee.
|
||||
|
||||
2. You may modify your copy or copies of the Program or any portion
|
||||
of it, thus forming a work based on the Program, and copy and
|
||||
distribute such modifications or work under the terms of Section 1
|
||||
above, provided that you also meet all of these conditions:
|
||||
|
||||
a) You must cause the modified files to carry prominent notices
|
||||
stating that you changed the files and the date of any change.
|
||||
|
||||
b) You must cause any work that you distribute or publish, that in
|
||||
whole or in part contains or is derived from the Program or any
|
||||
part thereof, to be licensed as a whole at no charge to all third
|
||||
parties under the terms of this License.
|
||||
|
||||
c) If the modified program normally reads commands interactively
|
||||
when run, you must cause it, when started running for such
|
||||
interactive use in the most ordinary way, to print or display an
|
||||
announcement including an appropriate copyright notice and a
|
||||
notice that there is no warranty (or else, saying that you provide
|
||||
a warranty) and that users may redistribute the program under
|
||||
these conditions, and telling the user how to view a copy of this
|
||||
License. (Exception: if the Program itself is interactive but
|
||||
does not normally print such an announcement, your work based on
|
||||
the Program is not required to print an announcement.)
|
||||
|
||||
These requirements apply to the modified work as a whole. If
|
||||
identifiable sections of that work are not derived from the Program,
|
||||
and can be reasonably considered independent and separate works in
|
||||
themselves, then this License, and its terms, do not apply to those
|
||||
sections when you distribute them as separate works. But when you
|
||||
distribute the same sections as part of a whole which is a work based
|
||||
on the Program, the distribution of the whole must be on the terms of
|
||||
this License, whose permissions for other licensees extend to the
|
||||
entire whole, and thus to each and every part regardless of who wrote it.
|
||||
|
||||
Thus, it is not the intent of this section to claim rights or contest
|
||||
your rights to work written entirely by you; rather, the intent is to
|
||||
exercise the right to control the distribution of derivative or
|
||||
collective works based on the Program.
|
||||
|
||||
In addition, mere aggregation of another work not based on the Program
|
||||
with the Program (or with a work based on the Program) on a volume of
|
||||
a storage or distribution medium does not bring the other work under
|
||||
the scope of this License.
|
||||
|
||||
3. You may copy and distribute the Program (or a work based on it,
|
||||
under Section 2) in object code or executable form under the terms of
|
||||
Sections 1 and 2 above provided that you also do one of the following:
|
||||
|
||||
a) Accompany it with the complete corresponding machine-readable
|
||||
source code, which must be distributed under the terms of Sections
|
||||
1 and 2 above on a medium customarily used for software interchange; or,
|
||||
|
||||
b) Accompany it with a written offer, valid for at least three
|
||||
years, to give any third party, for a charge no more than your
|
||||
cost of physically performing source distribution, a complete
|
||||
machine-readable copy of the corresponding source code, to be
|
||||
distributed under the terms of Sections 1 and 2 above on a medium
|
||||
customarily used for software interchange; or,
|
||||
|
||||
c) Accompany it with the information you received as to the offer
|
||||
to distribute corresponding source code. (This alternative is
|
||||
allowed only for noncommercial distribution and only if you
|
||||
received the program in object code or executable form with such
|
||||
an offer, in accord with Subsection b above.)
|
||||
|
||||
The source code for a work means the preferred form of the work for
|
||||
making modifications to it. For an executable work, complete source
|
||||
code means all the source code for all modules it contains, plus any
|
||||
associated interface definition files, plus the scripts used to
|
||||
control compilation and installation of the executable. However, as a
|
||||
special exception, the source code distributed need not include
|
||||
anything that is normally distributed (in either source or binary
|
||||
form) with the major components (compiler, kernel, and so on) of the
|
||||
operating system on which the executable runs, unless that component
|
||||
itself accompanies the executable.
|
||||
|
||||
If distribution of executable or object code is made by offering
|
||||
access to copy from a designated place, then offering equivalent
|
||||
access to copy the source code from the same place counts as
|
||||
distribution of the source code, even though third parties are not
|
||||
compelled to copy the source along with the object code.
|
||||
|
||||
4. You may not copy, modify, sublicense, or distribute the Program
|
||||
except as expressly provided under this License. Any attempt
|
||||
otherwise to copy, modify, sublicense or distribute the Program is
|
||||
void, and will automatically terminate your rights under this License.
|
||||
However, parties who have received copies, or rights, from you under
|
||||
this License will not have their licenses terminated so long as such
|
||||
parties remain in full compliance.
|
||||
|
||||
5. You are not required to accept this License, since you have not
|
||||
signed it. However, nothing else grants you permission to modify or
|
||||
distribute the Program or its derivative works. These actions are
|
||||
prohibited by law if you do not accept this License. Therefore, by
|
||||
modifying or distributing the Program (or any work based on the
|
||||
Program), you indicate your acceptance of this License to do so, and
|
||||
all its terms and conditions for copying, distributing or modifying
|
||||
the Program or works based on it.
|
||||
|
||||
6. Each time you redistribute the Program (or any work based on the
|
||||
Program), the recipient automatically receives a license from the
|
||||
original licensor to copy, distribute or modify the Program subject to
|
||||
these terms and conditions. You may not impose any further
|
||||
restrictions on the recipients' exercise of the rights granted herein.
|
||||
You are not responsible for enforcing compliance by third parties to
|
||||
this License.
|
||||
|
||||
7. If, as a consequence of a court judgment or allegation of patent
|
||||
infringement or for any other reason (not limited to patent issues),
|
||||
conditions are imposed on you (whether by court order, agreement or
|
||||
otherwise) that contradict the conditions of this License, they do not
|
||||
excuse you from the conditions of this License. If you cannot
|
||||
distribute so as to satisfy simultaneously your obligations under this
|
||||
License and any other pertinent obligations, then as a consequence you
|
||||
may not distribute the Program at all. For example, if a patent
|
||||
license would not permit royalty-free redistribution of the Program by
|
||||
all those who receive copies directly or indirectly through you, then
|
||||
the only way you could satisfy both it and this License would be to
|
||||
refrain entirely from distribution of the Program.
|
||||
|
||||
If any portion of this section is held invalid or unenforceable under
|
||||
any particular circumstance, the balance of the section is intended to
|
||||
apply and the section as a whole is intended to apply in other
|
||||
circumstances.
|
||||
|
||||
It is not the purpose of this section to induce you to infringe any
|
||||
patents or other property right claims or to contest validity of any
|
||||
such claims; this section has the sole purpose of protecting the
|
||||
integrity of the free software distribution system, which is
|
||||
implemented by public license practices. Many people have made
|
||||
generous contributions to the wide range of software distributed
|
||||
through that system in reliance on consistent application of that
|
||||
system; it is up to the author/donor to decide if he or she is willing
|
||||
to distribute software through any other system and a licensee cannot
|
||||
impose that choice.
|
||||
|
||||
This section is intended to make thoroughly clear what is believed to
|
||||
be a consequence of the rest of this License.
|
||||
|
||||
8. If the distribution and/or use of the Program is restricted in
|
||||
certain countries either by patents or by copyrighted interfaces, the
|
||||
original copyright holder who places the Program under this License
|
||||
may add an explicit geographical distribution limitation excluding
|
||||
those countries, so that distribution is permitted only in or among
|
||||
countries not thus excluded. In such case, this License incorporates
|
||||
the limitation as if written in the body of this License.
|
||||
|
||||
9. The Free Software Foundation may publish revised and/or new versions
|
||||
of the General Public License from time to time. Such new versions will
|
||||
be similar in spirit to the present version, but may differ in detail to
|
||||
address new problems or concerns.
|
||||
|
||||
Each version is given a distinguishing version number. If the Program
|
||||
specifies a version number of this License which applies to it and "any
|
||||
later version", you have the option of following the terms and conditions
|
||||
either of that version or of any later version published by the Free
|
||||
Software Foundation. If the Program does not specify a version number of
|
||||
this License, you may choose any version ever published by the Free Software
|
||||
Foundation.
|
||||
|
||||
10. If you wish to incorporate parts of the Program into other free
|
||||
programs whose distribution conditions are different, write to the author
|
||||
to ask for permission. For software which is copyrighted by the Free
|
||||
Software Foundation, write to the Free Software Foundation; we sometimes
|
||||
make exceptions for this. Our decision will be guided by the two goals
|
||||
of preserving the free status of all derivatives of our free software and
|
||||
of promoting the sharing and reuse of software generally.
|
||||
|
||||
NO WARRANTY
|
||||
|
||||
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
||||
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
||||
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
||||
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
||||
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
||||
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
||||
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
||||
REPAIR OR CORRECTION.
|
||||
|
||||
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
||||
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
||||
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
||||
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
||||
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
||||
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
||||
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
||||
POSSIBILITY OF SUCH DAMAGES.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
How to Apply These Terms to Your New Programs
|
||||
|
||||
If you develop a new program, and you want it to be of the greatest
|
||||
possible use to the public, the best way to achieve this is to make it
|
||||
free software which everyone can redistribute and change under these terms.
|
||||
|
||||
To do so, attach the following notices to the program. It is safest
|
||||
to attach them to the start of each source file to most effectively
|
||||
convey the exclusion of warranty; and each file should have at least
|
||||
the "copyright" line and a pointer to where the full notice is found.
|
||||
|
||||
<one line to give the program's name and a brief idea of what it does.>
|
||||
Copyright (C) <year> <name of author>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License along
|
||||
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
|
||||
Also add information on how to contact you by electronic and paper mail.
|
||||
|
||||
If the program is interactive, make it output a short notice like this
|
||||
when it starts in an interactive mode:
|
||||
|
||||
Gnomovision version 69, Copyright (C) year name of author
|
||||
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
||||
This is free software, and you are welcome to redistribute it
|
||||
under certain conditions; type `show c' for details.
|
||||
|
||||
The hypothetical commands `show w' and `show c' should show the appropriate
|
||||
parts of the General Public License. Of course, the commands you use may
|
||||
be called something other than `show w' and `show c'; they could even be
|
||||
mouse-clicks or menu items--whatever suits your program.
|
||||
|
||||
You should also get your employer (if you work as a programmer) or your
|
||||
school, if any, to sign a "copyright disclaimer" for the program, if
|
||||
necessary. Here is a sample; alter the names:
|
||||
|
||||
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
|
||||
`Gnomovision' (which makes passes at compilers) written by James Hacker.
|
||||
|
||||
<signature of Ty Coon>, 1 April 1989
|
||||
Ty Coon, President of Vice
|
||||
|
||||
This General Public License does not permit incorporating your program into
|
||||
proprietary programs. If your program is a subroutine library, you may
|
||||
consider it more useful to permit linking proprietary applications with the
|
||||
library. If this is what you want to do, use the GNU Lesser General
|
||||
Public License instead of this License.
|
@ -0,0 +1,5 @@
|
||||
#%PAM-1.0
|
||||
auth required pam_deny.so
|
||||
account required pam_deny.so
|
||||
password required pam_deny.so
|
||||
session required pam_deny.so
|
@ -0,0 +1,26 @@
|
||||
diff -up Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod Linux-PAM-1.1.0/modules/pam_console/console.handlers
|
||||
--- Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod 2008-12-16 13:37:52.000000000 +0100
|
||||
+++ Linux-PAM-1.1.0/modules/pam_console/console.handlers 2009-09-01 17:20:08.000000000 +0200
|
||||
@@ -15,5 +15,3 @@
|
||||
# touch unlock wait /var/run/console-unlocked
|
||||
|
||||
console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+
|
||||
-/sbin/pam_console_apply lock logfail wait -t tty -s
|
||||
-/sbin/pam_console_apply unlock logfail wait -r -t tty -s
|
||||
diff -up Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod Linux-PAM-1.1.0/modules/pam_console/Makefile.am
|
||||
--- Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod 2008-12-16 13:37:52.000000000 +0100
|
||||
+++ Linux-PAM-1.1.0/modules/pam_console/Makefile.am 2009-09-01 17:42:47.000000000 +0200
|
||||
@@ -38,7 +38,6 @@ sbin_PROGRAMS = pam_console_apply
|
||||
|
||||
|
||||
secureconf_DATA = console.perms console.handlers
|
||||
-permsd_DATA = 50-default.perms
|
||||
|
||||
FLEX_OPTS = -Cr
|
||||
BISON_OPTS = -d
|
||||
@@ -62,4 +61,5 @@ configfile.c: configfile.tab.c configfil
|
||||
|
||||
install-data-local:
|
||||
mkdir -p $(DESTDIR)$(secureconfdir)/console.apps
|
||||
+ mkdir -p $(DESTDIR)$(permsddir)
|
||||
mkdir -m $(LOCKMODE) -p -p $(DESTDIR)$(LOCKDIR)
|
@ -0,0 +1,12 @@
|
||||
diff -up Linux-PAM-1.1.0/modules/Makefile.am.notally Linux-PAM-1.1.0/modules/Makefile.am
|
||||
--- Linux-PAM-1.1.0/modules/Makefile.am.notally 2009-07-27 17:39:25.000000000 +0200
|
||||
+++ Linux-PAM-1.1.0/modules/Makefile.am 2009-09-01 17:40:16.000000000 +0200
|
||||
@@ -10,7 +10,7 @@ SUBDIRS = pam_access pam_cracklib pam_de
|
||||
pam_mkhomedir pam_motd pam_namespace pam_nologin \
|
||||
pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \
|
||||
pam_selinux pam_sepermit pam_shells pam_stress \
|
||||
- pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \
|
||||
+ pam_succeed_if pam_time pam_timestamp \
|
||||
pam_tty_audit pam_umask \
|
||||
pam_unix pam_userdb pam_warn pam_wheel pam_xauth
|
||||
|
@ -0,0 +1,12 @@
|
||||
diff -up Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c
|
||||
--- Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg 2008-12-16 13:37:52.000000000 +0100
|
||||
+++ Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c 2014-06-19 13:23:28.948343737 +0200
|
||||
@@ -65,7 +65,7 @@ parse_files(void)
|
||||
on system locale */
|
||||
oldlocale = setlocale(LC_COLLATE, "C");
|
||||
|
||||
- rc = glob(PERMS_GLOB, GLOB_NOCHECK, NULL, &globbuf);
|
||||
+ rc = glob(PERMS_GLOB, 0, NULL, &globbuf);
|
||||
setlocale(LC_COLLATE, oldlocale);
|
||||
if (rc)
|
||||
return;
|
@ -0,0 +1,27 @@
|
||||
diff -up pam/modules/pam_env/pam_env.c.nouserenv pam/modules/pam_env/pam_env.c
|
||||
--- pam/modules/pam_env/pam_env.c.nouserenv 2010-10-20 09:59:30.000000000 +0200
|
||||
+++ pam/modules/pam_env/pam_env.c 2010-11-01 14:42:01.000000000 +0100
|
||||
@@ -10,7 +10,7 @@
|
||||
#define DEFAULT_READ_ENVFILE 1
|
||||
|
||||
#define DEFAULT_USER_ENVFILE ".pam_environment"
|
||||
-#define DEFAULT_USER_READ_ENVFILE 1
|
||||
+#define DEFAULT_USER_READ_ENVFILE 0
|
||||
|
||||
#include "config.h"
|
||||
|
||||
diff -up pam/modules/pam_env/pam_env.8.xml.nouserenv pam/modules/pam_env/pam_env.8.xml
|
||||
--- pam/modules/pam_env/pam_env.8.xml.nouserenv 2010-10-20 09:59:30.000000000 +0200
|
||||
+++ pam/modules/pam_env/pam_env.8.xml 2010-11-01 14:42:01.000000000 +0100
|
||||
@@ -147,7 +147,10 @@
|
||||
<listitem>
|
||||
<para>
|
||||
Turns on or off the reading of the user specific environment
|
||||
- file. 0 is off, 1 is on. By default this option is on.
|
||||
+ file. 0 is off, 1 is on. By default this option is off as user
|
||||
+ supplied environment variables in the PAM environment could affect
|
||||
+ behavior of subsequent modules in the stack without the consent
|
||||
+ of the system administrator.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
@ -0,0 +1,20 @@
|
||||
diff -up Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits Linux-PAM-1.1.6/modules/pam_limits/limits.conf
|
||||
--- Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits 2012-08-15 13:08:43.000000000 +0200
|
||||
+++ Linux-PAM-1.1.6/modules/pam_limits/limits.conf 2013-03-14 16:43:37.615087671 +0100
|
||||
@@ -1,5 +1,16 @@
|
||||
# /etc/security/limits.conf
|
||||
#
|
||||
+#This file sets the resource limits for the users logged in via PAM.
|
||||
+#It does not affect resource limits of the system services.
|
||||
+#
|
||||
+#Also note that configuration files in /etc/security/limits.d directory,
|
||||
+#which are read in alphabetical order, override the settings in this
|
||||
+#file in case the domain is the same or more specific.
|
||||
+#That means for example that setting a limit for wildcard domain here
|
||||
+#can be overriden with a wildcard setting in a config file in the
|
||||
+#subdirectory, but a user specific setting here can be overriden only
|
||||
+#with a user specific setting in the subdirectory.
|
||||
+#
|
||||
#Each line describes a limit for a user in the form:
|
||||
#
|
||||
#<domain> <type> <item> <value>
|
@ -0,0 +1,31 @@
|
||||
diff -up Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c
|
||||
--- Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt 2013-06-18 16:11:21.000000000 +0200
|
||||
+++ Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c 2014-10-17 12:09:12.965490940 +0200
|
||||
@@ -997,9 +997,9 @@ main( int argc UNUSED, char **argv )
|
||||
#ifdef HAVE_LIBAUDIT
|
||||
char buf[64];
|
||||
int audit_fd = audit_open();
|
||||
- snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
|
||||
- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
|
||||
- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
|
||||
+ snprintf(buf, sizeof(buf), "pam_tally2 reset=%hu", cline_reset);
|
||||
+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
|
||||
+ buf, NULL, uid, NULL, NULL, ttyname(STDIN_FILENO), 1);
|
||||
if (audit_fd >=0)
|
||||
close(audit_fd);
|
||||
#endif
|
||||
@@ -1040,11 +1040,10 @@ main( int argc UNUSED, char **argv )
|
||||
}
|
||||
else if ( !cline_reset ) {
|
||||
#ifdef HAVE_LIBAUDIT
|
||||
- char buf[64];
|
||||
int audit_fd = audit_open();
|
||||
- snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
|
||||
- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
|
||||
- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
|
||||
+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
|
||||
+ "pam_tally2-reset-all-accts reset=0", "*", -1,
|
||||
+ NULL, NULL, ttyname(STDIN_FILENO), 1);
|
||||
if (audit_fd >=0)
|
||||
close(audit_fd);
|
||||
#endif
|
@ -0,0 +1,88 @@
|
||||
diff -up Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_console/Makefile.am
|
||||
--- Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro 2014-08-13 16:02:49.000000000 +0200
|
||||
+++ Linux-PAM-1.1.8/modules/pam_console/Makefile.am 2014-09-10 17:14:33.245554314 +0200
|
||||
@@ -33,6 +33,8 @@ pam_console_la_LIBADD = -L$(top_builddir
|
||||
|
||||
pam_console_apply_LDADD = -L$(top_builddir)/libpam -lpam
|
||||
|
||||
+pam_console_apply_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
+
|
||||
securelib_LTLIBRARIES = pam_console.la
|
||||
sbin_PROGRAMS = pam_console_apply
|
||||
|
||||
@@ -47,7 +49,7 @@ pam_console_apply_SOURCES = pam_console_
|
||||
configfile.c configfile.h hashtable.c hashtable.h hashtable_private.h
|
||||
|
||||
pam_console_la_CFLAGS = $(AM_CFLAGS)
|
||||
-pam_console_apply_CFLAGS = $(AM_CFLAGS)
|
||||
+pam_console_apply_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
|
||||
|
||||
configfile.tab.c: configfile.y
|
||||
$(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $<
|
||||
diff -up Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am
|
||||
--- Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro 2014-09-10 17:17:20.273401344 +0200
|
||||
+++ Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am 2014-09-10 17:17:07.857115369 +0200
|
||||
@@ -9,7 +9,7 @@ securelibfilterdir = $(SECUREDIR)/pam_fi
|
||||
|
||||
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
|
||||
-I$(srcdir)/.. @PIE_CFLAGS@
|
||||
-AM_LDFLAGS = @PIE_LDFLAGS@
|
||||
+AM_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
LDADD = $(top_builddir)/libpam/libpam.la
|
||||
|
||||
securelibfilter_PROGRAMS = upperLOWER
|
||||
diff -up Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am
|
||||
--- Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
|
||||
+++ Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am 2014-09-10 17:18:42.922304935 +0200
|
||||
@@ -30,6 +30,8 @@ endif
|
||||
|
||||
sbin_PROGRAMS = mkhomedir_helper
|
||||
mkhomedir_helper_SOURCES = mkhomedir_helper.c
|
||||
+mkhomedir_helper_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
|
||||
+mkhomedir_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
mkhomedir_helper_LDADD = $(top_builddir)/libpam/libpam.la
|
||||
|
||||
if ENABLE_REGENERATE_MAN
|
||||
diff -up Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am
|
||||
--- Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
|
||||
+++ Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am 2014-09-10 17:22:04.339944040 +0200
|
||||
@@ -26,6 +26,8 @@ if HAVE_VERSIONING
|
||||
pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
||||
endif
|
||||
|
||||
+pam_tally2_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
|
||||
+pam_tally2_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
pam_tally2_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT)
|
||||
|
||||
securelib_LTLIBRARIES = pam_tally2.la
|
||||
diff -up Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am
|
||||
--- Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
|
||||
+++ Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am 2014-08-13 16:02:49.906688139 +0200
|
||||
@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
|
||||
pam_timestamp_check_SOURCES = pam_timestamp_check.c
|
||||
pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
|
||||
pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
|
||||
-pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
|
||||
+pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
|
||||
hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
|
||||
hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
|
||||
diff -up Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_unix/Makefile.am
|
||||
--- Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
|
||||
+++ Linux-PAM-1.1.8/modules/pam_unix/Makefile.am 2014-08-13 16:02:49.906688139 +0200
|
||||
@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@
|
||||
unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
|
||||
passverify.c
|
||||
unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
|
||||
-unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
|
||||
+unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
|
||||
|
||||
unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
|
||||
passverify.c
|
||||
unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
|
||||
-unix_update_LDFLAGS = @PIE_LDFLAGS@
|
||||
+unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
|
||||
|
||||
if ENABLE_REGENERATE_MAN
|
@ -0,0 +1,23 @@
|
||||
diff -up Linux-PAM-1.2.0/configure.ac.redhat-modules Linux-PAM-1.2.0/configure.ac
|
||||
--- Linux-PAM-1.2.0/configure.ac.redhat-modules 2015-03-25 16:50:10.000000000 +0100
|
||||
+++ Linux-PAM-1.2.0/configure.ac 2015-05-15 15:46:50.996074677 +0200
|
||||
@@ -616,6 +616,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
|
||||
libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
|
||||
po/Makefile.in \
|
||||
modules/Makefile \
|
||||
+ modules/pam_chroot/Makefile modules/pam_console/Makefile \
|
||||
+ modules/pam_postgresok/Makefile \
|
||||
modules/pam_access/Makefile modules/pam_cracklib/Makefile \
|
||||
modules/pam_debug/Makefile modules/pam_deny/Makefile \
|
||||
modules/pam_echo/Makefile modules/pam_env/Makefile \
|
||||
diff -up Linux-PAM-1.2.0/modules/Makefile.am.redhat-modules Linux-PAM-1.2.0/modules/Makefile.am
|
||||
--- Linux-PAM-1.2.0/modules/Makefile.am.redhat-modules 2015-03-24 13:02:32.000000000 +0100
|
||||
+++ Linux-PAM-1.2.0/modules/Makefile.am 2015-05-15 15:46:50.995074654 +0200
|
||||
@@ -3,6 +3,7 @@
|
||||
#
|
||||
|
||||
SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
|
||||
+ pam_chroot pam_console pam_postgresok \
|
||||
pam_env pam_exec pam_faildelay pam_filter pam_ftp \
|
||||
pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
|
||||
pam_listfile pam_localuser pam_loginuid pam_mail \
|
@ -0,0 +1,73 @@
|
||||
diff -up Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml
|
||||
--- Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback 2015-04-27 16:38:03.000000000 +0200
|
||||
+++ Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml 2015-05-15 15:54:21.524440864 +0200
|
||||
@@ -284,11 +284,10 @@
|
||||
<listitem>
|
||||
<para>
|
||||
When a user changes their password next,
|
||||
- encrypt it with the SHA256 algorithm. If the
|
||||
- SHA256 algorithm is not known to the <citerefentry>
|
||||
+ encrypt it with the SHA256 algorithm. The
|
||||
+ SHA256 algorithm must be supported by the <citerefentry>
|
||||
<refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
|
||||
- </citerefentry> function,
|
||||
- fall back to MD5.
|
||||
+ </citerefentry> function.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -299,11 +298,10 @@
|
||||
<listitem>
|
||||
<para>
|
||||
When a user changes their password next,
|
||||
- encrypt it with the SHA512 algorithm. If the
|
||||
- SHA512 algorithm is not known to the <citerefentry>
|
||||
+ encrypt it with the SHA512 algorithm. The
|
||||
+ SHA512 algorithm must be supported by the <citerefentry>
|
||||
<refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
|
||||
- </citerefentry> function,
|
||||
- fall back to MD5.
|
||||
+ </citerefentry> function.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -314,11 +312,10 @@
|
||||
<listitem>
|
||||
<para>
|
||||
When a user changes their password next,
|
||||
- encrypt it with the blowfish algorithm. If the
|
||||
- blowfish algorithm is not known to the <citerefentry>
|
||||
+ encrypt it with the blowfish algorithm. The
|
||||
+ blowfish algorithm must be supported by the <citerefentry>
|
||||
<refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
|
||||
- </citerefentry> function,
|
||||
- fall back to MD5.
|
||||
+ </citerefentry> function.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
diff -up Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback Linux-PAM-1.2.0/modules/pam_unix/passverify.c
|
||||
--- Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback 2015-05-15 15:54:21.525440887 +0200
|
||||
+++ Linux-PAM-1.2.0/modules/pam_unix/passverify.c 2015-05-15 15:57:23.138613273 +0200
|
||||
@@ -437,10 +437,9 @@ PAMH_ARG_DECL(char * create_password_has
|
||||
sp = crypt(password, salt);
|
||||
#endif
|
||||
if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) {
|
||||
- /* libxcrypt/libc doesn't know the algorithm, use MD5 */
|
||||
+ /* libxcrypt/libc doesn't know the algorithm, error out */
|
||||
pam_syslog(pamh, LOG_ERR,
|
||||
- "Algo %s not supported by the crypto backend, "
|
||||
- "falling back to MD5\n",
|
||||
+ "Algo %s not supported by the crypto backend.\n",
|
||||
on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
|
||||
on(UNIX_SHA256_PASS, ctrl) ? "sha256" :
|
||||
on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid);
|
||||
@@ -450,7 +449,7 @@ PAMH_ARG_DECL(char * create_password_has
|
||||
#ifdef HAVE_CRYPT_R
|
||||
free(cdata);
|
||||
#endif
|
||||
- return crypt_md5_wrapper(password);
|
||||
+ return NULL;
|
||||
}
|
||||
sp = x_strdup(sp);
|
||||
#ifdef HAVE_CRYPT_R
|
@ -0,0 +1,9 @@
|
||||
diff -up Linux-PAM-1.2.1/modules/pam_console/console.handlers.devname Linux-PAM-1.2.1/modules/pam_console/console.handlers
|
||||
--- Linux-PAM-1.2.1/modules/pam_console/console.handlers.devname 2015-10-16 14:15:48.000000000 +0200
|
||||
+++ Linux-PAM-1.2.1/modules/pam_console/console.handlers 2016-02-05 17:47:26.056787517 +0100
|
||||
@@ -14,4 +14,4 @@
|
||||
# echo lock wait Locking console for user on tty
|
||||
# touch unlock wait /var/run/console-unlocked
|
||||
|
||||
-console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+
|
||||
+console consoledevs /dev/tty[0-9][0-9]* tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+
|
@ -0,0 +1,133 @@
|
||||
diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c
|
||||
--- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group 2016-04-04 16:37:38.696260359 +0200
|
||||
+++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c 2017-08-21 16:40:01.624706864 +0200
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
||||
+ * Copyright (c) 2010, 2017 Tomas Mraz <tmraz@redhat.com>
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@@ -78,9 +78,11 @@ struct options {
|
||||
unsigned int root_unlock_time;
|
||||
const char *dir;
|
||||
const char *user;
|
||||
+ const char *admin_group;
|
||||
int failures;
|
||||
uint64_t latest_time;
|
||||
uid_t uid;
|
||||
+ int is_admin;
|
||||
uint64_t now;
|
||||
};
|
||||
|
||||
@@ -152,6 +154,9 @@ args_parse(pam_handle_t *pamh, int argc,
|
||||
opts->root_unlock_time = temp;
|
||||
}
|
||||
}
|
||||
+ else if (strncmp(argv[i], "admin_group=", 12) == 0) {
|
||||
+ opts->admin_group = argv[i] + 12;
|
||||
+ }
|
||||
else if (strcmp(argv[i], "preauth") == 0) {
|
||||
opts->action = FAILLOCK_ACTION_PREAUTH;
|
||||
}
|
||||
@@ -209,6 +214,17 @@ static int get_pam_user(pam_handle_t *pa
|
||||
}
|
||||
opts->user = user;
|
||||
opts->uid = pwd->pw_uid;
|
||||
+
|
||||
+ if (pwd->pw_uid == 0) {
|
||||
+ opts->is_admin = 1;
|
||||
+ return PAM_SUCCESS;
|
||||
+ }
|
||||
+
|
||||
+ if (opts->admin_group && *opts->admin_group) {
|
||||
+ opts->is_admin = pam_modutil_user_in_group_uid_nam(pamh,
|
||||
+ pwd->pw_uid, opts->admin_group);
|
||||
+ }
|
||||
+
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
@@ -239,7 +255,7 @@ check_tally(pam_handle_t *pamh, struct o
|
||||
return PAM_SYSTEM_ERR;
|
||||
}
|
||||
|
||||
- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
||||
+ if (opts->is_admin && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
@@ -262,13 +278,9 @@ check_tally(pam_handle_t *pamh, struct o
|
||||
|
||||
opts->failures = failures;
|
||||
|
||||
- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
||||
- return PAM_SUCCESS;
|
||||
- }
|
||||
-
|
||||
if (opts->deny && failures >= opts->deny) {
|
||||
- if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
|
||||
- (!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
|
||||
+ if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
|
||||
+ (opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
|
||||
#ifdef HAVE_LIBAUDIT
|
||||
if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
|
||||
char buf[64];
|
||||
@@ -401,7 +413,7 @@ write_tally(pam_handle_t *pamh, struct o
|
||||
audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
|
||||
NULL, NULL, NULL, 1);
|
||||
|
||||
- if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
||||
+ if (!opts->is_admin || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
||||
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
|
||||
NULL, NULL, NULL, 1);
|
||||
}
|
||||
@@ -425,11 +437,11 @@ faillock_message(pam_handle_t *pamh, str
|
||||
int64_t left;
|
||||
|
||||
if (!(opts->flags & FAILLOCK_FLAG_SILENT)) {
|
||||
- if (opts->uid) {
|
||||
- left = opts->latest_time + opts->unlock_time - opts->now;
|
||||
+ if (opts->is_admin) {
|
||||
+ left = opts->latest_time + opts->root_unlock_time - opts->now;
|
||||
}
|
||||
else {
|
||||
- left = opts->latest_time + opts->root_unlock_time - opts->now;
|
||||
+ left = opts->latest_time + opts->unlock_time - opts->now;
|
||||
}
|
||||
|
||||
if (left > 0) {
|
||||
diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml
|
||||
--- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group 2016-05-06 15:24:10.328281818 +0200
|
||||
+++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml 2017-08-21 16:16:09.448033843 +0200
|
||||
@@ -40,6 +40,9 @@
|
||||
root_unlock_time=<replaceable>n</replaceable>
|
||||
</arg>
|
||||
<arg choice="opt">
|
||||
+ admin_group=<replaceable>name</replaceable>
|
||||
+ </arg>
|
||||
+ <arg choice="opt">
|
||||
audit
|
||||
</arg>
|
||||
<arg choice="opt">
|
||||
@@ -243,6 +246,20 @@
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>admin_group=<replaceable>name</replaceable></option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ If a group name is specified with this option, members
|
||||
+ of the group will be handled by this module the same as
|
||||
+ the root account (the options <option>even_deny_root></option>
|
||||
+ and <option>root_unlock_time</option> will apply to them.
|
||||
+ By default the option is not set.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,806 @@
|
||||
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am
|
||||
--- Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am.pwhhelper 2016-03-24 12:45:42.000000000 +0100
|
||||
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am 2016-05-06 15:18:42.307637933 +0200
|
||||
@@ -1,5 +1,6 @@
|
||||
#
|
||||
# Copyright (c) 2008, 2009 Thorsten Kukuk <kukuk@suse.de>
|
||||
+# Copyright (c) 2013 Red Hat, Inc.
|
||||
#
|
||||
|
||||
CLEANFILES = *~
|
||||
@@ -9,25 +10,34 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-
|
||||
|
||||
TESTS = tst-pam_pwhistory
|
||||
|
||||
-man_MANS = pam_pwhistory.8
|
||||
+man_MANS = pam_pwhistory.8 pwhistory_helper.8
|
||||
|
||||
-XMLS = README.xml pam_pwhistory.8.xml
|
||||
+XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml
|
||||
|
||||
securelibdir = $(SECUREDIR)
|
||||
secureconfdir = $(SCONFIGDIR)
|
||||
|
||||
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
|
||||
-AM_LDFLAGS = -no-undefined -avoid-version -module
|
||||
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
|
||||
+ -DPWHISTORY_HELPER=\"$(sbindir)/pwhistory_helper\"
|
||||
+
|
||||
+pam_pwhistory_la_LDFLAGS = -no-undefined -avoid-version -module
|
||||
if HAVE_VERSIONING
|
||||
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
||||
+ pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
||||
endif
|
||||
|
||||
noinst_HEADERS = opasswd.h
|
||||
|
||||
securelib_LTLIBRARIES = pam_pwhistory.la
|
||||
-pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
|
||||
+pam_pwhistory_la_CFLAGS = $(AM_CFLAGS)
|
||||
+pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@
|
||||
pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c
|
||||
|
||||
+sbin_PROGRAMS = pwhistory_helper
|
||||
+pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @PIE_CFLAGS@
|
||||
+pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c
|
||||
+pwhistory_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
+pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
|
||||
+
|
||||
if ENABLE_REGENERATE_MAN
|
||||
noinst_DATA = README
|
||||
README: pam_pwhistory.8.xml
|
||||
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c
|
||||
--- Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c.pwhhelper 2016-03-24 12:45:42.000000000 +0100
|
||||
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c 2016-05-06 15:18:42.307637933 +0200
|
||||
@@ -1,5 +1,6 @@
|
||||
/*
|
||||
* Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
|
||||
+ * Copyright (c) 2013 Red Hat, Inc.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@@ -38,6 +39,7 @@
|
||||
#endif
|
||||
|
||||
#include <pwd.h>
|
||||
+#include <shadow.h>
|
||||
#include <time.h>
|
||||
#include <ctype.h>
|
||||
#include <errno.h>
|
||||
@@ -47,6 +49,7 @@
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <syslog.h>
|
||||
+#include <stdarg.h>
|
||||
#include <sys/stat.h>
|
||||
|
||||
#if defined (HAVE_XCRYPT_H)
|
||||
@@ -55,7 +58,14 @@
|
||||
#include <crypt.h>
|
||||
#endif
|
||||
|
||||
+#ifdef HELPER_COMPILE
|
||||
+#define pam_modutil_getpwnam(h,n) getpwnam(n)
|
||||
+#define pam_modutil_getspnam(h,n) getspnam(n)
|
||||
+#define pam_syslog(h,a,...) helper_log_err(a,__VA_ARGS__)
|
||||
+#else
|
||||
+#include <security/pam_modutil.h>
|
||||
#include <security/pam_ext.h>
|
||||
+#endif
|
||||
#include <security/pam_modules.h>
|
||||
|
||||
#include "opasswd.h"
|
||||
@@ -76,6 +86,19 @@ typedef struct {
|
||||
char *old_passwords;
|
||||
} opwd;
|
||||
|
||||
+#ifdef HELPER_COMPILE
|
||||
+void
|
||||
+helper_log_err(int err, const char *format, ...)
|
||||
+{
|
||||
+ va_list args;
|
||||
+
|
||||
+ va_start(args, format);
|
||||
+ openlog(HELPER_COMPILE, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
|
||||
+ vsyslog(err, format, args);
|
||||
+ va_end(args);
|
||||
+ closelog();
|
||||
+}
|
||||
+#endif
|
||||
|
||||
static int
|
||||
parse_entry (char *line, opwd *data)
|
||||
@@ -117,8 +140,8 @@ compare_password(const char *newpass, co
|
||||
}
|
||||
|
||||
/* Check, if the new password is already in the opasswd file. */
|
||||
-int
|
||||
-check_old_pass (pam_handle_t *pamh, const char *user,
|
||||
+PAMH_ARG_DECL(int
|
||||
+check_old_pass, const char *user,
|
||||
const char *newpass, int debug)
|
||||
{
|
||||
int retval = PAM_SUCCESS;
|
||||
@@ -128,6 +151,11 @@ check_old_pass (pam_handle_t *pamh, cons
|
||||
opwd entry;
|
||||
int found = 0;
|
||||
|
||||
+#ifndef HELPER_COMPILE
|
||||
+ if (SELINUX_ENABLED)
|
||||
+ return PAM_PWHISTORY_RUN_HELPER;
|
||||
+#endif
|
||||
+
|
||||
if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL)
|
||||
{
|
||||
if (errno != ENOENT)
|
||||
@@ -213,9 +241,9 @@ check_old_pass (pam_handle_t *pamh, cons
|
||||
return retval;
|
||||
}
|
||||
|
||||
-int
|
||||
-save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
|
||||
- const char *oldpass, int howmany, int debug UNUSED)
|
||||
+PAMH_ARG_DECL(int
|
||||
+save_old_pass, const char *user,
|
||||
+ int howmany, int debug UNUSED)
|
||||
{
|
||||
char opasswd_tmp[] = TMP_PASSWORDS_FILE;
|
||||
struct stat opasswd_stat;
|
||||
@@ -226,10 +254,35 @@ save_old_pass (pam_handle_t *pamh, const
|
||||
char *buf = NULL;
|
||||
size_t buflen = 0;
|
||||
int found = 0;
|
||||
+ struct passwd *pwd;
|
||||
+ const char *oldpass;
|
||||
+
|
||||
+ pwd = pam_modutil_getpwnam (pamh, user);
|
||||
+ if (pwd == NULL)
|
||||
+ return PAM_USER_UNKNOWN;
|
||||
|
||||
if (howmany <= 0)
|
||||
return PAM_SUCCESS;
|
||||
|
||||
+#ifndef HELPER_COMPILE
|
||||
+ if (SELINUX_ENABLED)
|
||||
+ return PAM_PWHISTORY_RUN_HELPER;
|
||||
+#endif
|
||||
+
|
||||
+ if ((strcmp(pwd->pw_passwd, "x") == 0) ||
|
||||
+ ((pwd->pw_passwd[0] == '#') &&
|
||||
+ (pwd->pw_passwd[1] == '#') &&
|
||||
+ (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0)))
|
||||
+ {
|
||||
+ struct spwd *spw = pam_modutil_getspnam (pamh, user);
|
||||
+
|
||||
+ if (spw == NULL)
|
||||
+ return PAM_USER_UNKNOWN;
|
||||
+ oldpass = spw->sp_pwdp;
|
||||
+ }
|
||||
+ else
|
||||
+ oldpass = pwd->pw_passwd;
|
||||
+
|
||||
if (oldpass == NULL || *oldpass == '\0')
|
||||
return PAM_SUCCESS;
|
||||
|
||||
@@ -452,7 +505,7 @@ save_old_pass (pam_handle_t *pamh, const
|
||||
{
|
||||
char *out;
|
||||
|
||||
- if (asprintf (&out, "%s:%d:1:%s\n", user, uid, oldpass) < 0)
|
||||
+ if (asprintf (&out, "%s:%d:1:%s\n", user, pwd->pw_uid, oldpass) < 0)
|
||||
{
|
||||
retval = PAM_AUTHTOK_ERR;
|
||||
if (oldpf)
|
||||
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h
|
||||
--- Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h.pwhhelper 2016-03-24 12:45:42.000000000 +0100
|
||||
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h 2016-05-06 15:18:42.307637933 +0200
|
||||
@@ -1,5 +1,6 @@
|
||||
/*
|
||||
* Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
|
||||
+ * Copyright (c) 2013 Red Hat, Inc.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@@ -36,10 +37,32 @@
|
||||
#ifndef __OPASSWD_H__
|
||||
#define __OPASSWD_H__
|
||||
|
||||
-extern int check_old_pass (pam_handle_t *pamh, const char *user,
|
||||
- const char *newpass, int debug);
|
||||
-extern int save_old_pass (pam_handle_t *pamh, const char *user,
|
||||
- uid_t uid, const char *oldpass,
|
||||
- int howmany, int debug);
|
||||
+#define PAM_PWHISTORY_RUN_HELPER PAM_CRED_INSUFFICIENT
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+#include <selinux/selinux.h>
|
||||
+#define SELINUX_ENABLED is_selinux_enabled()>0
|
||||
+#else
|
||||
+#define SELINUX_ENABLED 0
|
||||
+#endif
|
||||
+
|
||||
+#ifdef HELPER_COMPILE
|
||||
+#define PAMH_ARG_DECL(fname, ...) fname(__VA_ARGS__)
|
||||
+#define PAMH_ARG(...) __VA_ARGS__
|
||||
+#else
|
||||
+#define PAMH_ARG_DECL(fname, ...) fname(pam_handle_t *pamh, __VA_ARGS__)
|
||||
+#define PAMH_ARG(...) pamh, __VA_ARGS__
|
||||
+#endif
|
||||
+
|
||||
+#ifdef HELPER_COMPILE
|
||||
+void
|
||||
+helper_log_err(int err, const char *format, ...);
|
||||
+#endif
|
||||
+
|
||||
+PAMH_ARG_DECL(int
|
||||
+check_old_pass, const char *user, const char *newpass, int debug);
|
||||
+
|
||||
+PAMH_ARG_DECL(int
|
||||
+save_old_pass, const char *user, int howmany, int debug);
|
||||
|
||||
#endif /* __OPASSWD_H__ */
|
||||
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c
|
||||
--- Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper 2016-04-04 11:22:28.000000000 +0200
|
||||
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c 2016-05-06 15:19:31.610785512 +0200
|
||||
@@ -1,6 +1,7 @@
|
||||
/*
|
||||
* Copyright (c) 2008, 2012 Thorsten Kukuk
|
||||
* Author: Thorsten Kukuk <kukuk@thkukuk.de>
|
||||
+ * Copyright (c) 2013 Red Hat, Inc.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@@ -46,10 +47,14 @@
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
-#include <shadow.h>
|
||||
#include <syslog.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
+#include <sys/time.h>
|
||||
+#include <sys/resource.h>
|
||||
+#include <sys/wait.h>
|
||||
+#include <signal.h>
|
||||
+#include <fcntl.h>
|
||||
|
||||
#include <security/pam_modules.h>
|
||||
#include <security/pam_modutil.h>
|
||||
@@ -59,6 +64,7 @@
|
||||
#include "opasswd.h"
|
||||
|
||||
#define DEFAULT_BUFLEN 2048
|
||||
+#define MAX_FD_NO 20000
|
||||
|
||||
struct options_t {
|
||||
int debug;
|
||||
@@ -102,6 +108,184 @@ parse_option (pam_handle_t *pamh, const
|
||||
pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv);
|
||||
}
|
||||
|
||||
+static int
|
||||
+run_save_helper(pam_handle_t *pamh, const char *user,
|
||||
+ int howmany, int debug)
|
||||
+{
|
||||
+ int retval, child;
|
||||
+ struct sigaction newsa, oldsa;
|
||||
+
|
||||
+ memset(&newsa, '\0', sizeof(newsa));
|
||||
+ newsa.sa_handler = SIG_DFL;
|
||||
+ sigaction(SIGCHLD, &newsa, &oldsa);
|
||||
+
|
||||
+ child = fork();
|
||||
+ if (child == 0)
|
||||
+ {
|
||||
+ int i = 0;
|
||||
+ struct rlimit rlim;
|
||||
+ int dummyfds[2];
|
||||
+ static char *envp[] = { NULL };
|
||||
+ char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
|
||||
+
|
||||
+ /* replace std file descriptors with a dummy pipe */
|
||||
+ if (pipe2(dummyfds, O_NONBLOCK) == 0)
|
||||
+ {
|
||||
+ dup2(dummyfds[0], STDIN_FILENO);
|
||||
+ dup2(dummyfds[1], STDOUT_FILENO);
|
||||
+ dup2(dummyfds[1], STDERR_FILENO);
|
||||
+ }
|
||||
+
|
||||
+ if (getrlimit(RLIMIT_NOFILE,&rlim) == 0)
|
||||
+ {
|
||||
+ if (rlim.rlim_max >= MAX_FD_NO)
|
||||
+ rlim.rlim_max = MAX_FD_NO;
|
||||
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++)
|
||||
+ {
|
||||
+ if (i != dummyfds[0])
|
||||
+ close(i);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* exec binary helper */
|
||||
+ args[0] = strdup(PWHISTORY_HELPER);
|
||||
+ args[1] = strdup("save");
|
||||
+ args[2] = x_strdup(user);
|
||||
+ asprintf(&args[3], "%d", howmany);
|
||||
+ asprintf(&args[4], "%d", debug);
|
||||
+
|
||||
+ execve(args[0], args, envp);
|
||||
+
|
||||
+ _exit(PAM_SYSTEM_ERR);
|
||||
+ }
|
||||
+ else if (child > 0)
|
||||
+ {
|
||||
+ /* wait for child */
|
||||
+ int rc = 0;
|
||||
+ rc = waitpid(child, &retval, 0); /* wait for helper to complete */
|
||||
+ if (rc < 0)
|
||||
+ {
|
||||
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper save waitpid returned %d: %m", rc);
|
||||
+ retval = PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+ else if (!WIFEXITED(retval))
|
||||
+ {
|
||||
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper save abnormal exit: %d", retval);
|
||||
+ retval = PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ retval = WEXITSTATUS(retval);
|
||||
+ }
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ retval = PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+
|
||||
+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
|
||||
+
|
||||
+ return retval;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+run_check_helper(pam_handle_t *pamh, const char *user,
|
||||
+ const char *newpass, int debug)
|
||||
+{
|
||||
+ int retval, child, fds[2];
|
||||
+ struct sigaction newsa, oldsa;
|
||||
+
|
||||
+ /* create a pipe for the password */
|
||||
+ if (pipe(fds) != 0)
|
||||
+ return PAM_SYSTEM_ERR;
|
||||
+
|
||||
+ memset(&newsa, '\0', sizeof(newsa));
|
||||
+ newsa.sa_handler = SIG_DFL;
|
||||
+ sigaction(SIGCHLD, &newsa, &oldsa);
|
||||
+
|
||||
+ child = fork();
|
||||
+ if (child == 0)
|
||||
+ {
|
||||
+ int i = 0;
|
||||
+ struct rlimit rlim;
|
||||
+ int dummyfds[2];
|
||||
+ static char *envp[] = { NULL };
|
||||
+ char *args[] = { NULL, NULL, NULL, NULL, NULL };
|
||||
+
|
||||
+ /* reopen stdin as pipe */
|
||||
+ dup2(fds[0], STDIN_FILENO);
|
||||
+
|
||||
+ /* replace std file descriptors with a dummy pipe */
|
||||
+ if (pipe2(dummyfds, O_NONBLOCK) == 0)
|
||||
+ {
|
||||
+ dup2(dummyfds[1], STDOUT_FILENO);
|
||||
+ dup2(dummyfds[1], STDERR_FILENO);
|
||||
+ }
|
||||
+
|
||||
+ if (getrlimit(RLIMIT_NOFILE,&rlim) == 0)
|
||||
+ {
|
||||
+ if (rlim.rlim_max >= MAX_FD_NO)
|
||||
+ rlim.rlim_max = MAX_FD_NO;
|
||||
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++)
|
||||
+ {
|
||||
+ if (i != dummyfds[0])
|
||||
+ close(i);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* exec binary helper */
|
||||
+ args[0] = strdup(PWHISTORY_HELPER);
|
||||
+ args[1] = strdup("check");
|
||||
+ args[2] = x_strdup(user);
|
||||
+ asprintf(&args[3], "%d", debug);
|
||||
+
|
||||
+ execve(args[0], args, envp);
|
||||
+
|
||||
+ _exit(PAM_SYSTEM_ERR);
|
||||
+ }
|
||||
+ else if (child > 0)
|
||||
+ {
|
||||
+ /* wait for child */
|
||||
+ int rc = 0;
|
||||
+ if (newpass == NULL)
|
||||
+ newpass = "";
|
||||
+
|
||||
+ /* send the password to the child */
|
||||
+ if (write(fds[1], newpass, strlen(newpass)+1) == -1)
|
||||
+ {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Cannot send password to helper: %m");
|
||||
+ retval = PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+ newpass = NULL;
|
||||
+ close(fds[0]); /* close here to avoid possible SIGPIPE above */
|
||||
+ close(fds[1]);
|
||||
+ rc = waitpid(child, &retval, 0); /* wait for helper to complete */
|
||||
+ if (rc < 0)
|
||||
+ {
|
||||
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check waitpid returned %d: %m", rc);
|
||||
+ retval = PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+ else if (!WIFEXITED(retval))
|
||||
+ {
|
||||
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check abnormal exit: %d", retval);
|
||||
+ retval = PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ retval = WEXITSTATUS(retval);
|
||||
+ }
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ close(fds[0]);
|
||||
+ close(fds[1]);
|
||||
+ retval = PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+
|
||||
+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
|
||||
+
|
||||
+ return retval;
|
||||
+}
|
||||
|
||||
/* This module saves the current crypted password in /etc/security/opasswd
|
||||
and then compares the new password with all entries in this file. */
|
||||
@@ -109,7 +293,6 @@ parse_option (pam_handle_t *pamh, const
|
||||
int
|
||||
pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
{
|
||||
- struct passwd *pwd;
|
||||
const char *newpass;
|
||||
const char *user;
|
||||
int retval, tries;
|
||||
@@ -154,31 +337,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
- pwd = pam_modutil_getpwnam (pamh, user);
|
||||
- if (pwd == NULL)
|
||||
- return PAM_USER_UNKNOWN;
|
||||
-
|
||||
- if ((strcmp(pwd->pw_passwd, "x") == 0) ||
|
||||
- ((pwd->pw_passwd[0] == '#') &&
|
||||
- (pwd->pw_passwd[1] == '#') &&
|
||||
- (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0)))
|
||||
- {
|
||||
- struct spwd *spw = pam_modutil_getspnam (pamh, user);
|
||||
- if (spw == NULL)
|
||||
- return PAM_USER_UNKNOWN;
|
||||
+ retval = save_old_pass (pamh, user, options.remember, options.debug);
|
||||
|
||||
- retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp,
|
||||
- options.remember, options.debug);
|
||||
- if (retval != PAM_SUCCESS)
|
||||
- return retval;
|
||||
- }
|
||||
- else
|
||||
- {
|
||||
- retval = save_old_pass (pamh, user, pwd->pw_uid, pwd->pw_passwd,
|
||||
- options.remember, options.debug);
|
||||
- if (retval != PAM_SUCCESS)
|
||||
- return retval;
|
||||
- }
|
||||
+ if (retval == PAM_PWHISTORY_RUN_HELPER)
|
||||
+ retval = run_save_helper(pamh, user, options.remember, options.debug);
|
||||
+
|
||||
+ if (retval != PAM_SUCCESS)
|
||||
+ return retval;
|
||||
|
||||
newpass = NULL;
|
||||
tries = 0;
|
||||
@@ -207,8 +372,11 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
|
||||
if (options.debug)
|
||||
pam_syslog (pamh, LOG_DEBUG, "check against old password file");
|
||||
|
||||
- if (check_old_pass (pamh, user, newpass,
|
||||
- options.debug) != PAM_SUCCESS)
|
||||
+ retval = check_old_pass (pamh, user, newpass, options.debug);
|
||||
+ if (retval == PAM_PWHISTORY_RUN_HELPER)
|
||||
+ retval = run_check_helper(pamh, user, newpass, options.debug);
|
||||
+
|
||||
+ if (retval != PAM_SUCCESS)
|
||||
{
|
||||
if (getuid() || options.enforce_for_root ||
|
||||
(flags & PAM_CHANGE_EXPIRED_AUTHTOK))
|
||||
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c
|
||||
--- Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper 2016-05-06 15:18:42.308637957 +0200
|
||||
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c 2016-05-06 15:18:42.308637957 +0200
|
||||
@@ -0,0 +1,209 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2013 Red Hat, Inc.
|
||||
+ * Author: Tomas Mraz <tmraz@redhat.com>
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
||||
+ * necessary due to a potential bad interaction between the GPL and
|
||||
+ * the restrictions contained in a BSD-style copyright.)
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#include "config.h"
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <syslog.h>
|
||||
+#include <errno.h>
|
||||
+#include <unistd.h>
|
||||
+#include <signal.h>
|
||||
+#include <security/_pam_types.h>
|
||||
+#include <security/_pam_macros.h>
|
||||
+#include "opasswd.h"
|
||||
+
|
||||
+#define MAXPASS 200
|
||||
+
|
||||
+static void
|
||||
+su_sighandler(int sig)
|
||||
+{
|
||||
+#ifndef SA_RESETHAND
|
||||
+ /* emulate the behaviour of the SA_RESETHAND flag */
|
||||
+ if ( sig == SIGILL || sig == SIGTRAP || sig == SIGBUS || sig = SIGSERV ) {
|
||||
+ struct sigaction sa;
|
||||
+ memset(&sa, '\0', sizeof(sa));
|
||||
+ sa.sa_handler = SIG_DFL;
|
||||
+ sigaction(sig, &sa, NULL);
|
||||
+ }
|
||||
+#endif
|
||||
+ if (sig > 0) {
|
||||
+ _exit(sig);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+setup_signals(void)
|
||||
+{
|
||||
+ struct sigaction action; /* posix signal structure */
|
||||
+
|
||||
+ /*
|
||||
+ * Setup signal handlers
|
||||
+ */
|
||||
+ (void) memset((void *) &action, 0, sizeof(action));
|
||||
+ action.sa_handler = su_sighandler;
|
||||
+#ifdef SA_RESETHAND
|
||||
+ action.sa_flags = SA_RESETHAND;
|
||||
+#endif
|
||||
+ (void) sigaction(SIGILL, &action, NULL);
|
||||
+ (void) sigaction(SIGTRAP, &action, NULL);
|
||||
+ (void) sigaction(SIGBUS, &action, NULL);
|
||||
+ (void) sigaction(SIGSEGV, &action, NULL);
|
||||
+ action.sa_handler = SIG_IGN;
|
||||
+ action.sa_flags = 0;
|
||||
+ (void) sigaction(SIGTERM, &action, NULL);
|
||||
+ (void) sigaction(SIGHUP, &action, NULL);
|
||||
+ (void) sigaction(SIGINT, &action, NULL);
|
||||
+ (void) sigaction(SIGQUIT, &action, NULL);
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+read_passwords(int fd, int npass, char **passwords)
|
||||
+{
|
||||
+ int rbytes = 0;
|
||||
+ int offset = 0;
|
||||
+ int i = 0;
|
||||
+ char *pptr;
|
||||
+ while (npass > 0)
|
||||
+ {
|
||||
+ rbytes = read(fd, passwords[i]+offset, MAXPASS-offset);
|
||||
+
|
||||
+ if (rbytes < 0)
|
||||
+ {
|
||||
+ if (errno == EINTR) continue;
|
||||
+ break;
|
||||
+ }
|
||||
+ if (rbytes == 0)
|
||||
+ break;
|
||||
+
|
||||
+ while (npass > 0 && (pptr=memchr(passwords[i]+offset, '\0', rbytes))
|
||||
+ != NULL)
|
||||
+ {
|
||||
+ rbytes -= pptr - (passwords[i]+offset) + 1;
|
||||
+ i++;
|
||||
+ offset = 0;
|
||||
+ npass--;
|
||||
+ if (rbytes > 0)
|
||||
+ {
|
||||
+ if (npass > 0)
|
||||
+ memcpy(passwords[i], pptr+1, rbytes);
|
||||
+ memset(pptr+1, '\0', rbytes);
|
||||
+ }
|
||||
+ }
|
||||
+ offset += rbytes;
|
||||
+ }
|
||||
+
|
||||
+ /* clear up */
|
||||
+ if (offset > 0 && npass > 0)
|
||||
+ memset(passwords[i], '\0', offset);
|
||||
+
|
||||
+ return i;
|
||||
+}
|
||||
+
|
||||
+
|
||||
+static int
|
||||
+check_history(const char *user, const char *debug)
|
||||
+{
|
||||
+ char pass[MAXPASS + 1];
|
||||
+ char *passwords[] = { pass };
|
||||
+ int npass;
|
||||
+ int dbg = atoi(debug); /* no need to be too fancy here */
|
||||
+ int retval;
|
||||
+
|
||||
+ /* read the password from stdin (a pipe from the pam_pwhistory module) */
|
||||
+ npass = read_passwords(STDIN_FILENO, 1, passwords);
|
||||
+
|
||||
+ if (npass != 1)
|
||||
+ { /* is it a valid password? */
|
||||
+ helper_log_err(LOG_DEBUG, "no password supplied");
|
||||
+ return PAM_AUTHTOK_ERR;
|
||||
+ }
|
||||
+
|
||||
+ retval = check_old_pass(user, pass, dbg);
|
||||
+
|
||||
+ memset(pass, '\0', MAXPASS); /* clear memory of the password */
|
||||
+
|
||||
+ return retval;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+save_history(const char *user, const char *howmany, const char *debug)
|
||||
+{
|
||||
+ int num = atoi(howmany);
|
||||
+ int dbg = atoi(debug); /* no need to be too fancy here */
|
||||
+ int retval;
|
||||
+
|
||||
+ retval = save_old_pass(user, num, dbg);
|
||||
+
|
||||
+ return retval;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+main(int argc, char *argv[])
|
||||
+{
|
||||
+ const char *option;
|
||||
+ const char *user;
|
||||
+
|
||||
+ /*
|
||||
+ * Catch or ignore as many signal as possible.
|
||||
+ */
|
||||
+ setup_signals();
|
||||
+
|
||||
+ /*
|
||||
+ * we establish that this program is running with non-tty stdin.
|
||||
+ * this is to discourage casual use.
|
||||
+ */
|
||||
+
|
||||
+ if (isatty(STDIN_FILENO) || argc < 4)
|
||||
+ {
|
||||
+ fprintf(stderr,
|
||||
+ "This binary is not designed for running in this way.\n");
|
||||
+ sleep(10); /* this should discourage/annoy the user */
|
||||
+ return PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+
|
||||
+ option = argv[1];
|
||||
+ user = argv[2];
|
||||
+
|
||||
+ if (strcmp(option, "check") == 0 && argc == 4)
|
||||
+ return check_history(user, argv[3]);
|
||||
+ else if (strcmp(option, "save") == 0 && argc == 5)
|
||||
+ return save_history(user, argv[3], argv[4]);
|
||||
+
|
||||
+ return PAM_SYSTEM_ERR;
|
||||
+}
|
||||
+
|
||||
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml
|
||||
--- Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper 2016-05-06 15:18:42.308637957 +0200
|
||||
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml 2016-05-06 15:18:42.308637957 +0200
|
||||
@@ -0,0 +1,68 @@
|
||||
+<?xml version="1.0" encoding='UTF-8'?>
|
||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
||||
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
||||
+
|
||||
+<refentry id="pwhistory_helper">
|
||||
+
|
||||
+ <refmeta>
|
||||
+ <refentrytitle>pwhistory_helper</refentrytitle>
|
||||
+ <manvolnum>8</manvolnum>
|
||||
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
|
||||
+ </refmeta>
|
||||
+
|
||||
+ <refnamediv id="pwhistory_helper-name">
|
||||
+ <refname>pwhistory_helper</refname>
|
||||
+ <refpurpose>Helper binary that transfers password hashes from passwd or shadow to opasswd</refpurpose>
|
||||
+ </refnamediv>
|
||||
+
|
||||
+ <refsynopsisdiv>
|
||||
+ <cmdsynopsis id="pwhistory_helper-cmdsynopsis">
|
||||
+ <command>pwhistory_helper</command>
|
||||
+ <arg choice="opt">
|
||||
+ ...
|
||||
+ </arg>
|
||||
+ </cmdsynopsis>
|
||||
+ </refsynopsisdiv>
|
||||
+
|
||||
+ <refsect1 id="pwhistory_helper-description">
|
||||
+
|
||||
+ <title>DESCRIPTION</title>
|
||||
+
|
||||
+ <para>
|
||||
+ <emphasis>pwhistory_helper</emphasis> is a helper program for the
|
||||
+ <emphasis>pam_pwhistory</emphasis> module that transfers password hashes
|
||||
+ from passwd or shadow file to the opasswd file and checks a password
|
||||
+ supplied by user against the existing hashes in the opasswd file.
|
||||
+ </para>
|
||||
+
|
||||
+ <para>
|
||||
+ The purpose of the helper is to enable tighter confinement of
|
||||
+ login and password changing services. The helper is thus called only
|
||||
+ when SELinux is enabled on the system.
|
||||
+ </para>
|
||||
+
|
||||
+ <para>
|
||||
+ The interface of the helper - command line options, and input/output
|
||||
+ data format are internal to the <emphasis>pam_pwhistory</emphasis>
|
||||
+ module and it should not be called directly from applications.
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='pwhistory_helper-see_also'>
|
||||
+ <title>SEE ALSO</title>
|
||||
+ <para>
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum>
|
||||
+ </citerefentry>
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='pwhistory_helper-author'>
|
||||
+ <title>AUTHOR</title>
|
||||
+ <para>
|
||||
+ Written by Tomas Mraz based on the code originally in
|
||||
+ <emphasis>pam_pwhistory and pam_unix</emphasis> modules.
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+</refentry>
|
@ -0,0 +1,16 @@
|
||||
diff -up Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c.nomsg Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c
|
||||
--- Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c.nomsg 2016-04-11 13:08:47.000000000 +0200
|
||||
+++ Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c 2017-04-20 16:51:24.853106709 +0200
|
||||
@@ -687,12 +687,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
|
||||
return PAM_SUCCESS;
|
||||
} else if (off(UNIX__IAMROOT, ctrl) ||
|
||||
(on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) {
|
||||
- /* instruct user what is happening */
|
||||
- if (off(UNIX__QUIET, ctrl)) {
|
||||
- retval = pam_info(pamh, _("Changing password for %s."), user);
|
||||
- if (retval != PAM_SUCCESS)
|
||||
- return retval;
|
||||
- }
|
||||
retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass_old, NULL);
|
||||
|
||||
if (retval != PAM_SUCCESS) {
|
@ -0,0 +1,158 @@
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_access/pam_access.c.access-handle-hostnames Linux-PAM-1.3.1/modules/pam_access/pam_access.c
|
||||
--- Linux-PAM-1.3.1/modules/pam_access/pam_access.c.access-handle-hostnames 2024-01-19 16:45:18.319862531 +0100
|
||||
+++ Linux-PAM-1.3.1/modules/pam_access/pam_access.c 2024-01-19 16:50:34.239545948 +0100
|
||||
@@ -683,7 +683,7 @@ string_match (pam_handle_t *pamh, const
|
||||
/*
|
||||
* If the token has the magic value "ALL" the match always succeeds.
|
||||
* Otherwise, return YES if the token fully matches the string.
|
||||
- * "NONE" token matches NULL string.
|
||||
+ * "NONE" token matches NULL string.
|
||||
*/
|
||||
|
||||
if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */
|
||||
@@ -701,7 +701,8 @@ string_match (pam_handle_t *pamh, const
|
||||
|
||||
/* network_netmask_match - match a string against one token
|
||||
* where string is a hostname or ip (v4,v6) address and tok
|
||||
- * represents either a single ip (v4,v6) address or a network/netmask
|
||||
+ * represents either a hostname, a single ip (v4,v6) address
|
||||
+ * or a network/netmask
|
||||
*/
|
||||
static int
|
||||
network_netmask_match (pam_handle_t *pamh,
|
||||
@@ -710,10 +711,12 @@ network_netmask_match (pam_handle_t *pam
|
||||
char *netmask_ptr;
|
||||
char netmask_string[MAXHOSTNAMELEN + 1];
|
||||
int addr_type;
|
||||
+ struct addrinfo *ai = NULL;
|
||||
|
||||
if (item->debug)
|
||||
- pam_syslog (pamh, LOG_DEBUG,
|
||||
+ pam_syslog (pamh, LOG_DEBUG,
|
||||
"network_netmask_match: tok=%s, item=%s", tok, string);
|
||||
+
|
||||
/* OK, check if tok is of type addr/mask */
|
||||
if ((netmask_ptr = strchr(tok, '/')) != NULL)
|
||||
{
|
||||
@@ -745,52 +748,109 @@ network_netmask_match (pam_handle_t *pam
|
||||
netmask_ptr = number_to_netmask(netmask, addr_type,
|
||||
netmask_string, MAXHOSTNAMELEN);
|
||||
}
|
||||
- }
|
||||
+
|
||||
+ /*
|
||||
+ * Construct an addrinfo list from the IP address.
|
||||
+ * This should not fail as the input is a correct IP address...
|
||||
+ */
|
||||
+ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
|
||||
+ {
|
||||
+ return NO;
|
||||
+ }
|
||||
+ }
|
||||
else
|
||||
- /* NO, then check if it is only an addr */
|
||||
- if (isipaddr(tok, NULL, NULL) != YES)
|
||||
+ {
|
||||
+ /*
|
||||
+ * It is either an IP address or a hostname.
|
||||
+ * Let getaddrinfo sort everything out
|
||||
+ */
|
||||
+ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
|
||||
{
|
||||
+ if (item->debug)
|
||||
+ pam_syslog(pamh, LOG_DEBUG, "cannot resolve hostname \"%s\"", tok);
|
||||
+
|
||||
return NO;
|
||||
}
|
||||
+ netmask_ptr = NULL;
|
||||
+ }
|
||||
|
||||
if (isipaddr(string, NULL, NULL) != YES)
|
||||
{
|
||||
- /* Assume network/netmask with a name of a host. */
|
||||
struct addrinfo hint;
|
||||
|
||||
+ /* Assume network/netmask with a name of a host. */
|
||||
memset (&hint, '\0', sizeof (hint));
|
||||
hint.ai_flags = AI_CANONNAME;
|
||||
hint.ai_family = AF_UNSPEC;
|
||||
|
||||
if (item->gai_rv != 0)
|
||||
+ {
|
||||
+ freeaddrinfo(ai);
|
||||
return NO;
|
||||
+ }
|
||||
else if (!item->res &&
|
||||
(item->gai_rv = getaddrinfo (string, NULL, &hint, &item->res)) != 0)
|
||||
+ {
|
||||
+ freeaddrinfo(ai);
|
||||
return NO;
|
||||
+ }
|
||||
else
|
||||
{
|
||||
struct addrinfo *runp = item->res;
|
||||
+ struct addrinfo *runp1;
|
||||
|
||||
while (runp != NULL)
|
||||
{
|
||||
char buf[INET6_ADDRSTRLEN];
|
||||
|
||||
- inet_ntop (runp->ai_family,
|
||||
- runp->ai_family == AF_INET
|
||||
- ? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr
|
||||
- : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr,
|
||||
- buf, sizeof (buf));
|
||||
+ if (getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) != 0)
|
||||
+ {
|
||||
+ freeaddrinfo(ai);
|
||||
+ return NO;
|
||||
+ }
|
||||
|
||||
- if (are_addresses_equal(buf, tok, netmask_ptr))
|
||||
+ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
|
||||
{
|
||||
- return YES;
|
||||
+ char buf1[INET6_ADDRSTRLEN];
|
||||
+
|
||||
+ if (runp->ai_family != runp1->ai_family)
|
||||
+ continue;
|
||||
+
|
||||
+ if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0)
|
||||
+ {
|
||||
+ freeaddrinfo(ai);
|
||||
+ return NO;
|
||||
+ }
|
||||
+
|
||||
+ if (are_addresses_equal (buf, buf1, netmask_ptr))
|
||||
+ {
|
||||
+ freeaddrinfo(ai);
|
||||
+ return YES;
|
||||
+ }
|
||||
}
|
||||
runp = runp->ai_next;
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
- return (are_addresses_equal(string, tok, netmask_ptr));
|
||||
+ {
|
||||
+ struct addrinfo *runp1;
|
||||
+
|
||||
+ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
|
||||
+ {
|
||||
+ char buf1[INET6_ADDRSTRLEN];
|
||||
+
|
||||
+ (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST);
|
||||
+
|
||||
+ if (are_addresses_equal(string, buf1, netmask_ptr))
|
||||
+ {
|
||||
+ freeaddrinfo(ai);
|
||||
+ return YES;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ freeaddrinfo(ai);
|
||||
|
||||
return NO;
|
||||
}
|
@ -0,0 +1,35 @@
|
||||
From b429ea18b1c9c8953df5169c6a453b4255a6f23d Mon Sep 17 00:00:00 2001
|
||||
From: Iker Pedrosa <ikerpedrosam@gmail.com>
|
||||
Date: Thu, 27 Feb 2020 11:48:47 +0100
|
||||
Subject: [PATCH] pam_tty_audit: if kernel audit is disabled return PAM_IGNORE
|
||||
|
||||
If kernel audit is disabled the socket open will return
|
||||
EPROTONOSUPPORT.
|
||||
Return PAM_IGNORE from pam_tty_audit and log a warning
|
||||
in this situation so login is not blocked by the module.
|
||||
---
|
||||
modules/pam_tty_audit/pam_tty_audit.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c
|
||||
index 7dbcada2..589c60a2 100644
|
||||
--- a/modules/pam_tty_audit/pam_tty_audit.c
|
||||
+++ b/modules/pam_tty_audit/pam_tty_audit.c
|
||||
@@ -351,6 +351,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
|
||||
fd = nl_open ();
|
||||
if (fd == -1
|
||||
+ && errno == EPROTONOSUPPORT)
|
||||
+ {
|
||||
+ pam_syslog (pamh, LOG_WARNING, "unable to open audit socket, audit not "
|
||||
+ "supported; tty_audit skipped");
|
||||
+ free (old_status);
|
||||
+ return PAM_IGNORE;
|
||||
+ }
|
||||
+ else if (fd == -1
|
||||
|| nl_send (fd, AUDIT_TTY_GET, 0, NULL, 0) != 0
|
||||
|| nl_recv (fd, AUDIT_TTY_GET, old_status, sizeof (*old_status)) != 0)
|
||||
{
|
||||
--
|
||||
2.25.2
|
||||
|
@ -0,0 +1,88 @@
|
||||
From 27d04a849fd9f9cfd4b35eb80d687817830183df Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Wed, 7 Aug 2019 12:22:55 +0200
|
||||
Subject: [PATCH] pam_get_authtok_verify: Avoid duplicate password verification
|
||||
|
||||
If password was already verified by previous modules in the stack
|
||||
it does not need to be verified by pam_get_authtok_verify either.
|
||||
|
||||
* libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified
|
||||
appropriately.
|
||||
(pam_get_authtok_verify): Do not prompt if authtok_verified is set and
|
||||
set it when the password is verified.
|
||||
* libpam/pam_private.h: Add authtok_verified to the pam handle struct.
|
||||
* libpam/pam_start.c (pam_start): Initialize authtok_verified.
|
||||
---
|
||||
libpam/pam_get_authtok.c | 10 ++++++++++
|
||||
libpam/pam_private.h | 1 +
|
||||
libpam/pam_start.c | 1 +
|
||||
3 files changed, 12 insertions(+)
|
||||
|
||||
diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c
|
||||
index 800c6e5..99eb25f 100644
|
||||
--- a/libpam/pam_get_authtok.c
|
||||
+++ b/libpam/pam_get_authtok.c
|
||||
@@ -140,6 +140,8 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
|
||||
}
|
||||
else if (chpass)
|
||||
{
|
||||
+ pamh->authtok_verified = 0;
|
||||
+
|
||||
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0],
|
||||
PROMPT1, authtok_type,
|
||||
strlen (authtok_type) > 0?" ":"");
|
||||
@@ -184,6 +186,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
|
||||
if (retval != PAM_SUCCESS)
|
||||
return retval;
|
||||
|
||||
+ if (chpass > 1)
|
||||
+ pamh->authtok_verified = 1;
|
||||
+
|
||||
return pam_get_item(pamh, item, (const void **)authtok);
|
||||
}
|
||||
|
||||
@@ -214,6 +219,9 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
|
||||
if (authtok == NULL || pamh->choice != PAM_CHAUTHTOK)
|
||||
return PAM_SYSTEM_ERR;
|
||||
|
||||
+ if (pamh->authtok_verified)
|
||||
+ return pam_get_item (pamh, PAM_AUTHTOK, (const void **)authtok);
|
||||
+
|
||||
if (prompt != NULL)
|
||||
{
|
||||
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,
|
||||
@@ -252,5 +260,7 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
|
||||
if (retval != PAM_SUCCESS)
|
||||
return retval;
|
||||
|
||||
+ pamh->authtok_verified = 1;
|
||||
+
|
||||
return pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
|
||||
}
|
||||
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
|
||||
index 7ff9f75..58a26f5 100644
|
||||
--- a/libpam/pam_private.h
|
||||
+++ b/libpam/pam_private.h
|
||||
@@ -172,6 +172,7 @@ struct pam_handle {
|
||||
#ifdef HAVE_LIBAUDIT
|
||||
int audit_state; /* keep track of reported audit messages */
|
||||
#endif
|
||||
+ int authtok_verified;
|
||||
};
|
||||
|
||||
/* Values for select arg to _pam_dispatch() */
|
||||
diff --git a/libpam/pam_start.c b/libpam/pam_start.c
|
||||
index 328416d..e27c64b 100644
|
||||
--- a/libpam/pam_start.c
|
||||
+++ b/libpam/pam_start.c
|
||||
@@ -94,6 +94,7 @@ int pam_start (
|
||||
#endif
|
||||
(*pamh)->xdisplay = NULL;
|
||||
(*pamh)->authtok_type = NULL;
|
||||
+ (*pamh)->authtok_verified = 0;
|
||||
memset (&((*pamh)->xauth), 0, sizeof ((*pamh)->xauth));
|
||||
|
||||
if (((*pamh)->pam_conversation = (struct pam_conv *)
|
||||
--
|
||||
2.20.1
|
||||
|
@ -0,0 +1,11 @@
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_console/sed-static.console-build Linux-PAM-1.3.1/modules/pam_console/sed-static
|
||||
--- Linux-PAM-1.3.1/modules/pam_console/sed-static.console-build 2014-01-31 14:17:53.000000000 +0100
|
||||
+++ Linux-PAM-1.3.1/modules/pam_console/sed-static 2018-09-10 15:06:04.115302315 +0200
|
||||
@@ -13,6 +13,7 @@ sed '
|
||||
/^YY_BUFFER_STATE yy_scan_buffer/s/^/STATIC /
|
||||
/^YY_BUFFER_STATE yy_scan_string/s/^/STATIC /
|
||||
/^void yy_switch_to_buffer/s/^/STATIC /
|
||||
+/^extern int yylex/s/^extern /STATIC /
|
||||
/define YY_DECL int yylex/s/YY_DECL /YY_DECL STATIC /
|
||||
/^int yyparse/s/^/STATIC /
|
||||
/^void yyrestart/s/^/STATIC /
|
@ -0,0 +1,185 @@
|
||||
diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
|
||||
index 106ef7c..b2e94c7 100644
|
||||
--- a/libpam/pam_handlers.c
|
||||
+++ b/libpam/pam_handlers.c
|
||||
@@ -282,7 +282,6 @@ _pam_open_config_file(pam_handle_t *pamh
|
||||
{
|
||||
char *p;
|
||||
FILE *f;
|
||||
- int err = 0;
|
||||
|
||||
/* Absolute path */
|
||||
if (service[0] == '/') {
|
||||
diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c
|
||||
index be53f34..07dce36 100644
|
||||
--- a/libpam_misc/misc_conv.c
|
||||
+++ b/libpam_misc/misc_conv.c
|
||||
@@ -211,7 +211,7 @@ static int read_string(int echo, const char *prompt, char **retstr)
|
||||
line[nc] = '\0';
|
||||
}
|
||||
*retstr = strdup(line);
|
||||
- _pam_overwrite(line);
|
||||
+ _pam_overwrite_n(line, sizeof(line));
|
||||
if (!*retstr) {
|
||||
D(("no memory for response string"));
|
||||
nc = -1;
|
||||
@@ -244,7 +244,7 @@ static int read_string(int echo, const char *prompt, char **retstr)
|
||||
D(("the timer appears to have expired"));
|
||||
|
||||
*retstr = NULL;
|
||||
- _pam_overwrite(line);
|
||||
+ _pam_overwrite_n(line, sizeof(line));
|
||||
|
||||
cleanexit:
|
||||
|
||||
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
|
||||
index 80d885d..3801862 100644
|
||||
--- a/modules/pam_access/pam_access.c
|
||||
+++ b/modules/pam_access/pam_access.c
|
||||
@@ -806,7 +806,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
|
||||
const char *user=NULL;
|
||||
const void *void_from=NULL;
|
||||
const char *from;
|
||||
- const char const *default_config = PAM_ACCESS_CONFIG;
|
||||
+ const char * const default_config = PAM_ACCESS_CONFIG;
|
||||
struct passwd *user_pw;
|
||||
char hostname[MAXHOSTNAMELEN + 1];
|
||||
int rv;
|
||||
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
|
||||
index 4bc4ae7..f8476b4 100644
|
||||
--- a/modules/pam_limits/pam_limits.c
|
||||
+++ b/modules/pam_limits/pam_limits.c
|
||||
@@ -342,7 +342,7 @@ static const char *lnames[RLIM_NLIMITS] = {
|
||||
#endif
|
||||
};
|
||||
|
||||
-static int str2rlimit(char *name) {
|
||||
+static int str2rlimit(const char *name) {
|
||||
int i;
|
||||
if (!name || *name == '\0')
|
||||
return -1;
|
||||
@@ -352,7 +352,7 @@ static int str2rlimit(char *name) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
-static rlim_t str2rlim_t(char *value) {
|
||||
+static rlim_t str2rlim_t(const char *value) {
|
||||
unsigned long long rlimit = 0;
|
||||
|
||||
if (!value) return (rlim_t)rlimit;
|
||||
@@ -384,7 +384,7 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int
|
||||
FILE *limitsfile;
|
||||
const char *proclimits = "/proc/1/limits";
|
||||
char line[256];
|
||||
- char *units, *hard, *soft, *name;
|
||||
+ const char *units, *hard, *soft, *name;
|
||||
|
||||
if (!(limitsfile = fopen(proclimits, "r"))) {
|
||||
pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM defaults", proclimits, strerror(errno));
|
||||
diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
|
||||
index 96bfd98..66d202c 100644
|
||||
--- a/modules/pam_loginuid/pam_loginuid.c
|
||||
+++ b/modules/pam_loginuid/pam_loginuid.c
|
||||
@@ -64,7 +64,7 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
|
||||
fd = open("/proc/self/uid_map", O_RDONLY);
|
||||
if (fd >= 0) {
|
||||
count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
|
||||
- if (strncmp(uid_map, host_uid_map, count) != 0)
|
||||
+ if (count <= 0 || strncmp(uid_map, host_uid_map, count) != 0)
|
||||
rc = PAM_IGNORE;
|
||||
close(fd);
|
||||
}
|
||||
diff --git a/modules/pam_mkhomedir/mkhomedir_helper.c b/modules/pam_mkhomedir/mkhomedir_helper.c
|
||||
index 9e204c1..4b8d6b7 100644
|
||||
--- a/modules/pam_mkhomedir/mkhomedir_helper.c
|
||||
+++ b/modules/pam_mkhomedir/mkhomedir_helper.c
|
||||
@@ -232,6 +232,8 @@ create_homedir(const struct passwd *pwd,
|
||||
{
|
||||
pam_syslog(NULL, LOG_DEBUG,
|
||||
"unable to open or stat src file %s: %m", newsource);
|
||||
+ if (srcfd >= 0)
|
||||
+ close(srcfd);
|
||||
closedir(d);
|
||||
|
||||
#ifndef PATH_MAX
|
||||
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
|
||||
index f541f89..85f5efa 100644
|
||||
--- a/modules/pam_namespace/pam_namespace.c
|
||||
+++ b/modules/pam_namespace/pam_namespace.c
|
||||
@@ -1418,6 +1418,7 @@ static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *
|
||||
if (fstat(fd, &newstatbuf) < 0) {
|
||||
pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m",
|
||||
ipath);
|
||||
+ close(fd);
|
||||
rmdir(ipath);
|
||||
return PAM_SESSION_ERR;
|
||||
}
|
||||
diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
|
||||
index e6cf346..813f579 100644
|
||||
--- a/modules/pam_pwhistory/opasswd.c
|
||||
+++ b/modules/pam_pwhistory/opasswd.c
|
||||
@@ -326,6 +326,9 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
|
||||
n = strlen (buf);
|
||||
#endif /* HAVE_GETLINE / HAVE_GETDELIM */
|
||||
|
||||
+ if (n < 1)
|
||||
+ break;
|
||||
+
|
||||
cp = buf;
|
||||
save = strdup (buf); /* Copy to write the original data back. */
|
||||
if (save == NULL)
|
||||
@@ -336,9 +339,6 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
|
||||
goto error_opasswd;
|
||||
}
|
||||
|
||||
- if (n < 1)
|
||||
- break;
|
||||
-
|
||||
tmp = strchr (cp, '#'); /* remove comments */
|
||||
if (tmp)
|
||||
*tmp = '\0';
|
||||
diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c
|
||||
index 17baabe..a9d9140 100644
|
||||
--- a/modules/pam_rootok/pam_rootok.c
|
||||
+++ b/modules/pam_rootok/pam_rootok.c
|
||||
@@ -66,14 +66,17 @@ log_callback (int type, const char *fmt, ...)
|
||||
int audit_fd;
|
||||
va_list ap;
|
||||
|
||||
- va_start(ap, fmt);
|
||||
#ifdef HAVE_LIBAUDIT
|
||||
audit_fd = audit_open();
|
||||
|
||||
if (audit_fd >= 0) {
|
||||
char *buf;
|
||||
+ int ret;
|
||||
|
||||
- if (vasprintf (&buf, fmt, ap) < 0)
|
||||
+ va_start(ap, fmt);
|
||||
+ ret = vasprintf (&buf, fmt, ap);
|
||||
+ va_end(ap);
|
||||
+ if (ret < 0)
|
||||
return 0;
|
||||
audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
|
||||
NULL, 0);
|
||||
@@ -83,6 +86,7 @@ log_callback (int type, const char *fmt, ...)
|
||||
}
|
||||
|
||||
#endif
|
||||
+ va_start(ap, fmt);
|
||||
vsyslog (LOG_USER | LOG_INFO, fmt, ap);
|
||||
va_end(ap);
|
||||
return 0;
|
||||
diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c
|
||||
index c653290..f37af0f 100644
|
||||
--- a/modules/pam_sepermit/pam_sepermit.c
|
||||
+++ b/modules/pam_sepermit/pam_sepermit.c
|
||||
@@ -353,7 +353,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
|
||||
if (*sense == PAM_SUCCESS) {
|
||||
if (ignore)
|
||||
*sense = PAM_IGNORE;
|
||||
- if (geteuid() == 0 && exclusive && get_loginuid(pamh) == -1)
|
||||
+ if (geteuid() == 0 && exclusive && get_loginuid(pamh) == (uid_t)-1)
|
||||
if (sepermit_lock(pamh, user, debug) < 0)
|
||||
*sense = PAM_AUTH_ERR;
|
||||
}
|
@ -0,0 +1,13 @@
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_faillock/faillock.c.faillock-create-tallydir Linux-PAM-1.3.1/modules/pam_faillock/faillock.c
|
||||
--- Linux-PAM-1.3.1/modules/pam_faillock/faillock.c.faillock-create-tallydir 2024-01-08 11:32:02.122392119 +0100
|
||||
+++ Linux-PAM-1.3.1/modules/pam_faillock/faillock.c 2024-01-08 11:33:10.916515943 +0100
|
||||
@@ -74,6 +74,9 @@ open_tally (const char *dir, const char
|
||||
|
||||
if (create) {
|
||||
flags |= O_CREAT;
|
||||
+ if (access(dir, F_OK) != 0) {
|
||||
+ mkdir(dir, 0755);
|
||||
+ }
|
||||
}
|
||||
|
||||
fd = open(path, flags, 0600);
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,70 @@
|
||||
diff -up Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c.fds-closing Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c
|
||||
--- Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c.fds-closing 2017-02-10 11:10:15.000000000 +0100
|
||||
+++ Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c 2019-10-16 16:07:31.259021159 +0200
|
||||
@@ -10,6 +10,7 @@
|
||||
#include <fcntl.h>
|
||||
#include <syslog.h>
|
||||
#include <sys/resource.h>
|
||||
+#include <dirent.h>
|
||||
|
||||
/*
|
||||
* Creates a pipe, closes its write end, redirects fd to its read end.
|
||||
@@ -116,27 +117,45 @@ redirect_out(pam_handle_t *pamh, enum pa
|
||||
static void
|
||||
close_fds(void)
|
||||
{
|
||||
+ DIR *dir = NULL;
|
||||
+ struct dirent *dent;
|
||||
+ int dfd = -1;
|
||||
+ int fd;
|
||||
+ struct rlimit rlim;
|
||||
+
|
||||
/*
|
||||
* An arbitrary upper limit for the maximum file descriptor number
|
||||
* returned by RLIMIT_NOFILE.
|
||||
*/
|
||||
- const int MAX_FD_NO = 65535;
|
||||
+ const unsigned int MAX_FD_NO = 65535;
|
||||
|
||||
/* The lower limit is the same as for _POSIX_OPEN_MAX. */
|
||||
- const int MIN_FD_NO = 20;
|
||||
+ const unsigned int MIN_FD_NO = 20;
|
||||
|
||||
- int fd;
|
||||
- struct rlimit rlim;
|
||||
-
|
||||
- if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
|
||||
- fd = MAX_FD_NO;
|
||||
- else if (rlim.rlim_max < MIN_FD_NO)
|
||||
- fd = MIN_FD_NO;
|
||||
- else
|
||||
- fd = rlim.rlim_max - 1;
|
||||
+ /* If /proc is mounted, we can optimize which fd can be closed. */
|
||||
+ if ((dir = opendir("/proc/self/fd")) != NULL) {
|
||||
+ if ((dfd = dirfd(dir)) >= 0) {
|
||||
+ while ((dent = readdir(dir)) != NULL) {
|
||||
+ fd = atoi(dent->d_name);
|
||||
+ if (fd > STDERR_FILENO && fd != dfd)
|
||||
+ close(fd);
|
||||
+ }
|
||||
+ }
|
||||
+ closedir(dir);
|
||||
+ }
|
||||
+
|
||||
+ /* If /proc isn't available, fallback to the previous behavior. */
|
||||
+ if (dfd < 0) {
|
||||
+ if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
|
||||
+ fd = MAX_FD_NO;
|
||||
+ else if (rlim.rlim_max < MIN_FD_NO)
|
||||
+ fd = MIN_FD_NO;
|
||||
+ else
|
||||
+ fd = rlim.rlim_max - 1;
|
||||
|
||||
- for (; fd > STDERR_FILENO; --fd)
|
||||
- close(fd);
|
||||
+ for (; fd > STDERR_FILENO; --fd)
|
||||
+ close(fd);
|
||||
+ }
|
||||
}
|
||||
|
||||
int
|
@ -0,0 +1,105 @@
|
||||
diff -up Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h.inline Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h
|
||||
--- Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h.inline 2022-05-26 10:44:31.702623614 +0200
|
||||
+++ Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h 2022-05-26 10:44:31.703623621 +0200
|
||||
@@ -44,4 +44,17 @@
|
||||
# define DIAG_POP_IGNORE_CAST_ALIGN /* empty */
|
||||
#endif
|
||||
|
||||
+/*
|
||||
+ * Evaluates to
|
||||
+ * 1, if the given two types are known to be the same
|
||||
+ * 0, otherwise.
|
||||
+ */
|
||||
+#if PAM_GNUC_PREREQ(3, 0)
|
||||
+# define PAM_IS_SAME_TYPE(x_, y_) \
|
||||
+ __builtin_types_compatible_p(__typeof__(x_), __typeof__(y_))
|
||||
+#else
|
||||
+/* Cannot tell whether these types are the same. */
|
||||
+# define PAM_IS_SAME_TYPE(x_, y_) 0
|
||||
+#endif
|
||||
+
|
||||
#endif /* PAM_CC_COMPAT_H */
|
||||
diff -up Linux-PAM-1.3.1/libpam/include/pam_inline.h.inline Linux-PAM-1.3.1/libpam/include/pam_inline.h
|
||||
--- Linux-PAM-1.3.1/libpam/include/pam_inline.h.inline 2022-05-26 10:44:31.703623621 +0200
|
||||
+++ Linux-PAM-1.3.1/libpam/include/pam_inline.h 2022-05-26 10:44:31.703623621 +0200
|
||||
@@ -0,0 +1,67 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org>
|
||||
+ *
|
||||
+ * Handy inline functions and macros providing some convenient functionality
|
||||
+ * to libpam and its modules.
|
||||
+ */
|
||||
+
|
||||
+#ifndef PAM_INLINE_H
|
||||
+#define PAM_INLINE_H
|
||||
+
|
||||
+#include "pam_cc_compat.h"
|
||||
+#include <string.h>
|
||||
+
|
||||
+/*
|
||||
+ * Evaluates to
|
||||
+ * - a syntax error if the argument is 0,
|
||||
+ * 0, otherwise.
|
||||
+ */
|
||||
+#define PAM_FAIL_BUILD_ON_ZERO(e_) (sizeof(int[-1 + 2 * !!(e_)]) * 0)
|
||||
+
|
||||
+/*
|
||||
+ * Evaluates to
|
||||
+ * 1, if the given type is known to be a non-array type
|
||||
+ * 0, otherwise.
|
||||
+ */
|
||||
+#define PAM_IS_NOT_ARRAY(a_) PAM_IS_SAME_TYPE((a_), &(a_)[0])
|
||||
+
|
||||
+/*
|
||||
+ * Evaluates to
|
||||
+ * - a syntax error if the argument is not an array,
|
||||
+ * 0, otherwise.
|
||||
+ */
|
||||
+#define PAM_MUST_BE_ARRAY(a_) PAM_FAIL_BUILD_ON_ZERO(!PAM_IS_NOT_ARRAY(a_))
|
||||
+
|
||||
+/* Evaluates to the number of elements in the specified array. */
|
||||
+#define PAM_ARRAY_SIZE(a_) (sizeof(a_) / sizeof((a_)[0]) + PAM_MUST_BE_ARRAY(a_))
|
||||
+
|
||||
+/*
|
||||
+ * Returns NULL if STR does not start with PREFIX,
|
||||
+ * or a pointer to the first char in STR after PREFIX.
|
||||
+ * The length of PREFIX is specified by PREFIX_LEN.
|
||||
+ */
|
||||
+static inline const char *
|
||||
+pam_str_skip_prefix_len(const char *str, const char *prefix, size_t prefix_len)
|
||||
+{
|
||||
+ return strncmp(str, prefix, prefix_len) ? NULL : str + prefix_len;
|
||||
+}
|
||||
+
|
||||
+#define pam_str_skip_prefix(str_, prefix_) \
|
||||
+ pam_str_skip_prefix_len((str_), (prefix_), sizeof(prefix_) - 1 + PAM_MUST_BE_ARRAY(prefix_))
|
||||
+
|
||||
+/*
|
||||
+ * Returns NULL if STR does not start with PREFIX
|
||||
+ * (ignoring the case of the characters),
|
||||
+ * or a pointer to the first char in STR after PREFIX.
|
||||
+ * The length of PREFIX is specified by PREFIX_LEN.
|
||||
+ */
|
||||
+static inline const char *
|
||||
+pam_str_skip_icase_prefix_len(const char *str, const char *prefix, size_t prefix_len)
|
||||
+{
|
||||
+ return strncasecmp(str, prefix, prefix_len) ? NULL : str + prefix_len;
|
||||
+}
|
||||
+
|
||||
+#define pam_str_skip_icase_prefix(str_, prefix_) \
|
||||
+ pam_str_skip_icase_prefix_len((str_), (prefix_), sizeof(prefix_) - 1 + PAM_MUST_BE_ARRAY(prefix_))
|
||||
+
|
||||
+#endif /* PAM_INLINE_H */
|
||||
diff -up Linux-PAM-1.3.1/libpam/Makefile.am.inline Linux-PAM-1.3.1/libpam/Makefile.am
|
||||
--- Linux-PAM-1.3.1/libpam/Makefile.am.inline 2022-05-26 10:44:31.702623614 +0200
|
||||
+++ Linux-PAM-1.3.1/libpam/Makefile.am 2022-05-26 10:45:21.146977780 +0200
|
||||
@@ -18,7 +18,8 @@ include_HEADERS = include/security/_pam_
|
||||
include/security/pam_ext.h include/security/pam_modutil.h
|
||||
|
||||
noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \
|
||||
- pam_modutil_private.h include/pam_cc_compat.h
|
||||
+ pam_modutil_private.h include/pam_cc_compat.h \
|
||||
+ include/pam_inline.h
|
||||
|
||||
libpam_la_LDFLAGS = -no-undefined -version-info 84:2:84
|
||||
libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@
|
@ -0,0 +1,82 @@
|
||||
From c426914fa166ffb0482b6f6ad659ddf17d5dfaa1 Mon Sep 17 00:00:00 2001
|
||||
From: Nir Soffer <nsoffer@redhat.com>
|
||||
Date: Wed, 9 Jan 2019 23:41:16 +0200
|
||||
Subject: [PATCH] pam_lastlog: Improve silent option documentation
|
||||
|
||||
The silent option explicitly silents only the last login message and not
|
||||
bad logins. Add a note to the manual to make this clear.
|
||||
|
||||
* modules/pam_lastlog/pam_lastlog.8.xml: Clearify "silent showfailed"
|
||||
---
|
||||
modules/pam_lastlog/pam_lastlog.8.xml | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml
|
||||
index c8f247e..bc2e1be 100644
|
||||
--- a/modules/pam_lastlog/pam_lastlog.8.xml
|
||||
+++ b/modules/pam_lastlog/pam_lastlog.8.xml
|
||||
@@ -102,6 +102,7 @@
|
||||
<para>
|
||||
Don't inform the user about any previous login,
|
||||
just update the <filename>/var/log/lastlog</filename> file.
|
||||
+ This option does not affect display of bad login attempts.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
--
|
||||
2.20.1
|
||||
|
||||
From 7d036249a9772c546ede1f38ad68b3f1575216d6 Mon Sep 17 00:00:00 2001
|
||||
From: Nir Soffer <nsoffer@redhat.com>
|
||||
Date: Sun, 6 Jan 2019 00:36:27 +0200
|
||||
Subject: [PATCH] pam_lastlog: Respect PAM_SILENT flag
|
||||
|
||||
pam_lastlog module will not log info about failed login if the session
|
||||
was opened with PAM_SILENT flag.
|
||||
|
||||
Example use case enabled by this change:
|
||||
|
||||
sudo --non-interactive program
|
||||
|
||||
If this command is run by another program expecting specific output from
|
||||
the command run by sudo, the unexpected info about failed logins will
|
||||
break this program.
|
||||
|
||||
* modules/pam_lastlog/pam_lastlog.c: Respect silent option.
|
||||
(_pam_session_parse): Unset LASTLOG_BTMP if PAM_SILENT is set.
|
||||
---
|
||||
modules/pam_lastlog/pam_lastlog.c | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
|
||||
index 18bf7be..e980c04 100644
|
||||
--- a/modules/pam_lastlog/pam_lastlog.c
|
||||
+++ b/modules/pam_lastlog/pam_lastlog.c
|
||||
@@ -135,11 +135,6 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
{
|
||||
int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE|LASTLOG_WTMP|LASTLOG_UPDATE);
|
||||
|
||||
- /* does the appliction require quiet? */
|
||||
- if (flags & PAM_SILENT) {
|
||||
- ctrl |= LASTLOG_QUIET;
|
||||
- }
|
||||
-
|
||||
/* step through arguments */
|
||||
for (; argc-- > 0; ++argv) {
|
||||
|
||||
@@ -168,6 +163,12 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
}
|
||||
}
|
||||
|
||||
+ /* does the appliction require quiet? */
|
||||
+ if (flags & PAM_SILENT) {
|
||||
+ ctrl |= LASTLOG_QUIET;
|
||||
+ ctrl &= ~LASTLOG_BTMP;
|
||||
+ }
|
||||
+
|
||||
D(("ctrl = %o", ctrl));
|
||||
return ctrl;
|
||||
}
|
||||
--
|
||||
2.20.1
|
||||
|
@ -0,0 +1,227 @@
|
||||
From 3a3e70739834cd5cbd17469907ef718c81ae40c0 Mon Sep 17 00:00:00 2001
|
||||
From: Carlos Santos <casantos@redhat.com>
|
||||
Date: Wed, 11 Sep 2019 11:50:28 -0300
|
||||
Subject: [PATCH] pam_lastlog: document the 'unlimited' option
|
||||
|
||||
Signed-off-by: Carlos Santos <casantos@redhat.com>
|
||||
---
|
||||
modules/pam_lastlog/pam_lastlog.8.xml | 18 ++++++++++++++++++
|
||||
1 file changed, 18 insertions(+)
|
||||
|
||||
diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml
|
||||
index bc2e1be..f10e94a 100644
|
||||
--- a/modules/pam_lastlog/pam_lastlog.8.xml
|
||||
+++ b/modules/pam_lastlog/pam_lastlog.8.xml
|
||||
@@ -48,6 +48,9 @@
|
||||
<arg choice="opt">
|
||||
inactive=<days>
|
||||
</arg>
|
||||
+ <arg choice="opt">
|
||||
+ unlimited
|
||||
+ </arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
@@ -196,6 +199,18 @@
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>unlimited</option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ If the <emphasis>fsize</emphasis> limit is set, this option can be
|
||||
+ used to override it, preventing failures on systems with large UID
|
||||
+ values that lead lastlog to become a huge sparse file.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
@@ -300,6 +315,9 @@
|
||||
<refsect1 id='pam_lastlog-see_also'>
|
||||
<title>SEE ALSO</title>
|
||||
<para>
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum>
|
||||
+ </citerefentry>,
|
||||
<citerefentry>
|
||||
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
|
||||
</citerefentry>,
|
||||
--
|
||||
2.20.1
|
||||
|
||||
From 9349333a9ae958205294cd25e97fd6b4805bd82b Mon Sep 17 00:00:00 2001
|
||||
From: Carlos Santos <casantos@redhat.com>
|
||||
Date: Tue, 10 Sep 2019 23:08:30 -0300
|
||||
Subject: [PATCH] pam_lastlog: prevent crash due to reduced 'fsize' limit
|
||||
|
||||
It a reduced fsize limit is set in /etc/security/limits.conf and
|
||||
pam_limits is in use pam_lastlog may cause a crash, e.g.
|
||||
|
||||
----- begin /etc/pam.d/su ----
|
||||
auth sufficient pam_rootok.so
|
||||
auth required pam_wheel.so use_uid
|
||||
auth required pam_env.so
|
||||
auth required pam_unix.so nullok
|
||||
account required pam_unix.so
|
||||
password required pam_unix.so nullok
|
||||
session required pam_limits.so
|
||||
session required pam_env.so
|
||||
session required pam_unix.so
|
||||
session optional pam_lastlog.so
|
||||
----- end /etc/pam.d/su -----
|
||||
|
||||
----- begin /etc/security/limits.d/fsize.conf -----
|
||||
* soft fsize 1710
|
||||
* hard fsize 1710
|
||||
----- end /etc/security/limits.d/fsize.conf -----
|
||||
|
||||
# id user1
|
||||
uid=1000(user1) gid=1000(user1) groups=1000(user1)
|
||||
# su - user1
|
||||
Last login: Wed Sep 11 01:52:44 UTC 2019 on console
|
||||
$ exit
|
||||
# id user2
|
||||
uid=60000(user2) gid=60000(user2) groups=60000(user2)
|
||||
# su - user2
|
||||
File size limit exceeded
|
||||
|
||||
This happens because pam_limits sets RLIMIT_FSIZE before pam_lastlog
|
||||
attempts to write /var/log/lastlog, leading to a SIGXFSZ signal.
|
||||
|
||||
In order to fix this, and an 'unlimited' option, which leads to saving
|
||||
the 'fsize' limit and set it to unlimited before writing lastlog. After
|
||||
that, restore the saved value. If 'fsize' is already unlimited nothing
|
||||
is done.
|
||||
|
||||
Failing to set the 'fsize' limit is not a fatal error. With luck the
|
||||
configured limit will suffice, so we try to write lastlog anyway, even
|
||||
under the risk of dying due to a SIGXFSZ.
|
||||
|
||||
Failing to restore the 'fsize' limit is a fatal error, since we don't
|
||||
want to keep it unlimited.
|
||||
|
||||
Signed-off-by: Carlos Santos <casantos@redhat.com>
|
||||
---
|
||||
modules/pam_lastlog/pam_lastlog.c | 66 ++++++++++++++++++++++++++-----
|
||||
1 file changed, 57 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
|
||||
index e980c04..a135c9f 100644
|
||||
--- a/modules/pam_lastlog/pam_lastlog.c
|
||||
+++ b/modules/pam_lastlog/pam_lastlog.c
|
||||
@@ -25,6 +25,8 @@
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
+#include <sys/time.h>
|
||||
+#include <sys/resource.h>
|
||||
#include <syslog.h>
|
||||
#include <unistd.h>
|
||||
|
||||
@@ -82,15 +84,16 @@ struct lastlog {
|
||||
|
||||
/* argument parsing */
|
||||
|
||||
-#define LASTLOG_DATE 01 /* display the date of the last login */
|
||||
-#define LASTLOG_HOST 02 /* display the last host used (if set) */
|
||||
-#define LASTLOG_LINE 04 /* display the last terminal used */
|
||||
-#define LASTLOG_NEVER 010 /* display a welcome message for first login */
|
||||
-#define LASTLOG_DEBUG 020 /* send info to syslog(3) */
|
||||
-#define LASTLOG_QUIET 040 /* keep quiet about things */
|
||||
-#define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */
|
||||
-#define LASTLOG_BTMP 0200 /* display failed login info from btmp */
|
||||
-#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */
|
||||
+#define LASTLOG_DATE 01 /* display the date of the last login */
|
||||
+#define LASTLOG_HOST 02 /* display the last host used (if set) */
|
||||
+#define LASTLOG_LINE 04 /* display the last terminal used */
|
||||
+#define LASTLOG_NEVER 010 /* display a welcome message for first login */
|
||||
+#define LASTLOG_DEBUG 020 /* send info to syslog(3) */
|
||||
+#define LASTLOG_QUIET 040 /* keep quiet about things */
|
||||
+#define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */
|
||||
+#define LASTLOG_BTMP 0200 /* display failed login info from btmp */
|
||||
+#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */
|
||||
+#define LASTLOG_UNLIMITED 01000 /* unlimited file size (ignore 'fsize' limit) */
|
||||
|
||||
static int
|
||||
_pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv,
|
||||
@@ -158,6 +161,8 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
ctrl &= ~(LASTLOG_WTMP|LASTLOG_UPDATE);
|
||||
} else if (!strcmp(*argv,"showfailed")) {
|
||||
ctrl |= LASTLOG_BTMP;
|
||||
+ } else if (!strcmp(*argv,"unlimited")) {
|
||||
+ ctrl |= LASTLOG_UNLIMITED;
|
||||
} else {
|
||||
pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
|
||||
}
|
||||
@@ -373,6 +378,12 @@ static int
|
||||
last_login_write(pam_handle_t *pamh, int announce, int last_fd,
|
||||
uid_t uid, const char *user)
|
||||
{
|
||||
+ static struct rlimit no_limit = {
|
||||
+ RLIM_INFINITY,
|
||||
+ RLIM_INFINITY
|
||||
+ };
|
||||
+ struct rlimit old_limit;
|
||||
+ int setrlimit_res;
|
||||
struct flock last_lock;
|
||||
struct lastlog last_login;
|
||||
time_t ll_time;
|
||||
@@ -427,6 +438,31 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd,
|
||||
sleep(LASTLOG_IGNORE_LOCK_TIME);
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * Failing to set the 'fsize' limit is not a fatal error. We try to write
|
||||
+ * lastlog anyway, under the risk of dying due to a SIGXFSZ.
|
||||
+ */
|
||||
+ D(("setting limit for 'fsize'"));
|
||||
+
|
||||
+ if ((announce & LASTLOG_UNLIMITED) == 0) { /* don't set to unlimted */
|
||||
+ setrlimit_res = -1;
|
||||
+ } else if (getrlimit(RLIMIT_FSIZE, &old_limit) == 0) {
|
||||
+ if (old_limit.rlim_cur == RLIM_INFINITY) { /* already unlimited */
|
||||
+ setrlimit_res = -1;
|
||||
+ } else {
|
||||
+ setrlimit_res = setrlimit(RLIMIT_FSIZE, &no_limit);
|
||||
+ if (setrlimit_res != 0)
|
||||
+ pam_syslog(pamh, LOG_WARNING, "Could not set limit for 'fsize': %m");
|
||||
+ }
|
||||
+ } else {
|
||||
+ setrlimit_res = -1;
|
||||
+ if (errno == EINVAL) {
|
||||
+ pam_syslog(pamh, LOG_INFO, "Limit for 'fsize' not supported: %m");
|
||||
+ } else {
|
||||
+ pam_syslog(pamh, LOG_WARNING, "Could not get limit for 'fsize': %m");
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
D(("writing to the lastlog file"));
|
||||
if (pam_modutil_write (last_fd, (char *) &last_login,
|
||||
sizeof (last_login)) != sizeof(last_login)) {
|
||||
@@ -434,6 +470,18 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd,
|
||||
retval = PAM_SERVICE_ERR;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * Failing to restore the 'fsize' limit is a fatal error.
|
||||
+ */
|
||||
+ D(("restoring limit for 'fsize'"));
|
||||
+ if (setrlimit_res == 0) {
|
||||
+ setrlimit_res = setrlimit(RLIMIT_FSIZE, &old_limit);
|
||||
+ if (setrlimit_res != 0) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Could not restore limit for 'fsize': %m");
|
||||
+ retval = PAM_SERVICE_ERR;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
last_lock.l_type = F_UNLCK;
|
||||
(void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */
|
||||
D(("unlocked"));
|
||||
--
|
||||
2.20.1
|
||||
|
@ -0,0 +1,25 @@
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml.motd-manpage Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml
|
||||
--- Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml.motd-manpage 2018-05-18 11:50:46.000000000 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml 2019-12-19 10:29:36.243558251 +0100
|
||||
@@ -31,10 +31,19 @@
|
||||
<para>
|
||||
pam_motd is a PAM module that can be used to display
|
||||
arbitrary motd (message of the day) files after a successful
|
||||
- login. By default the <filename>/etc/motd</filename> file is
|
||||
+ login. By default the <filename>/etc/motd</filename> file and
|
||||
+ all files from <filename>/etc/motd.d</filename> are
|
||||
shown. The message size is limited to 64KB.
|
||||
</para>
|
||||
-
|
||||
+ <para>
|
||||
+ To silence a message,
|
||||
+ a symbolic link with target <filename>/dev/null</filename>
|
||||
+ may be placed in <filename>/etc/motd.d</filename> with
|
||||
+ the same filename as the message to be silenced. Example:
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ <command>ln -sfn /dev/null /etc/motd.d/my_motd</command>
|
||||
+ </para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1 id="pam_motd-options">
|
@ -0,0 +1,68 @@
|
||||
From 491e5500b6b3913f531574208274358a2df88659 Mon Sep 17 00:00:00 2001
|
||||
From: ikerexxe <ipedrosa@redhat.com>
|
||||
Date: Mon, 5 Oct 2020 10:41:29 +0200
|
||||
Subject: [PATCH] pam_namespace: polyinstantiation refer to gdm doc
|
||||
|
||||
modules/pam_namespace/pam_namespace.8.xml: delete obsolete information
|
||||
about polyinstantiation and refer to gdm's documentation.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1861841
|
||||
---
|
||||
modules/pam_namespace/pam_namespace.8.xml | 41 ++---------------------
|
||||
1 file changed, 2 insertions(+), 39 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml
|
||||
index f0f80d33..57c44c4b 100644
|
||||
--- a/modules/pam_namespace/pam_namespace.8.xml
|
||||
+++ b/modules/pam_namespace/pam_namespace.8.xml
|
||||
@@ -343,45 +343,8 @@
|
||||
</para>
|
||||
|
||||
<para>
|
||||
- To use polyinstantiation with graphical display manager gdm, insert the
|
||||
- following line, before exit 0, in /etc/gdm/PostSession/Default:
|
||||
- </para>
|
||||
-
|
||||
- <para>
|
||||
- /usr/sbin/gdm-safe-restart
|
||||
- </para>
|
||||
-
|
||||
- <para>
|
||||
- This allows gdm to restart after each session and appropriately adjust
|
||||
- namespaces of display manager and the X server. If polyinstantiation
|
||||
- of /tmp is desired along with the graphical environment, then additional
|
||||
- configuration changes are needed to address the interaction of X server
|
||||
- and font server namespaces with their use of /tmp to create
|
||||
- communication sockets. Please use the initialization script
|
||||
- <filename>/etc/security/namespace.init</filename> to ensure that
|
||||
- the X server and its clients can appropriately access the
|
||||
- communication socket X0. Please refer to the sample instructions
|
||||
- provided in the comment section of the instance initialization script
|
||||
- <filename>/etc/security/namespace.init</filename>. In addition,
|
||||
- perform the following changes to use graphical environment with
|
||||
- polyinstantiation of /tmp:
|
||||
- </para>
|
||||
-
|
||||
- <para>
|
||||
- <literallayout>
|
||||
- 1. Disable the use of font server by commenting out "FontPath"
|
||||
- line in /etc/X11/xorg.conf. If you do want to use the font server
|
||||
- then you will have to augment the instance initialization
|
||||
- script to appropriately provide /tmp/.font-unix from the
|
||||
- polyinstantiated /tmp.
|
||||
- 2. Ensure that the gdm service is setup to use pam_namespace,
|
||||
- as described above, by modifying /etc/pam.d/gdm.
|
||||
- 3. Ensure that the display manager is configured to restart X server
|
||||
- with each new session. This default setup can be verified by
|
||||
- making sure that /usr/share/gdm/defaults.conf contains
|
||||
- "AlwaysRestartServer=true", and it is not overridden by
|
||||
- /etc/gdm/custom.conf.
|
||||
- </literallayout>
|
||||
+ To use polyinstantiation with graphical display manager gdm, please refer
|
||||
+ to gdm's documentation.
|
||||
</para>
|
||||
|
||||
</refsect1>
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,131 @@
|
||||
diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml
|
||||
index c7698cb..a94b49e 100644
|
||||
--- a/modules/pam_namespace/namespace.conf.5.xml
|
||||
+++ b/modules/pam_namespace/namespace.conf.5.xml
|
||||
@@ -122,9 +122,14 @@
|
||||
<para><emphasis>mntopts</emphasis>=<replaceable>value</replaceable>
|
||||
- value of this flag is passed to the mount call when the tmpfs mount is
|
||||
done. It allows for example the specification of the maximum size of the
|
||||
- tmpfs instance that is created by the mount call. See <citerefentry>
|
||||
- <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum>
|
||||
- </citerefentry> for details.
|
||||
+ tmpfs instance that is created by the mount call. In addition to
|
||||
+ options specified in the <citerefentry>
|
||||
+ <refentrytitle>tmpfs</refentrytitle><manvolnum>5</manvolnum>
|
||||
+ </citerefentry> manual the <emphasis>nosuid</emphasis>,
|
||||
+ <emphasis>noexec</emphasis>, and <emphasis>nodev</emphasis> flags
|
||||
+ can be used to respectively disable setuid bit effect, disable running
|
||||
+ executables, and disable devices to be interpreted on the mounted
|
||||
+ tmpfs filesystem.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
|
||||
index f541f89..660c7a1 100644
|
||||
--- a/modules/pam_namespace/pam_namespace.c
|
||||
+++ b/modules/pam_namespace/pam_namespace.c
|
||||
@@ -230,6 +230,73 @@ static int parse_iscript_params(char *params, struct polydir_s *poly)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+struct mntflag {
|
||||
+ const char *name;
|
||||
+ size_t len;
|
||||
+ unsigned long flag;
|
||||
+};
|
||||
+
|
||||
+#define LITERAL_AND_LEN(x) x, sizeof(x) - 1
|
||||
+
|
||||
+static const struct mntflag mntflags[] = {
|
||||
+ { LITERAL_AND_LEN("noexec"), MS_NOEXEC },
|
||||
+ { LITERAL_AND_LEN("nosuid"), MS_NOSUID },
|
||||
+ { LITERAL_AND_LEN("nodev"), MS_NODEV }
|
||||
+ };
|
||||
+
|
||||
+static int filter_mntopts(const char *opts, char **filtered,
|
||||
+ unsigned long *mountflags)
|
||||
+{
|
||||
+ size_t origlen = strlen(opts);
|
||||
+ const char *end;
|
||||
+ char *dest;
|
||||
+
|
||||
+ dest = *filtered = NULL;
|
||||
+ *mountflags = 0;
|
||||
+
|
||||
+ if (origlen == 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ do {
|
||||
+ size_t len;
|
||||
+ int i;
|
||||
+
|
||||
+ end = strchr(opts, ',');
|
||||
+ if (end == NULL) {
|
||||
+ len = strlen(opts);
|
||||
+ } else {
|
||||
+ len = end - opts;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < (int)(sizeof(mntflags)/sizeof(mntflags[0])); i++) {
|
||||
+ if (mntflags[i].len != len)
|
||||
+ continue;
|
||||
+ if (memcmp(mntflags[i].name, opts, len) == 0) {
|
||||
+ *mountflags |= mntflags[i].flag;
|
||||
+ opts = end;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (opts != end) {
|
||||
+ if (dest != NULL) {
|
||||
+ *dest = ',';
|
||||
+ ++dest;
|
||||
+ } else {
|
||||
+ dest = *filtered = calloc(1, origlen + 1);
|
||||
+ if (dest == NULL)
|
||||
+ return -1;
|
||||
+ }
|
||||
+ memcpy(dest, opts, len);
|
||||
+ dest += len;
|
||||
+ }
|
||||
+
|
||||
+ opts = end + 1;
|
||||
+ } while (end != NULL);
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static int parse_method(char *method, struct polydir_s *poly,
|
||||
struct instance_data *idata)
|
||||
{
|
||||
@@ -289,7 +356,8 @@ static int parse_method(char *method, struct polydir_s *poly,
|
||||
break;
|
||||
}
|
||||
free(poly->mount_opts); /* if duplicate mntopts specified */
|
||||
- if ((poly->mount_opts = strdup(flag+namelen+1)) == NULL) {
|
||||
+ poly->mount_opts = NULL;
|
||||
+ if (filter_mntopts(flag+namelen+1, &poly->mount_opts, &poly->mount_flags) != 0) {
|
||||
pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error");
|
||||
return -1;
|
||||
}
|
||||
@@ -1484,7 +1552,7 @@ static int ns_setup(struct polydir_s *polyptr,
|
||||
}
|
||||
|
||||
if (polyptr->method == TMPFS) {
|
||||
- if (mount("tmpfs", polyptr->dir, "tmpfs", 0, polyptr->mount_opts) < 0) {
|
||||
+ if (mount("tmpfs", polyptr->dir, "tmpfs", polyptr->mount_flags, polyptr->mount_opts) < 0) {
|
||||
pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m",
|
||||
polyptr->dir);
|
||||
return PAM_SESSION_ERR;
|
||||
diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h
|
||||
index 47ebcc3..1522386 100644
|
||||
--- a/modules/pam_namespace/pam_namespace.h
|
||||
+++ b/modules/pam_namespace/pam_namespace.h
|
||||
@@ -166,6 +166,7 @@ struct polydir_s {
|
||||
unsigned int flags; /* polydir flags */
|
||||
char *init_script; /* path to init script */
|
||||
char *mount_opts; /* mount options for tmpfs mount */
|
||||
+ unsigned long mount_flags; /* mount flags for tmpfs mount */
|
||||
uid_t owner; /* user which should own the polydir */
|
||||
gid_t group; /* group which should own the polydir */
|
||||
mode_t mode; /* mode of the polydir */
|
@ -0,0 +1,58 @@
|
||||
From 031bb5a5d0d950253b68138b498dc93be69a64cb Mon Sep 17 00:00:00 2001
|
||||
From: Matthias Gerstner <matthias.gerstner@suse.de>
|
||||
Date: Wed, 27 Dec 2023 14:01:59 +0100
|
||||
Subject: [PATCH] pam_namespace: protect_dir(): use O_DIRECTORY to prevent
|
||||
local DoS situations
|
||||
|
||||
Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
|
||||
being placed in user controlled directories, causing the PAM module to
|
||||
block indefinitely during `openat()`.
|
||||
|
||||
Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
|
||||
refer to a directory.
|
||||
|
||||
With this the check whether the final path element is a directory
|
||||
becomes unnecessary, drop it.
|
||||
---
|
||||
modules/pam_namespace/pam_namespace.c | 18 +-----------------
|
||||
1 file changed, 1 insertion(+), 17 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
|
||||
index 2528cff8..f72d6718 100644
|
||||
--- a/modules/pam_namespace/pam_namespace.c
|
||||
+++ b/modules/pam_namespace/pam_namespace.c
|
||||
@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
|
||||
int dfd = AT_FDCWD;
|
||||
int dfd_next;
|
||||
int save_errno;
|
||||
- int flags = O_RDONLY;
|
||||
+ int flags = O_RDONLY | O_DIRECTORY;
|
||||
int rv = -1;
|
||||
struct stat st;
|
||||
|
||||
@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
|
||||
rv = openat(dfd, dir, flags);
|
||||
}
|
||||
|
||||
- if (rv != -1) {
|
||||
- if (fstat(rv, &st) != 0) {
|
||||
- save_errno = errno;
|
||||
- close(rv);
|
||||
- rv = -1;
|
||||
- errno = save_errno;
|
||||
- goto error;
|
||||
- }
|
||||
- if (!S_ISDIR(st.st_mode)) {
|
||||
- close(rv);
|
||||
- errno = ENOTDIR;
|
||||
- rv = -1;
|
||||
- goto error;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
if (flags & O_NOFOLLOW) {
|
||||
/* we are inside user-owned dir - protect */
|
||||
if (protect_mount(rv, p, idata) == -1) {
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,24 @@
|
||||
diff -up Linux-PAM-1.3.1/doc/Makefile.am.noflex Linux-PAM-1.3.1/doc/Makefile.am
|
||||
--- Linux-PAM-1.3.1/doc/Makefile.am.noflex 2017-02-10 11:10:15.000000000 +0100
|
||||
+++ Linux-PAM-1.3.1/doc/Makefile.am 2018-05-18 14:53:50.300997606 +0200
|
||||
@@ -2,7 +2,7 @@
|
||||
# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
|
||||
#
|
||||
|
||||
-SUBDIRS = man specs sag adg mwg
|
||||
+SUBDIRS = man sag adg mwg
|
||||
|
||||
CLEANFILES = *~
|
||||
|
||||
diff -up Linux-PAM-1.3.1/Makefile.am.noflex Linux-PAM-1.3.1/Makefile.am
|
||||
--- Linux-PAM-1.3.1/Makefile.am.noflex 2018-05-18 14:53:50.301997629 +0200
|
||||
+++ Linux-PAM-1.3.1/Makefile.am 2018-05-18 14:55:31.576353800 +0200
|
||||
@@ -4,7 +4,7 @@
|
||||
|
||||
AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 dist-xz check-news
|
||||
|
||||
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
|
||||
+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
|
||||
|
||||
CLEANFILES = *~
|
||||
|
@ -0,0 +1,63 @@
|
||||
diff -up Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h.pam-cc-compat Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h
|
||||
--- Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h.pam-cc-compat 2022-05-26 10:43:50.436328027 +0200
|
||||
+++ Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h 2022-05-26 10:43:50.436328027 +0200
|
||||
@@ -0,0 +1,47 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org>
|
||||
+ */
|
||||
+
|
||||
+#ifndef PAM_CC_COMPAT_H
|
||||
+#define PAM_CC_COMPAT_H
|
||||
+
|
||||
+#include "config.h"
|
||||
+#include <security/_pam_types.h>
|
||||
+
|
||||
+#if defined __clang__ && defined __clang_major__ && defined __clang_minor__
|
||||
+# define PAM_CLANG_PREREQ(maj, min) \
|
||||
+ ((__clang_major__ << 16) + __clang_minor__ >= ((maj) << 16) + (min))
|
||||
+#else
|
||||
+# define PAM_CLANG_PREREQ(maj, min) 0
|
||||
+#endif
|
||||
+
|
||||
+#if PAM_GNUC_PREREQ(4, 6)
|
||||
+# define DIAG_PUSH_IGNORE_CAST_QUAL \
|
||||
+ _Pragma("GCC diagnostic push"); \
|
||||
+ _Pragma("GCC diagnostic ignored \"-Wcast-qual\"")
|
||||
+# define DIAG_POP_IGNORE_CAST_QUAL \
|
||||
+ _Pragma("GCC diagnostic pop")
|
||||
+# define DIAG_PUSH_IGNORE_CAST_ALIGN \
|
||||
+ _Pragma("GCC diagnostic push"); \
|
||||
+ _Pragma("GCC diagnostic ignored \"-Wcast-align\"")
|
||||
+# define DIAG_POP_IGNORE_CAST_ALIGN \
|
||||
+ _Pragma("GCC diagnostic pop")
|
||||
+#elif PAM_CLANG_PREREQ(2, 6)
|
||||
+# define DIAG_PUSH_IGNORE_CAST_QUAL \
|
||||
+ _Pragma("clang diagnostic push"); \
|
||||
+ _Pragma("clang diagnostic ignored \"-Wcast-qual\"")
|
||||
+# define DIAG_POP_IGNORE_CAST_QUAL \
|
||||
+ _Pragma("clang diagnostic pop")
|
||||
+# define DIAG_PUSH_IGNORE_CAST_ALIGN \
|
||||
+ _Pragma("clang diagnostic push"); \
|
||||
+ _Pragma("clang diagnostic ignored \"-Wcast-align\"")
|
||||
+# define DIAG_POP_IGNORE_CAST_ALIGN \
|
||||
+ _Pragma("clang diagnostic pop")
|
||||
+#else
|
||||
+# define DIAG_PUSH_IGNORE_CAST_QUAL /* empty */
|
||||
+# define DIAG_POP_IGNORE_CAST_QUAL /* empty */
|
||||
+# define DIAG_PUSH_IGNORE_CAST_ALIGN /* empty */
|
||||
+# define DIAG_POP_IGNORE_CAST_ALIGN /* empty */
|
||||
+#endif
|
||||
+
|
||||
+#endif /* PAM_CC_COMPAT_H */
|
||||
diff -up Linux-PAM-1.3.1/libpam/Makefile.am.pam-cc-compat Linux-PAM-1.3.1/libpam/Makefile.am
|
||||
--- Linux-PAM-1.3.1/libpam/Makefile.am.pam-cc-compat 2022-05-26 10:43:50.436328027 +0200
|
||||
+++ Linux-PAM-1.3.1/libpam/Makefile.am 2022-05-26 10:44:00.865402730 +0200
|
||||
@@ -18,7 +18,7 @@ include_HEADERS = include/security/_pam_
|
||||
include/security/pam_ext.h include/security/pam_modutil.h
|
||||
|
||||
noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \
|
||||
- pam_modutil_private.h
|
||||
+ pam_modutil_private.h include/pam_cc_compat.h
|
||||
|
||||
libpam_la_LDFLAGS = -no-undefined -version-info 84:2:84
|
||||
libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@
|
@ -0,0 +1,125 @@
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_keyinit/pam_keyinit.c.pam_keyinit-thread-safe Linux-PAM-1.3.1/modules/pam_keyinit/pam_keyinit.c
|
||||
--- Linux-PAM-1.3.1/modules/pam_keyinit/pam_keyinit.c.pam_keyinit-thread-safe 2017-02-10 11:10:15.000000000 +0100
|
||||
+++ Linux-PAM-1.3.1/modules/pam_keyinit/pam_keyinit.c 2022-04-25 12:10:28.071240439 +0200
|
||||
@@ -20,6 +20,7 @@
|
||||
#include <security/pam_modutil.h>
|
||||
#include <security/pam_ext.h>
|
||||
#include <sys/syscall.h>
|
||||
+#include <stdatomic.h>
|
||||
|
||||
#define KEY_SPEC_SESSION_KEYRING -3 /* ID for session keyring */
|
||||
#define KEY_SPEC_USER_KEYRING -4 /* ID for UID-specific keyring */
|
||||
@@ -30,12 +31,12 @@
|
||||
#define KEYCTL_REVOKE 3 /* revoke a key */
|
||||
#define KEYCTL_LINK 8 /* link a key into a keyring */
|
||||
|
||||
-static int my_session_keyring;
|
||||
-static int session_counter;
|
||||
-static int do_revoke;
|
||||
-static int revoke_as_uid;
|
||||
-static int revoke_as_gid;
|
||||
-static int xdebug = 0;
|
||||
+static _Thread_local int my_session_keyring = 0;
|
||||
+static _Atomic int session_counter = 0;
|
||||
+static _Thread_local int do_revoke = 0;
|
||||
+static _Thread_local uid_t revoke_as_uid;
|
||||
+static _Thread_local gid_t revoke_as_gid;
|
||||
+static _Thread_local int xdebug = 0;
|
||||
|
||||
static void debug(pam_handle_t *pamh, const char *fmt, ...)
|
||||
__attribute__((format(printf, 2, 3)));
|
||||
@@ -65,6 +66,33 @@ static int error(pam_handle_t *pamh, con
|
||||
return PAM_SESSION_ERR;
|
||||
}
|
||||
|
||||
+static int pam_setreuid(uid_t ruid, uid_t euid)
|
||||
+{
|
||||
+#if defined(SYS_setreuid32)
|
||||
+ return syscall(SYS_setreuid32, ruid, euid);
|
||||
+#else
|
||||
+ return syscall(SYS_setreuid, ruid, euid);
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
+static int pam_setregid(gid_t rgid, gid_t egid)
|
||||
+{
|
||||
+#if defined(SYS_setregid32)
|
||||
+ return syscall(SYS_setregid32, rgid, egid);
|
||||
+#else
|
||||
+ return syscall(SYS_setregid, rgid, egid);
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
+static int pam_setresuid(uid_t ruid, uid_t euid, uid_t suid)
|
||||
+{
|
||||
+#if defined(SYS_setresuid32)
|
||||
+ return syscall(SYS_setresuid32, ruid, euid, suid);
|
||||
+#else
|
||||
+ return syscall(SYS_setresuid, ruid, euid, suid);
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* initialise the session keyring for this process
|
||||
*/
|
||||
@@ -139,23 +167,25 @@ static void kill_keyrings(pam_handle_t *
|
||||
|
||||
/* switch to the real UID and GID so that we have permission to
|
||||
* revoke the key */
|
||||
- if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0)
|
||||
+ if (revoke_as_gid != old_gid && pam_setregid(-1, revoke_as_gid) < 0)
|
||||
error(pamh, "Unable to change GID to %d temporarily\n",
|
||||
revoke_as_gid);
|
||||
|
||||
- if (revoke_as_uid != old_uid && setresuid(-1, revoke_as_uid, old_uid) < 0)
|
||||
+ if (revoke_as_uid != old_uid && pam_setresuid(-1, revoke_as_uid, old_uid) < 0)
|
||||
error(pamh, "Unable to change UID to %d temporarily\n",
|
||||
revoke_as_uid);
|
||||
+ if (getegid() != old_gid && pam_setregid(-1, old_gid) < 0)
|
||||
+ error(pamh, "Unable to change GID back to %d\n", old_gid);
|
||||
|
||||
syscall(__NR_keyctl,
|
||||
KEYCTL_REVOKE,
|
||||
my_session_keyring);
|
||||
|
||||
/* return to the orignal UID and GID (probably root) */
|
||||
- if (revoke_as_uid != old_uid && setreuid(-1, old_uid) < 0)
|
||||
+ if (revoke_as_uid != old_uid && pam_setreuid(-1, old_uid) < 0)
|
||||
error(pamh, "Unable to change UID back to %d\n", old_uid);
|
||||
|
||||
- if (revoke_as_gid != old_gid && setregid(-1, old_gid) < 0)
|
||||
+ if (revoke_as_gid != old_gid && pam_setregid(-1, old_gid) < 0)
|
||||
error(pamh, "Unable to change GID back to %d\n", old_gid);
|
||||
|
||||
my_session_keyring = 0;
|
||||
@@ -210,14 +240,14 @@ int pam_sm_open_session(pam_handle_t *pa
|
||||
|
||||
/* switch to the real UID and GID so that the keyring ends up owned by
|
||||
* the right user */
|
||||
- if (gid != old_gid && setregid(gid, -1) < 0) {
|
||||
+ if (gid != old_gid && pam_setregid(gid, -1) < 0) {
|
||||
error(pamh, "Unable to change GID to %d temporarily\n", gid);
|
||||
return PAM_SESSION_ERR;
|
||||
}
|
||||
|
||||
- if (uid != old_uid && setreuid(uid, -1) < 0) {
|
||||
+ if (uid != old_uid && pam_setreuid(uid, -1) < 0) {
|
||||
error(pamh, "Unable to change UID to %d temporarily\n", uid);
|
||||
- if (setregid(old_gid, -1) < 0)
|
||||
+ if (pam_setregid(old_gid, -1) < 0)
|
||||
error(pamh, "Unable to change GID back to %d\n", old_gid);
|
||||
return PAM_SESSION_ERR;
|
||||
}
|
||||
@@ -225,10 +255,10 @@ int pam_sm_open_session(pam_handle_t *pa
|
||||
ret = init_keyrings(pamh, force);
|
||||
|
||||
/* return to the orignal UID and GID (probably root) */
|
||||
- if (uid != old_uid && setreuid(old_uid, -1) < 0)
|
||||
+ if (uid != old_uid && pam_setreuid(old_uid, -1) < 0)
|
||||
ret = error(pamh, "Unable to change UID back to %d\n", old_uid);
|
||||
|
||||
- if (gid != old_gid && setregid(old_gid, -1) < 0)
|
||||
+ if (gid != old_gid && pam_setregid(old_gid, -1) < 0)
|
||||
ret = error(pamh, "Unable to change GID back to %d\n", old_gid);
|
||||
|
||||
return ret;
|
@ -0,0 +1,78 @@
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_limits/limits.conf.5.xml.pam-limits-unlimited-value Linux-PAM-1.3.1/modules/pam_limits/limits.conf.5.xml
|
||||
--- Linux-PAM-1.3.1/modules/pam_limits/limits.conf.5.xml.pam-limits-unlimited-value 2022-01-28 09:45:41.431606850 +0100
|
||||
+++ Linux-PAM-1.3.1/modules/pam_limits/limits.conf.5.xml 2022-01-28 09:47:31.732430391 +0100
|
||||
@@ -275,6 +275,8 @@
|
||||
All items support the values <emphasis>-1</emphasis>,
|
||||
<emphasis>unlimited</emphasis> or <emphasis>infinity</emphasis> indicating no limit,
|
||||
except for <emphasis remap='B'>priority</emphasis> and <emphasis remap='B'>nice</emphasis>.
|
||||
+ If <emphasis remap='B'>nofile</emphasis> is to be set to one of these values,
|
||||
+ it will be set to the contents of /proc/sys/fs/nr_open instead (see setrlimit(3)).
|
||||
</para>
|
||||
<para>
|
||||
If a hard limit or soft limit of a resource is set to a valid value,
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_limits/pam_limits.c.pam-limits-unlimited-value Linux-PAM-1.3.1/modules/pam_limits/pam_limits.c
|
||||
--- Linux-PAM-1.3.1/modules/pam_limits/pam_limits.c.pam-limits-unlimited-value 2022-01-28 09:45:41.415606731 +0100
|
||||
+++ Linux-PAM-1.3.1/modules/pam_limits/pam_limits.c 2022-01-28 09:45:41.431606850 +0100
|
||||
@@ -487,6 +487,41 @@ static int init_limits(pam_handle_t *pam
|
||||
return retval;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Read the contents of <pathname> and return it in *valuep
|
||||
+ * return 1 if conversion succeeds, result is in *valuep
|
||||
+ * return 0 if conversion fails, *valuep is untouched.
|
||||
+ */
|
||||
+static int
|
||||
+value_from_file(const char *pathname, rlim_t *valuep)
|
||||
+{
|
||||
+ char buf[128];
|
||||
+ FILE *fp;
|
||||
+ int retval;
|
||||
+
|
||||
+ retval = 0;
|
||||
+
|
||||
+ if ((fp = fopen(pathname, "r")) != NULL) {
|
||||
+ if (fgets(buf, sizeof(buf), fp) != NULL) {
|
||||
+ char *endptr;
|
||||
+ unsigned long long value;
|
||||
+
|
||||
+ errno = 0;
|
||||
+ value = strtoull(buf, &endptr, 10);
|
||||
+ if (endptr != buf &&
|
||||
+ (value != ULLONG_MAX || errno == 0) &&
|
||||
+ (unsigned long long) (rlim_t) value == value) {
|
||||
+ *valuep = (rlim_t) value;
|
||||
+ retval = 1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ fclose(fp);
|
||||
+ }
|
||||
+
|
||||
+ return retval;
|
||||
+}
|
||||
+
|
||||
static void
|
||||
process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
|
||||
const char *lim_item, const char *lim_value,
|
||||
@@ -652,6 +687,20 @@ process_limit (const pam_handle_t *pamh,
|
||||
rlimit_value = 20 - int_value;
|
||||
break;
|
||||
#endif
|
||||
+ case RLIMIT_NOFILE:
|
||||
+ /*
|
||||
+ * If nofile is to be set to "unlimited", try to set it to
|
||||
+ * the value in /proc/sys/fs/nr_open instead.
|
||||
+ */
|
||||
+ if (rlimit_value == RLIM_INFINITY) {
|
||||
+ if (!value_from_file("/proc/sys/fs/nr_open", &rlimit_value))
|
||||
+ pam_syslog(pamh, LOG_WARNING,
|
||||
+ "Cannot set \"nofile\" to a sensible value");
|
||||
+ else if (ctrl & PAM_DEBUG_ARG)
|
||||
+ pam_syslog(pamh, LOG_DEBUG, "Setting \"nofile\" limit to %llu",
|
||||
+ (unsigned long long) rlimit_value);
|
||||
+ }
|
||||
+ break;
|
||||
}
|
||||
|
||||
if ( (limit_item != LIMIT_LOGIN)
|
@ -0,0 +1,29 @@
|
||||
diff -up Linux-PAM-1.3.1/configure.ac.pam-misc-configurable Linux-PAM-1.3.1/configure.ac
|
||||
--- Linux-PAM-1.3.1/configure.ac.pam-misc-configurable 2023-06-26 09:57:00.243146563 +0200
|
||||
+++ Linux-PAM-1.3.1/configure.ac 2023-06-26 09:59:45.353636685 +0200
|
||||
@@ -621,6 +621,13 @@ if test x"$opt_kerneloverflowuid" == x;
|
||||
fi
|
||||
AC_DEFINE_UNQUOTED(PAM_USERTYPE_OVERFLOW_UID, $opt_kerneloverflowuid, [Kernel overflow uid.])
|
||||
|
||||
+AC_ARG_WITH([misc-conv-bufsize],
|
||||
+AS_HELP_STRING([--with-misc-conv-bufsize=<number>],
|
||||
+ [Size of input buffer for libpam_misc's misc_conv() conversation function, default=4096]),
|
||||
+ [],
|
||||
+ [with_misc_conv_bufsize=4096])
|
||||
+AC_DEFINE_UNQUOTED(PAM_MISC_CONV_BUFSIZE, $with_misc_conv_bufsize, [libpam_misc misc_conv() buffer size.])
|
||||
+
|
||||
dnl Files to be created from when we run configure
|
||||
AC_CONFIG_FILES([Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile \
|
||||
libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
|
||||
diff -up Linux-PAM-1.3.1/libpam_misc/misc_conv.c.pam-misc-configurable Linux-PAM-1.3.1/libpam_misc/misc_conv.c
|
||||
--- Linux-PAM-1.3.1/libpam_misc/misc_conv.c.pam-misc-configurable 2023-06-26 09:57:00.242146560 +0200
|
||||
+++ Linux-PAM-1.3.1/libpam_misc/misc_conv.c 2023-06-26 10:00:38.023787972 +0200
|
||||
@@ -18,7 +18,7 @@
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/pam_misc.h>
|
||||
|
||||
-#define INPUTSIZE PAM_MAX_MSG_SIZE /* maximum length of input+1 */
|
||||
+#define INPUTSIZE PAM_MISC_CONV_BUFSIZE /* maximum length of input+1 */
|
||||
#define CONV_ECHO_ON 1 /* types of echo state */
|
||||
#define CONV_ECHO_OFF 0
|
||||
|
@ -0,0 +1,74 @@
|
||||
From b6f73810a2e7afd02a231e2dfa14b05752c83db7 Mon Sep 17 00:00:00 2001
|
||||
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
||||
Date: Wed, 26 Feb 2020 19:20:58 +0000
|
||||
Subject: [PATCH] pam_modutil_sanitize_helper_fds: fix SIGPIPE effect of
|
||||
PAM_MODUTIL_PIPE_FD
|
||||
|
||||
When pam_modutil_sanitize_helper_fds() is invoked with
|
||||
PAM_MODUTIL_PIPE_FD to provide a dummy pipe descriptor for stdout
|
||||
or stderr, it closes the read end of the newly created dummy pipe.
|
||||
The negative side effect of this approach is that any write to such
|
||||
descriptor triggers a SIGPIPE. Avoid this by closing the write end of
|
||||
the dummy pipe and using its read end as a dummy pipe descriptor for
|
||||
output. Any read from such descriptor returns 0, and any write just
|
||||
fails with EBADF, which should work better with unprepared writers.
|
||||
|
||||
* libpam/pam_modutil_sanitize.c (redirect_out_pipe): Remove.
|
||||
(redirect_out): Call redirect_in_pipe instead of redirect_out_pipe.
|
||||
|
||||
Fixes: b0ec5d1e ("Introduce pam_modutil_sanitize_helper_fds")
|
||||
---
|
||||
libpam/pam_modutil_sanitize.c | 30 +-----------------------------
|
||||
1 file changed, 1 insertion(+), 29 deletions(-)
|
||||
|
||||
diff --git a/libpam/pam_modutil_sanitize.c b/libpam/pam_modutil_sanitize.c
|
||||
index 605c859d..58b9537c 100644
|
||||
--- a/libpam/pam_modutil_sanitize.c
|
||||
+++ b/libpam/pam_modutil_sanitize.c
|
||||
@@ -46,34 +46,6 @@ redirect_in_pipe(pam_handle_t *pamh, int fd, const char *name)
|
||||
return fd;
|
||||
}
|
||||
|
||||
-/*
|
||||
- * Creates a pipe, closes its read end, redirects fd to its write end.
|
||||
- * Returns fd on success, -1 otherwise.
|
||||
- */
|
||||
-static int
|
||||
-redirect_out_pipe(pam_handle_t *pamh, int fd, const char *name)
|
||||
-{
|
||||
- int out[2];
|
||||
-
|
||||
- if (pipe(out) < 0) {
|
||||
- pam_syslog(pamh, LOG_ERR, "Could not create pipe: %m");
|
||||
- return -1;
|
||||
- }
|
||||
-
|
||||
- close(out[0]);
|
||||
-
|
||||
- if (out[1] == fd)
|
||||
- return fd;
|
||||
-
|
||||
- if (dup2(out[1], fd) != fd) {
|
||||
- pam_syslog(pamh, LOG_ERR, "dup2 of %s failed: %m", name);
|
||||
- fd = -1;
|
||||
- }
|
||||
-
|
||||
- close(out[1]);
|
||||
- return fd;
|
||||
-}
|
||||
-
|
||||
/*
|
||||
* Opens /dev/null for writing, redirects fd there.
|
||||
* Returns fd on success, -1 otherwise.
|
||||
@@ -106,7 +78,7 @@ redirect_out(pam_handle_t *pamh, enum pam_modutil_redirect_fd mode,
|
||||
{
|
||||
switch (mode) {
|
||||
case PAM_MODUTIL_PIPE_FD:
|
||||
- if (redirect_out_pipe(pamh, fd, name) < 0)
|
||||
+ if (redirect_in_pipe(pamh, fd, name) < 0)
|
||||
return -1;
|
||||
break;
|
||||
case PAM_MODUTIL_NULL_FD:
|
||||
--
|
||||
2.25.3
|
||||
|
@ -0,0 +1,283 @@
|
||||
From d57ab22133654033ee1da89f128a81572d320985 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 20 Dec 2018 13:59:25 +0100
|
||||
Subject: [PATCH] pam_motd: Cleanup the code and avoid unnecessary logging
|
||||
|
||||
The pam_motd module will not log if the default motd.d directories
|
||||
are missing.
|
||||
|
||||
Also cleanup some code cleanliness issues and fix compilation
|
||||
warnings.
|
||||
|
||||
* modules/pam_motd/pam_motd.c: Constification of constant strings.
|
||||
(try_to_display_directory): Removed unused function.
|
||||
(pam_split_string): Replace uint with unsigned int. Fix warnings.
|
||||
(compare_strings): Fix warnings by proper constification.
|
||||
(try_to_display_directories_with_overrides): Cleanups. Switch
|
||||
off the logging if the motd.d directories are missing and they
|
||||
are default ones.
|
||||
(pam_sm_open_session): Cleanup warnings. Pass the information
|
||||
to try_to_display_directories_with_overrides() that non-default
|
||||
motd options are used.
|
||||
---
|
||||
modules/pam_motd/pam_motd.c | 88 ++++++++++++++++---------------------
|
||||
1 file changed, 37 insertions(+), 51 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
|
||||
index ec3ebd58..dbd718b6 100644
|
||||
--- a/modules/pam_motd/pam_motd.c
|
||||
+++ b/modules/pam_motd/pam_motd.c
|
||||
@@ -22,6 +22,7 @@
|
||||
#include <sys/stat.h>
|
||||
#include <pwd.h>
|
||||
#include <syslog.h>
|
||||
+#include <errno.h>
|
||||
|
||||
#include <security/_pam_macros.h>
|
||||
#include <security/pam_ext.h>
|
||||
@@ -48,8 +49,8 @@ pam_sm_close_session (pam_handle_t *pamh UNUSED, int flags UNUSED,
|
||||
return PAM_IGNORE;
|
||||
}
|
||||
|
||||
-static char default_motd[] = DEFAULT_MOTD;
|
||||
-static char default_motd_dir[] = DEFAULT_MOTD_D;
|
||||
+static const char default_motd[] = DEFAULT_MOTD;
|
||||
+static const char default_motd_dir[] = DEFAULT_MOTD_D;
|
||||
|
||||
static void try_to_display_fd(pam_handle_t *pamh, int fd)
|
||||
{
|
||||
@@ -75,28 +76,6 @@ static void try_to_display_fd(pam_handle_t *pamh, int fd)
|
||||
_pam_drop(mtmp);
|
||||
}
|
||||
|
||||
-static void try_to_display_directory(pam_handle_t *pamh, const char *dirname)
|
||||
-{
|
||||
- DIR *dirp;
|
||||
-
|
||||
- dirp = opendir(dirname);
|
||||
-
|
||||
- if (dirp != NULL) {
|
||||
- struct dirent *entry;
|
||||
-
|
||||
- while ((entry = readdir(dirp))) {
|
||||
- int fd = openat(dirfd(dirp), entry->d_name, O_RDONLY);
|
||||
-
|
||||
- if (fd >= 0) {
|
||||
- try_to_display_fd(pamh, fd);
|
||||
- close(fd);
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- closedir(dirp);
|
||||
- }
|
||||
-}
|
||||
-
|
||||
/*
|
||||
* Split a DELIM-separated string ARG into an array.
|
||||
* Outputs a newly allocated array of strings OUT_ARG_SPLIT
|
||||
@@ -104,14 +83,14 @@ static void try_to_display_directory(pam_handle_t *pamh, const char *dirname)
|
||||
* Returns 0 in case of error, 1 in case of success.
|
||||
*/
|
||||
static int pam_split_string(const pam_handle_t *pamh, char *arg, char delim,
|
||||
- char ***out_arg_split, uint *out_num_strs)
|
||||
+ char ***out_arg_split, unsigned int *out_num_strs)
|
||||
{
|
||||
char *arg_extracted = NULL;
|
||||
const char *arg_ptr = arg;
|
||||
char **arg_split = NULL;
|
||||
char delim_str[2];
|
||||
- int i = 0;
|
||||
- uint num_strs = 0;
|
||||
+ unsigned int i = 0;
|
||||
+ unsigned int num_strs = 0;
|
||||
int retval = 0;
|
||||
|
||||
delim_str[0] = delim;
|
||||
@@ -126,7 +105,7 @@ static int pam_split_string(const pam_handle_t *pamh, char *arg, char delim,
|
||||
arg_ptr = strchr(arg_ptr + sizeof(const char), delim);
|
||||
}
|
||||
|
||||
- arg_split = (char **)calloc(num_strs, sizeof(char *));
|
||||
+ arg_split = calloc(num_strs, sizeof(char *));
|
||||
if (arg_split == NULL) {
|
||||
pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate string array");
|
||||
goto out;
|
||||
@@ -180,10 +159,10 @@ static int join_dir_strings(char **strp_out, const char *a_str, const char *b_st
|
||||
return retval;
|
||||
}
|
||||
|
||||
-static int compare_strings(const void * a, const void * b)
|
||||
+static int compare_strings(const void *a, const void *b)
|
||||
{
|
||||
- const char *a_str = *(char **)a;
|
||||
- const char *b_str = *(char **)b;
|
||||
+ const char *a_str = *(const char * const *)a;
|
||||
+ const char *b_str = *(const char * const *)b;
|
||||
|
||||
if (a_str == NULL && b_str == NULL) {
|
||||
return 0;
|
||||
@@ -205,13 +184,13 @@ static int filter_dirents(const struct dirent *d)
|
||||
}
|
||||
|
||||
static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
|
||||
- char **motd_dir_path_split, int num_motd_dirs)
|
||||
+ char **motd_dir_path_split, unsigned int num_motd_dirs, int report_missing)
|
||||
{
|
||||
struct dirent ***dirscans = NULL;
|
||||
- int *dirscans_sizes = NULL;
|
||||
- int dirscans_size_total = 0;
|
||||
+ unsigned int *dirscans_sizes = NULL;
|
||||
+ unsigned int dirscans_size_total = 0;
|
||||
char **dirnames_all = NULL;
|
||||
- int i;
|
||||
+ unsigned int i;
|
||||
int i_dirnames = 0;
|
||||
|
||||
if (pamh == NULL || motd_dir_path_split == NULL) {
|
||||
@@ -221,29 +200,31 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
|
||||
goto out;
|
||||
}
|
||||
|
||||
- if ((dirscans = (struct dirent ***)calloc(num_motd_dirs,
|
||||
- sizeof(struct dirent **))) == NULL) {
|
||||
+ if ((dirscans = calloc(num_motd_dirs, sizeof(struct dirent **))) == NULL) {
|
||||
pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate dirent arrays");
|
||||
goto out;
|
||||
}
|
||||
- if ((dirscans_sizes = (int *)calloc(num_motd_dirs, sizeof(int))) == NULL) {
|
||||
+ if ((dirscans_sizes = calloc(num_motd_dirs, sizeof(int))) == NULL) {
|
||||
pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate dirent array sizes");
|
||||
goto out;
|
||||
}
|
||||
|
||||
for (i = 0; i < num_motd_dirs; i++) {
|
||||
- dirscans_sizes[i] = scandir(motd_dir_path_split[i], &(dirscans[i]),
|
||||
+ int rv;
|
||||
+ rv = scandir(motd_dir_path_split[i], &(dirscans[i]),
|
||||
filter_dirents, alphasort);
|
||||
- if (dirscans_sizes[i] < 0) {
|
||||
- pam_syslog(pamh, LOG_ERR, "pam_motd: error scanning directory %s", motd_dir_path_split[i]);
|
||||
- dirscans_sizes[i] = 0;
|
||||
+ if (rv < 0) {
|
||||
+ if (errno != ENOENT || report_missing) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "pam_motd: error scanning directory %s: %m",
|
||||
+ motd_dir_path_split[i]);
|
||||
+ }
|
||||
+ dirscans_sizes[i] = rv;
|
||||
}
|
||||
dirscans_size_total += dirscans_sizes[i];
|
||||
}
|
||||
|
||||
/* Allocate space for all file names found in the directories, including duplicates. */
|
||||
- if ((dirnames_all = (char **)calloc(dirscans_size_total,
|
||||
- sizeof(char *))) == NULL) {
|
||||
+ if ((dirnames_all = calloc(dirscans_size_total, sizeof(char *))) == NULL) {
|
||||
pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate dirname array");
|
||||
goto out;
|
||||
}
|
||||
@@ -253,7 +234,7 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
|
||||
}
|
||||
|
||||
for (i = 0; i < num_motd_dirs; i++) {
|
||||
- int j;
|
||||
+ unsigned int j;
|
||||
|
||||
for (j = 0; j < dirscans_sizes[i]; j++) {
|
||||
dirnames_all[i_dirnames] = dirscans[i][j]->d_name;
|
||||
@@ -265,7 +246,7 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
|
||||
sizeof(const char *), compare_strings);
|
||||
|
||||
for (i = 0; i < dirscans_size_total; i++) {
|
||||
- int j;
|
||||
+ unsigned int j;
|
||||
|
||||
if (dirnames_all[i] == NULL) {
|
||||
continue;
|
||||
@@ -301,7 +282,8 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
|
||||
out:
|
||||
_pam_drop(dirnames_all);
|
||||
for (i = 0; i < num_motd_dirs; i++) {
|
||||
- int j;
|
||||
+ unsigned int j;
|
||||
+
|
||||
for (j = 0; j < dirscans_sizes[i]; j++) {
|
||||
_pam_drop(dirscans[i][j]);
|
||||
}
|
||||
@@ -319,12 +301,13 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
|
||||
int retval = PAM_IGNORE;
|
||||
const char *motd_path = NULL;
|
||||
char *motd_path_copy = NULL;
|
||||
- int num_motd_paths = 0;
|
||||
+ unsigned int num_motd_paths = 0;
|
||||
char **motd_path_split = NULL;
|
||||
const char *motd_dir_path = NULL;
|
||||
char *motd_dir_path_copy = NULL;
|
||||
- int num_motd_dir_paths = 0;
|
||||
+ unsigned int num_motd_dir_paths = 0;
|
||||
char **motd_dir_path_split = NULL;
|
||||
+ int report_missing;
|
||||
|
||||
if (flags & PAM_SILENT) {
|
||||
return retval;
|
||||
@@ -360,6 +343,9 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
|
||||
if (motd_path == NULL && motd_dir_path == NULL) {
|
||||
motd_path = default_motd;
|
||||
motd_dir_path = default_motd_dir;
|
||||
+ report_missing = 0;
|
||||
+ } else {
|
||||
+ report_missing = 1;
|
||||
}
|
||||
|
||||
if (motd_path != NULL) {
|
||||
@@ -385,7 +371,7 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
|
||||
}
|
||||
|
||||
if (motd_path_split != NULL) {
|
||||
- int i;
|
||||
+ unsigned int i;
|
||||
|
||||
for (i = 0; i < num_motd_paths; i++) {
|
||||
int fd = open(motd_path_split[i], O_RDONLY, 0);
|
||||
@@ -402,7 +388,7 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
|
||||
|
||||
if (motd_dir_path_split != NULL)
|
||||
try_to_display_directories_with_overrides(pamh, motd_dir_path_split,
|
||||
- num_motd_dir_paths);
|
||||
+ num_motd_dir_paths, report_missing);
|
||||
|
||||
out:
|
||||
_pam_drop(motd_path_copy);
|
||||
--
|
||||
2.37.3
|
||||
|
||||
From c2c0434bd634a817f2b16ce7f58fc96c04e88b03 Mon Sep 17 00:00:00 2001
|
||||
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
||||
Date: Sun, 26 Apr 2020 11:12:59 +0000
|
||||
Subject: [PATCH] pam_motd: fix NULL dereference when at least one of motd
|
||||
directories is not available
|
||||
|
||||
* modules/pam_motd/pam_motd.c
|
||||
(try_to_display_directories_with_overrides): Do not assign -1U to
|
||||
dirscans_sizes[i] when scandir(motd_dir_path_split[i]) returns an error.
|
||||
|
||||
Resolves: https://bugzilla.altlinux.org/38389
|
||||
Fixes: d57ab221 ("pam_motd: Cleanup the code and avoid unnecessary logging")
|
||||
---
|
||||
modules/pam_motd/pam_motd.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
|
||||
index df09b7d0..8147c6fd 100644
|
||||
--- a/modules/pam_motd/pam_motd.c
|
||||
+++ b/modules/pam_motd/pam_motd.c
|
||||
@@ -219,6 +219,7 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
|
||||
pam_syslog(pamh, LOG_ERR, "pam_motd: error scanning directory %s: %m",
|
||||
motd_dir_path_split[i]);
|
||||
}
|
||||
+ } else {
|
||||
dirscans_sizes[i] = rv;
|
||||
}
|
||||
dirscans_size_total += dirscans_sizes[i];
|
||||
--
|
||||
2.37.3
|
||||
|
@ -0,0 +1,57 @@
|
||||
From 62cd745d730e5ba13d5d7092ac566fc0b2148e61 Mon Sep 17 00:00:00 2001
|
||||
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
||||
Date: Sun, 26 Apr 2020 11:12:59 +0000
|
||||
Subject: [PATCH] pam_motd: fix memory leak
|
||||
|
||||
pam_motd used to leak memory allocated for each motd file
|
||||
successfully opened in try_to_display_directories_with_overrides.
|
||||
|
||||
* modules/pam_motd/pam_motd.c
|
||||
(try_to_display_directories_with_overrides): Free abs_path.
|
||||
|
||||
Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
|
||||
---
|
||||
modules/pam_motd/pam_motd.c | 20 ++++++++++----------
|
||||
1 file changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
|
||||
index f0cd317d..3be129a5 100644
|
||||
--- a/modules/pam_motd/pam_motd.c
|
||||
+++ b/modules/pam_motd/pam_motd.c
|
||||
@@ -259,23 +259,23 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
|
||||
|
||||
for (j = 0; j < num_motd_dirs; j++) {
|
||||
char *abs_path = NULL;
|
||||
+ int fd;
|
||||
|
||||
if (join_dir_strings(&abs_path, motd_dir_path_split[j],
|
||||
- dirnames_all[i]) < 0) {
|
||||
+ dirnames_all[i]) < 0 || abs_path == NULL) {
|
||||
continue;
|
||||
}
|
||||
|
||||
- if (abs_path != NULL) {
|
||||
- int fd = open(abs_path, O_RDONLY, 0);
|
||||
- if (fd >= 0) {
|
||||
- try_to_display_fd(pamh, fd);
|
||||
- close(fd);
|
||||
+ fd = open(abs_path, O_RDONLY, 0);
|
||||
+ _pam_drop(abs_path);
|
||||
|
||||
- /* We displayed a file, skip to the next file name. */
|
||||
- break;
|
||||
- }
|
||||
+ if (fd >= 0) {
|
||||
+ try_to_display_fd(pamh, fd);
|
||||
+ close(fd);
|
||||
+
|
||||
+ /* We displayed a file, skip to the next file name. */
|
||||
+ break;
|
||||
}
|
||||
- _pam_drop(abs_path);
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.35.3
|
||||
|
@ -0,0 +1,133 @@
|
||||
From 8eaf5570cf011148a0b55c53570df5edaafebdb0 Mon Sep 17 00:00:00 2001
|
||||
From: Robert Fairley <rfairley@users.noreply.github.com>
|
||||
Date: Wed, 21 Nov 2018 02:46:02 -0500
|
||||
Subject: [PATCH] pam_motd: Fix segmentation fault when no motd_dir specified
|
||||
(#76)
|
||||
|
||||
This fixes a regression introduced by #69, where motd_path was set
|
||||
to NULL and passed into strdup() if the motd_dir argument was
|
||||
not specified in the configuration file. This caused a segmentation
|
||||
fault.
|
||||
|
||||
* modules/pam_motd/pam_motd.c: fix checks for NULL in arguments
|
||||
* xtests/Makefile.am: add test scripts and config file
|
||||
* xtests/tst-pam_motd.sh: add running tst-pam_motd4.sh
|
||||
* xtests/tst-pam_motd4.pamd: create
|
||||
* xtests/tst-pam_motd4.sh: create
|
||||
---
|
||||
modules/pam_motd/pam_motd.c | 15 ++++++++++-----
|
||||
xtests/Makefile.am | 4 ++--
|
||||
xtests/tst-pam_motd.sh | 1 +
|
||||
xtests/tst-pam_motd4.pamd | 3 +++
|
||||
xtests/tst-pam_motd4.sh | 27 +++++++++++++++++++++++++++
|
||||
5 files changed, 43 insertions(+), 7 deletions(-)
|
||||
create mode 100644 xtests/tst-pam_motd4.pamd
|
||||
create mode 100755 xtests/tst-pam_motd4.sh
|
||||
|
||||
diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
|
||||
index 1c1cfcfa..ec3ebd58 100644
|
||||
--- a/modules/pam_motd/pam_motd.c
|
||||
+++ b/modules/pam_motd/pam_motd.c
|
||||
@@ -132,7 +132,6 @@ static int pam_split_string(const pam_handle_t *pamh, char *arg, char delim,
|
||||
goto out;
|
||||
}
|
||||
|
||||
-
|
||||
arg_extracted = strtok_r(arg, delim_str, &arg);
|
||||
while (arg_extracted != NULL && i < num_strs) {
|
||||
arg_split[i++] = arg_extracted;
|
||||
@@ -363,15 +362,21 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
|
||||
motd_dir_path = default_motd_dir;
|
||||
}
|
||||
|
||||
- motd_path_copy = strdup(motd_path);
|
||||
+ if (motd_path != NULL) {
|
||||
+ motd_path_copy = strdup(motd_path);
|
||||
+ }
|
||||
+
|
||||
if (motd_path_copy != NULL) {
|
||||
- if (pam_split_string(pamh, motd_path_copy, ':', &motd_path_split,
|
||||
- &num_motd_paths) == 0) {
|
||||
+ if (pam_split_string(pamh, motd_path_copy, ':',
|
||||
+ &motd_path_split, &num_motd_paths) == 0) {
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
- motd_dir_path_copy = strdup(motd_dir_path);
|
||||
+ if (motd_dir_path != NULL) {
|
||||
+ motd_dir_path_copy = strdup(motd_dir_path);
|
||||
+ }
|
||||
+
|
||||
if (motd_dir_path_copy != NULL) {
|
||||
if (pam_split_string(pamh, motd_dir_path_copy, ':',
|
||||
&motd_dir_path_split, &num_motd_dir_paths) == 0) {
|
||||
diff --git a/xtests/Makefile.am b/xtests/Makefile.am
|
||||
index 555d5e33..4d5aba3d 100644
|
||||
--- a/xtests/Makefile.am
|
||||
+++ b/xtests/Makefile.am
|
||||
@@ -34,8 +34,8 @@ EXTRA_DIST = run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \
|
||||
tst-pam_pwhistory1.pamd tst-pam_pwhistory1.sh \
|
||||
tst-pam_time1.pamd time.conf \
|
||||
tst-pam_motd.sh tst-pam_motd1.sh tst-pam_motd2.sh \
|
||||
- tst-pam_motd3.sh tst-pam_motd1.pamd \
|
||||
- tst-pam_motd2.pamd tst-pam_motd3.pamd
|
||||
+ tst-pam_motd3.sh tst-pam_motd4.sh tst-pam_motd1.pamd \
|
||||
+ tst-pam_motd2.pamd tst-pam_motd3.pamd tst-pam_motd4.pamd
|
||||
|
||||
XTESTS = tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \
|
||||
tst-pam_dispatch4 tst-pam_dispatch5 \
|
||||
diff --git a/xtests/tst-pam_motd.sh b/xtests/tst-pam_motd.sh
|
||||
index 9b0c38f6..90801280 100755
|
||||
--- a/xtests/tst-pam_motd.sh
|
||||
+++ b/xtests/tst-pam_motd.sh
|
||||
@@ -5,3 +5,4 @@ set -e
|
||||
./tst-pam_motd1.sh
|
||||
./tst-pam_motd2.sh
|
||||
./tst-pam_motd3.sh
|
||||
+./tst-pam_motd4.sh
|
||||
diff --git a/xtests/tst-pam_motd4.pamd b/xtests/tst-pam_motd4.pamd
|
||||
new file mode 100644
|
||||
index 00000000..9dc311ad
|
||||
--- /dev/null
|
||||
+++ b/xtests/tst-pam_motd4.pamd
|
||||
@@ -0,0 +1,3 @@
|
||||
+#%PAM-1.0
|
||||
+session required pam_permit.so
|
||||
+session optional pam_motd.so motd=tst-pam_motd4.d/etc/motd
|
||||
diff --git a/xtests/tst-pam_motd4.sh b/xtests/tst-pam_motd4.sh
|
||||
new file mode 100755
|
||||
index 00000000..6022177f
|
||||
--- /dev/null
|
||||
+++ b/xtests/tst-pam_motd4.sh
|
||||
@@ -0,0 +1,27 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+TST_DIR="tst-pam_motd4.d"
|
||||
+
|
||||
+function tst_cleanup() {
|
||||
+ rm -rf "${TST_DIR}"
|
||||
+ rm -f tst-pam_motd4.out
|
||||
+}
|
||||
+
|
||||
+mkdir -p ${TST_DIR}/etc
|
||||
+
|
||||
+# Verify the case of single motd with no motd_dir given in tst-pam_motd4.pamd
|
||||
+echo "motd: /etc/motd" > ${TST_DIR}/etc/motd
|
||||
+
|
||||
+./tst-pam_motd tst-pam_motd4 > tst-pam_motd4.out
|
||||
+
|
||||
+RET=$?
|
||||
+
|
||||
+motd_to_show_output=$(cat tst-pam_motd4.out | grep "motd: /etc/motd")
|
||||
+if [ -z "${motd_to_show_output}" ];
|
||||
+then
|
||||
+ tst_cleanup
|
||||
+ exit 1
|
||||
+fi
|
||||
+
|
||||
+tst_cleanup
|
||||
+exit $RET
|
||||
--
|
||||
2.35.1
|
||||
|
@ -0,0 +1,691 @@
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml
|
||||
--- Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml.pam_motd-support-multiple-motd-paths1 2022-04-25 12:32:36.939663167 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml 2022-04-25 12:34:43.506582206 +0200
|
||||
@@ -21,6 +21,9 @@
|
||||
<arg choice="opt">
|
||||
motd=<replaceable>/path/filename</replaceable>
|
||||
</arg>
|
||||
+ <arg choice="opt">
|
||||
+ motd_dir=<replaceable>/path/dirname.d</replaceable>
|
||||
+ </arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
@@ -31,18 +34,49 @@
|
||||
<para>
|
||||
pam_motd is a PAM module that can be used to display
|
||||
arbitrary motd (message of the day) files after a successful
|
||||
- login. By default the <filename>/etc/motd</filename> file and
|
||||
- all files from <filename>/etc/motd.d</filename> are
|
||||
- shown. The message size is limited to 64KB.
|
||||
+ login. By default, pam_motd shows files in the
|
||||
+ following locations:
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ <simplelist type='vert'>
|
||||
+ <member><filename>/etc/motd</filename></member>
|
||||
+ <member><filename>/run/motd</filename></member>
|
||||
+ <member><filename>/usr/lib/motd</filename></member>
|
||||
+ <member><filename>/etc/motd.d/</filename></member>
|
||||
+ <member><filename>/run/motd.d/</filename></member>
|
||||
+ <member><filename>/usr/lib/motd.d/</filename></member>
|
||||
+ </simplelist>
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Each message size is limited to 64KB.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ If <filename>/etc/motd</filename> does not exist,
|
||||
+ then <filename>/run/motd</filename> is shown. If
|
||||
+ <filename>/run/motd</filename> does not exist, then
|
||||
+ <filename>/usr/lib/motd</filename> is shown.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Similar overriding behavior applies to the directories.
|
||||
+ Files in <filename>/etc/motd.d/</filename> override files
|
||||
+ with the same name in <filename>/run/motd.d/</filename> and
|
||||
+ <filename>/usr/lib/motd.d/</filename>. Files in <filename>/run/motd.d/</filename>
|
||||
+ override files with the same name in <filename>/usr/lib/motd.d/</filename>.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Files in the directories listed above are displayed in lexicographic
|
||||
+ order by name. Moreover, the files are filtered by reading them with the
|
||||
+ credentials of the target user authenticating on the system.
|
||||
</para>
|
||||
<para>
|
||||
To silence a message,
|
||||
a symbolic link with target <filename>/dev/null</filename>
|
||||
may be placed in <filename>/etc/motd.d</filename> with
|
||||
the same filename as the message to be silenced. Example:
|
||||
+ Creating a symbolic link as follows silences <filename>/usr/lib/motd.d/my_motd</filename>.
|
||||
</para>
|
||||
<para>
|
||||
- <command>ln -sfn /dev/null /etc/motd.d/my_motd</command>
|
||||
+ <command>ln -s /dev/null /etc/motd.d/my_motd</command>
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
@@ -56,8 +90,10 @@
|
||||
</term>
|
||||
<listitem>
|
||||
<para>
|
||||
- The <filename>/path/filename</filename> file is displayed
|
||||
- as message of the day.
|
||||
+ The <filename>/path/filename</filename> file is displayed
|
||||
+ as message of the day. Multiple paths to try can be
|
||||
+ specified as a colon-separated list. By default this option
|
||||
+ is set to <filename>/etc/motd:/run/motd:/usr/lib/motd</filename>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -68,16 +104,17 @@
|
||||
<listitem>
|
||||
<para>
|
||||
The <filename>/path/dirname.d</filename> directory is scanned
|
||||
- and each file contained inside of it is displayed.
|
||||
+ and each file contained inside of it is displayed. Multiple
|
||||
+ directories to scan can be specified as a colon-separated list.
|
||||
+ By default this option is set to <filename>/etc/motd.d:/run/motd.d:/usr/lib/motd.d</filename>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
<para>
|
||||
- When no options are given, the default is to display both
|
||||
- <filename>/etc/motd</filename> and the contents of
|
||||
- <filename>/etc/motd.d</filename>. Specifying either option (or both)
|
||||
- will disable this default behavior.
|
||||
+ When no options are given, the default behavior applies for both
|
||||
+ options. Specifying either option (or both) will disable the
|
||||
+ default behavior for both options.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_motd/pam_motd.c.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/modules/pam_motd/pam_motd.c
|
||||
--- Linux-PAM-1.3.1/modules/pam_motd/pam_motd.c.pam_motd-support-multiple-motd-paths1 2018-05-18 11:50:46.000000000 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/pam_motd/pam_motd.c 2022-04-25 12:32:36.947663225 +0200
|
||||
@@ -33,8 +33,8 @@
|
||||
*/
|
||||
|
||||
#define PAM_SM_SESSION
|
||||
-#define DEFAULT_MOTD "/etc/motd"
|
||||
-#define DEFAULT_MOTD_D "/etc/motd.d"
|
||||
+#define DEFAULT_MOTD "/etc/motd:/run/motd:/usr/lib/motd"
|
||||
+#define DEFAULT_MOTD_D "/etc/motd.d:/run/motd.d:/usr/lib/motd.d"
|
||||
|
||||
#include <security/pam_modules.h>
|
||||
#include <security/pam_modutil.h>
|
||||
@@ -97,12 +97,235 @@ static void try_to_display_directory(pam
|
||||
}
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Split a DELIM-separated string ARG into an array.
|
||||
+ * Outputs a newly allocated array of strings OUT_ARG_SPLIT
|
||||
+ * and the number of strings OUT_NUM_STRS.
|
||||
+ * Returns 0 in case of error, 1 in case of success.
|
||||
+ */
|
||||
+static int pam_split_string(const pam_handle_t *pamh, char *arg, char delim,
|
||||
+ char ***out_arg_split, uint *out_num_strs)
|
||||
+{
|
||||
+ char *arg_extracted = NULL;
|
||||
+ const char *arg_ptr = arg;
|
||||
+ char **arg_split = NULL;
|
||||
+ char delim_str[2];
|
||||
+ int i = 0;
|
||||
+ uint num_strs = 0;
|
||||
+ int retval = 0;
|
||||
+
|
||||
+ delim_str[0] = delim;
|
||||
+ delim_str[1] = '\0';
|
||||
+
|
||||
+ if (arg == NULL) {
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ while (arg_ptr != NULL) {
|
||||
+ num_strs++;
|
||||
+ arg_ptr = strchr(arg_ptr + sizeof(const char), delim);
|
||||
+ }
|
||||
+
|
||||
+ arg_split = (char **)calloc(num_strs, sizeof(char *));
|
||||
+ if (arg_split == NULL) {
|
||||
+ pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate string array");
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+
|
||||
+ arg_extracted = strtok_r(arg, delim_str, &arg);
|
||||
+ while (arg_extracted != NULL && i < num_strs) {
|
||||
+ arg_split[i++] = arg_extracted;
|
||||
+ arg_extracted = strtok_r(NULL, delim_str, &arg);
|
||||
+ }
|
||||
+
|
||||
+ retval = 1;
|
||||
+
|
||||
+ out:
|
||||
+ *out_num_strs = num_strs;
|
||||
+ *out_arg_split = arg_split;
|
||||
+
|
||||
+ return retval;
|
||||
+}
|
||||
+
|
||||
+/* Join A_STR and B_STR, inserting a "/" between them if one is not already trailing
|
||||
+ * in A_STR or beginning B_STR. A pointer to a newly allocated string holding the
|
||||
+ * joined string is returned in STRP_OUT.
|
||||
+ * Returns -1 in case of error, or the number of bytes in the joined string in
|
||||
+ * case of success. */
|
||||
+static int join_dir_strings(char **strp_out, const char *a_str, const char *b_str)
|
||||
+{
|
||||
+ int has_sep = 0;
|
||||
+ int retval = -1;
|
||||
+ char *join_strp = NULL;
|
||||
+
|
||||
+ if (strp_out == NULL || a_str == NULL || b_str == NULL) {
|
||||
+ goto out;
|
||||
+ }
|
||||
+ if (strlen(a_str) == 0) {
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ has_sep = (a_str[strlen(a_str) - 1] == '/') || (b_str[0] == '/');
|
||||
+
|
||||
+ retval = asprintf(&join_strp, "%s%s%s", a_str,
|
||||
+ (has_sep == 1) ? "" : "/", b_str);
|
||||
+
|
||||
+ if (retval < 0) {
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ *strp_out = join_strp;
|
||||
+
|
||||
+ out:
|
||||
+ return retval;
|
||||
+}
|
||||
+
|
||||
+static int compare_strings(const void * a, const void * b)
|
||||
+{
|
||||
+ const char *a_str = *(char **)a;
|
||||
+ const char *b_str = *(char **)b;
|
||||
+
|
||||
+ if (a_str == NULL && b_str == NULL) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ else if (a_str == NULL) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+ else if (b_str == NULL) {
|
||||
+ return 1;
|
||||
+ }
|
||||
+ else {
|
||||
+ return strcmp(a_str, b_str);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static int filter_dirents(const struct dirent *d)
|
||||
+{
|
||||
+ return (d->d_type == DT_REG || d->d_type == DT_LNK);
|
||||
+}
|
||||
+
|
||||
+static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
|
||||
+ char **motd_dir_path_split, int num_motd_dirs)
|
||||
+{
|
||||
+ struct dirent ***dirscans = NULL;
|
||||
+ int *dirscans_sizes = NULL;
|
||||
+ int dirscans_size_total = 0;
|
||||
+ char **dirnames_all = NULL;
|
||||
+ int i;
|
||||
+ int i_dirnames = 0;
|
||||
+
|
||||
+ if (pamh == NULL || motd_dir_path_split == NULL) {
|
||||
+ goto out;
|
||||
+ }
|
||||
+ if (num_motd_dirs < 1) {
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ if ((dirscans = (struct dirent ***)calloc(num_motd_dirs,
|
||||
+ sizeof(struct dirent **))) == NULL) {
|
||||
+ pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate dirent arrays");
|
||||
+ goto out;
|
||||
+ }
|
||||
+ if ((dirscans_sizes = (int *)calloc(num_motd_dirs, sizeof(int))) == NULL) {
|
||||
+ pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate dirent array sizes");
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < num_motd_dirs; i++) {
|
||||
+ dirscans_sizes[i] = scandir(motd_dir_path_split[i], &(dirscans[i]),
|
||||
+ filter_dirents, alphasort);
|
||||
+ if (dirscans_sizes[i] < 0) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "pam_motd: error scanning directory %s", motd_dir_path_split[i]);
|
||||
+ dirscans_sizes[i] = 0;
|
||||
+ }
|
||||
+ dirscans_size_total += dirscans_sizes[i];
|
||||
+ }
|
||||
+
|
||||
+ /* Allocate space for all file names found in the directories, including duplicates. */
|
||||
+ if ((dirnames_all = (char **)calloc(dirscans_size_total,
|
||||
+ sizeof(char *))) == NULL) {
|
||||
+ pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate dirname array");
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < dirscans_size_total; i++) {
|
||||
+ dirnames_all[i] = NULL;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < num_motd_dirs; i++) {
|
||||
+ int j;
|
||||
+
|
||||
+ for (j = 0; j < dirscans_sizes[i]; j++) {
|
||||
+ dirnames_all[i_dirnames] = dirscans[i][j]->d_name;
|
||||
+ i_dirnames++;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ qsort(dirnames_all, dirscans_size_total,
|
||||
+ sizeof(const char *), compare_strings);
|
||||
+
|
||||
+ for (i = 0; i < dirscans_size_total; i++) {
|
||||
+ int j;
|
||||
+
|
||||
+ if (dirnames_all[i] == NULL) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ /* Skip duplicate file names. */
|
||||
+ if (i > 0 && strcmp(dirnames_all[i], dirnames_all[i - 1]) == 0) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ for (j = 0; j < num_motd_dirs; j++) {
|
||||
+ char *abs_path = NULL;
|
||||
+
|
||||
+ if (join_dir_strings(&abs_path, motd_dir_path_split[j],
|
||||
+ dirnames_all[i]) < 0) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ if (abs_path != NULL) {
|
||||
+ int fd = open(abs_path, O_RDONLY, 0);
|
||||
+ if (fd >= 0) {
|
||||
+ try_to_display_fd(pamh, fd);
|
||||
+ close(fd);
|
||||
+
|
||||
+ /* We displayed a file, skip to the next file name. */
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ _pam_drop(abs_path);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ out:
|
||||
+ _pam_drop(dirnames_all);
|
||||
+ for (i = 0; i < num_motd_dirs; i++) {
|
||||
+ int j;
|
||||
+ for (j = 0; j < dirscans_sizes[i]; j++) {
|
||||
+ _pam_drop(dirscans[i][j]);
|
||||
+ }
|
||||
+ _pam_drop(dirscans[i]);
|
||||
+ }
|
||||
+ _pam_drop(dirscans_sizes);
|
||||
+ _pam_drop(dirscans);
|
||||
+
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
int pam_sm_open_session(pam_handle_t *pamh, int flags,
|
||||
int argc, const char **argv)
|
||||
{
|
||||
int retval = PAM_IGNORE;
|
||||
const char *motd_path = NULL;
|
||||
+ char *motd_path_copy = NULL;
|
||||
+ int num_motd_paths = 0;
|
||||
+ char **motd_path_split = NULL;
|
||||
const char *motd_dir_path = NULL;
|
||||
+ char *motd_dir_path_copy = NULL;
|
||||
+ int num_motd_dir_paths = 0;
|
||||
+ char **motd_dir_path_split = NULL;
|
||||
|
||||
if (flags & PAM_SILENT) {
|
||||
return retval;
|
||||
@@ -140,17 +363,47 @@ int pam_sm_open_session(pam_handle_t *pa
|
||||
motd_dir_path = default_motd_dir;
|
||||
}
|
||||
|
||||
- if (motd_path != NULL) {
|
||||
- int fd = open(motd_path, O_RDONLY, 0);
|
||||
+ motd_path_copy = strdup(motd_path);
|
||||
+ if (motd_path_copy != NULL) {
|
||||
+ if (pam_split_string(pamh, motd_path_copy, ':', &motd_path_split,
|
||||
+ &num_motd_paths) == 0) {
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ motd_dir_path_copy = strdup(motd_dir_path);
|
||||
+ if (motd_dir_path_copy != NULL) {
|
||||
+ if (pam_split_string(pamh, motd_dir_path_copy, ':',
|
||||
+ &motd_dir_path_split, &num_motd_dir_paths) == 0) {
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (motd_path_split != NULL) {
|
||||
+ int i;
|
||||
+
|
||||
+ for (i = 0; i < num_motd_paths; i++) {
|
||||
+ int fd = open(motd_path_split[i], O_RDONLY, 0);
|
||||
|
||||
- if (fd >= 0) {
|
||||
- try_to_display_fd(pamh, fd);
|
||||
- close(fd);
|
||||
+ if (fd >= 0) {
|
||||
+ try_to_display_fd(pamh, fd);
|
||||
+ close(fd);
|
||||
+
|
||||
+ /* We found and displayed a file, move onto next filename. */
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
- if (motd_dir_path != NULL)
|
||||
- try_to_display_directory(pamh, motd_dir_path);
|
||||
+ if (motd_dir_path_split != NULL)
|
||||
+ try_to_display_directories_with_overrides(pamh, motd_dir_path_split,
|
||||
+ num_motd_dir_paths);
|
||||
+
|
||||
+ out:
|
||||
+ _pam_drop(motd_path_copy);
|
||||
+ _pam_drop(motd_path_split);
|
||||
+ _pam_drop(motd_dir_path_copy);
|
||||
+ _pam_drop(motd_dir_path_split);
|
||||
|
||||
return retval;
|
||||
}
|
||||
diff -up Linux-PAM-1.3.1/xtests/Makefile.am.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/xtests/Makefile.am
|
||||
--- Linux-PAM-1.3.1/xtests/Makefile.am.pam_motd-support-multiple-motd-paths1 2017-02-10 11:10:15.000000000 +0100
|
||||
+++ Linux-PAM-1.3.1/xtests/Makefile.am 2022-04-25 12:32:36.947663225 +0200
|
||||
@@ -32,7 +32,10 @@ EXTRA_DIST = run-xtests.sh tst-pam_dispa
|
||||
tst-pam_substack5.pamd tst-pam_substack5a.pamd tst-pam_substack5.sh \
|
||||
tst-pam_assemble_line1.pamd tst-pam_assemble_line1.sh \
|
||||
tst-pam_pwhistory1.pamd tst-pam_pwhistory1.sh \
|
||||
- tst-pam_time1.pamd time.conf
|
||||
+ tst-pam_time1.pamd time.conf \
|
||||
+ tst-pam_motd.sh tst-pam_motd1.sh tst-pam_motd2.sh \
|
||||
+ tst-pam_motd3.sh tst-pam_motd1.pamd \
|
||||
+ tst-pam_motd2.pamd tst-pam_motd3.pamd
|
||||
|
||||
XTESTS = tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \
|
||||
tst-pam_dispatch4 tst-pam_dispatch5 \
|
||||
@@ -41,7 +44,7 @@ XTESTS = tst-pam_dispatch1 tst-pam_dispa
|
||||
tst-pam_access1 tst-pam_access2 tst-pam_access3 \
|
||||
tst-pam_access4 tst-pam_limits1 tst-pam_succeed_if1 \
|
||||
tst-pam_group1 tst-pam_authfail tst-pam_authsucceed \
|
||||
- tst-pam_pwhistory1 tst-pam_time1
|
||||
+ tst-pam_pwhistory1 tst-pam_time1 tst-pam_motd
|
||||
|
||||
NOSRCTESTS = tst-pam_substack1 tst-pam_substack2 tst-pam_substack3 \
|
||||
tst-pam_substack4 tst-pam_substack5 tst-pam_assemble_line1
|
||||
diff -up Linux-PAM-1.3.1/xtests/tst-pam_motd1.pamd.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/xtests/tst-pam_motd1.pamd
|
||||
--- Linux-PAM-1.3.1/xtests/tst-pam_motd1.pamd.pam_motd-support-multiple-motd-paths1 2022-04-25 12:32:36.947663225 +0200
|
||||
+++ Linux-PAM-1.3.1/xtests/tst-pam_motd1.pamd 2022-04-25 12:32:36.947663225 +0200
|
||||
@@ -0,0 +1,3 @@
|
||||
+#%PAM-1.0
|
||||
+session required pam_permit.so
|
||||
+session optional pam_motd.so motd=tst-pam_motd1.d/etc/motd motd_dir=tst-pam_motd1.d/etc/motd.d
|
||||
diff -up Linux-PAM-1.3.1/xtests/tst-pam_motd1.sh.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/xtests/tst-pam_motd1.sh
|
||||
--- Linux-PAM-1.3.1/xtests/tst-pam_motd1.sh.pam_motd-support-multiple-motd-paths1 2022-04-25 12:32:36.947663225 +0200
|
||||
+++ Linux-PAM-1.3.1/xtests/tst-pam_motd1.sh 2022-04-25 12:32:36.947663225 +0200
|
||||
@@ -0,0 +1,36 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+TST_DIR="tst-pam_motd1.d"
|
||||
+
|
||||
+function tst_cleanup() {
|
||||
+ rm -rf "${TST_DIR}"
|
||||
+ rm -f tst-pam_motd1.out
|
||||
+}
|
||||
+
|
||||
+mkdir -p ${TST_DIR}
|
||||
+mkdir -p ${TST_DIR}/etc/motd.d
|
||||
+
|
||||
+# Verify the case of single motd and motd.d directory works
|
||||
+echo "motd: /etc/motd" > ${TST_DIR}/etc/motd
|
||||
+echo "motd: /etc/motd.d/test" > ${TST_DIR}/etc/motd.d/test
|
||||
+
|
||||
+./tst-pam_motd tst-pam_motd1 > tst-pam_motd1.out
|
||||
+
|
||||
+RET=$?
|
||||
+
|
||||
+motd_to_show_output=$(cat tst-pam_motd1.out | grep "motd: /etc/motd")
|
||||
+if [ -z "${motd_to_show_output}" ];
|
||||
+then
|
||||
+ tst_cleanup
|
||||
+ exit 1
|
||||
+fi
|
||||
+
|
||||
+motd_dir_to_show_output=$(cat tst-pam_motd1.out | grep "motd: /etc/motd.d/test")
|
||||
+if [ -z "${motd_dir_to_show_output}" ];
|
||||
+then
|
||||
+ tst_cleanup
|
||||
+ exit 1
|
||||
+fi
|
||||
+
|
||||
+tst_cleanup
|
||||
+exit $RET
|
||||
diff -up Linux-PAM-1.3.1/xtests/tst-pam_motd2.pamd.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/xtests/tst-pam_motd2.pamd
|
||||
--- Linux-PAM-1.3.1/xtests/tst-pam_motd2.pamd.pam_motd-support-multiple-motd-paths1 2022-04-25 12:32:36.947663225 +0200
|
||||
+++ Linux-PAM-1.3.1/xtests/tst-pam_motd2.pamd 2022-04-25 12:32:36.947663225 +0200
|
||||
@@ -0,0 +1,3 @@
|
||||
+#%PAM-1.0
|
||||
+session required pam_permit.so
|
||||
+session optional pam_motd.so motd=tst-pam_motd2.d/etc/motd:tst-pam_motd2.d/run/motd:tst-pam_motd2.d/usr/lib/motd motd_dir=tst-pam_motd2.d/etc/motd.d:tst-pam_motd2.d/run/motd.d:tst-pam_motd2.d/usr/lib/motd.d
|
||||
diff -up Linux-PAM-1.3.1/xtests/tst-pam_motd2.sh.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/xtests/tst-pam_motd2.sh
|
||||
--- Linux-PAM-1.3.1/xtests/tst-pam_motd2.sh.pam_motd-support-multiple-motd-paths1 2022-04-25 12:32:36.947663225 +0200
|
||||
+++ Linux-PAM-1.3.1/xtests/tst-pam_motd2.sh 2022-04-25 12:32:36.947663225 +0200
|
||||
@@ -0,0 +1,53 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+TST_DIR="tst-pam_motd2.d"
|
||||
+
|
||||
+function tst_cleanup() {
|
||||
+ rm -rf "${TST_DIR}"
|
||||
+ rm -f tst-pam_motd2.out
|
||||
+}
|
||||
+
|
||||
+mkdir -p ${TST_DIR}
|
||||
+mkdir -p ${TST_DIR}/etc/motd.d
|
||||
+mkdir -p ${TST_DIR}/run/motd.d
|
||||
+mkdir -p ${TST_DIR}/usr/lib/motd.d
|
||||
+
|
||||
+echo "motd: /etc/motd" > ${TST_DIR}/etc/motd
|
||||
+echo "motd: /run/motd" > ${TST_DIR}/run/motd
|
||||
+echo "motd: /usr/lib/motd" > ${TST_DIR}/usr/lib/motd
|
||||
+
|
||||
+# Drop a motd file in test directories such that every overriding
|
||||
+# condition (for 3 directories in this case) will be seen.
|
||||
+echo "motd: e0r0u1 in usr/lib - will show" > ${TST_DIR}/usr/lib/motd.d/e0r0u1.motd
|
||||
+echo "motd: e0r1u0 in run - will show" > ${TST_DIR}/run/motd.d/e0r1u0.motd
|
||||
+echo "motd: e0r1u1 in usr/lib - not show" > ${TST_DIR}/usr/lib/motd.d/e0r1u1.motd
|
||||
+echo "motd: e0r1u1 in run - will show" > ${TST_DIR}/run/motd.d/e0r1u1.motd
|
||||
+echo "motd: e1r0u0 in etc - will show" > ${TST_DIR}/etc/motd.d/e1r0u0.motd
|
||||
+echo "motd: e1r0u1 in usr/lib - not show" > ${TST_DIR}/usr/lib/motd.d/e1r0u1.motd
|
||||
+echo "motd: e1r0u1 in etc - will show" > ${TST_DIR}/etc/motd.d/e1r0u1.motd
|
||||
+echo "motd: e1r1u0 in run - not show" > ${TST_DIR}/run/motd.d/e1r1u0.motd
|
||||
+echo "motd: e1r1u0 in etc - will show" > ${TST_DIR}/etc/motd.d/e1r1u0.motd
|
||||
+echo "motd: e1r1u1 in usr/lib - not show" > ${TST_DIR}/usr/lib/motd.d/e1r1u1.motd
|
||||
+echo "motd: e1r1u1 in run - not show" > ${TST_DIR}/run/motd.d/e1r1u1.motd
|
||||
+echo "motd: e1r1u1 in etc - will show" > ${TST_DIR}/etc/motd.d/e1r1u1.motd
|
||||
+
|
||||
+./tst-pam_motd tst-pam_motd2 > tst-pam_motd2.out
|
||||
+
|
||||
+RET=$?
|
||||
+
|
||||
+motd_to_show_output=$(cat tst-pam_motd2.out | grep "motd: /etc/motd")
|
||||
+if [ -z "${motd_to_show_output}" ];
|
||||
+then
|
||||
+ tst_cleanup
|
||||
+ exit 1
|
||||
+fi
|
||||
+
|
||||
+motd_dir_not_show_output=$(cat tst-pam_motd2.out | grep "not show")
|
||||
+if [ -n "${motd_dir_not_show_output}" ];
|
||||
+then
|
||||
+ tst_cleanup
|
||||
+ exit 1
|
||||
+fi
|
||||
+
|
||||
+tst_cleanup
|
||||
+exit $RET
|
||||
diff -up Linux-PAM-1.3.1/xtests/tst-pam_motd3.pamd.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/xtests/tst-pam_motd3.pamd
|
||||
--- Linux-PAM-1.3.1/xtests/tst-pam_motd3.pamd.pam_motd-support-multiple-motd-paths1 2022-04-25 12:32:36.947663225 +0200
|
||||
+++ Linux-PAM-1.3.1/xtests/tst-pam_motd3.pamd 2022-04-25 12:32:36.947663225 +0200
|
||||
@@ -0,0 +1,3 @@
|
||||
+#%PAM-1.0
|
||||
+session required pam_permit.so
|
||||
+session optional pam_motd.so motd=tst-pam_motd3.d/etc/motd:tst-pam_motd3.d/run/motd:tst-pam_motd3.d/usr/lib/motd motd_dir=tst-pam_motd3.d/etc/motd.d:tst-pam_motd3.d/run/motd.d:tst-pam_motd3.d/usr/lib/motd.d
|
||||
diff -up Linux-PAM-1.3.1/xtests/tst-pam_motd3.sh.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/xtests/tst-pam_motd3.sh
|
||||
--- Linux-PAM-1.3.1/xtests/tst-pam_motd3.sh.pam_motd-support-multiple-motd-paths1 2022-04-25 12:32:36.947663225 +0200
|
||||
+++ Linux-PAM-1.3.1/xtests/tst-pam_motd3.sh 2022-04-25 12:32:36.947663225 +0200
|
||||
@@ -0,0 +1,53 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+TST_DIR="tst-pam_motd3.d"
|
||||
+
|
||||
+function tst_cleanup() {
|
||||
+ rm -rf "${TST_DIR}"
|
||||
+ rm -f tst-pam_motd3.out
|
||||
+}
|
||||
+
|
||||
+mkdir -p ${TST_DIR}
|
||||
+mkdir -p ${TST_DIR}/etc/motd.d
|
||||
+mkdir -p ${TST_DIR}/run/motd.d
|
||||
+mkdir -p ${TST_DIR}/usr/lib/motd.d
|
||||
+
|
||||
+# Verify motd is still displayed when not overridden
|
||||
+echo "motd: test-show in run - show" > ${TST_DIR}/run/motd.d/test-show.motd
|
||||
+
|
||||
+# Test overridden by a symlink to a file that isn't /dev/null; symlink target should show
|
||||
+echo "motd: hidden-by-symlink in usr/lib - not show" > ${TST_DIR}/usr/lib/motd.d/hidden-by-symlink.motd
|
||||
+echo "motd: test-from-symlink - show" > ${TST_DIR}/test-from-symlink.motd
|
||||
+ln -sr ${TST_DIR}/test-from-symlink.motd ${TST_DIR}/run/motd.d/hidden-by-symlink.motd
|
||||
+
|
||||
+# Test hidden by a null symlink
|
||||
+echo "motd: hidden-by-null-symlink in run - not show" > ${TST_DIR}/run/motd.d/hidden-by-null-symlink.motd
|
||||
+ln -s /dev/null ${TST_DIR}/etc/motd.d/hidden-by-null-symlink.motd
|
||||
+
|
||||
+./tst-pam_motd tst-pam_motd3 > tst-pam_motd3.out
|
||||
+
|
||||
+RET=$?
|
||||
+
|
||||
+motd_dir_not_show_output=$(cat tst-pam_motd3.out | grep "not show")
|
||||
+if [ -n "${motd_dir_not_show_output}" ];
|
||||
+then
|
||||
+ tst_cleanup
|
||||
+ exit 1
|
||||
+fi
|
||||
+
|
||||
+motd_test_show_output=$(cat tst-pam_motd3.out | grep "test-show.*- show")
|
||||
+if [ -z "${motd_test_show_output}" ];
|
||||
+then
|
||||
+ tst_cleanup
|
||||
+ exit 1
|
||||
+fi
|
||||
+
|
||||
+motd_general_symlink_show_output=$(cat tst-pam_motd3.out | grep "test-from-symlink.*- show")
|
||||
+if [ -z "${motd_general_symlink_show_output}" ];
|
||||
+then
|
||||
+ tst_cleanup
|
||||
+ exit 1
|
||||
+fi
|
||||
+
|
||||
+tst_cleanup
|
||||
+exit $RET
|
||||
diff -up Linux-PAM-1.3.1/xtests/tst-pam_motd.c.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/xtests/tst-pam_motd.c
|
||||
--- Linux-PAM-1.3.1/xtests/tst-pam_motd.c.pam_motd-support-multiple-motd-paths1 2022-04-25 12:32:36.947663225 +0200
|
||||
+++ Linux-PAM-1.3.1/xtests/tst-pam_motd.c 2022-04-25 12:32:36.947663225 +0200
|
||||
@@ -0,0 +1,69 @@
|
||||
+/*
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
||||
+ * necessary due to a potential bad interaction between the GPL and
|
||||
+ * the restrictions contained in a BSD-style copyright.)
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#ifdef HAVE_CONFIG_H
|
||||
+#include <config.h>
|
||||
+#endif
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <security/pam_appl.h>
|
||||
+#include <security/pam_misc.h>
|
||||
+
|
||||
+static struct pam_conv conv = {
|
||||
+ misc_conv,
|
||||
+ NULL
|
||||
+};
|
||||
+
|
||||
+int main(int argc, char *argv[])
|
||||
+{
|
||||
+ pam_handle_t *pamh=NULL;
|
||||
+ char *tst_arg = NULL;
|
||||
+ int retval;
|
||||
+
|
||||
+ if (argc > 1)
|
||||
+ tst_arg = argv[1];
|
||||
+
|
||||
+ retval = pam_start(tst_arg, NULL, &conv, &pamh);
|
||||
+
|
||||
+ retval = pam_open_session(pamh, 0);
|
||||
+
|
||||
+ retval = pam_close_session(pamh, 0);
|
||||
+
|
||||
+ if (pam_end(pamh,retval) != PAM_SUCCESS) { /* close Linux-PAM */
|
||||
+ pamh = NULL;
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
+ return ( retval == PAM_SUCCESS ? 0:1 ); /* indicate success */
|
||||
+}
|
||||
diff -up Linux-PAM-1.3.1/xtests/tst-pam_motd.sh.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/xtests/tst-pam_motd.sh
|
||||
--- Linux-PAM-1.3.1/xtests/tst-pam_motd.sh.pam_motd-support-multiple-motd-paths1 2022-04-25 12:32:36.947663225 +0200
|
||||
+++ Linux-PAM-1.3.1/xtests/tst-pam_motd.sh 2022-04-25 12:32:36.947663225 +0200
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+set -e
|
||||
+
|
||||
+./tst-pam_motd1.sh
|
||||
+./tst-pam_motd2.sh
|
||||
+./tst-pam_motd3.sh
|
@ -0,0 +1,573 @@
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/Makefile.am.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/Makefile.am
|
||||
--- Linux-PAM-1.3.1/modules/pam_pwhistory/Makefile.am.pam-pwhistory-load-conf-from-file 2022-09-29 10:13:35.709355179 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/Makefile.am 2022-09-29 10:13:35.780355766 +0200
|
||||
@@ -10,9 +10,10 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-
|
||||
|
||||
TESTS = tst-pam_pwhistory
|
||||
|
||||
-man_MANS = pam_pwhistory.8 pwhistory_helper.8
|
||||
+man_MANS = pam_pwhistory.8 pwhistory_helper.8 pwhistory.conf.5
|
||||
|
||||
-XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml
|
||||
+XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml \
|
||||
+ pwhistory.conf.5.xml
|
||||
|
||||
securelibdir = $(SECUREDIR)
|
||||
secureconfdir = $(SCONFIGDIR)
|
||||
@@ -25,12 +26,14 @@ if HAVE_VERSIONING
|
||||
pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
||||
endif
|
||||
|
||||
-noinst_HEADERS = opasswd.h
|
||||
+noinst_HEADERS = opasswd.h pwhistory_config.h
|
||||
+
|
||||
+dist_secureconf_DATA = pwhistory.conf
|
||||
|
||||
securelib_LTLIBRARIES = pam_pwhistory.la
|
||||
pam_pwhistory_la_CFLAGS = $(AM_CFLAGS)
|
||||
pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@
|
||||
-pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c
|
||||
+pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c pwhistory_config.c
|
||||
|
||||
sbin_PROGRAMS = pwhistory_helper
|
||||
pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @PIE_CFLAGS@
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.8.xml.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.8.xml
|
||||
--- Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.8.xml.pam-pwhistory-load-conf-from-file 2017-02-10 11:10:15.000000000 +0100
|
||||
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.8.xml 2022-09-29 10:13:35.780355766 +0200
|
||||
@@ -36,6 +36,9 @@
|
||||
<arg choice="opt">
|
||||
authtok_type=<replaceable>STRING</replaceable>
|
||||
</arg>
|
||||
+ <arg choice="opt">
|
||||
+ conf=<replaceable>/path/to/config-file</replaceable>
|
||||
+ </arg>
|
||||
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
@@ -104,7 +107,7 @@
|
||||
<listitem>
|
||||
<para>
|
||||
The last <replaceable>N</replaceable> passwords for each
|
||||
- user are saved in <filename>/etc/security/opasswd</filename>.
|
||||
+ user are saved.
|
||||
The default is <emphasis>10</emphasis>. Value of
|
||||
<emphasis>0</emphasis> makes the module to keep the existing
|
||||
contents of the <filename>opasswd</filename> file unchanged.
|
||||
@@ -137,7 +140,26 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>conf=<replaceable>/path/to/config-file</replaceable></option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Use another configuration file instead of the default
|
||||
+ <filename>/etc/security/pwhistory.conf</filename>.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
</variablelist>
|
||||
+ <para>
|
||||
+ The options for configuring the module behavior are described in the
|
||||
+ <citerefentry><refentrytitle>pwhistory.conf</refentrytitle>
|
||||
+ <manvolnum>5</manvolnum></citerefentry> manual page. The options
|
||||
+ specified on the module command line override the values from the
|
||||
+ configuration file.
|
||||
+ </para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1 id="pam_pwhistory-types">
|
||||
@@ -223,6 +245,9 @@ password required pam_unix.so
|
||||
<title>SEE ALSO</title>
|
||||
<para>
|
||||
<citerefentry>
|
||||
+ <refentrytitle>pwhistory.conf</refentrytitle><manvolnum>5</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
|
||||
</citerefentry>,
|
||||
<citerefentry>
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.c.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.c
|
||||
--- Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.c.pam-pwhistory-load-conf-from-file 2022-09-29 10:13:35.711355195 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.c 2022-09-29 10:13:35.780355766 +0200
|
||||
@@ -62,18 +62,11 @@
|
||||
#include <security/_pam_macros.h>
|
||||
|
||||
#include "opasswd.h"
|
||||
+#include "pwhistory_config.h"
|
||||
|
||||
#define DEFAULT_BUFLEN 2048
|
||||
#define MAX_FD_NO 20000
|
||||
|
||||
-struct options_t {
|
||||
- int debug;
|
||||
- int enforce_for_root;
|
||||
- int remember;
|
||||
- int tries;
|
||||
-};
|
||||
-typedef struct options_t options_t;
|
||||
-
|
||||
|
||||
static void
|
||||
parse_option (pam_handle_t *pamh, const char *argv, options_t *options)
|
||||
@@ -304,6 +297,8 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
|
||||
options.remember = 10;
|
||||
options.tries = 1;
|
||||
|
||||
+ parse_config_file(pamh, argc, argv, &options);
|
||||
+
|
||||
/* Parse parameters for module */
|
||||
for ( ; argc-- > 0; argv++)
|
||||
parse_option (pamh, *argv, &options);
|
||||
@@ -311,7 +306,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
|
||||
if (options.debug)
|
||||
pam_syslog (pamh, LOG_DEBUG, "pam_sm_chauthtok entered");
|
||||
|
||||
-
|
||||
if (options.remember == 0)
|
||||
return PAM_IGNORE;
|
||||
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.5.xml.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.5.xml
|
||||
--- Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.5.xml.pam-pwhistory-load-conf-from-file 2022-09-29 10:13:35.780355766 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.5.xml 2022-09-29 10:13:35.780355766 +0200
|
||||
@@ -0,0 +1,155 @@
|
||||
+<?xml version="1.0" encoding='UTF-8'?>
|
||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
||||
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
||||
+
|
||||
+<refentry id="pwhistory.conf">
|
||||
+
|
||||
+ <refmeta>
|
||||
+ <refentrytitle>pwhistory.conf</refentrytitle>
|
||||
+ <manvolnum>5</manvolnum>
|
||||
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
|
||||
+ </refmeta>
|
||||
+
|
||||
+ <refnamediv id="pwhistory.conf-name">
|
||||
+ <refname>pwhistory.conf</refname>
|
||||
+ <refpurpose>pam_pwhistory configuration file</refpurpose>
|
||||
+ </refnamediv>
|
||||
+
|
||||
+ <refsect1 id="pwhistory.conf-description">
|
||||
+
|
||||
+ <title>DESCRIPTION</title>
|
||||
+ <para>
|
||||
+ <emphasis remap='B'>pwhistory.conf</emphasis> provides a way to configure the
|
||||
+ default settings for saving the last passwords for each user.
|
||||
+ This file is read by the <emphasis>pam_pwhistory</emphasis> module and is the
|
||||
+ preferred method over configuring <emphasis>pam_pwhistory</emphasis> directly.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ The file has a very simple <emphasis>name = value</emphasis> format with possible comments
|
||||
+ starting with <emphasis>#</emphasis> character. The whitespace at the beginning of line, end
|
||||
+ of line, and around the <emphasis>=</emphasis> sign is ignored.
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id="pwhistory.conf-options">
|
||||
+
|
||||
+ <title>OPTIONS</title>
|
||||
+ <variablelist>
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>debug</option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Turns on debugging via
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
|
||||
+ </citerefentry>.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>enforce_for_root</option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ If this option is set, the check is enforced for root, too.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>remember=<replaceable>N</replaceable></option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ The last <replaceable>N</replaceable> passwords for each
|
||||
+ user are saved.
|
||||
+ The default is <emphasis>10</emphasis>. Value of
|
||||
+ <emphasis>0</emphasis> makes the module to keep the existing
|
||||
+ contents of the <filename>opasswd</filename> file unchanged.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>retry=<replaceable>N</replaceable></option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Prompt user at most <replaceable>N</replaceable> times
|
||||
+ before returning with error. The default is 1.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>file=<replaceable>/path/filename</replaceable></option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Store password history in file
|
||||
+ <replaceable>/path/filename</replaceable> rather than the default
|
||||
+ location. The default location is
|
||||
+ <filename>/etc/security/opasswd</filename>.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ </variablelist>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='pwhistory.conf-examples'>
|
||||
+ <title>EXAMPLES</title>
|
||||
+ <para>
|
||||
+ /etc/security/pwhistory.conf file example:
|
||||
+ </para>
|
||||
+ <programlisting>
|
||||
+debug
|
||||
+remember=5
|
||||
+file=/tmp/opasswd
|
||||
+ </programlisting>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id="pwhistory.conf-files">
|
||||
+ <title>FILES</title>
|
||||
+ <variablelist>
|
||||
+ <varlistentry>
|
||||
+ <term><filename>/etc/security/pwhistory.conf</filename></term>
|
||||
+ <listitem>
|
||||
+ <para>the config file for custom options</para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ </variablelist>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='pwhistory.conf-see_also'>
|
||||
+ <title>SEE ALSO</title>
|
||||
+ <para>
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>pwhistory</refentrytitle><manvolnum>8</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
|
||||
+ </citerefentry>
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='pwhistory.conf-author'>
|
||||
+ <title>AUTHOR</title>
|
||||
+ <para>
|
||||
+ pam_pwhistory was written by Thorsten Kukuk. The support for
|
||||
+ pwhistory.conf was written by Iker Pedrosa.
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+</refentry>
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.c.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.c
|
||||
--- Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.c.pam-pwhistory-load-conf-from-file 2022-09-29 10:13:35.781355775 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.c 2022-09-29 10:14:33.377832622 +0200
|
||||
@@ -0,0 +1,195 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com>
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
||||
+ * necessary due to a potential bad interaction between the GPL and
|
||||
+ * the restrictions contained in a BSD-style copyright.)
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#include "config.h"
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <syslog.h>
|
||||
+#include <ctype.h>
|
||||
+
|
||||
+#include <security/pam_modutil.h>
|
||||
+
|
||||
+#include "pam_inline.h"
|
||||
+#include "pwhistory_config.h"
|
||||
+
|
||||
+#define PWHISTORY_DEFAULT_CONF "/etc/security/pwhistory.conf"
|
||||
+
|
||||
+/* lookup a value for key in login.defs file or similar key value format */
|
||||
+static char *
|
||||
+pwhistory_search_key(pam_handle_t *pamh UNUSED,
|
||||
+ const char *file_name,
|
||||
+ const char *key)
|
||||
+{
|
||||
+ FILE *fp;
|
||||
+ char *buf = NULL;
|
||||
+ size_t buflen = 0;
|
||||
+ char *retval = NULL;
|
||||
+
|
||||
+#ifdef USE_ECONF
|
||||
+ if (strcmp (file_name, LOGIN_DEFS) == 0)
|
||||
+ return econf_search_key ("login", ".defs", key);
|
||||
+#endif
|
||||
+
|
||||
+ fp = fopen(file_name, "r");
|
||||
+ if (NULL == fp)
|
||||
+ return NULL;
|
||||
+
|
||||
+ while (!feof(fp)) {
|
||||
+ char *tmp, *cp;
|
||||
+#if defined(HAVE_GETLINE)
|
||||
+ ssize_t n = getline(&buf, &buflen, fp);
|
||||
+#elif defined (HAVE_GETDELIM)
|
||||
+ ssize_t n = getdelim(&buf, &buflen, '\n', fp);
|
||||
+#else
|
||||
+ ssize_t n;
|
||||
+
|
||||
+ if (buf == NULL) {
|
||||
+ buflen = BUF_SIZE;
|
||||
+ buf = malloc(buflen);
|
||||
+ if (buf == NULL) {
|
||||
+ fclose(fp);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ }
|
||||
+ buf[0] = '\0';
|
||||
+ if (fgets(buf, buflen - 1, fp) == NULL)
|
||||
+ break;
|
||||
+ else if (buf != NULL)
|
||||
+ n = strlen(buf);
|
||||
+ else
|
||||
+ n = 0;
|
||||
+#endif /* HAVE_GETLINE / HAVE_GETDELIM */
|
||||
+ cp = buf;
|
||||
+
|
||||
+ if (n < 1)
|
||||
+ break;
|
||||
+ if (cp[n - 1] == '\n')
|
||||
+ cp[n - 1] = '\0';
|
||||
+
|
||||
+ tmp = strchr(cp, '#'); /* remove comments */
|
||||
+ if (tmp)
|
||||
+ *tmp = '\0';
|
||||
+ while (isspace((int)*cp)) /* remove spaces and tabs */
|
||||
+ ++cp;
|
||||
+ if (*cp == '\0') /* ignore empty lines */
|
||||
+ continue;
|
||||
+
|
||||
+ tmp = strsep (&cp, " \t=");
|
||||
+ if (cp != NULL)
|
||||
+ while (isspace((int)*cp) || *cp == '=')
|
||||
+ ++cp;
|
||||
+ else
|
||||
+ cp = buf + n; /* empty string */
|
||||
+
|
||||
+ if (strcasecmp(tmp, key) == 0) {
|
||||
+ retval = strdup(cp);
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ fclose(fp);
|
||||
+
|
||||
+ free(buf);
|
||||
+
|
||||
+ return retval;
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+parse_config_file(pam_handle_t *pamh, int argc, const char **argv,
|
||||
+ struct options_t *options)
|
||||
+{
|
||||
+ const char *fname = NULL;
|
||||
+ int i;
|
||||
+ char *val;
|
||||
+
|
||||
+ for (i = 0; i < argc; ++i) {
|
||||
+ const char *str = pam_str_skip_prefix(argv[i], "conf=");
|
||||
+
|
||||
+ if (str != NULL) {
|
||||
+ fname = str;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (fname == NULL) {
|
||||
+ fname = PWHISTORY_DEFAULT_CONF;
|
||||
+ }
|
||||
+
|
||||
+ val = pwhistory_search_key (pamh, fname, "debug");
|
||||
+ if (val != NULL) {
|
||||
+ options->debug = 1;
|
||||
+ free(val);
|
||||
+ }
|
||||
+
|
||||
+ val = pwhistory_search_key (pamh, fname, "enforce_for_root");
|
||||
+ if (val != NULL) {
|
||||
+ options->enforce_for_root = 1;
|
||||
+ free(val);
|
||||
+ }
|
||||
+
|
||||
+ val = pwhistory_search_key (pamh, fname, "remember");
|
||||
+ if (val != NULL) {
|
||||
+ unsigned int temp;
|
||||
+ if (sscanf(val, "%u", &temp) != 1) {
|
||||
+ pam_syslog(pamh, LOG_ERR,
|
||||
+ "Bad number supplied for remember argument");
|
||||
+ } else {
|
||||
+ options->remember = temp;
|
||||
+ }
|
||||
+ free(val);
|
||||
+ }
|
||||
+
|
||||
+ val = pwhistory_search_key (pamh, fname, "retry");
|
||||
+ if (val != NULL) {
|
||||
+ unsigned int temp;
|
||||
+ if (sscanf(val, "%u", &temp) != 1) {
|
||||
+ pam_syslog(pamh, LOG_ERR,
|
||||
+ "Bad number supplied for retry argument");
|
||||
+ } else {
|
||||
+ options->tries = temp;
|
||||
+ }
|
||||
+ free(val);
|
||||
+ }
|
||||
+
|
||||
+ val = pwhistory_search_key (pamh, fname, "file");
|
||||
+ if (val != NULL) {
|
||||
+ if (*val != '/') {
|
||||
+ pam_syslog (pamh, LOG_ERR,
|
||||
+ "File path should be absolute: %s", val);
|
||||
+ } else {
|
||||
+ options->filename = val;
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.h.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.h
|
||||
--- Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.h.pam-pwhistory-load-conf-from-file 2022-09-29 10:13:35.781355775 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.h 2022-09-29 10:13:35.781355775 +0200
|
||||
@@ -0,0 +1,54 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com>
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
||||
+ * necessary due to a potential bad interaction between the GPL and
|
||||
+ * the restrictions contained in a BSD-style copyright.)
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#ifndef _PWHISTORY_CONFIG_H
|
||||
+#define _PWHISTORY_CONFIG_H
|
||||
+
|
||||
+#include <security/pam_ext.h>
|
||||
+
|
||||
+struct options_t {
|
||||
+ int debug;
|
||||
+ int enforce_for_root;
|
||||
+ int remember;
|
||||
+ int tries;
|
||||
+ const char *filename;
|
||||
+};
|
||||
+typedef struct options_t options_t;
|
||||
+
|
||||
+void
|
||||
+parse_config_file(pam_handle_t *pamh, int argc, const char **argv,
|
||||
+ struct options_t *options);
|
||||
+
|
||||
+#endif /* _PWHISTORY_CONFIG_H */
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf
|
||||
--- Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.pam-pwhistory-load-conf-from-file 2022-09-29 10:13:35.781355775 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf 2022-09-29 10:13:35.781355775 +0200
|
||||
@@ -0,0 +1,21 @@
|
||||
+# Configuration for remembering the last passwords used by a user.
|
||||
+#
|
||||
+# Enable the debugging logs.
|
||||
+# Enabled if option is present.
|
||||
+# debug
|
||||
+#
|
||||
+# root account's passwords are also remembered.
|
||||
+# Enabled if option is present.
|
||||
+# enforce_for_root
|
||||
+#
|
||||
+# Number of passwords to remember.
|
||||
+# The default is 10.
|
||||
+# remember = 10
|
||||
+#
|
||||
+# Number of times to prompt for the password.
|
||||
+# The default is 1.
|
||||
+# retry = 1
|
||||
+#
|
||||
+# The directory where the last passwords are kept.
|
||||
+# The default is /etc/security/opasswd.
|
||||
+# file = /etc/security/opasswd
|
@ -0,0 +1,111 @@
|
||||
From a7453aeeb398d6cbb7a709c4e2a1d75905220fff Mon Sep 17 00:00:00 2001
|
||||
From: Stanislav Zidek <szidek@redhat.com>
|
||||
Date: Fri, 16 Apr 2021 19:14:18 +0200
|
||||
Subject: [PATCH] pam_userdb: Prevent garbage characters from db
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791965
|
||||
---
|
||||
modules/pam_userdb/pam_userdb.8.xml | 3 +-
|
||||
modules/pam_userdb/pam_userdb.c | 56 +++++++++++++++++------------
|
||||
2 files changed, 36 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_userdb/pam_userdb.8.xml b/modules/pam_userdb/pam_userdb.8.xml
|
||||
index fa628ada..bce92850 100644
|
||||
--- a/modules/pam_userdb/pam_userdb.8.xml
|
||||
+++ b/modules/pam_userdb/pam_userdb.8.xml
|
||||
@@ -100,7 +100,8 @@
|
||||
</term>
|
||||
<listitem>
|
||||
<para>
|
||||
- Print debug information.
|
||||
+ Print debug information. Note that password hashes, both from db
|
||||
+ and computed, will be printed to syslog.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
|
||||
index dc2ca232..d59801bf 100644
|
||||
--- a/modules/pam_userdb/pam_userdb.c
|
||||
+++ b/modules/pam_userdb/pam_userdb.c
|
||||
@@ -194,7 +194,7 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
|
||||
}
|
||||
|
||||
if (data.dptr != NULL) {
|
||||
- int compare = 0;
|
||||
+ int compare = -2;
|
||||
|
||||
if (ctrl & PAM_KEY_ONLY_ARG)
|
||||
{
|
||||
@@ -209,36 +209,48 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
|
||||
char *cryptpw = NULL;
|
||||
|
||||
if (data.dsize < 13) {
|
||||
- compare = -2;
|
||||
+ /* hash is too short */
|
||||
+ pam_syslog(pamh, LOG_INFO, "password hash in database is too short");
|
||||
} else if (ctrl & PAM_ICASE_ARG) {
|
||||
- compare = -2;
|
||||
+ pam_syslog(pamh, LOG_INFO,
|
||||
+ "case-insensitive comparison only works with plaintext passwords");
|
||||
} else {
|
||||
+ /* libdb is not guaranteed to produce null terminated strings */
|
||||
+ char *pwhash = strndup(data.dptr, data.dsize);
|
||||
+
|
||||
+ if (pwhash == NULL) {
|
||||
+ pam_syslog(pamh, LOG_CRIT, "strndup failed: data.dptr");
|
||||
+ } else {
|
||||
#ifdef HAVE_CRYPT_R
|
||||
- struct crypt_data *cdata = NULL;
|
||||
- cdata = malloc(sizeof(*cdata));
|
||||
- if (cdata != NULL) {
|
||||
- cdata->initialized = 0;
|
||||
- cryptpw = crypt_r(pass, data.dptr, cdata);
|
||||
- }
|
||||
+ struct crypt_data *cdata = NULL;
|
||||
+ cdata = malloc(sizeof(*cdata));
|
||||
+ if (cdata == NULL) {
|
||||
+ pam_syslog(pamh, LOG_CRIT, "malloc failed: struct crypt_data");
|
||||
+ } else {
|
||||
+ cdata->initialized = 0;
|
||||
+ cryptpw = crypt_r(pass, pwhash, cdata);
|
||||
+ }
|
||||
#else
|
||||
- cryptpw = crypt (pass, data.dptr);
|
||||
+ cryptpw = crypt (pass, pwhash);
|
||||
#endif
|
||||
- if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
|
||||
- compare = memcmp(data.dptr, cryptpw, data.dsize);
|
||||
- } else {
|
||||
- compare = -2;
|
||||
- if (ctrl & PAM_DEBUG_ARG) {
|
||||
- if (cryptpw)
|
||||
- pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
|
||||
- else
|
||||
- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
|
||||
+ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
|
||||
+ compare = memcmp(data.dptr, cryptpw, data.dsize);
|
||||
+ } else {
|
||||
+ if (ctrl & PAM_DEBUG_ARG) {
|
||||
+ if (cryptpw) {
|
||||
+ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
|
||||
+ pam_syslog(pamh, LOG_INFO, "computed hash: %s", cryptpw);
|
||||
+ } else {
|
||||
+ pam_syslog(pamh, LOG_ERR, "crypt() returned NULL");
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
- }
|
||||
#ifdef HAVE_CRYPT_R
|
||||
- free(cdata);
|
||||
+ free(cdata);
|
||||
#endif
|
||||
+ }
|
||||
+ free(pwhash);
|
||||
}
|
||||
-
|
||||
} else {
|
||||
|
||||
/* Unknown password encryption method -
|
||||
--
|
||||
2.30.2
|
||||
|
@ -0,0 +1,75 @@
|
||||
diff -up Linux-PAM-1.3.1/configure.ac.pam-usertype-SYS_UID_MAX Linux-PAM-1.3.1/configure.ac
|
||||
--- Linux-PAM-1.3.1/configure.ac.pam-usertype-SYS_UID_MAX 2022-06-22 16:41:09.169146826 +0200
|
||||
+++ Linux-PAM-1.3.1/configure.ac 2022-06-22 16:43:54.343373619 +0200
|
||||
@@ -615,12 +615,6 @@ if test x"$opt_uidmin" == x; then
|
||||
fi
|
||||
AC_DEFINE_UNQUOTED(PAM_USERTYPE_UIDMIN, $opt_uidmin, [Minimum regular user uid.])
|
||||
|
||||
-AC_ARG_WITH([sysuidmin], AS_HELP_STRING([--with-sysuidmin=<number>],[default value for system user min uid (101)]), opt_sysuidmin=$withval)
|
||||
-if test x"$opt_sysuidmin" == x; then
|
||||
- opt_sysuidmin=101
|
||||
-fi
|
||||
-AC_DEFINE_UNQUOTED(PAM_USERTYPE_SYSUIDMIN, $opt_sysuidmin, [Minimum system user uid.])
|
||||
-
|
||||
AC_ARG_WITH([kerneloverflowuid], AS_HELP_STRING([--with-kernel-overflow-uid=<number>],[kernel overflow uid, default (uint16_t)-2=65534]), opt_kerneloverflowuid=$withval)
|
||||
if test x"$opt_kerneloverflowuid" == x; then
|
||||
opt_kerneloverflowuid=65534
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.8.xml.pam-usertype-SYS_UID_MAX Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.8.xml
|
||||
--- Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.8.xml.pam-usertype-SYS_UID_MAX 2022-06-22 16:41:09.155146722 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.8.xml 2022-06-22 16:41:09.169146826 +0200
|
||||
@@ -31,7 +31,7 @@
|
||||
pam_usertype.so is designed to succeed or fail authentication
|
||||
based on type of the account of the authenticated user.
|
||||
The type of the account is decided with help of
|
||||
- <emphasis>SYS_UID_MIN</emphasis> and <emphasis>SYS_UID_MAX</emphasis>
|
||||
+ <emphasis>SYS_UID_MAX</emphasis>
|
||||
settings in <emphasis>/etc/login.defs</emphasis>. One use is to select
|
||||
whether to load other modules based on this test.
|
||||
</para>
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c.pam-usertype-SYS_UID_MAX Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c
|
||||
--- Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c.pam-usertype-SYS_UID_MAX 2022-06-22 16:41:09.155146722 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c 2022-06-22 16:41:09.169146826 +0200
|
||||
@@ -277,7 +277,6 @@ static int
|
||||
pam_usertype_is_system(pam_handle_t *pamh, uid_t uid)
|
||||
{
|
||||
uid_t uid_min;
|
||||
- uid_t sys_min;
|
||||
uid_t sys_max;
|
||||
|
||||
if (uid == (uid_t)-1) {
|
||||
@@ -285,21 +284,19 @@ pam_usertype_is_system(pam_handle_t *pam
|
||||
return PAM_USER_UNKNOWN;
|
||||
}
|
||||
|
||||
- if (uid <= 99) {
|
||||
- /* Reserved. */
|
||||
- return PAM_SUCCESS;
|
||||
- }
|
||||
-
|
||||
if (uid == PAM_USERTYPE_OVERFLOW_UID) {
|
||||
/* nobody */
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
uid_min = pam_usertype_get_id(pamh, "UID_MIN", PAM_USERTYPE_UIDMIN);
|
||||
- sys_min = pam_usertype_get_id(pamh, "SYS_UID_MIN", PAM_USERTYPE_SYSUIDMIN);
|
||||
sys_max = pam_usertype_get_id(pamh, "SYS_UID_MAX", uid_min - 1);
|
||||
|
||||
- return uid >= sys_min && uid <= sys_max ? PAM_SUCCESS : PAM_AUTH_ERR;
|
||||
+ if (uid <= sys_max && uid < uid_min) {
|
||||
+ return PAM_SUCCESS;
|
||||
+ }
|
||||
+
|
||||
+ return PAM_AUTH_ERR;
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -336,7 +333,7 @@ pam_usertype_evaluate(struct pam_usertyp
|
||||
|
||||
/**
|
||||
* Arguments:
|
||||
- * - issystem: uid in <SYS_UID_MIN, SYS_UID_MAX>
|
||||
+ * - issystem: uid less than SYS_UID_MAX
|
||||
* - isregular: not issystem
|
||||
* - use_uid: use user that runs application not that is being authenticate (same as in pam_succeed_if)
|
||||
* - audit: log unknown users to syslog
|
@ -0,0 +1,712 @@
|
||||
diff -up Linux-PAM-1.3.1/configure.ac.pam-usertype Linux-PAM-1.3.1/configure.ac
|
||||
--- Linux-PAM-1.3.1/configure.ac.pam-usertype 2020-05-15 10:03:27.247468160 +0200
|
||||
+++ Linux-PAM-1.3.1/configure.ac 2020-05-15 10:03:27.270468089 +0200
|
||||
@@ -606,6 +606,27 @@ AC_SUBST([HAVE_KEY_MANAGEMENT], $HAVE_KE
|
||||
|
||||
AM_CONDITIONAL([HAVE_KEY_MANAGEMENT], [test "$have_key_syscalls" = 1])
|
||||
|
||||
+dnl
|
||||
+dnl Get values for default uid ranges in login.defs used in pam_usertype
|
||||
+dnl
|
||||
+AC_ARG_WITH([uidmin], AS_HELP_STRING([--with-uidmin=<number>],[default value for regular user min uid (1000)]), opt_uidmin=$withval)
|
||||
+if test x"$opt_uidmin" == x; then
|
||||
+ opt_uidmin=1000
|
||||
+fi
|
||||
+AC_DEFINE_UNQUOTED(PAM_USERTYPE_UIDMIN, $opt_uidmin, [Minimum regular user uid.])
|
||||
+
|
||||
+AC_ARG_WITH([sysuidmin], AS_HELP_STRING([--with-sysuidmin=<number>],[default value for system user min uid (101)]), opt_sysuidmin=$withval)
|
||||
+if test x"$opt_sysuidmin" == x; then
|
||||
+ opt_sysuidmin=101
|
||||
+fi
|
||||
+AC_DEFINE_UNQUOTED(PAM_USERTYPE_SYSUIDMIN, $opt_sysuidmin, [Minimum system user uid.])
|
||||
+
|
||||
+AC_ARG_WITH([kerneloverflowuid], AS_HELP_STRING([--with-kernel-overflow-uid=<number>],[kernel overflow uid, default (uint16_t)-2=65534]), opt_kerneloverflowuid=$withval)
|
||||
+if test x"$opt_kerneloverflowuid" == x; then
|
||||
+ opt_kerneloverflowuid=65534
|
||||
+fi
|
||||
+AC_DEFINE_UNQUOTED(PAM_USERTYPE_OVERFLOW_UID, $opt_kerneloverflowuid, [Kernel overflow uid.])
|
||||
+
|
||||
dnl Files to be created from when we run configure
|
||||
AC_CONFIG_FILES([Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile \
|
||||
libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
|
||||
@@ -636,6 +657,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
|
||||
modules/pam_timestamp/Makefile modules/pam_tty_audit/Makefile \
|
||||
modules/pam_umask/Makefile \
|
||||
modules/pam_unix/Makefile modules/pam_userdb/Makefile \
|
||||
+ modules/pam_usertype/Makefile \
|
||||
modules/pam_warn/Makefile modules/pam_wheel/Makefile \
|
||||
modules/pam_xauth/Makefile doc/Makefile doc/specs/Makefile \
|
||||
doc/man/Makefile doc/sag/Makefile doc/adg/Makefile \
|
||||
diff -up Linux-PAM-1.3.1/modules/Makefile.am.pam-usertype Linux-PAM-1.3.1/modules/Makefile.am
|
||||
--- Linux-PAM-1.3.1/modules/Makefile.am.pam-usertype 2020-05-15 10:03:27.247468160 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/Makefile.am 2020-05-15 10:03:27.270468089 +0200
|
||||
@@ -12,7 +12,7 @@ SUBDIRS = pam_access pam_cracklib pam_de
|
||||
pam_selinux pam_sepermit pam_shells pam_stress \
|
||||
pam_succeed_if pam_time pam_timestamp \
|
||||
pam_tty_audit pam_umask \
|
||||
- pam_unix pam_userdb pam_warn pam_wheel pam_xauth
|
||||
+ pam_unix pam_userdb pam_usertype pam_warn pam_wheel pam_xauth
|
||||
|
||||
CLEANFILES = *~
|
||||
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_usertype/Makefile.am.pam-usertype Linux-PAM-1.3.1/modules/pam_usertype/Makefile.am
|
||||
--- Linux-PAM-1.3.1/modules/pam_usertype/Makefile.am.pam-usertype 2020-05-15 10:03:27.270468089 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/pam_usertype/Makefile.am 2020-05-15 10:03:27.270468089 +0200
|
||||
@@ -0,0 +1,34 @@
|
||||
+#
|
||||
+# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk <kukuk@suse.de>
|
||||
+# Copyright (c) 2020 Red Hat, Inc.
|
||||
+#
|
||||
+
|
||||
+CLEANFILES = *~
|
||||
+MAINTAINERCLEANFILES = $(MANS) README
|
||||
+
|
||||
+EXTRA_DIST = README ${MANS} ${XMLS} tst-pam_usertype
|
||||
+
|
||||
+TESTS = tst-pam_usertype
|
||||
+
|
||||
+man_MANS = pam_usertype.8
|
||||
+
|
||||
+XMLS = README.xml pam_usertype.8.xml
|
||||
+
|
||||
+securelibdir = $(SECUREDIR)
|
||||
+secureconfdir = $(SCONFIGDIR)
|
||||
+
|
||||
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
|
||||
+ $(WARN_CFLAGS)
|
||||
+AM_LDFLAGS = -no-undefined -avoid-version -module
|
||||
+if HAVE_VERSIONING
|
||||
+ AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
||||
+endif
|
||||
+
|
||||
+securelib_LTLIBRARIES = pam_usertype.la
|
||||
+pam_usertype_la_LIBADD = $(top_builddir)/libpam/libpam.la
|
||||
+
|
||||
+if ENABLE_REGENERATE_MAN
|
||||
+noinst_DATA = README
|
||||
+README: pam_usertype.8.xml
|
||||
+-include $(top_srcdir)/Make.xml.rules
|
||||
+endif
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.8.xml.pam-usertype Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.8.xml
|
||||
--- Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.8.xml.pam-usertype 2020-05-15 10:03:27.270468089 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.8.xml 2020-05-15 10:03:27.270468089 +0200
|
||||
@@ -0,0 +1,170 @@
|
||||
+<?xml version="1.0" encoding='UTF-8'?>
|
||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
||||
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
||||
+
|
||||
+
|
||||
+<refentry id='pam_usertype'>
|
||||
+ <refmeta>
|
||||
+ <refentrytitle>pam_usertype</refentrytitle>
|
||||
+ <manvolnum>8</manvolnum>
|
||||
+ <refmiscinfo class='sectdesc'>Linux-PAM</refmiscinfo>
|
||||
+ </refmeta>
|
||||
+
|
||||
+ <refnamediv id='pam_usertype-name'>
|
||||
+ <refname>pam_usertype</refname>
|
||||
+ <refpurpose>check if the authenticated user is a system or regular account</refpurpose>
|
||||
+ </refnamediv>
|
||||
+
|
||||
+
|
||||
+ <refsynopsisdiv>
|
||||
+ <cmdsynopsis id='pam_usertype-cmdsynopsis'>
|
||||
+ <command>pam_usertype.so</command>
|
||||
+ <arg choice='opt' rep='repeat'><replaceable>flag</replaceable></arg>
|
||||
+ <arg choice='req'><replaceable>condition</replaceable></arg>
|
||||
+ </cmdsynopsis>
|
||||
+ </refsynopsisdiv>
|
||||
+
|
||||
+
|
||||
+ <refsect1 id='pam_usertype-description'>
|
||||
+ <title>DESCRIPTION</title>
|
||||
+ <para>
|
||||
+ pam_usertype.so is designed to succeed or fail authentication
|
||||
+ based on type of the account of the authenticated user.
|
||||
+ The type of the account is decided with help of
|
||||
+ <emphasis>SYS_UID_MIN</emphasis> and <emphasis>SYS_UID_MAX</emphasis>
|
||||
+ settings in <emphasis>/etc/login.defs</emphasis>. One use is to select
|
||||
+ whether to load other modules based on this test.
|
||||
+ </para>
|
||||
+
|
||||
+ <para>
|
||||
+ The module should be given only one condition as module argument.
|
||||
+ Authentication will succeed only if the condition is met.
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id="pam_usertype-options">
|
||||
+ <title>OPTIONS</title>
|
||||
+ <para>
|
||||
+ The following <emphasis>flag</emphasis>s are supported:
|
||||
+ </para>
|
||||
+
|
||||
+ <variablelist>
|
||||
+ <varlistentry>
|
||||
+ <term><option>use_uid</option></term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Evaluate conditions using the account of the user whose UID
|
||||
+ the application is running under instead of the user being
|
||||
+ authenticated.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term><option>audit</option></term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Log unknown users to the system log.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ </variablelist>
|
||||
+
|
||||
+ <para>
|
||||
+ Available <emphasis>condition</emphasis>s are:
|
||||
+ </para>
|
||||
+
|
||||
+ <variablelist>
|
||||
+ <varlistentry>
|
||||
+ <term><option>issystem</option></term>
|
||||
+ <listitem>
|
||||
+ <para>Succeed if the user is a system user.</para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term><option>isregular</option></term>
|
||||
+ <listitem>
|
||||
+ <para>Succeed if the user is a regular user.</para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ </variablelist>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id="pam_usertype-types">
|
||||
+ <title>MODULE TYPES PROVIDED</title>
|
||||
+ <para>
|
||||
+ All module types (<option>account</option>, <option>auth</option>,
|
||||
+ <option>password</option> and <option>session</option>) are provided.
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='pam_usertype-return_values'>
|
||||
+ <title>RETURN VALUES</title>
|
||||
+ <variablelist>
|
||||
+
|
||||
+ <varlistentry>
|
||||
+ <term>PAM_SUCCESS</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ The condition was true.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
+ <varlistentry>
|
||||
+ <term>PAM_AUTH_ERR</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ The condition was false.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
+ <varlistentry>
|
||||
+ <term>PAM_SERVICE_ERR</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ A service error occurred or the arguments can't be
|
||||
+ parsed correctly.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
+ <varlistentry>
|
||||
+ <term>PAM_USER_UNKNOWN</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ User was not found.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ </variablelist>
|
||||
+ </refsect1>
|
||||
+
|
||||
+
|
||||
+ <refsect1 id='pam_usertype-examples'>
|
||||
+ <title>EXAMPLES</title>
|
||||
+ <para>
|
||||
+ Skip remaining modules if the user is a system user:
|
||||
+ </para>
|
||||
+ <programlisting>
|
||||
+account sufficient pam_usertype.so issystem
|
||||
+ </programlisting>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='pam_usertype-see_also'>
|
||||
+ <title>SEE ALSO</title>
|
||||
+ <para>
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
|
||||
+ </citerefentry>
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='pam_usertype-author'>
|
||||
+ <title>AUTHOR</title>
|
||||
+ <para>Pavel Březina <pbrezina@redhat.com></para>
|
||||
+ </refsect1>
|
||||
+</refentry>
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c.pam-usertype Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c
|
||||
--- Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c.pam-usertype 2020-05-15 10:03:27.270468089 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c 2020-05-15 10:16:08.053198025 +0200
|
||||
@@ -0,0 +1,394 @@
|
||||
+/******************************************************************************
|
||||
+ * Check user type based on login.defs.
|
||||
+ *
|
||||
+ * Copyright (c) 2020 Red Hat, Inc.
|
||||
+ * Written by Pavel Březina <pbrezina@redhat.com>
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
||||
+ * necessary due to a potential bad interaction between the GPL and
|
||||
+ * the restrictions contained in a BSD-style copyright.)
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ *
|
||||
+ */
|
||||
+
|
||||
+#include "config.h"
|
||||
+
|
||||
+#include <sys/types.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <syslog.h>
|
||||
+#include <unistd.h>
|
||||
+#include <pwd.h>
|
||||
+#include <ctype.h>
|
||||
+#include <errno.h>
|
||||
+#include <stdio.h>
|
||||
+
|
||||
+#define PAM_SM_AUTH
|
||||
+#define PAM_SM_ACCOUNT
|
||||
+#define PAM_SM_SESSION
|
||||
+#define PAM_SM_PASSWORD
|
||||
+
|
||||
+#include <security/pam_modules.h>
|
||||
+#include <security/pam_modutil.h>
|
||||
+#include <security/pam_ext.h>
|
||||
+
|
||||
+#define LOGIN_DEFS "/etc/login.defs"
|
||||
+
|
||||
+enum pam_usertype_op {
|
||||
+ OP_IS_SYSTEM,
|
||||
+ OP_IS_REGULAR,
|
||||
+
|
||||
+ OP_SENTINEL
|
||||
+};
|
||||
+
|
||||
+struct pam_usertype_opts {
|
||||
+ enum pam_usertype_op op;
|
||||
+ int use_uid;
|
||||
+ int audit;
|
||||
+};
|
||||
+
|
||||
+static int
|
||||
+pam_usertype_parse_args(struct pam_usertype_opts *opts,
|
||||
+ pam_handle_t *pamh,
|
||||
+ int argc,
|
||||
+ const char **argv)
|
||||
+{
|
||||
+ int i;
|
||||
+
|
||||
+ memset(opts, 0, sizeof(struct pam_usertype_opts));
|
||||
+ opts->op = OP_SENTINEL;
|
||||
+
|
||||
+ for (i = 0; i < argc; i++) {
|
||||
+ if (strcmp(argv[i], "use_uid") == 0) {
|
||||
+ opts->use_uid = 1;
|
||||
+ } else if (strcmp(argv[i], "audit") == 0) {
|
||||
+ opts->audit = 1;
|
||||
+ } else if (strcmp(argv[i], "issystem") == 0) {
|
||||
+ opts->op = OP_IS_SYSTEM;
|
||||
+ } else if (strcmp(argv[i], "isregular") == 0) {
|
||||
+ opts->op = OP_IS_REGULAR;
|
||||
+ } else {
|
||||
+ pam_syslog(pamh, LOG_WARNING, "Unknown argument: %s", argv[i]);
|
||||
+ /* Just continue. */
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (opts->op == OP_SENTINEL) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Operation not specified");
|
||||
+ return PAM_SERVICE_ERR;
|
||||
+ }
|
||||
+
|
||||
+ return PAM_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+pam_usertype_get_uid(struct pam_usertype_opts *opts,
|
||||
+ pam_handle_t *pamh,
|
||||
+ uid_t *_uid)
|
||||
+{
|
||||
+ struct passwd *pwd;
|
||||
+ const void *prompt;
|
||||
+ const char *username;
|
||||
+ int ret;
|
||||
+
|
||||
+ /* Get uid of user that runs the application. */
|
||||
+ if (opts->use_uid) {
|
||||
+ pwd = pam_modutil_getpwuid(pamh, getuid());
|
||||
+ if (pwd == NULL) {
|
||||
+ pam_syslog(pamh, LOG_ERR,
|
||||
+ "error retrieving information about user %lu",
|
||||
+ (unsigned long)getuid());
|
||||
+ return PAM_USER_UNKNOWN;
|
||||
+ }
|
||||
+
|
||||
+ *_uid = pwd->pw_uid;
|
||||
+ return PAM_SUCCESS;
|
||||
+ }
|
||||
+
|
||||
+ /* Get uid of user that is being authenticated. */
|
||||
+ ret = pam_get_item(pamh, PAM_USER_PROMPT, &prompt);
|
||||
+ if (ret != PAM_SUCCESS || prompt == NULL || strlen(prompt) == 0) {
|
||||
+ prompt = "login: ";
|
||||
+ }
|
||||
+
|
||||
+ ret = pam_get_user(pamh, &username, prompt);
|
||||
+ if (ret != PAM_SUCCESS || username == NULL) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "error retrieving user name: %s",
|
||||
+ pam_strerror(pamh, ret));
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ pwd = pam_modutil_getpwnam(pamh, username);
|
||||
+ if (pwd == NULL) {
|
||||
+ if (opts->audit) {
|
||||
+ pam_syslog(pamh, LOG_NOTICE,
|
||||
+ "error retrieving information about user %s", username);
|
||||
+ }
|
||||
+
|
||||
+ return PAM_USER_UNKNOWN;
|
||||
+ }
|
||||
+
|
||||
+ *_uid = pwd->pw_uid;
|
||||
+
|
||||
+ return PAM_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+#define MAX_UID_VALUE 0xFFFFFFFFUL
|
||||
+
|
||||
+/* lookup a value for key in login.defs file or similar key value format */
|
||||
+char *
|
||||
+pam_usertype_search_key(pam_handle_t *pamh UNUSED,
|
||||
+ const char *file_name,
|
||||
+ const char *key)
|
||||
+{
|
||||
+ FILE *fp;
|
||||
+ char *buf = NULL;
|
||||
+ size_t buflen = 0;
|
||||
+ char *retval = NULL;
|
||||
+
|
||||
+ fp = fopen(file_name, "r");
|
||||
+ if (NULL == fp)
|
||||
+ return NULL;
|
||||
+
|
||||
+ while (!feof(fp)) {
|
||||
+ char *tmp, *cp;
|
||||
+#if defined(HAVE_GETLINE)
|
||||
+ ssize_t n = getline(&buf, &buflen, fp);
|
||||
+#elif defined (HAVE_GETDELIM)
|
||||
+ ssize_t n = getdelim(&buf, &buflen, '\n', fp);
|
||||
+#else
|
||||
+ ssize_t n;
|
||||
+
|
||||
+ if (buf == NULL) {
|
||||
+ buflen = BUF_SIZE;
|
||||
+ buf = malloc(buflen);
|
||||
+ if (buf == NULL) {
|
||||
+ fclose(fp);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ }
|
||||
+ buf[0] = '\0';
|
||||
+ if (fgets(buf, buflen - 1, fp) == NULL)
|
||||
+ break;
|
||||
+ else if (buf != NULL)
|
||||
+ n = strlen(buf);
|
||||
+ else
|
||||
+ n = 0;
|
||||
+#endif /* HAVE_GETLINE / HAVE_GETDELIM */
|
||||
+ cp = buf;
|
||||
+
|
||||
+ if (n < 1)
|
||||
+ break;
|
||||
+ if (cp[n - 1] == '\n')
|
||||
+ cp[n - 1] = '\0';
|
||||
+
|
||||
+ tmp = strchr(cp, '#'); /* remove comments */
|
||||
+ if (tmp)
|
||||
+ *tmp = '\0';
|
||||
+ while (isspace((int)*cp)) /* remove spaces and tabs */
|
||||
+ ++cp;
|
||||
+ if (*cp == '\0') /* ignore empty lines */
|
||||
+ continue;
|
||||
+
|
||||
+ tmp = strsep (&cp, " \t=");
|
||||
+ if (cp != NULL)
|
||||
+ while (isspace((int)*cp) || *cp == '=')
|
||||
+ ++cp;
|
||||
+ else
|
||||
+ cp = "";
|
||||
+
|
||||
+ if (strcasecmp(tmp, key) == 0) {
|
||||
+ retval = strdup(cp);
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ fclose(fp);
|
||||
+
|
||||
+ free(buf);
|
||||
+
|
||||
+ return retval;
|
||||
+}
|
||||
+
|
||||
+static uid_t
|
||||
+pam_usertype_get_id(pam_handle_t *pamh,
|
||||
+ const char *key,
|
||||
+ uid_t default_value)
|
||||
+{
|
||||
+ unsigned long ul;
|
||||
+ char *value;
|
||||
+ char *ep;
|
||||
+ uid_t uid;
|
||||
+
|
||||
+ value = pam_usertype_search_key(pamh, LOGIN_DEFS, key);
|
||||
+ if (value == NULL) {
|
||||
+ return default_value;
|
||||
+ }
|
||||
+
|
||||
+ /* taken from get_lastlog_uid_max() */
|
||||
+ ep = value + strlen(value);
|
||||
+ while (ep > value && isspace(*(--ep))) {
|
||||
+ *ep = '\0';
|
||||
+ }
|
||||
+
|
||||
+ errno = 0;
|
||||
+ ul = strtoul(value, &ep, 10);
|
||||
+ if (!(ul >= MAX_UID_VALUE
|
||||
+ || (uid_t)ul >= MAX_UID_VALUE
|
||||
+ || (errno != 0 && ul == 0)
|
||||
+ || value == ep
|
||||
+ || *ep != '\0')) {
|
||||
+ uid = (uid_t)ul;
|
||||
+ } else {
|
||||
+ uid = default_value;
|
||||
+ }
|
||||
+
|
||||
+ free(value);
|
||||
+
|
||||
+ return uid;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+pam_usertype_is_system(pam_handle_t *pamh, uid_t uid)
|
||||
+{
|
||||
+ uid_t uid_min;
|
||||
+ uid_t sys_min;
|
||||
+ uid_t sys_max;
|
||||
+
|
||||
+ if (uid == (uid_t)-1) {
|
||||
+ pam_syslog(pamh, LOG_WARNING, "invalid uid");
|
||||
+ return PAM_USER_UNKNOWN;
|
||||
+ }
|
||||
+
|
||||
+ if (uid <= 99) {
|
||||
+ /* Reserved. */
|
||||
+ return PAM_SUCCESS;
|
||||
+ }
|
||||
+
|
||||
+ if (uid == PAM_USERTYPE_OVERFLOW_UID) {
|
||||
+ /* nobody */
|
||||
+ return PAM_SUCCESS;
|
||||
+ }
|
||||
+
|
||||
+ uid_min = pam_usertype_get_id(pamh, "UID_MIN", PAM_USERTYPE_UIDMIN);
|
||||
+ sys_min = pam_usertype_get_id(pamh, "SYS_UID_MIN", PAM_USERTYPE_SYSUIDMIN);
|
||||
+ sys_max = pam_usertype_get_id(pamh, "SYS_UID_MAX", uid_min - 1);
|
||||
+
|
||||
+ return uid >= sys_min && uid <= sys_max ? PAM_SUCCESS : PAM_AUTH_ERR;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+pam_usertype_is_regular(pam_handle_t *pamh, uid_t uid)
|
||||
+{
|
||||
+ int ret;
|
||||
+
|
||||
+ ret = pam_usertype_is_system(pamh, uid);
|
||||
+ switch (ret) {
|
||||
+ case PAM_SUCCESS:
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ case PAM_USER_UNKNOWN:
|
||||
+ return PAM_USER_UNKNOWN;
|
||||
+ default:
|
||||
+ return PAM_SUCCESS;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+pam_usertype_evaluate(struct pam_usertype_opts *opts,
|
||||
+ pam_handle_t *pamh,
|
||||
+ uid_t uid)
|
||||
+{
|
||||
+ switch (opts->op) {
|
||||
+ case OP_IS_SYSTEM:
|
||||
+ return pam_usertype_is_system(pamh, uid);
|
||||
+ case OP_IS_REGULAR:
|
||||
+ return pam_usertype_is_regular(pamh, uid);
|
||||
+ default:
|
||||
+ pam_syslog(pamh, LOG_ERR, "Unknown operation: %d", opts->op);
|
||||
+ return PAM_SERVICE_ERR;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * Arguments:
|
||||
+ * - issystem: uid in <SYS_UID_MIN, SYS_UID_MAX>
|
||||
+ * - isregular: not issystem
|
||||
+ * - use_uid: use user that runs application not that is being authenticate (same as in pam_succeed_if)
|
||||
+ * - audit: log unknown users to syslog
|
||||
+ */
|
||||
+int
|
||||
+pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
|
||||
+ int argc, const char **argv)
|
||||
+{
|
||||
+ struct pam_usertype_opts opts;
|
||||
+ uid_t uid;
|
||||
+ int ret;
|
||||
+
|
||||
+ ret = pam_usertype_parse_args(&opts, pamh, argc, argv);
|
||||
+ if (ret != PAM_SUCCESS) {
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ ret = pam_usertype_get_uid(&opts, pamh, &uid);
|
||||
+ if (ret != PAM_SUCCESS) {
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ return pam_usertype_evaluate(&opts, pamh, uid);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
|
||||
+ int argc UNUSED, const char **argv UNUSED)
|
||||
+{
|
||||
+ return PAM_IGNORE;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
+{
|
||||
+ return pam_sm_authenticate(pamh, flags, argc, argv);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
+{
|
||||
+ return pam_sm_authenticate(pamh, flags, argc, argv);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
+{
|
||||
+ return pam_sm_authenticate(pamh, flags, argc, argv);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
+{
|
||||
+ return pam_sm_authenticate(pamh, flags, argc, argv);
|
||||
+}
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_usertype/README.xml.pam-usertype Linux-PAM-1.3.1/modules/pam_usertype/README.xml
|
||||
--- Linux-PAM-1.3.1/modules/pam_usertype/README.xml.pam-usertype 2020-05-15 10:03:27.270468089 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/pam_usertype/README.xml 2020-05-15 10:03:27.270468089 +0200
|
||||
@@ -0,0 +1,41 @@
|
||||
+<?xml version="1.0" encoding='UTF-8'?>
|
||||
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
||||
+"http://www.docbook.org/xml/4.3/docbookx.dtd"
|
||||
+[
|
||||
+<!--
|
||||
+<!ENTITY pamaccess SYSTEM "pam_usertype.8.xml">
|
||||
+-->
|
||||
+]>
|
||||
+
|
||||
+<article>
|
||||
+
|
||||
+ <articleinfo>
|
||||
+
|
||||
+ <title>
|
||||
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
+ href="pam_usertype.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_usertype-name"]/*)'/>
|
||||
+ </title>
|
||||
+
|
||||
+ </articleinfo>
|
||||
+
|
||||
+ <section>
|
||||
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
+ href="pam_usertype.8.xml" xpointer='xpointer(//refsect1[@id = "pam_usertype-description"]/*)'/>
|
||||
+ </section>
|
||||
+
|
||||
+ <section>
|
||||
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
+ href="pam_usertype.8.xml" xpointer='xpointer(//refsect1[@id = "pam_usertype-options"]/*)'/>
|
||||
+ </section>
|
||||
+
|
||||
+ <section>
|
||||
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
+ href="pam_usertype.8.xml" xpointer='xpointer(//refsect1[@id = "pam_usertype-examples"]/*)'/>
|
||||
+ </section>
|
||||
+
|
||||
+ <section>
|
||||
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
+ href="pam_usertype.8.xml" xpointer='xpointer(//refsect1[@id = "pam_usertype-author"]/*)'/>
|
||||
+ </section>
|
||||
+
|
||||
+</article>
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_usertype/tst-pam_usertype.pam-usertype Linux-PAM-1.3.1/modules/pam_usertype/tst-pam_usertype
|
||||
--- Linux-PAM-1.3.1/modules/pam_usertype/tst-pam_usertype.pam-usertype 2020-05-15 10:03:27.270468089 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/pam_usertype/tst-pam_usertype 2020-05-15 10:03:27.270468089 +0200
|
||||
@@ -0,0 +1,2 @@
|
||||
+#!/bin/sh
|
||||
+../../tests/tst-dlopen .libs/pam_usertype.so
|
@ -0,0 +1,33 @@
|
||||
From e31dd6c7d0faa7a06d3ebd50a0b6957b9f822d15 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Wed, 7 Aug 2019 18:13:57 +0200
|
||||
Subject: [PATCH] pam_tty_audit: Manual page clarification about password
|
||||
logging
|
||||
|
||||
* modules/pam_tty_audit/pam_tty_audit.8.xml: Explanation why passwords
|
||||
can be sometimes logged even when the option is not set.
|
||||
---
|
||||
modules/pam_tty_audit/pam_tty_audit.8.xml | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml
|
||||
index 59a3406..e346c68 100644
|
||||
--- a/modules/pam_tty_audit/pam_tty_audit.8.xml
|
||||
+++ b/modules/pam_tty_audit/pam_tty_audit.8.xml
|
||||
@@ -149,6 +149,13 @@
|
||||
greater than or equal to <replaceable>min_uid</replaceable> will be
|
||||
matched.
|
||||
</para>
|
||||
+ <para>
|
||||
+ Please note that passwords in some circumstances may be logged by TTY auditing
|
||||
+ even if the <option>log_passwd</option> is not used. For example, all input to
|
||||
+ an ssh session will be logged - even if there is a password being typed into
|
||||
+ some software running at the remote host because only the local TTY state
|
||||
+ affects the local TTY auditing.
|
||||
+ </para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1 id='pam_tty_audit-examples'>
|
||||
--
|
||||
2.20.1
|
||||
|
@ -0,0 +1,12 @@
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c.unix-default-rounds Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c
|
||||
--- Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c.unix-default-rounds 2023-11-02 09:59:54.533238124 +0100
|
||||
+++ Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c 2023-11-02 10:40:58.017404936 +0100
|
||||
@@ -607,7 +607,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
|
||||
unsigned int ctrl, lctrl;
|
||||
int retval;
|
||||
int remember = -1;
|
||||
- int rounds = -1;
|
||||
+ int rounds = 0;
|
||||
int pass_min_len = 0;
|
||||
|
||||
/* <DO NOT free() THESE> */
|
@ -0,0 +1,174 @@
|
||||
From f7abb8c1ef3aa31e6c2564a8aaf69683a77c2016 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
|
||||
Date: Thu, 15 Nov 2018 15:01:57 +0100
|
||||
Subject: [PATCH] pam_unix: Use bcrypt b-variant for computing new hashes.
|
||||
|
||||
Bcrypt hashes used the "$2a$" prefix since 1997.
|
||||
However, in 2011 an implementation bug was discovered in bcrypt
|
||||
affecting the handling of characters in passphrases with the 8th
|
||||
bit set.
|
||||
|
||||
Besides fixing the bug, OpenBSD 5.5 introduced the "$2b$" prefix
|
||||
for a behavior that exactly matches crypt_blowfish's "$2y$", and
|
||||
the crypt_blowfish implementation supports it as well since v1.1.
|
||||
|
||||
That said new computed bcrypt hashes should use the "$2b$" prefix.
|
||||
|
||||
* modules/pam_unix/passverify.c: Use bcrypt b-variant.
|
||||
---
|
||||
modules/pam_unix/passverify.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
|
||||
index 9c1771e2..1f433b3a 100644
|
||||
--- a/modules/pam_unix/passverify.c
|
||||
+++ b/modules/pam_unix/passverify.c
|
||||
@@ -385,7 +385,7 @@ PAMH_ARG_DECL(char * create_password_hash,
|
||||
/* algoid = "$1" */
|
||||
return crypt_md5_wrapper(password);
|
||||
} else if (on(UNIX_BLOWFISH_PASS, ctrl)) {
|
||||
- algoid = "$2a$";
|
||||
+ algoid = "$2b$";
|
||||
} else if (on(UNIX_SHA256_PASS, ctrl)) {
|
||||
algoid = "$5$";
|
||||
} else if (on(UNIX_SHA512_PASS, ctrl)) {
|
||||
--
|
||||
2.41.0
|
||||
|
||||
diff -up Linux-PAM-1.3.1/configure.ac.legacy-xcrypt Linux-PAM-1.3.1/configure.ac
|
||||
--- Linux-PAM-1.3.1/configure.ac.legacy-xcrypt 2023-10-26 12:08:46.896437225 +0200
|
||||
+++ Linux-PAM-1.3.1/configure.ac 2023-10-26 12:10:38.289654696 +0200
|
||||
@@ -395,19 +395,32 @@ AC_SUBST(LIBAUDIT)
|
||||
AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS],
|
||||
[test "x$HAVE_AUDIT_TTY_STATUS" = xyes])
|
||||
|
||||
-AC_CHECK_HEADERS(xcrypt.h crypt.h)
|
||||
-AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
|
||||
- [crypt_libs="xcrypt crypt"],
|
||||
- [crypt_libs="crypt"])
|
||||
+AC_CHECK_HEADERS(crypt.h)
|
||||
|
||||
BACKUP_LIBS=$LIBS
|
||||
-AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="")
|
||||
-AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
|
||||
+LIBCRYPT=""
|
||||
+PKG_CHECK_MODULES([CRYPT], [libcrypt], [
|
||||
+ CFLAGS="$CFLAGS $CRYPT_CFLAGS"
|
||||
+ CPPFLAGS="$CPPFLAGS $CRYPT_CFLAGS"
|
||||
+ LIBS="$LIBS $CRYPT_LIBS"
|
||||
+ LIBCRYPT="$CRYPT_LIBS"
|
||||
+], [
|
||||
+ AC_SEARCH_LIBS([crypt_gensalt_rn],[crypt])
|
||||
+ case "$ac_cv_search_crypt_gensalt_rn" in
|
||||
+ -l*) LIBCRYPT="$ac_cv_search_crypt_gensalt_rn" ;;
|
||||
+ no) AC_SEARCH_LIBS([crypt_r],[crypt])
|
||||
+ case "$ac_cv_search_crypt_r" in
|
||||
+ -l*) LIBCRYPT="$ac_cv_search_crypt_r" ;;
|
||||
+ no ) AC_SEARCH_LIBS([crypt],[crypt])
|
||||
+ case "$ac_cv_search_crypt" in
|
||||
+ -l*) LIBCRYPT="$ac_cv_search_crypt" ;;
|
||||
+ esac ;;
|
||||
+ esac ;;
|
||||
+ esac
|
||||
+])
|
||||
+AC_CHECK_FUNCS([crypt_r])
|
||||
LIBS=$BACKUP_LIBS
|
||||
AC_SUBST(LIBCRYPT)
|
||||
-if test "$LIBCRYPT" = "-lxcrypt" -a "$ac_cv_header_xcrypt_h" = "yes" ; then
|
||||
- AC_DEFINE([HAVE_LIBXCRYPT], 1, [Define to 1 if xcrypt support should be compiled in.])
|
||||
-fi
|
||||
|
||||
AC_ARG_WITH([randomdev], AS_HELP_STRING([--with-randomdev=(<path>|yes|no)],[use specified random device instead of /dev/urandom or 'no' to disable]), opt_randomdev=$withval)
|
||||
if test "$opt_randomdev" = yes -o -z "$opt_randomdev"; then
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/opasswd.c.legacy-xcrypt Linux-PAM-1.3.1/modules/pam_pwhistory/opasswd.c
|
||||
--- Linux-PAM-1.3.1/modules/pam_pwhistory/opasswd.c.legacy-xcrypt 2023-10-26 12:08:46.896437225 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/opasswd.c 2023-10-26 12:11:14.437725259 +0200
|
||||
@@ -52,9 +52,7 @@
|
||||
#include <stdarg.h>
|
||||
#include <sys/stat.h>
|
||||
|
||||
-#if defined (HAVE_XCRYPT_H)
|
||||
-#include <xcrypt.h>
|
||||
-#elif defined (HAVE_CRYPT_H)
|
||||
+#ifdef HAVE_CRYPT_H
|
||||
#include <crypt.h>
|
||||
#endif
|
||||
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_unix/bigcrypt.c.legacy-xcrypt Linux-PAM-1.3.1/modules/pam_unix/bigcrypt.c
|
||||
--- Linux-PAM-1.3.1/modules/pam_unix/bigcrypt.c.legacy-xcrypt 2017-02-10 11:10:15.000000000 +0100
|
||||
+++ Linux-PAM-1.3.1/modules/pam_unix/bigcrypt.c 2023-10-26 12:08:46.896437225 +0200
|
||||
@@ -29,9 +29,7 @@
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <security/_pam_macros.h>
|
||||
-#ifdef HAVE_LIBXCRYPT
|
||||
-#include <xcrypt.h>
|
||||
-#elif defined(HAVE_CRYPT_H)
|
||||
+#ifdef HAVE_CRYPT_H
|
||||
#include <crypt.h>
|
||||
#endif
|
||||
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_unix/passverify.c.legacy-xcrypt Linux-PAM-1.3.1/modules/pam_unix/passverify.c
|
||||
--- Linux-PAM-1.3.1/modules/pam_unix/passverify.c.legacy-xcrypt 2023-10-26 12:08:46.895437223 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/pam_unix/passverify.c 2023-10-26 12:16:25.470320408 +0200
|
||||
@@ -19,9 +19,7 @@
|
||||
#include <sys/time.h>
|
||||
#include <sys/stat.h>
|
||||
#include <fcntl.h>
|
||||
-#ifdef HAVE_LIBXCRYPT
|
||||
-#include <xcrypt.h>
|
||||
-#elif defined(HAVE_CRYPT_H)
|
||||
+#ifdef HAVE_CRYPT_H
|
||||
#include <crypt.h>
|
||||
#endif
|
||||
|
||||
@@ -406,23 +404,19 @@ PAMH_ARG_DECL(char * create_password_has
|
||||
return crypted;
|
||||
}
|
||||
|
||||
-#ifdef HAVE_CRYPT_GENSALT_R
|
||||
- if (on(UNIX_BLOWFISH_PASS, ctrl)) {
|
||||
- char entropy[17];
|
||||
- crypt_make_salt(entropy, sizeof(entropy) - 1);
|
||||
- sp = crypt_gensalt_r (algoid, rounds,
|
||||
- entropy, sizeof(entropy),
|
||||
- salt, sizeof(salt));
|
||||
- } else {
|
||||
-#endif
|
||||
- sp = stpcpy(salt, algoid);
|
||||
- if (on(UNIX_ALGO_ROUNDS, ctrl)) {
|
||||
- sp += snprintf(sp, sizeof(salt) - (16 + 1 + (sp - salt)), "rounds=%u$", rounds);
|
||||
- }
|
||||
- crypt_make_salt(sp, 16);
|
||||
-#ifdef HAVE_CRYPT_GENSALT_R
|
||||
+#if defined(CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY) && CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY
|
||||
+ /*
|
||||
+ * Any version of libcrypt supporting auto entropy is
|
||||
+ * guaranteed to have crypt_gensalt_rn().
|
||||
+ */
|
||||
+ sp = crypt_gensalt_rn(algoid, rounds, NULL, 0, salt, sizeof(salt));
|
||||
+#else
|
||||
+ sp = stpcpy(salt, algoid);
|
||||
+ if (on(UNIX_ALGO_ROUNDS, ctrl)) {
|
||||
+ sp += snprintf(sp, sizeof(salt) - (16 + 1 + (sp - salt)), "rounds=%u$", rounds);
|
||||
}
|
||||
-#endif
|
||||
+ crypt_make_salt(sp, 16);
|
||||
+#endif /* CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY */
|
||||
#ifdef HAVE_CRYPT_R
|
||||
sp = NULL;
|
||||
cdata = malloc(sizeof(*cdata));
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_userdb/pam_userdb.c.legacy-xcrypt Linux-PAM-1.3.1/modules/pam_userdb/pam_userdb.c
|
||||
--- Linux-PAM-1.3.1/modules/pam_userdb/pam_userdb.c.legacy-xcrypt 2023-10-26 12:08:46.880437194 +0200
|
||||
+++ Linux-PAM-1.3.1/modules/pam_userdb/pam_userdb.c 2023-10-26 12:08:46.896437225 +0200
|
||||
@@ -17,9 +17,7 @@
|
||||
#include <sys/stat.h>
|
||||
#include <fcntl.h>
|
||||
#include <errno.h>
|
||||
-#ifdef HAVE_LIBXCRYPT
|
||||
-#include <xcrypt.h>
|
||||
-#elif defined(HAVE_CRYPT_H)
|
||||
+#ifdef HAVE_CRYPT_H
|
||||
#include <crypt.h>
|
||||
#endif
|
||||
|
@ -0,0 +1,57 @@
|
||||
From a6845905869ccabb5eb802be37241eabec085dc7 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Mon, 14 Oct 2019 16:52:46 +0200
|
||||
Subject: [PATCH] pam_unix: Add logging useful for debugging problems
|
||||
|
||||
Two messages added about obtaining the username are guarded
|
||||
by the debug option as these should not be normally
|
||||
logged - they can be useful for debugging but they do not
|
||||
indicate any special condition.
|
||||
|
||||
The message about authenticating user with blank password is
|
||||
still just LOG_DEBUG priority but it is logged unconditionally
|
||||
because it is somewhat extraordinary condition to have an user
|
||||
with blank password.
|
||||
|
||||
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace
|
||||
D() macro calls which are not enabled on production builds with
|
||||
regular pam_syslog() calls.
|
||||
---
|
||||
modules/pam_unix/pam_unix_auth.c | 7 ++++---
|
||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c
|
||||
index 681e49d..3fca945 100644
|
||||
--- a/modules/pam_unix/pam_unix_auth.c
|
||||
+++ b/modules/pam_unix/pam_unix_auth.c
|
||||
@@ -130,15 +130,16 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
AUTH_RETURN;
|
||||
}
|
||||
if (on(UNIX_DEBUG, ctrl))
|
||||
- D(("username [%s] obtained", name));
|
||||
+ pam_syslog(pamh, LOG_DEBUG, "username [%s] obtained", name);
|
||||
} else {
|
||||
- D(("trouble reading username"));
|
||||
if (retval == PAM_CONV_AGAIN) {
|
||||
D(("pam_get_user/conv() function is not ready yet"));
|
||||
/* it is safe to resume this function so we translate this
|
||||
* retval to the value that indicates we're happy to resume.
|
||||
*/
|
||||
retval = PAM_INCOMPLETE;
|
||||
+ } else if (on(UNIX_DEBUG, ctrl)) {
|
||||
+ pam_syslog(pamh, LOG_DEBUG, "could not obtain username");
|
||||
}
|
||||
AUTH_RETURN;
|
||||
}
|
||||
@@ -146,7 +147,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
/* if this user does not have a password... */
|
||||
|
||||
if (_unix_blankpasswd(pamh, ctrl, name)) {
|
||||
- D(("user '%s' has blank passwd", name));
|
||||
+ pam_syslog(pamh, LOG_DEBUG, "user [%s] has blank password; authenticated without it", name);
|
||||
name = NULL;
|
||||
retval = PAM_SUCCESS;
|
||||
AUTH_RETURN;
|
||||
--
|
||||
2.20.1
|
||||
|
@ -0,0 +1,134 @@
|
||||
From 6bf9b454eb971083f0cce49faa2aa1cde329ff5d Mon Sep 17 00:00:00 2001
|
||||
From: ikerexxe <ipedrosa@redhat.com>
|
||||
Date: Wed, 26 Aug 2020 14:44:23 +0200
|
||||
Subject: [PATCH 1/3] pam_wheel: improve coding style
|
||||
|
||||
modules/pam_wheel/pam_wheel.c: improve indentation and explicitly state
|
||||
condition statements
|
||||
---
|
||||
modules/pam_wheel/pam_wheel.c | 36 ++++++++++++++++++-----------------
|
||||
1 file changed, 19 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
|
||||
index a025ebaf..94cb7d89 100644
|
||||
--- a/modules/pam_wheel/pam_wheel.c
|
||||
+++ b/modules/pam_wheel/pam_wheel.c
|
||||
@@ -130,25 +130,27 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
|
||||
}
|
||||
|
||||
if (ctrl & PAM_USE_UID_ARG) {
|
||||
- tpwd = pam_modutil_getpwuid (pamh, getuid());
|
||||
- if (!tpwd) {
|
||||
- if (ctrl & PAM_DEBUG_ARG) {
|
||||
+ tpwd = pam_modutil_getpwuid (pamh, getuid());
|
||||
+ if (tpwd == NULL) {
|
||||
+ if (ctrl & PAM_DEBUG_ARG) {
|
||||
pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
|
||||
- }
|
||||
- return PAM_SERVICE_ERR;
|
||||
- }
|
||||
- fromsu = tpwd->pw_name;
|
||||
+ }
|
||||
+ return PAM_SERVICE_ERR;
|
||||
+ }
|
||||
+ fromsu = tpwd->pw_name;
|
||||
} else {
|
||||
- fromsu = pam_modutil_getlogin(pamh);
|
||||
- if (fromsu) {
|
||||
- tpwd = pam_modutil_getpwnam (pamh, fromsu);
|
||||
- }
|
||||
- if (!fromsu || !tpwd) {
|
||||
- if (ctrl & PAM_DEBUG_ARG) {
|
||||
- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
|
||||
- }
|
||||
- return PAM_SERVICE_ERR;
|
||||
- }
|
||||
+ fromsu = pam_modutil_getlogin(pamh);
|
||||
+
|
||||
+ if (fromsu != NULL) {
|
||||
+ tpwd = pam_modutil_getpwnam (pamh, fromsu);
|
||||
+ }
|
||||
+
|
||||
+ if (fromsu == NULL || tpwd == NULL) {
|
||||
+ if (ctrl & PAM_DEBUG_ARG) {
|
||||
+ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
|
||||
+ }
|
||||
+ return PAM_SERVICE_ERR;
|
||||
+ }
|
||||
}
|
||||
|
||||
/*
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
||||
From 9091ea1d81e85f49a221b0325d27b22ce69e444a Mon Sep 17 00:00:00 2001
|
||||
From: ikerexxe <ipedrosa@redhat.com>
|
||||
Date: Thu, 27 Aug 2020 09:16:15 +0200
|
||||
Subject: [PATCH 2/3] pam_wheel: if getlogin fails fallback to PAM_RUSER
|
||||
|
||||
modules/pam_wheel/pam_wheel.c: if getlogin fails to obtain the real user
|
||||
ID, then try with PAM_RUSER.
|
||||
|
||||
Resolves:
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1866866
|
||||
---
|
||||
modules/pam_wheel/pam_wheel.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
|
||||
index 94cb7d89..7fa3cfa9 100644
|
||||
--- a/modules/pam_wheel/pam_wheel.c
|
||||
+++ b/modules/pam_wheel/pam_wheel.c
|
||||
@@ -141,6 +141,16 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
|
||||
} else {
|
||||
fromsu = pam_modutil_getlogin(pamh);
|
||||
|
||||
+ /* if getlogin fails try a fallback to PAM_RUSER */
|
||||
+ if (fromsu == NULL) {
|
||||
+ const char *rhostname;
|
||||
+
|
||||
+ retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhostname);
|
||||
+ if (retval != PAM_SUCCESS || rhostname == NULL) {
|
||||
+ retval = pam_get_item(pamh, PAM_RUSER, (const void **)&fromsu);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (fromsu != NULL) {
|
||||
tpwd = pam_modutil_getpwnam (pamh, fromsu);
|
||||
}
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
||||
From a3a5cbf86083c43026b558e2023f597530626267 Mon Sep 17 00:00:00 2001
|
||||
From: ikerexxe <ipedrosa@redhat.com>
|
||||
Date: Wed, 9 Sep 2020 10:32:03 +0200
|
||||
Subject: [PATCH 3/3] pam_wheel: clarify use_uid option in man page
|
||||
|
||||
modules/pam_wheel/pam_wheel.8.xml: indicate that use_uid option uses the
|
||||
real uid of the calling process.
|
||||
---
|
||||
modules/pam_wheel/pam_wheel.8.xml | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml
|
||||
index b32f5e2b..ee8c7d26 100644
|
||||
--- a/modules/pam_wheel/pam_wheel.8.xml
|
||||
+++ b/modules/pam_wheel/pam_wheel.8.xml
|
||||
@@ -122,9 +122,9 @@
|
||||
</term>
|
||||
<listitem>
|
||||
<para>
|
||||
- The check for wheel membership will be done against
|
||||
- the current uid instead of the original one (useful when
|
||||
- jumping with su from one account to another for example).
|
||||
+ The check will be done against the real uid of the calling process,
|
||||
+ instead of trying to obtain the user from the login session
|
||||
+ associated with the terminal in use.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,37 @@
|
||||
From 10086bc69663fa819277af244eeb5b629a2403b8 Mon Sep 17 00:00:00 2001
|
||||
From: Deepak Das <ddas@redhat.com>
|
||||
Date: Mon, 10 Oct 2022 21:21:35 +0530
|
||||
Subject: [PATCH] pam_faillock: avoid logging an erroneous consecutive login
|
||||
failure message
|
||||
|
||||
* modules/pam_faillock/pam_faillock.c (write_tally): Avoid logging
|
||||
a consecutive login failure message for the root user in case when
|
||||
even_deny_root is not set.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2082442
|
||||
---
|
||||
modules/pam_faillock/pam_faillock.c | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
|
||||
index ddbb90e7..ca1c7035 100644
|
||||
--- a/modules/pam_faillock/pam_faillock.c
|
||||
+++ b/modules/pam_faillock/pam_faillock.c
|
||||
@@ -374,9 +374,11 @@ write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
|
||||
}
|
||||
close(audit_fd);
|
||||
#endif
|
||||
- if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO)) {
|
||||
- pam_syslog(pamh, LOG_INFO, "Consecutive login failures for user %s account temporarily locked",
|
||||
- opts->user);
|
||||
+ if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO) &&
|
||||
+ ((opts->flags & FAILLOCK_FLAG_DENY_ROOT) || (opts->uid != 0))) {
|
||||
+ pam_syslog(pamh, LOG_INFO,
|
||||
+ "Consecutive login failures for user %s account temporarily locked",
|
||||
+ opts->user);
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.38.1
|
||||
|
@ -0,0 +1,53 @@
|
||||
From bcbf145ce925934214e48200c27c9ff736452549 Mon Sep 17 00:00:00 2001
|
||||
From: Deepak Das <ddas@redhat.com>
|
||||
Date: Mon, 10 Oct 2022 17:55:53 +0530
|
||||
Subject: [PATCH] pam_faillock: Clarify missing user faillock files after
|
||||
reboot
|
||||
|
||||
* modules/pam_faillock/faillock.conf.5.xml: Adding note related to missing
|
||||
user specific faillock files after reboot.
|
||||
|
||||
* modules/pam_faillock/pam_faillock.8.xml: Adding note related to missing
|
||||
user specific faillock files after reboot.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2062512
|
||||
---
|
||||
modules/pam_faillock/faillock.conf.5.xml | 4 ++++
|
||||
modules/pam_faillock/pam_faillock.8.xml | 6 ++++++
|
||||
2 files changed, 10 insertions(+)
|
||||
|
||||
diff --git a/modules/pam_faillock/faillock.conf.5.xml b/modules/pam_faillock/faillock.conf.5.xml
|
||||
index 04a84107..8faa5915 100644
|
||||
--- a/modules/pam_faillock/faillock.conf.5.xml
|
||||
+++ b/modules/pam_faillock/faillock.conf.5.xml
|
||||
@@ -44,6 +44,10 @@
|
||||
The directory where the user files with the failure records are kept. The
|
||||
default is <filename>/var/run/faillock</filename>.
|
||||
</para>
|
||||
+ <para>
|
||||
+ Note: These files will disappear after reboot on systems configured with
|
||||
+ directory <filename>/var/run/faillock</filename> mounted on virtual memory.
|
||||
+ </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
diff --git a/modules/pam_faillock/pam_faillock.8.xml b/modules/pam_faillock/pam_faillock.8.xml
|
||||
index 79bcbbd0..b7b7b0db 100644
|
||||
--- a/modules/pam_faillock/pam_faillock.8.xml
|
||||
+++ b/modules/pam_faillock/pam_faillock.8.xml
|
||||
@@ -327,6 +327,12 @@ session required pam_selinux.so open
|
||||
<term><filename>/var/run/faillock/*</filename></term>
|
||||
<listitem>
|
||||
<para>the files logging the authentication failures for users</para>
|
||||
+ <para>
|
||||
+ Note: These files will disappear after reboot on systems configured with
|
||||
+ directory <filename>/var/run/faillock</filename> mounted on virtual memory.
|
||||
+ For persistent storage use the option <emphasis>dir=</emphasis> in
|
||||
+ file <filename>/etc/security/faillock.conf</filename>.
|
||||
+ </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
--
|
||||
2.38.1
|
||||
|
@ -0,0 +1,41 @@
|
||||
From 40c271164dbcebfc5304d0537a42fb42e6b6803c Mon Sep 17 00:00:00 2001
|
||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Date: Mon, 26 Sep 2022 12:16:53 +0200
|
||||
Subject: [PATCH] pam_lastlog: check localtime_r() return value
|
||||
|
||||
Check the return value of localtime_r() before calling strftime(). This
|
||||
function crashes if the argument is NULL.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2012871
|
||||
|
||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
---
|
||||
modules/pam_lastlog/pam_lastlog.c | 12 ++++++------
|
||||
1 file changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
|
||||
index abd048df..121e7560 100644
|
||||
--- a/modules/pam_lastlog/pam_lastlog.c
|
||||
+++ b/modules/pam_lastlog/pam_lastlog.c
|
||||
@@ -573,12 +573,12 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt
|
||||
time_t lf_time;
|
||||
|
||||
lf_time = utuser.ut_tv.tv_sec;
|
||||
- tm = localtime_r (&lf_time, &tm_buf);
|
||||
- strftime (the_time, sizeof (the_time),
|
||||
- /* TRANSLATORS: "strftime options for date of last login" */
|
||||
- _(" %a %b %e %H:%M:%S %Z %Y"), tm);
|
||||
-
|
||||
- date = the_time;
|
||||
+ if ((tm = localtime_r (&lf_time, &tm_buf)) != NULL) {
|
||||
+ strftime (the_time, sizeof (the_time),
|
||||
+ /* TRANSLATORS: "strftime options for date of last login" */
|
||||
+ _(" %a %b %e %H:%M:%S %Z %Y"), tm);
|
||||
+ date = the_time;
|
||||
+ }
|
||||
}
|
||||
|
||||
/* we want & have the host? */
|
||||
--
|
||||
2.38.1
|
||||
|
@ -0,0 +1,4 @@
|
||||
d /run/console 0755 root root -
|
||||
d /run/faillock 0755 root root -
|
||||
d /run/sepermit 0755 root root -
|
||||
d /run/motd.d 0755 root root -
|
@ -0,0 +1,18 @@
|
||||
#%PAM-1.0
|
||||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authselect is run.
|
||||
auth required pam_env.so
|
||||
auth sufficient pam_unix.so try_first_pass nullok
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_unix.so
|
||||
|
||||
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
|
||||
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
|
||||
password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_systemd.so
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
session required pam_unix.so
|
@ -0,0 +1,46 @@
|
||||
.TH POSTLOGIN 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
|
||||
.SH NAME
|
||||
|
||||
postlogin \- Common configuration file for PAMified services
|
||||
|
||||
.SH SYNOPSIS
|
||||
.B /etc/pam.d/postlogin
|
||||
.sp 2
|
||||
.SH DESCRIPTION
|
||||
|
||||
The purpose of this PAM configuration file is to provide a common
|
||||
place for all PAM modules which should be called after the stack
|
||||
configured in
|
||||
.BR system-auth
|
||||
or the other common PAM configuration files.
|
||||
|
||||
.sp
|
||||
The
|
||||
.BR postlogin
|
||||
configuration file is included from all individual service configuration
|
||||
files that provide login service with shell or file access.
|
||||
|
||||
.SH NOTES
|
||||
The modules in the postlogin configuration file are executed regardless
|
||||
of the success or failure of the modules in the
|
||||
.BR system-auth
|
||||
configuration file.
|
||||
|
||||
.SH BUGS
|
||||
.sp 2
|
||||
Sometimes it would be useful to be able to skip the postlogin modules in
|
||||
case the substack of the
|
||||
.BR system-auth
|
||||
modules failed. Unfortunately the current Linux-PAM library does not
|
||||
provide any way how to achieve this.
|
||||
|
||||
.SH "SEE ALSO"
|
||||
pam(8), config-util(5), system-auth(5)
|
||||
|
||||
The three
|
||||
.BR Linux-PAM
|
||||
Guides, for
|
||||
.BR "system administrators" ", "
|
||||
.BR "module developers" ", "
|
||||
and
|
||||
.BR "application developers" ". "
|
@ -0,0 +1,8 @@
|
||||
#%PAM-1.0
|
||||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authselect is run.
|
||||
|
||||
session optional pam_umask.so silent
|
||||
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
|
||||
session [default=1] pam_lastlog.so nowtmp showfailed
|
||||
session optional pam_lastlog.so silent noupdate showfailed
|
@ -0,0 +1,4 @@
|
||||
#%PAM-1.0
|
||||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authselect is run.
|
||||
auth sufficient pam_sss.so allow_missing_name
|
@ -0,0 +1,58 @@
|
||||
.TH SYSTEM-AUTH 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
|
||||
.SH NAME
|
||||
|
||||
system-auth \- Common configuration file for PAMified services
|
||||
|
||||
.SH SYNOPSIS
|
||||
.B /etc/pam.d/system-auth
|
||||
.B /etc/pam.d/password-auth
|
||||
.B /etc/pam.d/fingerprint-auth
|
||||
.B /etc/pam.d/smartcard-auth
|
||||
.sp 2
|
||||
.SH DESCRIPTION
|
||||
|
||||
The purpose of these configuration files are to provide a common
|
||||
interface for all applications and service daemons calling into
|
||||
the PAM library.
|
||||
|
||||
.sp
|
||||
The
|
||||
.BR system-auth
|
||||
configuration file is included from nearly all individual service configuration
|
||||
files with the help of the
|
||||
.BR substack
|
||||
directive.
|
||||
|
||||
.sp
|
||||
The
|
||||
.BR password-auth
|
||||
.BR fingerprint-auth
|
||||
.BR smartcard-auth
|
||||
configuration files are for applications which handle authentication from
|
||||
different types of devices via simultaneously running individual conversations
|
||||
instead of one aggregate conversation.
|
||||
|
||||
.SH NOTES
|
||||
Previously these common configuration files were included with the help
|
||||
of the
|
||||
.BR include
|
||||
directive. This limited the use of the different action types of modules.
|
||||
With the use of
|
||||
.BR substack
|
||||
directive to include these common configuration files this limitation
|
||||
no longer applies.
|
||||
|
||||
.SH BUGS
|
||||
.sp 2
|
||||
None known.
|
||||
|
||||
.SH "SEE ALSO"
|
||||
pam(8), config-util(5), postlogin(5)
|
||||
|
||||
The three
|
||||
.BR Linux-PAM
|
||||
Guides, for
|
||||
.BR "system administrators" ", "
|
||||
.BR "module developers" ", "
|
||||
and
|
||||
.BR "application developers" ". "
|
@ -0,0 +1,18 @@
|
||||
#%PAM-1.0
|
||||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authselect is run.
|
||||
auth required pam_env.so
|
||||
auth sufficient pam_unix.so try_first_pass nullok
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_unix.so
|
||||
|
||||
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
|
||||
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
|
||||
password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_systemd.so
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
session required pam_unix.so
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in new issue