commit
d6e5e4d8fd
@ -0,0 +1,2 @@
|
||||
SOURCES/Linux-PAM-1.5.1.tar.xz
|
||||
SOURCES/pam-redhat-1.1.4.tar.bz2
|
@ -0,0 +1,2 @@
|
||||
ad43b7fbdfdd38886fdf27e098b49f2db1c2a13d SOURCES/Linux-PAM-1.5.1.tar.xz
|
||||
bf661c44f34c2d4d34eaee695b36e638f4d44ba8 SOURCES/pam-redhat-1.1.4.tar.bz2
|
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIcBAABCAAGBQJfvo0CAAoJEKgEH6g54W42L+0P/19bgVH4cRd7ONZLwYvWvWlQ
|
||||
NXkjwn26MEXElWESlKnQQz08W5QASWCz3vgAn9NGDmS+lJ38i4Li4aGpn3COPE2g
|
||||
BAN9LEaAErK60b3ZkWwDEARDs1JntA1vUuuHx0EoLEMtFEeU20h5PPMrsDwu7LGF
|
||||
sD6KYdM6TWLMXcRybqGOeWmWxfp8S8MVNwVN3C3q0aVIOMxky0i4rzCL7zRTJztQ
|
||||
q7FaX2xrTGfUiAI7smT/KGoK7pbQTzZtoR67uE/2WZ4bSyWMZcuDkt16WP/L6x9v
|
||||
c5DnVaLazM9xYUAOn4tlPiG8LLmfXo1MjD+KOS9byAx+uTij3avxaC/vv0BDcATH
|
||||
jywxH8iTPkvYXP0uJIa4Gbs1qi3vNZn+gaQt/T+rCVNo3dfFZZxBvLbTQ8AN1hKr
|
||||
MnoQbIQh0buuSuwmAxF0EDIefX3bDCurKOTQrRajK7huFm0w2NgBqL8WR8f1Wmm9
|
||||
mGSdKuVpWSk5uEygCUFOfwviYbi1I1K2Dmo3TsLBgNPKvAF3LAGJC7KzD+Q+Nmos
|
||||
XBOljilcAfdJ7t2P8W7xTSMEnXu7nI1TM+Er80ukfu0fipJEP0xyi+XWh+2n0Bx+
|
||||
3wwt8fSL7rmI4I4l6GRb3Jk/Gq1bKy956tgm3TE6gXTXVGZqNs0E28rNRURXDqZu
|
||||
XrjVwhlpsH/Auk17hU65
|
||||
=E0ev
|
||||
-----END PGP SIGNATURE-----
|
@ -0,0 +1,36 @@
|
||||
.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual"
|
||||
.SH NAME
|
||||
|
||||
config-util \- Common PAM configuration file for configuration utilities
|
||||
|
||||
.SH SYNOPSIS
|
||||
.B /etc/pam.d/config-util
|
||||
.sp 2
|
||||
.SH DESCRIPTION
|
||||
|
||||
The purpose of this configuration file is to provide common
|
||||
configuration file for all configuration utilities which must be run
|
||||
from the supervisor account and use the userhelper wrapper application.
|
||||
|
||||
.sp
|
||||
The
|
||||
.BR config-util
|
||||
configuration file is included from all individual configuration
|
||||
files of such utilities with the help of the
|
||||
.BR include
|
||||
directive.
|
||||
There are not usually any other modules in the individual configuration
|
||||
files of these utilities.
|
||||
|
||||
.sp
|
||||
It is possible for example to modify duration of the validity of the
|
||||
authentication timestamp there. See
|
||||
.BR pam_timestamp(8)
|
||||
for details.
|
||||
|
||||
.SH BUGS
|
||||
.sp 2
|
||||
None known.
|
||||
|
||||
.SH "SEE ALSO"
|
||||
pam(8), config-util(5), pam_timestamp(8)
|
@ -0,0 +1,8 @@
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
auth sufficient pam_timestamp.so
|
||||
auth include system-auth
|
||||
account required pam_permit.so
|
||||
session required pam_permit.so
|
||||
session optional pam_xauth.so
|
||||
session optional pam_timestamp.so
|
@ -0,0 +1,75 @@
|
||||
#!/bin/sh
|
||||
|
||||
tempdir=`mktemp -d /tmp/dlopenXXXXXX`
|
||||
test -n "$tempdir" || exit 1
|
||||
cat >> $tempdir/dlopen.c << _EOF
|
||||
#include <dlfcn.h>
|
||||
#include <stdio.h>
|
||||
#include <limits.h>
|
||||
#include <sys/stat.h>
|
||||
/* Simple program to see if dlopen() would succeed. */
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
int i;
|
||||
struct stat st;
|
||||
char buf[PATH_MAX];
|
||||
for (i = 1; i < argc; i++) {
|
||||
if (dlopen(argv[i], RTLD_NOW)) {
|
||||
fprintf(stdout, "dlopen() of \"%s\" succeeded.\n",
|
||||
argv[i]);
|
||||
} else {
|
||||
snprintf(buf, sizeof(buf), "./%s", argv[i]);
|
||||
if ((stat(buf, &st) == 0) && dlopen(buf, RTLD_NOW)) {
|
||||
fprintf(stdout, "dlopen() of \"./%s\" "
|
||||
"succeeded.\n", argv[i]);
|
||||
} else {
|
||||
fprintf(stdout, "dlopen() of \"%s\" failed: "
|
||||
"%s\n", argv[i], dlerror());
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
_EOF
|
||||
|
||||
for arg in $@ ; do
|
||||
case "$arg" in
|
||||
"")
|
||||
;;
|
||||
-I*|-D*|-f*|-m*|-g*|-O*|-W*)
|
||||
cflags="$cflags $arg"
|
||||
;;
|
||||
-l*|-L*)
|
||||
ldflags="$ldflags $arg"
|
||||
;;
|
||||
/*)
|
||||
modules="$modules $arg"
|
||||
;;
|
||||
*)
|
||||
modules="$modules $arg"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
${CC:-gcc} $RPM_OPT_FLAGS $CFLAGS -o $tempdir/dlopen $cflags $tempdir/dlopen.c $ldflags -ldl
|
||||
|
||||
retval=0
|
||||
for module in $modules ; do
|
||||
case "$module" in
|
||||
"")
|
||||
;;
|
||||
/*)
|
||||
$tempdir/dlopen "$module"
|
||||
retval=$?
|
||||
;;
|
||||
*)
|
||||
$tempdir/dlopen ./"$module"
|
||||
retval=$?
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
rm -f $tempdir/dlopen $tempdir/dlopen.c
|
||||
rmdir $tempdir
|
||||
exit $retval
|
@ -0,0 +1,19 @@
|
||||
#%PAM-1.0
|
||||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authselect is run.
|
||||
auth required pam_env.so
|
||||
auth sufficient pam_fprintd.so
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_unix.so
|
||||
account sufficient pam_localuser.so
|
||||
account sufficient pam_succeed_if.so uid < 500 quiet
|
||||
account required pam_permit.so
|
||||
|
||||
password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_systemd.so
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
session required pam_unix.so
|
@ -0,0 +1,339 @@
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
Version 2, June 1991
|
||||
|
||||
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
|
||||
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
Everyone is permitted to copy and distribute verbatim copies
|
||||
of this license document, but changing it is not allowed.
|
||||
|
||||
Preamble
|
||||
|
||||
The licenses for most software are designed to take away your
|
||||
freedom to share and change it. By contrast, the GNU General Public
|
||||
License is intended to guarantee your freedom to share and change free
|
||||
software--to make sure the software is free for all its users. This
|
||||
General Public License applies to most of the Free Software
|
||||
Foundation's software and to any other program whose authors commit to
|
||||
using it. (Some other Free Software Foundation software is covered by
|
||||
the GNU Lesser General Public License instead.) You can apply it to
|
||||
your programs, too.
|
||||
|
||||
When we speak of free software, we are referring to freedom, not
|
||||
price. Our General Public Licenses are designed to make sure that you
|
||||
have the freedom to distribute copies of free software (and charge for
|
||||
this service if you wish), that you receive source code or can get it
|
||||
if you want it, that you can change the software or use pieces of it
|
||||
in new free programs; and that you know you can do these things.
|
||||
|
||||
To protect your rights, we need to make restrictions that forbid
|
||||
anyone to deny you these rights or to ask you to surrender the rights.
|
||||
These restrictions translate to certain responsibilities for you if you
|
||||
distribute copies of the software, or if you modify it.
|
||||
|
||||
For example, if you distribute copies of such a program, whether
|
||||
gratis or for a fee, you must give the recipients all the rights that
|
||||
you have. You must make sure that they, too, receive or can get the
|
||||
source code. And you must show them these terms so they know their
|
||||
rights.
|
||||
|
||||
We protect your rights with two steps: (1) copyright the software, and
|
||||
(2) offer you this license which gives you legal permission to copy,
|
||||
distribute and/or modify the software.
|
||||
|
||||
Also, for each author's protection and ours, we want to make certain
|
||||
that everyone understands that there is no warranty for this free
|
||||
software. If the software is modified by someone else and passed on, we
|
||||
want its recipients to know that what they have is not the original, so
|
||||
that any problems introduced by others will not reflect on the original
|
||||
authors' reputations.
|
||||
|
||||
Finally, any free program is threatened constantly by software
|
||||
patents. We wish to avoid the danger that redistributors of a free
|
||||
program will individually obtain patent licenses, in effect making the
|
||||
program proprietary. To prevent this, we have made it clear that any
|
||||
patent must be licensed for everyone's free use or not licensed at all.
|
||||
|
||||
The precise terms and conditions for copying, distribution and
|
||||
modification follow.
|
||||
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
||||
|
||||
0. This License applies to any program or other work which contains
|
||||
a notice placed by the copyright holder saying it may be distributed
|
||||
under the terms of this General Public License. The "Program", below,
|
||||
refers to any such program or work, and a "work based on the Program"
|
||||
means either the Program or any derivative work under copyright law:
|
||||
that is to say, a work containing the Program or a portion of it,
|
||||
either verbatim or with modifications and/or translated into another
|
||||
language. (Hereinafter, translation is included without limitation in
|
||||
the term "modification".) Each licensee is addressed as "you".
|
||||
|
||||
Activities other than copying, distribution and modification are not
|
||||
covered by this License; they are outside its scope. The act of
|
||||
running the Program is not restricted, and the output from the Program
|
||||
is covered only if its contents constitute a work based on the
|
||||
Program (independent of having been made by running the Program).
|
||||
Whether that is true depends on what the Program does.
|
||||
|
||||
1. You may copy and distribute verbatim copies of the Program's
|
||||
source code as you receive it, in any medium, provided that you
|
||||
conspicuously and appropriately publish on each copy an appropriate
|
||||
copyright notice and disclaimer of warranty; keep intact all the
|
||||
notices that refer to this License and to the absence of any warranty;
|
||||
and give any other recipients of the Program a copy of this License
|
||||
along with the Program.
|
||||
|
||||
You may charge a fee for the physical act of transferring a copy, and
|
||||
you may at your option offer warranty protection in exchange for a fee.
|
||||
|
||||
2. You may modify your copy or copies of the Program or any portion
|
||||
of it, thus forming a work based on the Program, and copy and
|
||||
distribute such modifications or work under the terms of Section 1
|
||||
above, provided that you also meet all of these conditions:
|
||||
|
||||
a) You must cause the modified files to carry prominent notices
|
||||
stating that you changed the files and the date of any change.
|
||||
|
||||
b) You must cause any work that you distribute or publish, that in
|
||||
whole or in part contains or is derived from the Program or any
|
||||
part thereof, to be licensed as a whole at no charge to all third
|
||||
parties under the terms of this License.
|
||||
|
||||
c) If the modified program normally reads commands interactively
|
||||
when run, you must cause it, when started running for such
|
||||
interactive use in the most ordinary way, to print or display an
|
||||
announcement including an appropriate copyright notice and a
|
||||
notice that there is no warranty (or else, saying that you provide
|
||||
a warranty) and that users may redistribute the program under
|
||||
these conditions, and telling the user how to view a copy of this
|
||||
License. (Exception: if the Program itself is interactive but
|
||||
does not normally print such an announcement, your work based on
|
||||
the Program is not required to print an announcement.)
|
||||
|
||||
These requirements apply to the modified work as a whole. If
|
||||
identifiable sections of that work are not derived from the Program,
|
||||
and can be reasonably considered independent and separate works in
|
||||
themselves, then this License, and its terms, do not apply to those
|
||||
sections when you distribute them as separate works. But when you
|
||||
distribute the same sections as part of a whole which is a work based
|
||||
on the Program, the distribution of the whole must be on the terms of
|
||||
this License, whose permissions for other licensees extend to the
|
||||
entire whole, and thus to each and every part regardless of who wrote it.
|
||||
|
||||
Thus, it is not the intent of this section to claim rights or contest
|
||||
your rights to work written entirely by you; rather, the intent is to
|
||||
exercise the right to control the distribution of derivative or
|
||||
collective works based on the Program.
|
||||
|
||||
In addition, mere aggregation of another work not based on the Program
|
||||
with the Program (or with a work based on the Program) on a volume of
|
||||
a storage or distribution medium does not bring the other work under
|
||||
the scope of this License.
|
||||
|
||||
3. You may copy and distribute the Program (or a work based on it,
|
||||
under Section 2) in object code or executable form under the terms of
|
||||
Sections 1 and 2 above provided that you also do one of the following:
|
||||
|
||||
a) Accompany it with the complete corresponding machine-readable
|
||||
source code, which must be distributed under the terms of Sections
|
||||
1 and 2 above on a medium customarily used for software interchange; or,
|
||||
|
||||
b) Accompany it with a written offer, valid for at least three
|
||||
years, to give any third party, for a charge no more than your
|
||||
cost of physically performing source distribution, a complete
|
||||
machine-readable copy of the corresponding source code, to be
|
||||
distributed under the terms of Sections 1 and 2 above on a medium
|
||||
customarily used for software interchange; or,
|
||||
|
||||
c) Accompany it with the information you received as to the offer
|
||||
to distribute corresponding source code. (This alternative is
|
||||
allowed only for noncommercial distribution and only if you
|
||||
received the program in object code or executable form with such
|
||||
an offer, in accord with Subsection b above.)
|
||||
|
||||
The source code for a work means the preferred form of the work for
|
||||
making modifications to it. For an executable work, complete source
|
||||
code means all the source code for all modules it contains, plus any
|
||||
associated interface definition files, plus the scripts used to
|
||||
control compilation and installation of the executable. However, as a
|
||||
special exception, the source code distributed need not include
|
||||
anything that is normally distributed (in either source or binary
|
||||
form) with the major components (compiler, kernel, and so on) of the
|
||||
operating system on which the executable runs, unless that component
|
||||
itself accompanies the executable.
|
||||
|
||||
If distribution of executable or object code is made by offering
|
||||
access to copy from a designated place, then offering equivalent
|
||||
access to copy the source code from the same place counts as
|
||||
distribution of the source code, even though third parties are not
|
||||
compelled to copy the source along with the object code.
|
||||
|
||||
4. You may not copy, modify, sublicense, or distribute the Program
|
||||
except as expressly provided under this License. Any attempt
|
||||
otherwise to copy, modify, sublicense or distribute the Program is
|
||||
void, and will automatically terminate your rights under this License.
|
||||
However, parties who have received copies, or rights, from you under
|
||||
this License will not have their licenses terminated so long as such
|
||||
parties remain in full compliance.
|
||||
|
||||
5. You are not required to accept this License, since you have not
|
||||
signed it. However, nothing else grants you permission to modify or
|
||||
distribute the Program or its derivative works. These actions are
|
||||
prohibited by law if you do not accept this License. Therefore, by
|
||||
modifying or distributing the Program (or any work based on the
|
||||
Program), you indicate your acceptance of this License to do so, and
|
||||
all its terms and conditions for copying, distributing or modifying
|
||||
the Program or works based on it.
|
||||
|
||||
6. Each time you redistribute the Program (or any work based on the
|
||||
Program), the recipient automatically receives a license from the
|
||||
original licensor to copy, distribute or modify the Program subject to
|
||||
these terms and conditions. You may not impose any further
|
||||
restrictions on the recipients' exercise of the rights granted herein.
|
||||
You are not responsible for enforcing compliance by third parties to
|
||||
this License.
|
||||
|
||||
7. If, as a consequence of a court judgment or allegation of patent
|
||||
infringement or for any other reason (not limited to patent issues),
|
||||
conditions are imposed on you (whether by court order, agreement or
|
||||
otherwise) that contradict the conditions of this License, they do not
|
||||
excuse you from the conditions of this License. If you cannot
|
||||
distribute so as to satisfy simultaneously your obligations under this
|
||||
License and any other pertinent obligations, then as a consequence you
|
||||
may not distribute the Program at all. For example, if a patent
|
||||
license would not permit royalty-free redistribution of the Program by
|
||||
all those who receive copies directly or indirectly through you, then
|
||||
the only way you could satisfy both it and this License would be to
|
||||
refrain entirely from distribution of the Program.
|
||||
|
||||
If any portion of this section is held invalid or unenforceable under
|
||||
any particular circumstance, the balance of the section is intended to
|
||||
apply and the section as a whole is intended to apply in other
|
||||
circumstances.
|
||||
|
||||
It is not the purpose of this section to induce you to infringe any
|
||||
patents or other property right claims or to contest validity of any
|
||||
such claims; this section has the sole purpose of protecting the
|
||||
integrity of the free software distribution system, which is
|
||||
implemented by public license practices. Many people have made
|
||||
generous contributions to the wide range of software distributed
|
||||
through that system in reliance on consistent application of that
|
||||
system; it is up to the author/donor to decide if he or she is willing
|
||||
to distribute software through any other system and a licensee cannot
|
||||
impose that choice.
|
||||
|
||||
This section is intended to make thoroughly clear what is believed to
|
||||
be a consequence of the rest of this License.
|
||||
|
||||
8. If the distribution and/or use of the Program is restricted in
|
||||
certain countries either by patents or by copyrighted interfaces, the
|
||||
original copyright holder who places the Program under this License
|
||||
may add an explicit geographical distribution limitation excluding
|
||||
those countries, so that distribution is permitted only in or among
|
||||
countries not thus excluded. In such case, this License incorporates
|
||||
the limitation as if written in the body of this License.
|
||||
|
||||
9. The Free Software Foundation may publish revised and/or new versions
|
||||
of the General Public License from time to time. Such new versions will
|
||||
be similar in spirit to the present version, but may differ in detail to
|
||||
address new problems or concerns.
|
||||
|
||||
Each version is given a distinguishing version number. If the Program
|
||||
specifies a version number of this License which applies to it and "any
|
||||
later version", you have the option of following the terms and conditions
|
||||
either of that version or of any later version published by the Free
|
||||
Software Foundation. If the Program does not specify a version number of
|
||||
this License, you may choose any version ever published by the Free Software
|
||||
Foundation.
|
||||
|
||||
10. If you wish to incorporate parts of the Program into other free
|
||||
programs whose distribution conditions are different, write to the author
|
||||
to ask for permission. For software which is copyrighted by the Free
|
||||
Software Foundation, write to the Free Software Foundation; we sometimes
|
||||
make exceptions for this. Our decision will be guided by the two goals
|
||||
of preserving the free status of all derivatives of our free software and
|
||||
of promoting the sharing and reuse of software generally.
|
||||
|
||||
NO WARRANTY
|
||||
|
||||
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
||||
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
||||
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
||||
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
||||
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
||||
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
||||
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
||||
REPAIR OR CORRECTION.
|
||||
|
||||
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
||||
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
||||
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
||||
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
||||
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
||||
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
||||
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
||||
POSSIBILITY OF SUCH DAMAGES.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
How to Apply These Terms to Your New Programs
|
||||
|
||||
If you develop a new program, and you want it to be of the greatest
|
||||
possible use to the public, the best way to achieve this is to make it
|
||||
free software which everyone can redistribute and change under these terms.
|
||||
|
||||
To do so, attach the following notices to the program. It is safest
|
||||
to attach them to the start of each source file to most effectively
|
||||
convey the exclusion of warranty; and each file should have at least
|
||||
the "copyright" line and a pointer to where the full notice is found.
|
||||
|
||||
<one line to give the program's name and a brief idea of what it does.>
|
||||
Copyright (C) <year> <name of author>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License along
|
||||
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
|
||||
Also add information on how to contact you by electronic and paper mail.
|
||||
|
||||
If the program is interactive, make it output a short notice like this
|
||||
when it starts in an interactive mode:
|
||||
|
||||
Gnomovision version 69, Copyright (C) year name of author
|
||||
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
||||
This is free software, and you are welcome to redistribute it
|
||||
under certain conditions; type `show c' for details.
|
||||
|
||||
The hypothetical commands `show w' and `show c' should show the appropriate
|
||||
parts of the General Public License. Of course, the commands you use may
|
||||
be called something other than `show w' and `show c'; they could even be
|
||||
mouse-clicks or menu items--whatever suits your program.
|
||||
|
||||
You should also get your employer (if you work as a programmer) or your
|
||||
school, if any, to sign a "copyright disclaimer" for the program, if
|
||||
necessary. Here is a sample; alter the names:
|
||||
|
||||
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
|
||||
`Gnomovision' (which makes passes at compilers) written by James Hacker.
|
||||
|
||||
<signature of Ty Coon>, 1 April 1989
|
||||
Ty Coon, President of Vice
|
||||
|
||||
This General Public License does not permit incorporating your program into
|
||||
proprietary programs. If your program is a subroutine library, you may
|
||||
consider it more useful to permit linking proprietary applications with the
|
||||
library. If this is what you want to do, use the GNU Lesser General
|
||||
Public License instead of this License.
|
@ -0,0 +1,5 @@
|
||||
#%PAM-1.0
|
||||
auth required pam_deny.so
|
||||
account required pam_deny.so
|
||||
password required pam_deny.so
|
||||
session required pam_deny.so
|
@ -0,0 +1,16 @@
|
||||
diff -up Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c.nomsg Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c
|
||||
--- Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c.nomsg 2016-04-11 13:08:47.000000000 +0200
|
||||
+++ Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c 2017-04-20 16:51:24.853106709 +0200
|
||||
@@ -687,12 +687,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
|
||||
return PAM_SUCCESS;
|
||||
} else if (off(UNIX__IAMROOT, ctrl) ||
|
||||
(on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) {
|
||||
- /* instruct user what is happening */
|
||||
- if (off(UNIX__QUIET, ctrl)) {
|
||||
- retval = pam_info(pamh, _("Changing password for %s."), user);
|
||||
- if (retval != PAM_SUCCESS)
|
||||
- return retval;
|
||||
- }
|
||||
retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass_old, NULL);
|
||||
|
||||
if (retval != PAM_SUCCESS) {
|
@ -0,0 +1,24 @@
|
||||
diff -up Linux-PAM-1.5.0/doc/Makefile.am.noflex Linux-PAM-1.5.0/doc/Makefile.am
|
||||
--- Linux-PAM-1.5.0/doc/Makefile.am.noflex 2020-11-10 16:46:13.000000000 +0100
|
||||
+++ Linux-PAM-1.5.0/doc/Makefile.am 2020-11-11 11:39:00.980421433 +0100
|
||||
@@ -2,7 +2,7 @@
|
||||
# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
|
||||
#
|
||||
|
||||
-SUBDIRS = man specs sag adg mwg
|
||||
+SUBDIRS = man sag adg mwg
|
||||
|
||||
CLEANFILES = *~
|
||||
|
||||
diff -up Linux-PAM-1.5.0/Makefile.am.noflex Linux-PAM-1.5.0/Makefile.am
|
||||
--- Linux-PAM-1.5.0/Makefile.am.noflex 2020-11-11 11:39:00.980421433 +0100
|
||||
+++ Linux-PAM-1.5.0/Makefile.am 2020-11-11 11:39:15.887625418 +0100
|
||||
@@ -4,7 +4,7 @@
|
||||
|
||||
AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news
|
||||
|
||||
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
|
||||
+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
|
||||
|
||||
if HAVE_DOC
|
||||
SUBDIRS += doc
|
@ -0,0 +1,25 @@
|
||||
diff -up Linux-PAM-1.5.0/configure.ac.redhat-modules Linux-PAM-1.5.0/configure.ac
|
||||
--- Linux-PAM-1.5.0/configure.ac.redhat-modules 2020-11-11 11:21:21.947857371 +0100
|
||||
+++ Linux-PAM-1.5.0/configure.ac 2020-11-11 11:22:58.638193747 +0100
|
||||
@@ -639,6 +639,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
|
||||
po/Makefile.in \
|
||||
Make.xml.rules \
|
||||
modules/Makefile \
|
||||
+ modules/pam_chroot/Makefile modules/pam_console/Makefile \
|
||||
+ modules/pam_postgresok/Makefile \
|
||||
modules/pam_access/Makefile \
|
||||
modules/pam_debug/Makefile modules/pam_deny/Makefile \
|
||||
modules/pam_echo/Makefile modules/pam_env/Makefile \
|
||||
diff -up Linux-PAM-1.5.0/modules/Makefile.am.redhat-modules Linux-PAM-1.5.0/modules/Makefile.am
|
||||
--- Linux-PAM-1.5.0/modules/Makefile.am.redhat-modules 2020-11-10 16:46:13.000000000 +0100
|
||||
+++ Linux-PAM-1.5.0/modules/Makefile.am 2020-11-11 11:21:21.947857371 +0100
|
||||
@@ -47,6 +47,9 @@ SUBDIRS := \
|
||||
pam_debug \
|
||||
pam_deny \
|
||||
pam_echo \
|
||||
+ pam_chroot \
|
||||
+ pam_console \
|
||||
+ pam_postgresok \
|
||||
pam_env \
|
||||
pam_exec \
|
||||
pam_faildelay \
|
@ -0,0 +1,848 @@
|
||||
diff -up Linux-PAM-1.5.1/modules/pam_faillock/faillock.8.xml.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/faillock.8.xml
|
||||
--- Linux-PAM-1.5.1/modules/pam_faillock/faillock.8.xml.faillock-load-conf-from-file 2020-11-25 17:57:02.000000000 +0100
|
||||
+++ Linux-PAM-1.5.1/modules/pam_faillock/faillock.8.xml 2022-05-25 15:30:33.700518571 +0200
|
||||
@@ -57,12 +57,29 @@
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>
|
||||
+ <option>--conf <replaceable>/path/to/config-file</replaceable></option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ The file where the configuration is located. The default is
|
||||
+ <filename>/etc/security/faillock.conf</filename>.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
<option>--dir <replaceable>/path/to/tally-directory</replaceable></option>
|
||||
</term>
|
||||
<listitem>
|
||||
<para>
|
||||
- The directory where the user files with the failure records are kept. The
|
||||
- default is <filename>/var/run/faillock</filename>.
|
||||
+ The directory where the user files with the failure records are kept.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ The priority to set this option is to use the value provided
|
||||
+ from the command line. If this isn't provided, then the value
|
||||
+ from the configuration file is used. Finally, if neither of
|
||||
+ them has been provided, then
|
||||
+ <filename>/var/run/faillock</filename> is used.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
diff -up Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.c.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.c
|
||||
--- Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.c.faillock-load-conf-from-file 2022-05-25 15:30:33.699518564 +0200
|
||||
+++ Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.c 2022-05-25 15:30:33.700518571 +0200
|
||||
@@ -0,0 +1,263 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2022 Tomas Mraz <tm@t8m.info>
|
||||
+ * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com>
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
||||
+ * necessary due to a potential bad interaction between the GPL and
|
||||
+ * the restrictions contained in a BSD-style copyright.)
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#include "config.h"
|
||||
+
|
||||
+#include <ctype.h>
|
||||
+#include <errno.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <syslog.h>
|
||||
+
|
||||
+#include <security/pam_modules.h>
|
||||
+
|
||||
+#include "faillock_config.h"
|
||||
+#include "faillock.h"
|
||||
+
|
||||
+#define FAILLOCK_DEFAULT_CONF "/etc/security/faillock.conf"
|
||||
+
|
||||
+static void PAM_FORMAT((printf, 3, 4)) PAM_NONNULL((3))
|
||||
+config_log(const pam_handle_t *pamh, int priority, const char *fmt, ...)
|
||||
+{
|
||||
+ va_list args;
|
||||
+
|
||||
+ va_start(args, fmt);
|
||||
+ if (pamh) {
|
||||
+ pam_vsyslog(pamh, priority, fmt, args);
|
||||
+ } else {
|
||||
+ char *buf = NULL;
|
||||
+
|
||||
+ if (vasprintf(&buf, fmt, args) < 0) {
|
||||
+ fprintf(stderr, "vasprintf: %m");
|
||||
+ va_end(args);
|
||||
+ return;
|
||||
+ }
|
||||
+ fprintf(stderr, "%s\n", buf);
|
||||
+ free(buf);
|
||||
+ }
|
||||
+ va_end(args);
|
||||
+}
|
||||
+
|
||||
+/* parse a single configuration file */
|
||||
+int
|
||||
+read_config_file(pam_handle_t *pamh, struct options *opts, const char *cfgfile)
|
||||
+{
|
||||
+ char linebuf[FAILLOCK_CONF_MAX_LINELEN+1];
|
||||
+ const char *fname = (cfgfile != NULL) ? cfgfile : FAILLOCK_DEFAULT_CONF;
|
||||
+ FILE *f = fopen(fname, "r");
|
||||
+
|
||||
+#ifdef VENDOR_FAILLOCK_DEFAULT_CONF
|
||||
+ if (f == NULL && errno == ENOENT && cfgfile == NULL) {
|
||||
+ /*
|
||||
+ * If the default configuration file in /etc does not exist,
|
||||
+ * try the vendor configuration file as fallback.
|
||||
+ */
|
||||
+ f = fopen(VENDOR_FAILLOCK_DEFAULT_CONF, "r");
|
||||
+ }
|
||||
+#endif /* VENDOR_FAILLOCK_DEFAULT_CONF */
|
||||
+
|
||||
+ if (f == NULL) {
|
||||
+ /* ignore non-existent default config file */
|
||||
+ if (errno == ENOENT && cfgfile == NULL)
|
||||
+ return PAM_SUCCESS;
|
||||
+ return PAM_SERVICE_ERR;
|
||||
+ }
|
||||
+
|
||||
+ while (fgets(linebuf, sizeof(linebuf), f) != NULL) {
|
||||
+ size_t len;
|
||||
+ char *ptr;
|
||||
+ char *name;
|
||||
+ int eq;
|
||||
+
|
||||
+ len = strlen(linebuf);
|
||||
+ /* len cannot be 0 unless there is a bug in fgets */
|
||||
+ if (len && linebuf[len - 1] != '\n' && !feof(f)) {
|
||||
+ (void) fclose(f);
|
||||
+ return PAM_SERVICE_ERR;
|
||||
+ }
|
||||
+
|
||||
+ if ((ptr=strchr(linebuf, '#')) != NULL) {
|
||||
+ *ptr = '\0';
|
||||
+ } else {
|
||||
+ ptr = linebuf + len;
|
||||
+ }
|
||||
+
|
||||
+ /* drop terminating whitespace including the \n */
|
||||
+ while (ptr > linebuf) {
|
||||
+ if (!isspace(*(ptr-1))) {
|
||||
+ *ptr = '\0';
|
||||
+ break;
|
||||
+ }
|
||||
+ --ptr;
|
||||
+ }
|
||||
+
|
||||
+ /* skip initial whitespace */
|
||||
+ for (ptr = linebuf; isspace(*ptr); ptr++);
|
||||
+ if (*ptr == '\0')
|
||||
+ continue;
|
||||
+
|
||||
+ /* grab the key name */
|
||||
+ eq = 0;
|
||||
+ name = ptr;
|
||||
+ while (*ptr != '\0') {
|
||||
+ if (isspace(*ptr) || *ptr == '=') {
|
||||
+ eq = *ptr == '=';
|
||||
+ *ptr = '\0';
|
||||
+ ++ptr;
|
||||
+ break;
|
||||
+ }
|
||||
+ ++ptr;
|
||||
+ }
|
||||
+
|
||||
+ /* grab the key value */
|
||||
+ while (*ptr != '\0') {
|
||||
+ if (*ptr != '=' || eq) {
|
||||
+ if (!isspace(*ptr)) {
|
||||
+ break;
|
||||
+ }
|
||||
+ } else {
|
||||
+ eq = 1;
|
||||
+ }
|
||||
+ ++ptr;
|
||||
+ }
|
||||
+
|
||||
+ /* set the key:value pair on opts */
|
||||
+ set_conf_opt(pamh, opts, name, ptr);
|
||||
+ }
|
||||
+
|
||||
+ (void)fclose(f);
|
||||
+ return PAM_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name,
|
||||
+ const char *value)
|
||||
+{
|
||||
+ if (strcmp(name, "dir") == 0) {
|
||||
+ if (value[0] != '/') {
|
||||
+ config_log(pamh, LOG_ERR,
|
||||
+ "Tally directory is not absolute path (%s); keeping value",
|
||||
+ value);
|
||||
+ } else {
|
||||
+ free(opts->dir);
|
||||
+ opts->dir = strdup(value);
|
||||
+ if (opts->dir == NULL) {
|
||||
+ opts->fatal_error = 1;
|
||||
+ config_log(pamh, LOG_CRIT, "Error allocating memory: %m");
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ else if (strcmp(name, "deny") == 0) {
|
||||
+ if (sscanf(value, "%hu", &opts->deny) != 1) {
|
||||
+ config_log(pamh, LOG_ERR,
|
||||
+ "Bad number supplied for deny argument");
|
||||
+ }
|
||||
+ }
|
||||
+ else if (strcmp(name, "fail_interval") == 0) {
|
||||
+ unsigned int temp;
|
||||
+ if (sscanf(value, "%u", &temp) != 1 ||
|
||||
+ temp > MAX_TIME_INTERVAL) {
|
||||
+ config_log(pamh, LOG_ERR,
|
||||
+ "Bad number supplied for fail_interval argument");
|
||||
+ } else {
|
||||
+ opts->fail_interval = temp;
|
||||
+ }
|
||||
+ }
|
||||
+ else if (strcmp(name, "unlock_time") == 0) {
|
||||
+ unsigned int temp;
|
||||
+
|
||||
+ if (strcmp(value, "never") == 0) {
|
||||
+ opts->unlock_time = 0;
|
||||
+ }
|
||||
+ else if (sscanf(value, "%u", &temp) != 1 ||
|
||||
+ temp > MAX_TIME_INTERVAL) {
|
||||
+ config_log(pamh, LOG_ERR,
|
||||
+ "Bad number supplied for unlock_time argument");
|
||||
+ }
|
||||
+ else {
|
||||
+ opts->unlock_time = temp;
|
||||
+ }
|
||||
+ }
|
||||
+ else if (strcmp(name, "root_unlock_time") == 0) {
|
||||
+ unsigned int temp;
|
||||
+
|
||||
+ if (strcmp(value, "never") == 0) {
|
||||
+ opts->root_unlock_time = 0;
|
||||
+ }
|
||||
+ else if (sscanf(value, "%u", &temp) != 1 ||
|
||||
+ temp > MAX_TIME_INTERVAL) {
|
||||
+ config_log(pamh, LOG_ERR,
|
||||
+ "Bad number supplied for root_unlock_time argument");
|
||||
+ } else {
|
||||
+ opts->root_unlock_time = temp;
|
||||
+ }
|
||||
+ }
|
||||
+ else if (strcmp(name, "admin_group") == 0) {
|
||||
+ free(opts->admin_group);
|
||||
+ opts->admin_group = strdup(value);
|
||||
+ if (opts->admin_group == NULL) {
|
||||
+ opts->fatal_error = 1;
|
||||
+ config_log(pamh, LOG_CRIT, "Error allocating memory: %m");
|
||||
+ }
|
||||
+ }
|
||||
+ else if (strcmp(name, "even_deny_root") == 0) {
|
||||
+ opts->flags |= FAILLOCK_FLAG_DENY_ROOT;
|
||||
+ }
|
||||
+ else if (strcmp(name, "audit") == 0) {
|
||||
+ opts->flags |= FAILLOCK_FLAG_AUDIT;
|
||||
+ }
|
||||
+ else if (strcmp(name, "silent") == 0) {
|
||||
+ opts->flags |= FAILLOCK_FLAG_SILENT;
|
||||
+ }
|
||||
+ else if (strcmp(name, "no_log_info") == 0) {
|
||||
+ opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO;
|
||||
+ }
|
||||
+ else if (strcmp(name, "local_users_only") == 0) {
|
||||
+ opts->flags |= FAILLOCK_FLAG_LOCAL_ONLY;
|
||||
+ }
|
||||
+ else if (strcmp(name, "nodelay") == 0) {
|
||||
+ opts->flags |= FAILLOCK_FLAG_NO_DELAY;
|
||||
+ }
|
||||
+ else {
|
||||
+ config_log(pamh, LOG_ERR, "Unknown option: %s", name);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+const char *get_tally_dir(const struct options *opts)
|
||||
+{
|
||||
+ return (opts->dir != NULL) ? opts->dir : FAILLOCK_DEFAULT_TALLYDIR;
|
||||
+}
|
||||
diff -up Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.h.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.h
|
||||
--- Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.h.faillock-load-conf-from-file 2022-05-25 15:30:33.699518564 +0200
|
||||
+++ Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.h 2022-05-25 15:30:33.700518571 +0200
|
||||
@@ -0,0 +1,89 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2022 Tomas Mraz <tm@t8m.info>
|
||||
+ * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com>
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
||||
+ * necessary due to a potential bad interaction between the GPL and
|
||||
+ * the restrictions contained in a BSD-style copyright.)
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * faillock_config.h - load configuration options from file
|
||||
+ *
|
||||
+ */
|
||||
+
|
||||
+#ifndef _FAILLOCK_CONFIG_H
|
||||
+#define _FAILLOCK_CONFIG_H
|
||||
+
|
||||
+#include <limits.h>
|
||||
+#include <stdint.h>
|
||||
+#include <sys/types.h>
|
||||
+
|
||||
+#include <security/pam_ext.h>
|
||||
+
|
||||
+#define FAILLOCK_FLAG_DENY_ROOT 0x1
|
||||
+#define FAILLOCK_FLAG_AUDIT 0x2
|
||||
+#define FAILLOCK_FLAG_SILENT 0x4
|
||||
+#define FAILLOCK_FLAG_NO_LOG_INFO 0x8
|
||||
+#define FAILLOCK_FLAG_UNLOCKED 0x10
|
||||
+#define FAILLOCK_FLAG_LOCAL_ONLY 0x20
|
||||
+#define FAILLOCK_FLAG_NO_DELAY 0x40
|
||||
+
|
||||
+#define FAILLOCK_CONF_MAX_LINELEN 1023
|
||||
+#define MAX_TIME_INTERVAL 604800 /* 7 days */
|
||||
+
|
||||
+struct options {
|
||||
+ unsigned int action;
|
||||
+ unsigned int flags;
|
||||
+ unsigned short deny;
|
||||
+ unsigned int fail_interval;
|
||||
+ unsigned int unlock_time;
|
||||
+ unsigned int root_unlock_time;
|
||||
+ char *dir;
|
||||
+ const char *user;
|
||||
+ char *admin_group;
|
||||
+ int failures;
|
||||
+ uint64_t latest_time;
|
||||
+ uid_t uid;
|
||||
+ int is_admin;
|
||||
+ uint64_t now;
|
||||
+ int fatal_error;
|
||||
+
|
||||
+ unsigned int reset;
|
||||
+ const char *progname;
|
||||
+};
|
||||
+
|
||||
+int read_config_file(pam_handle_t *pamh, struct options *opts,
|
||||
+ const char *cfgfile);
|
||||
+void set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name,
|
||||
+ const char *value);
|
||||
+const char *get_tally_dir(const struct options *opts);
|
||||
+
|
||||
+#endif /* _FAILLOCK_CONFIG_H */
|
||||
diff -up Linux-PAM-1.5.1/modules/pam_faillock/main.c.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/main.c
|
||||
--- Linux-PAM-1.5.1/modules/pam_faillock/main.c.faillock-load-conf-from-file 2020-11-25 17:57:02.000000000 +0100
|
||||
+++ Linux-PAM-1.5.1/modules/pam_faillock/main.c 2022-05-25 15:37:05.801216176 +0200
|
||||
@@ -51,33 +51,40 @@
|
||||
#define AUDIT_NO_ID ((unsigned int) -1)
|
||||
#endif
|
||||
|
||||
+#include "pam_inline.h"
|
||||
#include "faillock.h"
|
||||
-
|
||||
-struct options {
|
||||
- unsigned int reset;
|
||||
- const char *dir;
|
||||
- const char *user;
|
||||
- const char *progname;
|
||||
-};
|
||||
+#include "faillock_config.h"
|
||||
|
||||
static int
|
||||
args_parse(int argc, char **argv, struct options *opts)
|
||||
{
|
||||
int i;
|
||||
+ int rv;
|
||||
+ const char *dir = NULL;
|
||||
+ const char *conf = NULL;
|
||||
+
|
||||
memset(opts, 0, sizeof(*opts));
|
||||
|
||||
- opts->dir = FAILLOCK_DEFAULT_TALLYDIR;
|
||||
opts->progname = argv[0];
|
||||
|
||||
for (i = 1; i < argc; ++i) {
|
||||
-
|
||||
- if (strcmp(argv[i], "--dir") == 0) {
|
||||
+ if (strcmp(argv[i], "--conf") == 0) {
|
||||
+ ++i;
|
||||
+ if (i >= argc || strlen(argv[i]) == 0) {
|
||||
+ fprintf(stderr, "%s: No configuration file supplied.\n",
|
||||
+ argv[0]);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ conf = argv[i];
|
||||
+ }
|
||||
+ else if (strcmp(argv[i], "--dir") == 0) {
|
||||
++i;
|
||||
if (i >= argc || strlen(argv[i]) == 0) {
|
||||
- fprintf(stderr, "%s: No directory supplied.\n", argv[0]);
|
||||
+ fprintf(stderr, "%s: No records directory supplied.\n",
|
||||
+ argv[0]);
|
||||
return -1;
|
||||
}
|
||||
- opts->dir = argv[i];
|
||||
+ dir = argv[i];
|
||||
}
|
||||
else if (strcmp(argv[i], "--user") == 0) {
|
||||
++i;
|
||||
@@ -85,7 +92,7 @@ args_parse(int argc, char **argv, struct
|
||||
fprintf(stderr, "%s: No user name supplied.\n", argv[0]);
|
||||
return -1;
|
||||
}
|
||||
- opts->user = argv[i];
|
||||
+ opts->user = argv[i];
|
||||
}
|
||||
else if (strcmp(argv[i], "--reset") == 0) {
|
||||
opts->reset = 1;
|
||||
@@ -95,6 +102,21 @@ args_parse(int argc, char **argv, struct
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ if ((rv = read_config_file(NULL, opts, conf)) != PAM_SUCCESS) {
|
||||
+ fprintf(stderr, "Configuration file missing or broken");
|
||||
+ return rv;
|
||||
+ }
|
||||
+
|
||||
+ if (dir != NULL) {
|
||||
+ free(opts->dir);
|
||||
+ opts->dir = strdup(dir);
|
||||
+ if (opts->dir == NULL) {
|
||||
+ fprintf(stderr, "Error allocating memory: %m");
|
||||
+ return -1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -112,10 +134,11 @@ do_user(struct options *opts, const char
|
||||
int rv;
|
||||
struct tally_data tallies;
|
||||
struct passwd *pwd;
|
||||
+ const char *dir = get_tally_dir(opts);
|
||||
|
||||
pwd = getpwnam(user);
|
||||
|
||||
- fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0);
|
||||
+ fd = open_tally(dir, user, pwd != NULL ? pwd->pw_uid : 0, 0);
|
||||
|
||||
if (fd == -1) {
|
||||
if (errno == ENOENT) {
|
||||
@@ -191,8 +214,9 @@ do_allusers(struct options *opts)
|
||||
{
|
||||
struct dirent **userlist;
|
||||
int rv, i;
|
||||
+ const char *dir = get_tally_dir(opts);
|
||||
|
||||
- rv = scandir(opts->dir, &userlist, NULL, alphasort);
|
||||
+ rv = scandir(dir, &userlist, NULL, alphasort);
|
||||
if (rv < 0) {
|
||||
fprintf(stderr, "%s: Error reading tally directory: %m\n", opts->progname);
|
||||
return 2;
|
||||
diff -up Linux-PAM-1.5.1/modules/pam_faillock/Makefile.am.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/Makefile.am
|
||||
--- Linux-PAM-1.5.1/modules/pam_faillock/Makefile.am.faillock-load-conf-from-file 2020-11-25 17:57:02.000000000 +0100
|
||||
+++ Linux-PAM-1.5.1/modules/pam_faillock/Makefile.am 2022-05-25 15:30:33.700518571 +0200
|
||||
@@ -20,7 +20,7 @@ TESTS = $(dist_check_SCRIPTS)
|
||||
securelibdir = $(SECUREDIR)
|
||||
secureconfdir = $(SCONFIGDIR)
|
||||
|
||||
-noinst_HEADERS = faillock.h
|
||||
+noinst_HEADERS = faillock.h faillock_config.h
|
||||
|
||||
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
|
||||
$(WARN_CFLAGS)
|
||||
@@ -41,8 +41,8 @@ dist_secureconf_DATA = faillock.conf
|
||||
securelib_LTLIBRARIES = pam_faillock.la
|
||||
sbin_PROGRAMS = faillock
|
||||
|
||||
-pam_faillock_la_SOURCES = pam_faillock.c faillock.c
|
||||
-faillock_SOURCES = main.c faillock.c
|
||||
+pam_faillock_la_SOURCES = pam_faillock.c faillock.c faillock_config.c
|
||||
+faillock_SOURCES = main.c faillock.c faillock_config.c
|
||||
|
||||
if ENABLE_REGENERATE_MAN
|
||||
dist_noinst_DATA = README
|
||||
diff -up Linux-PAM-1.5.1/modules/pam_faillock/pam_faillock.c.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/pam_faillock.c
|
||||
--- Linux-PAM-1.5.1/modules/pam_faillock/pam_faillock.c.faillock-load-conf-from-file 2020-11-25 17:57:02.000000000 +0100
|
||||
+++ Linux-PAM-1.5.1/modules/pam_faillock/pam_faillock.c 2022-05-25 15:33:03.885551825 +0200
|
||||
@@ -38,7 +38,6 @@
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
-#include <stdint.h>
|
||||
#include <stdlib.h>
|
||||
#include <errno.h>
|
||||
#include <time.h>
|
||||
@@ -56,55 +55,12 @@
|
||||
|
||||
#include "pam_inline.h"
|
||||
#include "faillock.h"
|
||||
+#include "faillock_config.h"
|
||||
|
||||
#define FAILLOCK_ACTION_PREAUTH 0
|
||||
#define FAILLOCK_ACTION_AUTHSUCC 1
|
||||
#define FAILLOCK_ACTION_AUTHFAIL 2
|
||||
|
||||
-#define FAILLOCK_FLAG_DENY_ROOT 0x1
|
||||
-#define FAILLOCK_FLAG_AUDIT 0x2
|
||||
-#define FAILLOCK_FLAG_SILENT 0x4
|
||||
-#define FAILLOCK_FLAG_NO_LOG_INFO 0x8
|
||||
-#define FAILLOCK_FLAG_UNLOCKED 0x10
|
||||
-#define FAILLOCK_FLAG_LOCAL_ONLY 0x20
|
||||
-#define FAILLOCK_FLAG_NO_DELAY 0x40
|
||||
-
|
||||
-#define MAX_TIME_INTERVAL 604800 /* 7 days */
|
||||
-#define FAILLOCK_CONF_MAX_LINELEN 1023
|
||||
-
|
||||
-static const char default_faillock_conf[] = FAILLOCK_DEFAULT_CONF;
|
||||
-
|
||||
-struct options {
|
||||
- unsigned int action;
|
||||
- unsigned int flags;
|
||||
- unsigned short deny;
|
||||
- unsigned int fail_interval;
|
||||
- unsigned int unlock_time;
|
||||
- unsigned int root_unlock_time;
|
||||
- char *dir;
|
||||
- const char *user;
|
||||
- char *admin_group;
|
||||
- int failures;
|
||||
- uint64_t latest_time;
|
||||
- uid_t uid;
|
||||
- int is_admin;
|
||||
- uint64_t now;
|
||||
- int fatal_error;
|
||||
-};
|
||||
-
|
||||
-static int read_config_file(
|
||||
- pam_handle_t *pamh,
|
||||
- struct options *opts,
|
||||
- const char *cfgfile
|
||||
-);
|
||||
-
|
||||
-static void set_conf_opt(
|
||||
- pam_handle_t *pamh,
|
||||
- struct options *opts,
|
||||
- const char *name,
|
||||
- const char *value
|
||||
-);
|
||||
-
|
||||
static int
|
||||
args_parse(pam_handle_t *pamh, int argc, const char **argv,
|
||||
int flags, struct options *opts)
|
||||
@@ -112,11 +68,10 @@ args_parse(pam_handle_t *pamh, int argc,
|
||||
int i;
|
||||
int config_arg_index = -1;
|
||||
int rv;
|
||||
- const char *conf = default_faillock_conf;
|
||||
+ const char *conf = NULL;
|
||||
|
||||
memset(opts, 0, sizeof(*opts));
|
||||
|
||||
- opts->dir = strdup(FAILLOCK_DEFAULT_TALLYDIR);
|
||||
opts->deny = 3;
|
||||
opts->fail_interval = 900;
|
||||
opts->unlock_time = 600;
|
||||
@@ -174,185 +129,11 @@ args_parse(pam_handle_t *pamh, int argc,
|
||||
if (flags & PAM_SILENT)
|
||||
opts->flags |= FAILLOCK_FLAG_SILENT;
|
||||
|
||||
- if (opts->dir == NULL) {
|
||||
- pam_syslog(pamh, LOG_CRIT, "Error allocating memory: %m");
|
||||
- opts->fatal_error = 1;
|
||||
- }
|
||||
-
|
||||
if (opts->fatal_error)
|
||||
return PAM_BUF_ERR;
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
-/* parse a single configuration file */
|
||||
-static int
|
||||
-read_config_file(pam_handle_t *pamh, struct options *opts, const char *cfgfile)
|
||||
-{
|
||||
- FILE *f;
|
||||
- char linebuf[FAILLOCK_CONF_MAX_LINELEN+1];
|
||||
-
|
||||
- f = fopen(cfgfile, "r");
|
||||
- if (f == NULL) {
|
||||
- /* ignore non-existent default config file */
|
||||
- if (errno == ENOENT && cfgfile == default_faillock_conf)
|
||||
- return PAM_SUCCESS;
|
||||
- return PAM_SERVICE_ERR;
|
||||
- }
|
||||
-
|
||||
- while (fgets(linebuf, sizeof(linebuf), f) != NULL) {
|
||||
- size_t len;
|
||||
- char *ptr;
|
||||
- char *name;
|
||||
- int eq;
|
||||
-
|
||||
- len = strlen(linebuf);
|
||||
- /* len cannot be 0 unless there is a bug in fgets */
|
||||
- if (len && linebuf[len - 1] != '\n' && !feof(f)) {
|
||||
- (void) fclose(f);
|
||||
- return PAM_SERVICE_ERR;
|
||||
- }
|
||||
-
|
||||
- if ((ptr=strchr(linebuf, '#')) != NULL) {
|
||||
- *ptr = '\0';
|
||||
- } else {
|
||||
- ptr = linebuf + len;
|
||||
- }
|
||||
-
|
||||
- /* drop terminating whitespace including the \n */
|
||||
- while (ptr > linebuf) {
|
||||
- if (!isspace(*(ptr-1))) {
|
||||
- *ptr = '\0';
|
||||
- break;
|
||||
- }
|
||||
- --ptr;
|
||||
- }
|
||||
-
|
||||
- /* skip initial whitespace */
|
||||
- for (ptr = linebuf; isspace(*ptr); ptr++);
|
||||
- if (*ptr == '\0')
|
||||
- continue;
|
||||
-
|
||||
- /* grab the key name */
|
||||
- eq = 0;
|
||||
- name = ptr;
|
||||
- while (*ptr != '\0') {
|
||||
- if (isspace(*ptr) || *ptr == '=') {
|
||||
- eq = *ptr == '=';
|
||||
- *ptr = '\0';
|
||||
- ++ptr;
|
||||
- break;
|
||||
- }
|
||||
- ++ptr;
|
||||
- }
|
||||
-
|
||||
- /* grab the key value */
|
||||
- while (*ptr != '\0') {
|
||||
- if (*ptr != '=' || eq) {
|
||||
- if (!isspace(*ptr)) {
|
||||
- break;
|
||||
- }
|
||||
- } else {
|
||||
- eq = 1;
|
||||
- }
|
||||
- ++ptr;
|
||||
- }
|
||||
-
|
||||
- /* set the key:value pair on opts */
|
||||
- set_conf_opt(pamh, opts, name, ptr);
|
||||
- }
|
||||
-
|
||||
- (void)fclose(f);
|
||||
- return PAM_SUCCESS;
|
||||
-}
|
||||
-
|
||||
-static void
|
||||
-set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, const char *value)
|
||||
-{
|
||||
- if (strcmp(name, "dir") == 0) {
|
||||
- if (value[0] != '/') {
|
||||
- pam_syslog(pamh, LOG_ERR,
|
||||
- "Tally directory is not absolute path (%s); keeping default", value);
|
||||
- } else {
|
||||
- free(opts->dir);
|
||||
- opts->dir = strdup(value);
|
||||
- }
|
||||
- }
|
||||
- else if (strcmp(name, "deny") == 0) {
|
||||
- if (sscanf(value, "%hu", &opts->deny) != 1) {
|
||||
- pam_syslog(pamh, LOG_ERR,
|
||||
- "Bad number supplied for deny argument");
|
||||
- }
|
||||
- }
|
||||
- else if (strcmp(name, "fail_interval") == 0) {
|
||||
- unsigned int temp;
|
||||
- if (sscanf(value, "%u", &temp) != 1 ||
|
||||
- temp > MAX_TIME_INTERVAL) {
|
||||
- pam_syslog(pamh, LOG_ERR,
|
||||
- "Bad number supplied for fail_interval argument");
|
||||
- } else {
|
||||
- opts->fail_interval = temp;
|
||||
- }
|
||||
- }
|
||||
- else if (strcmp(name, "unlock_time") == 0) {
|
||||
- unsigned int temp;
|
||||
-
|
||||
- if (strcmp(value, "never") == 0) {
|
||||
- opts->unlock_time = 0;
|
||||
- }
|
||||
- else if (sscanf(value, "%u", &temp) != 1 ||
|
||||
- temp > MAX_TIME_INTERVAL) {
|
||||
- pam_syslog(pamh, LOG_ERR,
|
||||
- "Bad number supplied for unlock_time argument");
|
||||
- }
|
||||
- else {
|
||||
- opts->unlock_time = temp;
|
||||
- }
|
||||
- }
|
||||
- else if (strcmp(name, "root_unlock_time") == 0) {
|
||||
- unsigned int temp;
|
||||
-
|
||||
- if (strcmp(value, "never") == 0) {
|
||||
- opts->root_unlock_time = 0;
|
||||
- }
|
||||
- else if (sscanf(value, "%u", &temp) != 1 ||
|
||||
- temp > MAX_TIME_INTERVAL) {
|
||||
- pam_syslog(pamh, LOG_ERR,
|
||||
- "Bad number supplied for root_unlock_time argument");
|
||||
- } else {
|
||||
- opts->root_unlock_time = temp;
|
||||
- }
|
||||
- }
|
||||
- else if (strcmp(name, "admin_group") == 0) {
|
||||
- free(opts->admin_group);
|
||||
- opts->admin_group = strdup(value);
|
||||
- if (opts->admin_group == NULL) {
|
||||
- opts->fatal_error = 1;
|
||||
- pam_syslog(pamh, LOG_CRIT, "Error allocating memory: %m");
|
||||
- }
|
||||
- }
|
||||
- else if (strcmp(name, "even_deny_root") == 0) {
|
||||
- opts->flags |= FAILLOCK_FLAG_DENY_ROOT;
|
||||
- }
|
||||
- else if (strcmp(name, "audit") == 0) {
|
||||
- opts->flags |= FAILLOCK_FLAG_AUDIT;
|
||||
- }
|
||||
- else if (strcmp(name, "silent") == 0) {
|
||||
- opts->flags |= FAILLOCK_FLAG_SILENT;
|
||||
- }
|
||||
- else if (strcmp(name, "no_log_info") == 0) {
|
||||
- opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO;
|
||||
- }
|
||||
- else if (strcmp(name, "local_users_only") == 0) {
|
||||
- opts->flags |= FAILLOCK_FLAG_LOCAL_ONLY;
|
||||
- }
|
||||
- else if (strcmp(name, "nodelay") == 0) {
|
||||
- opts->flags |= FAILLOCK_FLAG_NO_DELAY;
|
||||
- }
|
||||
- else {
|
||||
- pam_syslog(pamh, LOG_ERR, "Unknown option: %s", name);
|
||||
- }
|
||||
-}
|
||||
-
|
||||
static int
|
||||
check_local_user (pam_handle_t *pamh, const char *user)
|
||||
{
|
||||
@@ -406,10 +187,11 @@ check_tally(pam_handle_t *pamh, struct o
|
||||
unsigned int i;
|
||||
uint64_t latest_time;
|
||||
int failures;
|
||||
+ const char *dir = get_tally_dir(opts);
|
||||
|
||||
opts->now = time(NULL);
|
||||
|
||||
- tfd = open_tally(opts->dir, opts->user, opts->uid, 0);
|
||||
+ tfd = open_tally(dir, opts->user, opts->uid, 0);
|
||||
|
||||
*fd = tfd;
|
||||
|
||||
@@ -483,9 +265,10 @@ static void
|
||||
reset_tally(pam_handle_t *pamh, struct options *opts, int *fd)
|
||||
{
|
||||
int rv;
|
||||
+ const char *dir = get_tally_dir(opts);
|
||||
|
||||
if (*fd == -1) {
|
||||
- *fd = open_tally(opts->dir, opts->user, opts->uid, 1);
|
||||
+ *fd = open_tally(dir, opts->user, opts->uid, 1);
|
||||
}
|
||||
else {
|
||||
while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
|
||||
@@ -504,9 +287,10 @@ write_tally(pam_handle_t *pamh, struct o
|
||||
unsigned int oldest;
|
||||
uint64_t oldtime;
|
||||
const void *source = NULL;
|
||||
+ const char *dir = get_tally_dir(opts);
|
||||
|
||||
if (*fd == -1) {
|
||||
- *fd = open_tally(opts->dir, opts->user, opts->uid, 1);
|
||||
+ *fd = open_tally(dir, opts->user, opts->uid, 1);
|
||||
}
|
||||
if (*fd == -1) {
|
||||
if (errno == EACCES) {
|
||||
diff --git a/modules/pam_faillock/faillock.h b/modules/pam_faillock/faillock.h
|
||||
index b22a9dfb..0ea0ffba 100644
|
||||
--- a/modules/pam_faillock/faillock.h
|
||||
+++ b/modules/pam_faillock/faillock.h
|
||||
diff -up Linux-PAM-1.5.1/modules/pam_faillock/faillock.h.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/faillock.h
|
||||
--- Linux-PAM-1.5.1/modules/pam_faillock/faillock.h.faillock-load-conf-from-file 2020-11-25 17:57:02.000000000 +0100
|
||||
+++ Linux-PAM-1.5.1/modules/pam_faillock/faillock.h 2022-05-25 15:33:03.885551825 +0200
|
||||
@@ -67,7 +67,6 @@ struct tally_data {
|
||||
};
|
||||
|
||||
#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"
|
||||
-#define FAILLOCK_DEFAULT_CONF "/etc/security/faillock.conf"
|
||||
|
||||
int open_tally(const char *dir, const char *user, uid_t uid, int create);
|
||||
int read_tally(int fd, struct tally_data *tallies);
|
@ -0,0 +1,37 @@
|
||||
From 10086bc69663fa819277af244eeb5b629a2403b8 Mon Sep 17 00:00:00 2001
|
||||
From: Deepak Das <ddas@redhat.com>
|
||||
Date: Mon, 10 Oct 2022 21:21:35 +0530
|
||||
Subject: [PATCH] pam_faillock: avoid logging an erroneous consecutive login
|
||||
failure message
|
||||
|
||||
* modules/pam_faillock/pam_faillock.c (write_tally): Avoid logging
|
||||
a consecutive login failure message for the root user in case when
|
||||
even_deny_root is not set.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2082442
|
||||
---
|
||||
modules/pam_faillock/pam_faillock.c | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
|
||||
index ddbb90e7..ca1c7035 100644
|
||||
--- a/modules/pam_faillock/pam_faillock.c
|
||||
+++ b/modules/pam_faillock/pam_faillock.c
|
||||
@@ -374,9 +374,11 @@ write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
|
||||
}
|
||||
close(audit_fd);
|
||||
#endif
|
||||
- if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO)) {
|
||||
- pam_syslog(pamh, LOG_INFO, "Consecutive login failures for user %s account temporarily locked",
|
||||
- opts->user);
|
||||
+ if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO) &&
|
||||
+ ((opts->flags & FAILLOCK_FLAG_DENY_ROOT) || (opts->uid != 0))) {
|
||||
+ pam_syslog(pamh, LOG_INFO,
|
||||
+ "Consecutive login failures for user %s account temporarily locked",
|
||||
+ opts->user);
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.38.1
|
||||
|
@ -0,0 +1,53 @@
|
||||
From bcbf145ce925934214e48200c27c9ff736452549 Mon Sep 17 00:00:00 2001
|
||||
From: Deepak Das <ddas@redhat.com>
|
||||
Date: Mon, 10 Oct 2022 17:55:53 +0530
|
||||
Subject: [PATCH] pam_faillock: Clarify missing user faillock files after
|
||||
reboot
|
||||
|
||||
* modules/pam_faillock/faillock.conf.5.xml: Adding note related to missing
|
||||
user specific faillock files after reboot.
|
||||
|
||||
* modules/pam_faillock/pam_faillock.8.xml: Adding note related to missing
|
||||
user specific faillock files after reboot.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2062512
|
||||
---
|
||||
modules/pam_faillock/faillock.conf.5.xml | 4 ++++
|
||||
modules/pam_faillock/pam_faillock.8.xml | 6 ++++++
|
||||
2 files changed, 10 insertions(+)
|
||||
|
||||
diff --git a/modules/pam_faillock/faillock.conf.5.xml b/modules/pam_faillock/faillock.conf.5.xml
|
||||
index 04a84107..8faa5915 100644
|
||||
--- a/modules/pam_faillock/faillock.conf.5.xml
|
||||
+++ b/modules/pam_faillock/faillock.conf.5.xml
|
||||
@@ -44,6 +44,10 @@
|
||||
The directory where the user files with the failure records are kept. The
|
||||
default is <filename>/var/run/faillock</filename>.
|
||||
</para>
|
||||
+ <para>
|
||||
+ Note: These files will disappear after reboot on systems configured with
|
||||
+ directory <filename>/var/run/faillock</filename> mounted on virtual memory.
|
||||
+ </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
diff --git a/modules/pam_faillock/pam_faillock.8.xml b/modules/pam_faillock/pam_faillock.8.xml
|
||||
index 79bcbbd0..b7b7b0db 100644
|
||||
--- a/modules/pam_faillock/pam_faillock.8.xml
|
||||
+++ b/modules/pam_faillock/pam_faillock.8.xml
|
||||
@@ -327,6 +327,12 @@ session required pam_selinux.so open
|
||||
<term><filename>/var/run/faillock/*</filename></term>
|
||||
<listitem>
|
||||
<para>the files logging the authentication failures for users</para>
|
||||
+ <para>
|
||||
+ Note: These files will disappear after reboot on systems configured with
|
||||
+ directory <filename>/var/run/faillock</filename> mounted on virtual memory.
|
||||
+ For persistent storage use the option <emphasis>dir=</emphasis> in
|
||||
+ file <filename>/etc/security/faillock.conf</filename>.
|
||||
+ </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
--
|
||||
2.38.1
|
||||
|
@ -0,0 +1,150 @@
|
||||
From a35e092e24ee7632346a0e1b4a203c04d4cd2c62 Mon Sep 17 00:00:00 2001
|
||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Date: Mon, 24 Jan 2022 15:43:23 +0100
|
||||
Subject: [PATCH] pam_keyinit: thread-safe implementation
|
||||
|
||||
* modules/pam_keyinit/pam_keyinit.c: Bypass setre*id() C library calls
|
||||
with kernel calls and change global variables definitions to be
|
||||
thread-safe.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1997969
|
||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Co-Authored-By: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
modules/pam_keyinit/pam_keyinit.c | 60 ++++++++++++++++++++++---------
|
||||
1 file changed, 44 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_keyinit/pam_keyinit.c b/modules/pam_keyinit/pam_keyinit.c
|
||||
index 92e4953b..df9804b9 100644
|
||||
--- a/modules/pam_keyinit/pam_keyinit.c
|
||||
+++ b/modules/pam_keyinit/pam_keyinit.c
|
||||
@@ -21,6 +21,7 @@
|
||||
#include <security/pam_modutil.h>
|
||||
#include <security/pam_ext.h>
|
||||
#include <sys/syscall.h>
|
||||
+#include <stdatomic.h>
|
||||
|
||||
#define KEY_SPEC_SESSION_KEYRING -3 /* ID for session keyring */
|
||||
#define KEY_SPEC_USER_KEYRING -4 /* ID for UID-specific keyring */
|
||||
@@ -31,12 +32,12 @@
|
||||
#define KEYCTL_REVOKE 3 /* revoke a key */
|
||||
#define KEYCTL_LINK 8 /* link a key into a keyring */
|
||||
|
||||
-static int my_session_keyring = 0;
|
||||
-static int session_counter = 0;
|
||||
-static int do_revoke = 0;
|
||||
-static uid_t revoke_as_uid;
|
||||
-static gid_t revoke_as_gid;
|
||||
-static int xdebug = 0;
|
||||
+static _Thread_local int my_session_keyring = 0;
|
||||
+static _Atomic int session_counter = 0;
|
||||
+static _Thread_local int do_revoke = 0;
|
||||
+static _Thread_local uid_t revoke_as_uid;
|
||||
+static _Thread_local gid_t revoke_as_gid;
|
||||
+static _Thread_local int xdebug = 0;
|
||||
|
||||
static void debug(pam_handle_t *pamh, const char *fmt, ...)
|
||||
__attribute__((format(printf, 2, 3)));
|
||||
@@ -64,6 +65,33 @@ static void error(pam_handle_t *pamh, const char *fmt, ...)
|
||||
va_end(va);
|
||||
}
|
||||
|
||||
+static int pam_setreuid(uid_t ruid, uid_t euid)
|
||||
+{
|
||||
+#if defined(SYS_setreuid32)
|
||||
+ return syscall(SYS_setreuid32, ruid, euid);
|
||||
+#else
|
||||
+ return syscall(SYS_setreuid, ruid, euid);
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
+static int pam_setregid(gid_t rgid, gid_t egid)
|
||||
+{
|
||||
+#if defined(SYS_setregid32)
|
||||
+ return syscall(SYS_setregid32, rgid, egid);
|
||||
+#else
|
||||
+ return syscall(SYS_setregid, rgid, egid);
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
+static int pam_setresuid(uid_t ruid, uid_t euid, uid_t suid)
|
||||
+{
|
||||
+#if defined(SYS_setresuid32)
|
||||
+ return syscall(SYS_setresuid32, ruid, euid, suid);
|
||||
+#else
|
||||
+ return syscall(SYS_setresuid, ruid, euid, suid);
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* initialise the session keyring for this process
|
||||
*/
|
||||
@@ -140,14 +168,14 @@ static int kill_keyrings(pam_handle_t *pamh, int error_ret)
|
||||
|
||||
/* switch to the real UID and GID so that we have permission to
|
||||
* revoke the key */
|
||||
- if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0) {
|
||||
+ if (revoke_as_gid != old_gid && pam_setregid(-1, revoke_as_gid) < 0) {
|
||||
error(pamh, "Unable to change GID to %d temporarily\n", revoke_as_gid);
|
||||
return error_ret;
|
||||
}
|
||||
|
||||
- if (revoke_as_uid != old_uid && setresuid(-1, revoke_as_uid, old_uid) < 0) {
|
||||
+ if (revoke_as_uid != old_uid && pam_setresuid(-1, revoke_as_uid, old_uid) < 0) {
|
||||
error(pamh, "Unable to change UID to %d temporarily\n", revoke_as_uid);
|
||||
- if (getegid() != old_gid && setregid(-1, old_gid) < 0)
|
||||
+ if (getegid() != old_gid && pam_setregid(-1, old_gid) < 0)
|
||||
error(pamh, "Unable to change GID back to %d\n", old_gid);
|
||||
return error_ret;
|
||||
}
|
||||
@@ -157,12 +185,12 @@ static int kill_keyrings(pam_handle_t *pamh, int error_ret)
|
||||
}
|
||||
|
||||
/* return to the original UID and GID (probably root) */
|
||||
- if (revoke_as_uid != old_uid && setreuid(-1, old_uid) < 0) {
|
||||
+ if (revoke_as_uid != old_uid && pam_setreuid(-1, old_uid) < 0) {
|
||||
error(pamh, "Unable to change UID back to %d\n", old_uid);
|
||||
ret = error_ret;
|
||||
}
|
||||
|
||||
- if (revoke_as_gid != old_gid && setregid(-1, old_gid) < 0) {
|
||||
+ if (revoke_as_gid != old_gid && pam_setregid(-1, old_gid) < 0) {
|
||||
error(pamh, "Unable to change GID back to %d\n", old_gid);
|
||||
ret = error_ret;
|
||||
}
|
||||
@@ -215,14 +243,14 @@ static int do_keyinit(pam_handle_t *pamh, int argc, const char **argv, int error
|
||||
|
||||
/* switch to the real UID and GID so that the keyring ends up owned by
|
||||
* the right user */
|
||||
- if (gid != old_gid && setregid(gid, -1) < 0) {
|
||||
+ if (gid != old_gid && pam_setregid(gid, -1) < 0) {
|
||||
error(pamh, "Unable to change GID to %d temporarily\n", gid);
|
||||
return error_ret;
|
||||
}
|
||||
|
||||
- if (uid != old_uid && setreuid(uid, -1) < 0) {
|
||||
+ if (uid != old_uid && pam_setreuid(uid, -1) < 0) {
|
||||
error(pamh, "Unable to change UID to %d temporarily\n", uid);
|
||||
- if (setregid(old_gid, -1) < 0)
|
||||
+ if (pam_setregid(old_gid, -1) < 0)
|
||||
error(pamh, "Unable to change GID back to %d\n", old_gid);
|
||||
return error_ret;
|
||||
}
|
||||
@@ -230,12 +258,12 @@ static int do_keyinit(pam_handle_t *pamh, int argc, const char **argv, int error
|
||||
ret = init_keyrings(pamh, force, error_ret);
|
||||
|
||||
/* return to the original UID and GID (probably root) */
|
||||
- if (uid != old_uid && setreuid(old_uid, -1) < 0) {
|
||||
+ if (uid != old_uid && pam_setreuid(old_uid, -1) < 0) {
|
||||
error(pamh, "Unable to change UID back to %d\n", old_uid);
|
||||
ret = error_ret;
|
||||
}
|
||||
|
||||
- if (gid != old_gid && setregid(old_gid, -1) < 0) {
|
||||
+ if (gid != old_gid && pam_setregid(old_gid, -1) < 0) {
|
||||
error(pamh, "Unable to change GID back to %d\n", old_gid);
|
||||
ret = error_ret;
|
||||
}
|
||||
--
|
||||
2.35.1
|
||||
|
@ -0,0 +1,41 @@
|
||||
From 40c271164dbcebfc5304d0537a42fb42e6b6803c Mon Sep 17 00:00:00 2001
|
||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Date: Mon, 26 Sep 2022 12:16:53 +0200
|
||||
Subject: [PATCH] pam_lastlog: check localtime_r() return value
|
||||
|
||||
Check the return value of localtime_r() before calling strftime(). This
|
||||
function crashes if the argument is NULL.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2012871
|
||||
|
||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
---
|
||||
modules/pam_lastlog/pam_lastlog.c | 12 ++++++------
|
||||
1 file changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
|
||||
index abd048df..121e7560 100644
|
||||
--- a/modules/pam_lastlog/pam_lastlog.c
|
||||
+++ b/modules/pam_lastlog/pam_lastlog.c
|
||||
@@ -573,12 +573,12 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt
|
||||
time_t lf_time;
|
||||
|
||||
lf_time = utuser.ut_tv.tv_sec;
|
||||
- tm = localtime_r (&lf_time, &tm_buf);
|
||||
- strftime (the_time, sizeof (the_time),
|
||||
- /* TRANSLATORS: "strftime options for date of last login" */
|
||||
- _(" %a %b %e %H:%M:%S %Z %Y"), tm);
|
||||
-
|
||||
- date = the_time;
|
||||
+ if ((tm = localtime_r (&lf_time, &tm_buf)) != NULL) {
|
||||
+ strftime (the_time, sizeof (the_time),
|
||||
+ /* TRANSLATORS: "strftime options for date of last login" */
|
||||
+ _(" %a %b %e %H:%M:%S %Z %Y"), tm);
|
||||
+ date = the_time;
|
||||
+ }
|
||||
}
|
||||
|
||||
/* we want & have the host? */
|
||||
--
|
||||
2.38.1
|
||||
|
@ -0,0 +1,99 @@
|
||||
From 3234488f2c52a021eec87df1990d256314c21bff Mon Sep 17 00:00:00 2001
|
||||
From: Josef Moellers <jmoellers@suse.de>
|
||||
Date: Wed, 14 Apr 2021 16:39:28 +0200
|
||||
Subject: [PATCH] pam_limits: "Unlimited" is not a valid value for
|
||||
RLIMIT_NOFILE.
|
||||
|
||||
Replace it with a value obtained from /proc/sys/fs/nr_open
|
||||
|
||||
* modules/pam_limits/limits.conf.5.xml: Document the replacement.
|
||||
* modules/pam_limits/pam_limits.c: Replace unlimited RLIMIT_NOFILE
|
||||
value with a value obtained from /proc/sys/fs/nr_open
|
||||
---
|
||||
modules/pam_limits/limits.conf.5.xml | 2 ++
|
||||
modules/pam_limits/pam_limits.c | 49 ++++++++++++++++++++++++++++
|
||||
2 files changed, 51 insertions(+)
|
||||
|
||||
diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml
|
||||
index cd64ac90..c5bd6768 100644
|
||||
--- a/modules/pam_limits/limits.conf.5.xml
|
||||
+++ b/modules/pam_limits/limits.conf.5.xml
|
||||
@@ -283,6 +283,8 @@
|
||||
<emphasis>unlimited</emphasis> or <emphasis>infinity</emphasis> indicating no limit,
|
||||
except for <emphasis remap='B'>priority</emphasis>, <emphasis remap='B'>nice</emphasis>,
|
||||
and <emphasis remap='B'>nonewprivs</emphasis>.
|
||||
+ If <emphasis remap='B'>nofile</emphasis> is to be set to one of these values,
|
||||
+ it will be set to the contents of /proc/sys/fs/nr_open instead (see setrlimit(3)).
|
||||
</para>
|
||||
<para>
|
||||
If a hard limit or soft limit of a resource is set to a valid value,
|
||||
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
|
||||
index 10049973..7cc45d77 100644
|
||||
--- a/modules/pam_limits/pam_limits.c
|
||||
+++ b/modules/pam_limits/pam_limits.c
|
||||
@@ -487,6 +487,41 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
|
||||
return retval;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Read the contents of <pathname> and return it in *valuep
|
||||
+ * return 1 if conversion succeeds, result is in *valuep
|
||||
+ * return 0 if conversion fails, *valuep is untouched.
|
||||
+ */
|
||||
+static int
|
||||
+value_from_file(const char *pathname, rlim_t *valuep)
|
||||
+{
|
||||
+ char buf[128];
|
||||
+ FILE *fp;
|
||||
+ int retval;
|
||||
+
|
||||
+ retval = 0;
|
||||
+
|
||||
+ if ((fp = fopen(pathname, "r")) != NULL) {
|
||||
+ if (fgets(buf, sizeof(buf), fp) != NULL) {
|
||||
+ char *endptr;
|
||||
+ unsigned long long value;
|
||||
+
|
||||
+ errno = 0;
|
||||
+ value = strtoull(buf, &endptr, 10);
|
||||
+ if (endptr != buf &&
|
||||
+ (value != ULLONG_MAX || errno == 0) &&
|
||||
+ (unsigned long long) (rlim_t) value == value) {
|
||||
+ *valuep = (rlim_t) value;
|
||||
+ retval = 1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ fclose(fp);
|
||||
+ }
|
||||
+
|
||||
+ return retval;
|
||||
+}
|
||||
+
|
||||
static void
|
||||
process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
|
||||
const char *lim_item, const char *lim_value,
|
||||
@@ -666,6 +701,20 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
|
||||
rlimit_value = 20 - int_value;
|
||||
break;
|
||||
#endif
|
||||
+ case RLIMIT_NOFILE:
|
||||
+ /*
|
||||
+ * If nofile is to be set to "unlimited", try to set it to
|
||||
+ * the value in /proc/sys/fs/nr_open instead.
|
||||
+ */
|
||||
+ if (rlimit_value == RLIM_INFINITY) {
|
||||
+ if (!value_from_file("/proc/sys/fs/nr_open", &rlimit_value))
|
||||
+ pam_syslog(pamh, LOG_WARNING,
|
||||
+ "Cannot set \"nofile\" to a sensible value");
|
||||
+ else if (ctrl & PAM_DEBUG_ARG)
|
||||
+ pam_syslog(pamh, LOG_DEBUG, "Setting \"nofile\" limit to %llu",
|
||||
+ (unsigned long long) rlimit_value);
|
||||
+ }
|
||||
+ break;
|
||||
}
|
||||
|
||||
if ( (limit_item != LIMIT_LOGIN)
|
||||
--
|
||||
2.33.1
|
||||
|
@ -0,0 +1,489 @@
|
||||
diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/Makefile.am.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/Makefile.am
|
||||
--- Linux-PAM-1.5.1/modules/pam_pwhistory/Makefile.am.pam-pwhistory-load-conf-from-file 2020-11-25 17:57:02.000000000 +0100
|
||||
+++ Linux-PAM-1.5.1/modules/pam_pwhistory/Makefile.am 2022-08-22 09:08:48.916487811 +0200
|
||||
@@ -9,9 +9,10 @@ MAINTAINERCLEANFILES = $(MANS) README
|
||||
EXTRA_DIST = $(XMLS)
|
||||
|
||||
if HAVE_DOC
|
||||
-dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8
|
||||
+dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8 pwhistory.conf.5
|
||||
endif
|
||||
-XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml
|
||||
+XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml \
|
||||
+ pwhistory.conf.5.xml
|
||||
dist_check_SCRIPTS = tst-pam_pwhistory
|
||||
TESTS = $(dist_check_SCRIPTS)
|
||||
|
||||
@@ -26,12 +27,14 @@ if HAVE_VERSIONING
|
||||
pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
||||
endif
|
||||
|
||||
-noinst_HEADERS = opasswd.h
|
||||
+noinst_HEADERS = opasswd.h pwhistory_config.h
|
||||
+
|
||||
+dist_secureconf_DATA = pwhistory.conf
|
||||
|
||||
securelib_LTLIBRARIES = pam_pwhistory.la
|
||||
pam_pwhistory_la_CFLAGS = $(AM_CFLAGS)
|
||||
pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@
|
||||
-pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c
|
||||
+pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c pwhistory_config.c
|
||||
|
||||
sbin_PROGRAMS = pwhistory_helper
|
||||
pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @EXE_CFLAGS@
|
||||
diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.8.xml.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.8.xml
|
||||
--- Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.8.xml.pam-pwhistory-load-conf-from-file 2020-11-25 17:57:02.000000000 +0100
|
||||
+++ Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.8.xml 2022-08-22 09:13:08.715628372 +0200
|
||||
@@ -36,6 +36,9 @@
|
||||
<arg choice="opt">
|
||||
authtok_type=<replaceable>STRING</replaceable>
|
||||
</arg>
|
||||
+ <arg choice="opt">
|
||||
+ conf=<replaceable>/path/to/config-file</replaceable>
|
||||
+ </arg>
|
||||
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
@@ -104,7 +107,7 @@
|
||||
<listitem>
|
||||
<para>
|
||||
The last <replaceable>N</replaceable> passwords for each
|
||||
- user are saved in <filename>/etc/security/opasswd</filename>.
|
||||
+ user are saved.
|
||||
The default is <emphasis>10</emphasis>. Value of
|
||||
<emphasis>0</emphasis> makes the module to keep the existing
|
||||
contents of the <filename>opasswd</filename> file unchanged.
|
||||
@@ -137,7 +140,26 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>conf=<replaceable>/path/to/config-file</replaceable></option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Use another configuration file instead of the default
|
||||
+ <filename>/etc/security/pwhistory.conf</filename>.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
</variablelist>
|
||||
+ <para>
|
||||
+ The options for configuring the module behavior are described in the
|
||||
+ <citerefentry><refentrytitle>pwhistory.conf</refentrytitle>
|
||||
+ <manvolnum>5</manvolnum></citerefentry> manual page. The options
|
||||
+ specified on the module command line override the values from the
|
||||
+ configuration file.
|
||||
+ </para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1 id="pam_pwhistory-types">
|
||||
@@ -223,6 +245,9 @@ password required pam_unix.so
|
||||
<title>SEE ALSO</title>
|
||||
<para>
|
||||
<citerefentry>
|
||||
+ <refentrytitle>pwhistory.conf</refentrytitle><manvolnum>5</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
|
||||
</citerefentry>,
|
||||
<citerefentry>
|
||||
diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.c.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.c
|
||||
--- Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.c.pam-pwhistory-load-conf-from-file 2020-11-25 17:57:02.000000000 +0100
|
||||
+++ Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.c 2022-08-22 09:11:34.949855242 +0200
|
||||
@@ -63,14 +63,8 @@
|
||||
|
||||
#include "opasswd.h"
|
||||
#include "pam_inline.h"
|
||||
+#include "pwhistory_config.h"
|
||||
|
||||
-struct options_t {
|
||||
- int debug;
|
||||
- int enforce_for_root;
|
||||
- int remember;
|
||||
- int tries;
|
||||
-};
|
||||
-typedef struct options_t options_t;
|
||||
|
||||
|
||||
static void
|
||||
@@ -299,6 +293,8 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
|
||||
options.remember = 10;
|
||||
options.tries = 1;
|
||||
|
||||
+ parse_config_file(pamh, argc, argv, &options);
|
||||
+
|
||||
/* Parse parameters for module */
|
||||
for ( ; argc-- > 0; argv++)
|
||||
parse_option (pamh, *argv, &options);
|
||||
@@ -306,7 +302,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
|
||||
if (options.debug)
|
||||
pam_syslog (pamh, LOG_DEBUG, "pam_sm_chauthtok entered");
|
||||
|
||||
-
|
||||
if (options.remember == 0)
|
||||
return PAM_IGNORE;
|
||||
|
||||
diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf.5.xml.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf.5.xml
|
||||
--- Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf.5.xml.pam-pwhistory-load-conf-from-file 2022-08-22 09:08:48.916487811 +0200
|
||||
+++ Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf.5.xml 2022-08-22 09:08:48.916487811 +0200
|
||||
@@ -0,0 +1,155 @@
|
||||
+<?xml version="1.0" encoding='UTF-8'?>
|
||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
||||
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
||||
+
|
||||
+<refentry id="pwhistory.conf">
|
||||
+
|
||||
+ <refmeta>
|
||||
+ <refentrytitle>pwhistory.conf</refentrytitle>
|
||||
+ <manvolnum>5</manvolnum>
|
||||
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
|
||||
+ </refmeta>
|
||||
+
|
||||
+ <refnamediv id="pwhistory.conf-name">
|
||||
+ <refname>pwhistory.conf</refname>
|
||||
+ <refpurpose>pam_pwhistory configuration file</refpurpose>
|
||||
+ </refnamediv>
|
||||
+
|
||||
+ <refsect1 id="pwhistory.conf-description">
|
||||
+
|
||||
+ <title>DESCRIPTION</title>
|
||||
+ <para>
|
||||
+ <emphasis remap='B'>pwhistory.conf</emphasis> provides a way to configure the
|
||||
+ default settings for saving the last passwords for each user.
|
||||
+ This file is read by the <emphasis>pam_pwhistory</emphasis> module and is the
|
||||
+ preferred method over configuring <emphasis>pam_pwhistory</emphasis> directly.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ The file has a very simple <emphasis>name = value</emphasis> format with possible comments
|
||||
+ starting with <emphasis>#</emphasis> character. The whitespace at the beginning of line, end
|
||||
+ of line, and around the <emphasis>=</emphasis> sign is ignored.
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id="pwhistory.conf-options">
|
||||
+
|
||||
+ <title>OPTIONS</title>
|
||||
+ <variablelist>
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>debug</option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Turns on debugging via
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
|
||||
+ </citerefentry>.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>enforce_for_root</option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ If this option is set, the check is enforced for root, too.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>remember=<replaceable>N</replaceable></option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ The last <replaceable>N</replaceable> passwords for each
|
||||
+ user are saved.
|
||||
+ The default is <emphasis>10</emphasis>. Value of
|
||||
+ <emphasis>0</emphasis> makes the module to keep the existing
|
||||
+ contents of the <filename>opasswd</filename> file unchanged.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>retry=<replaceable>N</replaceable></option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Prompt user at most <replaceable>N</replaceable> times
|
||||
+ before returning with error. The default is 1.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>file=<replaceable>/path/filename</replaceable></option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Store password history in file
|
||||
+ <replaceable>/path/filename</replaceable> rather than the default
|
||||
+ location. The default location is
|
||||
+ <filename>/etc/security/opasswd</filename>.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ </variablelist>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='pwhistory.conf-examples'>
|
||||
+ <title>EXAMPLES</title>
|
||||
+ <para>
|
||||
+ /etc/security/pwhistory.conf file example:
|
||||
+ </para>
|
||||
+ <programlisting>
|
||||
+debug
|
||||
+remember=5
|
||||
+file=/tmp/opasswd
|
||||
+ </programlisting>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id="pwhistory.conf-files">
|
||||
+ <title>FILES</title>
|
||||
+ <variablelist>
|
||||
+ <varlistentry>
|
||||
+ <term><filename>/etc/security/pwhistory.conf</filename></term>
|
||||
+ <listitem>
|
||||
+ <para>the config file for custom options</para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ </variablelist>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='pwhistory.conf-see_also'>
|
||||
+ <title>SEE ALSO</title>
|
||||
+ <para>
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>pwhistory</refentrytitle><manvolnum>8</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
|
||||
+ </citerefentry>
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='pwhistory.conf-author'>
|
||||
+ <title>AUTHOR</title>
|
||||
+ <para>
|
||||
+ pam_pwhistory was written by Thorsten Kukuk. The support for
|
||||
+ pwhistory.conf was written by Iker Pedrosa.
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+</refentry>
|
||||
diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.c.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.c
|
||||
--- Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.c.pam-pwhistory-load-conf-from-file 2022-08-22 09:08:48.916487811 +0200
|
||||
+++ Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.c 2022-08-22 09:08:48.916487811 +0200
|
||||
@@ -0,0 +1,115 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com>
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
||||
+ * necessary due to a potential bad interaction between the GPL and
|
||||
+ * the restrictions contained in a BSD-style copyright.)
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#include "config.h"
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <syslog.h>
|
||||
+
|
||||
+#include <security/pam_modutil.h>
|
||||
+
|
||||
+#include "pam_inline.h"
|
||||
+#include "pwhistory_config.h"
|
||||
+
|
||||
+#define PWHISTORY_DEFAULT_CONF "/etc/security/pwhistory.conf"
|
||||
+
|
||||
+void
|
||||
+parse_config_file(pam_handle_t *pamh, int argc, const char **argv,
|
||||
+ struct options_t *options)
|
||||
+{
|
||||
+ const char *fname = NULL;
|
||||
+ int i;
|
||||
+ char *val;
|
||||
+
|
||||
+ for (i = 0; i < argc; ++i) {
|
||||
+ const char *str = pam_str_skip_prefix(argv[i], "conf=");
|
||||
+
|
||||
+ if (str != NULL) {
|
||||
+ fname = str;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (fname == NULL) {
|
||||
+ fname = PWHISTORY_DEFAULT_CONF;
|
||||
+ }
|
||||
+
|
||||
+ val = pam_modutil_search_key (pamh, fname, "debug");
|
||||
+ if (val != NULL) {
|
||||
+ options->debug = 1;
|
||||
+ free(val);
|
||||
+ }
|
||||
+
|
||||
+ val = pam_modutil_search_key (pamh, fname, "enforce_for_root");
|
||||
+ if (val != NULL) {
|
||||
+ options->enforce_for_root = 1;
|
||||
+ free(val);
|
||||
+ }
|
||||
+
|
||||
+ val = pam_modutil_search_key (pamh, fname, "remember");
|
||||
+ if (val != NULL) {
|
||||
+ unsigned int temp;
|
||||
+ if (sscanf(val, "%u", &temp) != 1) {
|
||||
+ pam_syslog(pamh, LOG_ERR,
|
||||
+ "Bad number supplied for remember argument");
|
||||
+ } else {
|
||||
+ options->remember = temp;
|
||||
+ }
|
||||
+ free(val);
|
||||
+ }
|
||||
+
|
||||
+ val = pam_modutil_search_key (pamh, fname, "retry");
|
||||
+ if (val != NULL) {
|
||||
+ unsigned int temp;
|
||||
+ if (sscanf(val, "%u", &temp) != 1) {
|
||||
+ pam_syslog(pamh, LOG_ERR,
|
||||
+ "Bad number supplied for retry argument");
|
||||
+ } else {
|
||||
+ options->tries = temp;
|
||||
+ }
|
||||
+ free(val);
|
||||
+ }
|
||||
+
|
||||
+ val = pam_modutil_search_key (pamh, fname, "file");
|
||||
+ if (val != NULL) {
|
||||
+ if (*val != '/') {
|
||||
+ pam_syslog (pamh, LOG_ERR,
|
||||
+ "File path should be absolute: %s", val);
|
||||
+ } else {
|
||||
+ options->filename = val;
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.h.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.h
|
||||
--- Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.h.pam-pwhistory-load-conf-from-file 2022-08-22 09:08:48.916487811 +0200
|
||||
+++ Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.h 2022-08-22 09:08:48.916487811 +0200
|
||||
@@ -0,0 +1,54 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com>
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
||||
+ * necessary due to a potential bad interaction between the GPL and
|
||||
+ * the restrictions contained in a BSD-style copyright.)
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#ifndef _PWHISTORY_CONFIG_H
|
||||
+#define _PWHISTORY_CONFIG_H
|
||||
+
|
||||
+#include <security/pam_ext.h>
|
||||
+
|
||||
+struct options_t {
|
||||
+ int debug;
|
||||
+ int enforce_for_root;
|
||||
+ int remember;
|
||||
+ int tries;
|
||||
+ const char *filename;
|
||||
+};
|
||||
+typedef struct options_t options_t;
|
||||
+
|
||||
+void
|
||||
+parse_config_file(pam_handle_t *pamh, int argc, const char **argv,
|
||||
+ struct options_t *options);
|
||||
+
|
||||
+#endif /* _PWHISTORY_CONFIG_H */
|
||||
diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf
|
||||
--- Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf.pam-pwhistory-load-conf-from-file 2022-08-22 09:08:48.916487811 +0200
|
||||
+++ Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf 2022-08-22 09:08:48.916487811 +0200
|
||||
@@ -0,0 +1,21 @@
|
||||
+# Configuration for remembering the last passwords used by a user.
|
||||
+#
|
||||
+# Enable the debugging logs.
|
||||
+# Enabled if option is present.
|
||||
+# debug
|
||||
+#
|
||||
+# root account's passwords are also remembered.
|
||||
+# Enabled if option is present.
|
||||
+# enforce_for_root
|
||||
+#
|
||||
+# Number of passwords to remember.
|
||||
+# The default is 10.
|
||||
+# remember = 10
|
||||
+#
|
||||
+# Number of times to prompt for the password.
|
||||
+# The default is 1.
|
||||
+# retry = 1
|
||||
+#
|
||||
+# The directory where the last passwords are kept.
|
||||
+# The default is /etc/security/opasswd.
|
||||
+# file = /etc/security/opasswd
|
@ -0,0 +1,100 @@
|
||||
From 370064ef6f99581b08d473a42bb3417d5dda3e4e Mon Sep 17 00:00:00 2001
|
||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Date: Thu, 17 Feb 2022 10:24:03 +0100
|
||||
Subject: [PATCH] pam_usertype: only use SYS_UID_MAX for system users
|
||||
|
||||
* modules/pam_usertype/pam_usertype.c (pam_usertype_is_system): Stop
|
||||
using SYS_UID_MIN to check if it is a system account, because all
|
||||
accounts below the SYS_UID_MAX are system users.
|
||||
* modules/pam_usertype/pam_usertype.8.xml: Remove reference to SYS_UID_MIN
|
||||
as it is no longer used to calculate the system accounts.
|
||||
* configure.ac: Remove PAM_USERTYPE_SYSUIDMIN.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1949137
|
||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
---
|
||||
configure.ac | 5 -----
|
||||
modules/pam_usertype/pam_usertype.8.xml | 2 +-
|
||||
modules/pam_usertype/pam_usertype.c | 15 ++++++---------
|
||||
3 files changed, 7 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 639fc1ad..79113ad1 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -632,11 +632,6 @@ test -n "$opt_uidmin" ||
|
||||
opt_uidmin=1000
|
||||
AC_DEFINE_UNQUOTED(PAM_USERTYPE_UIDMIN, $opt_uidmin, [Minimum regular user uid.])
|
||||
|
||||
-AC_ARG_WITH([sysuidmin], AS_HELP_STRING([--with-sysuidmin=<number>],[default value for system user min uid (101)]), opt_sysuidmin=$withval)
|
||||
-test -n "$opt_sysuidmin" ||
|
||||
- opt_sysuidmin=101
|
||||
-AC_DEFINE_UNQUOTED(PAM_USERTYPE_SYSUIDMIN, $opt_sysuidmin, [Minimum system user uid.])
|
||||
-
|
||||
AC_ARG_WITH([kernel-overflow-uid], AS_HELP_STRING([--with-kernel-overflow-uid=<number>],[kernel overflow uid, default (uint16_t)-2=65534]), opt_kerneloverflowuid=$withval)
|
||||
test -n "$opt_kerneloverflowuid" ||
|
||||
opt_kerneloverflowuid=65534
|
||||
diff --git a/modules/pam_usertype/pam_usertype.8.xml b/modules/pam_usertype/pam_usertype.8.xml
|
||||
index 7651da6e..d9307ba3 100644
|
||||
--- a/modules/pam_usertype/pam_usertype.8.xml
|
||||
+++ b/modules/pam_usertype/pam_usertype.8.xml
|
||||
@@ -31,7 +31,7 @@
|
||||
pam_usertype.so is designed to succeed or fail authentication
|
||||
based on type of the account of the authenticated user.
|
||||
The type of the account is decided with help of
|
||||
- <emphasis>SYS_UID_MIN</emphasis> and <emphasis>SYS_UID_MAX</emphasis>
|
||||
+ <emphasis>SYS_UID_MAX</emphasis>
|
||||
settings in <emphasis>/etc/login.defs</emphasis>. One use is to select
|
||||
whether to load other modules based on this test.
|
||||
</para>
|
||||
diff --git a/modules/pam_usertype/pam_usertype.c b/modules/pam_usertype/pam_usertype.c
|
||||
index d03b73b5..cfd9c8bb 100644
|
||||
--- a/modules/pam_usertype/pam_usertype.c
|
||||
+++ b/modules/pam_usertype/pam_usertype.c
|
||||
@@ -194,7 +194,6 @@ static int
|
||||
pam_usertype_is_system(pam_handle_t *pamh, uid_t uid)
|
||||
{
|
||||
uid_t uid_min;
|
||||
- uid_t sys_min;
|
||||
uid_t sys_max;
|
||||
|
||||
if (uid == (uid_t)-1) {
|
||||
@@ -202,21 +201,19 @@ pam_usertype_is_system(pam_handle_t *pamh, uid_t uid)
|
||||
return PAM_USER_UNKNOWN;
|
||||
}
|
||||
|
||||
- if (uid <= 99) {
|
||||
- /* Reserved. */
|
||||
- return PAM_SUCCESS;
|
||||
- }
|
||||
-
|
||||
if (uid == PAM_USERTYPE_OVERFLOW_UID) {
|
||||
/* nobody */
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
uid_min = pam_usertype_get_id(pamh, "UID_MIN", PAM_USERTYPE_UIDMIN);
|
||||
- sys_min = pam_usertype_get_id(pamh, "SYS_UID_MIN", PAM_USERTYPE_SYSUIDMIN);
|
||||
sys_max = pam_usertype_get_id(pamh, "SYS_UID_MAX", uid_min - 1);
|
||||
|
||||
- return uid >= sys_min && uid <= sys_max ? PAM_SUCCESS : PAM_AUTH_ERR;
|
||||
+ if (uid <= sys_max && uid < uid_min) {
|
||||
+ return PAM_SUCCESS;
|
||||
+ }
|
||||
+
|
||||
+ return PAM_AUTH_ERR;
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -253,7 +250,7 @@ pam_usertype_evaluate(struct pam_usertype_opts *opts,
|
||||
|
||||
/**
|
||||
* Arguments:
|
||||
- * - issystem: uid in <SYS_UID_MIN, SYS_UID_MAX>
|
||||
+ * - issystem: uid less than SYS_UID_MAX
|
||||
* - isregular: not issystem
|
||||
* - use_uid: use user that runs application not that is being authenticate (same as in pam_succeed_if)
|
||||
* - audit: log unknown users to syslog
|
||||
--
|
||||
2.36.1
|
||||
|
@ -0,0 +1,42 @@
|
||||
From ec0e724fe53188c5c762c34ca9db6681c0de01b8 Mon Sep 17 00:00:00 2001
|
||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Date: Thu, 1 Jul 2021 12:14:29 +0200
|
||||
Subject: [PATCH] pam_filter: Close file after controlling tty
|
||||
|
||||
Failing to check the descriptor value meant that there was a bug in the
|
||||
attempt to close the controlling tty. Moreover, this would lead to a
|
||||
file descriptor leak as pointed out by the static analyzer tool:
|
||||
|
||||
Error: RESOURCE_LEAK (CWE-772): [#def26]
|
||||
Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
|
||||
Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: var_assign: Assigning: "t" = handle returned from "open("/dev/tty", 2)".
|
||||
Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: off_by_one: Testing whether handle "t" is strictly greater than zero is suspicious. "t" leaks when it is zero.
|
||||
Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: remediation: Did you intend to include equality with zero?
|
||||
Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:367: leaked_handle: Handle variable "t" going out of scope leaks the handle.
|
||||
365| pam_syslog(pamh, LOG_ERR,
|
||||
366| "child cannot become new session: %m");
|
||||
367|-> return PAM_ABORT;
|
||||
368| }
|
||||
369|
|
||||
|
||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
---
|
||||
modules/pam_filter/pam_filter.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules/pam_filter/pam_filter.c b/modules/pam_filter/pam_filter.c
|
||||
index 2f0af4fb..6e6def37 100644
|
||||
--- a/modules/pam_filter/pam_filter.c
|
||||
+++ b/modules/pam_filter/pam_filter.c
|
||||
@@ -354,7 +354,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
|
||||
int t = open("/dev/tty", O_RDWR|O_NOCTTY);
|
||||
#else
|
||||
int t = open("/dev/tty",O_RDWR);
|
||||
- if (t > 0) {
|
||||
+ if (t >= 0) {
|
||||
(void) ioctl(t, TIOCNOTTY, NULL);
|
||||
close(t);
|
||||
}
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,738 @@
|
||||
From b3bb13e18a74e9ece825b7de1b81db97ebb107a0 Mon Sep 17 00:00:00 2001
|
||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Date: Thu, 25 Mar 2021 09:43:30 +0100
|
||||
Subject: [PATCH] pam_timestamp: replace hmac implementation
|
||||
|
||||
sha1 is no longer recommended as a cryptographic algorithm for
|
||||
authentication. Thus, the idea of this change is to replace the
|
||||
implementation provided by hmacsha1 included in pam_timestamp module by
|
||||
the one in the openssl library. This way, there's no need to maintain
|
||||
the cryptographic algorithm implementation and it can be easily changed
|
||||
with a single configuration change.
|
||||
|
||||
modules/pam_timestamp/hmac_openssl_wrapper.c: implement wrapper
|
||||
functions around openssl's hmac implementation. Moreover, manage the key
|
||||
generation and its read and write in a file. Include an option to
|
||||
configure the cryptographic algorithm in login.defs file.
|
||||
modules/pam_timestamp/hmac_openssl_wrapper.h: likewise.
|
||||
modules/pam_timestamp/pam_timestamp.c: replace calls to functions
|
||||
provided by hmacsha1 by functions provided by openssl's wrapper.
|
||||
configure.ac: include openssl dependecy if it is enabled.
|
||||
modules/pam_timestamp/Makefile.am: include new files and openssl library
|
||||
to compilation.
|
||||
ci/install-dependencies.sh: include openssl library to dependencies.
|
||||
NEWS: add new item to next release.
|
||||
Make.xml.rules.in: add stringparam profiling for hmac
|
||||
doc/custom-man.xsl: change import docbook to one with profiling
|
||||
modules/pam_timestamp/pam_timestamp.8.xml: add conditional paragraph to
|
||||
indicate the value in /etc/login.defs that holds the value for the
|
||||
encryption algorithm
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1947294
|
||||
---
|
||||
Make.xml.rules.in | 2 +-
|
||||
NEWS | 5 +
|
||||
configure.ac | 16 +
|
||||
doc/custom-man.xsl | 2 +-
|
||||
modules/pam_timestamp/Makefile.am | 15 +-
|
||||
modules/pam_timestamp/hmac_openssl_wrapper.c | 381 +++++++++++++++++++
|
||||
modules/pam_timestamp/hmac_openssl_wrapper.h | 57 +++
|
||||
modules/pam_timestamp/pam_timestamp.8.xml | 5 +
|
||||
modules/pam_timestamp/pam_timestamp.c | 53 ++-
|
||||
10 files changed, 524 insertions(+), 13 deletions(-)
|
||||
create mode 100644 modules/pam_timestamp/hmac_openssl_wrapper.c
|
||||
create mode 100644 modules/pam_timestamp/hmac_openssl_wrapper.h
|
||||
|
||||
diff --git a/Make.xml.rules.in b/Make.xml.rules.in
|
||||
index daa1b97b..27bb510e 100644
|
||||
--- a/Make.xml.rules.in
|
||||
+++ b/Make.xml.rules.in
|
||||
@@ -21,6 +21,6 @@ README: README.xml
|
||||
|
||||
%.8: %.8.xml
|
||||
$(XMLLINT) --nonet --xinclude --postvalid --noout $<
|
||||
- $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude @STRINGPARAM_VENDORDIR@ --nonet $(top_srcdir)/doc/custom-man.xsl $<
|
||||
+ $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude @STRINGPARAM_VENDORDIR@ @STRINGPARAM_HMAC@ --nonet $(top_srcdir)/doc/custom-man.xsl $<
|
||||
|
||||
#CLEANFILES += $(man_MANS) README
|
||||
diff --git a/NEWS b/NEWS
|
||||
index 2d49ec39..f4d11303 100644
|
||||
--- a/NEWS
|
||||
+++ b/NEWS
|
||||
@@ -1,5 +1,10 @@
|
||||
Linux-PAM NEWS -- history of user-visible changes.
|
||||
|
||||
+Release next
|
||||
+* pam_timestamp: change hmac algorithm to call openssl instead of the bundled
|
||||
+ sha1 implementation if selected. Add option to select the hash
|
||||
+ algorithm to use with HMAC.
|
||||
+
|
||||
Release 1.5.1
|
||||
* pam_unix: fixed CVE-2020-27780 - authentication bypass when a user
|
||||
doesn't exist and root password is blank
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index bd806473..9c92d0de 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -504,6 +504,22 @@ else
|
||||
fi
|
||||
AC_SUBST([STRINGPARAM_VENDORDIR])
|
||||
|
||||
+AC_ARG_ENABLE([openssl],
|
||||
+ AS_HELP_STRING([--enable-openssl],[use OpenSSL crypto libraries]),
|
||||
+ [OPENSSL_ENABLED=$enableval], OPENSSL_ENABLED=no)
|
||||
+if test "$OPENSSL_ENABLED" = "yes" ; then
|
||||
+ AC_CHECK_LIB([crypto], [EVP_MAC_CTX_new],
|
||||
+ [CRYPTO_LIBS="-lcrypto"
|
||||
+ use_openssl=yes
|
||||
+ AC_DEFINE([WITH_OPENSSL], 1, [OpenSSL provides crypto algorithm for hmac])
|
||||
+ STRINGPARAM_HMAC="--stringparam profile.condition 'openssl_hmac'"],
|
||||
+ [CRYPTO_LIBS=""
|
||||
+ STRINGPARAM_HMAC="--stringparam profile.condition 'no_openssl_hmac'"])
|
||||
+fi
|
||||
+AC_SUBST([CRYPTO_LIBS])
|
||||
+AC_SUBST([STRINGPARAM_HMAC])
|
||||
+AM_CONDITIONAL([COND_USE_OPENSSL], [test "x$use_openssl" = "xyes"])
|
||||
+
|
||||
dnl Checks for header files.
|
||||
AC_HEADER_DIRENT
|
||||
AC_HEADER_STDC
|
||||
diff --git a/doc/custom-man.xsl b/doc/custom-man.xsl
|
||||
index 4c35e839..a3408e6c 100644
|
||||
--- a/doc/custom-man.xsl
|
||||
+++ b/doc/custom-man.xsl
|
||||
@@ -1,6 +1,6 @@
|
||||
<?xml version='1.0'?>
|
||||
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:ss="http://docbook.sf.net/xmlns/string.subst/1.0" version="1.0">
|
||||
- <xsl:import href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"/>
|
||||
+ <xsl:import href="http://docbook.sourceforge.net/release/xsl/current/manpages/profile-docbook.xsl"/>
|
||||
<xsl:param name="vendordir"/>
|
||||
|
||||
<xsl:param name="man.string.subst.map.local.pre">
|
||||
diff --git a/modules/pam_timestamp/Makefile.am b/modules/pam_timestamp/Makefile.am
|
||||
index 1faa324a..d290b85f 100644
|
||||
--- a/modules/pam_timestamp/Makefile.am
|
||||
+++ b/modules/pam_timestamp/Makefile.am
|
||||
@@ -18,12 +18,12 @@ TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS)
|
||||
securelibdir = $(SECUREDIR)
|
||||
secureconfdir = $(SCONFIGDIR)
|
||||
|
||||
-noinst_HEADERS = hmacsha1.h sha1.h
|
||||
+noinst_HEADERS = hmacsha1.h sha1.h hmac_openssl_wrapper.h
|
||||
|
||||
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
|
||||
$(WARN_CFLAGS)
|
||||
|
||||
-pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module $(AM_LDFLAGS)
|
||||
+pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module $(AM_LDFLAGS) $(CRYPTO_LIBS)
|
||||
pam_timestamp_la_LIBADD = $(top_builddir)/libpam/libpam.la
|
||||
if HAVE_VERSIONING
|
||||
pam_timestamp_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
||||
@@ -32,7 +32,12 @@ endif
|
||||
securelib_LTLIBRARIES = pam_timestamp.la
|
||||
sbin_PROGRAMS = pam_timestamp_check
|
||||
|
||||
-pam_timestamp_la_SOURCES = pam_timestamp.c hmacsha1.c sha1.c
|
||||
+pam_timestamp_la_SOURCES = pam_timestamp.c
|
||||
+if COND_USE_OPENSSL
|
||||
+pam_timestamp_la_SOURCES += hmac_openssl_wrapper.c
|
||||
+else
|
||||
+pam_timestamp_la_SOURCES += hmacsha1.c sha1.c
|
||||
+endif
|
||||
pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
|
||||
|
||||
pam_timestamp_check_SOURCES = pam_timestamp_check.c
|
||||
@@ -40,7 +45,11 @@ pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@
|
||||
pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
|
||||
pam_timestamp_check_LDFLAGS = @EXE_LDFLAGS@
|
||||
|
||||
+if COND_USE_OPENSSL
|
||||
+hmacfile_SOURCES = hmac_openssl_wrapper.c
|
||||
+else
|
||||
hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
|
||||
+endif
|
||||
hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
|
||||
|
||||
check_PROGRAMS = hmacfile
|
||||
diff --git a/modules/pam_timestamp/hmac_openssl_wrapper.c b/modules/pam_timestamp/hmac_openssl_wrapper.c
|
||||
new file mode 100644
|
||||
index 00000000..926c2fb9
|
||||
--- /dev/null
|
||||
+++ b/modules/pam_timestamp/hmac_openssl_wrapper.c
|
||||
@@ -0,0 +1,381 @@
|
||||
+/* Wrapper for hmac openssl implementation.
|
||||
+ *
|
||||
+ * Copyright (c) 2021 Red Hat, Inc.
|
||||
+ * Written by Iker Pedrosa <ipedrosa@redhat.com>
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
||||
+ * necessary due to a potential bad interaction between the GPL and
|
||||
+ * the restrictions contained in a BSD-style copyright.)
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ *
|
||||
+ */
|
||||
+
|
||||
+#include "config.h"
|
||||
+
|
||||
+#ifdef WITH_OPENSSL
|
||||
+
|
||||
+#include <sys/stat.h>
|
||||
+#include <fcntl.h>
|
||||
+#include <syslog.h>
|
||||
+#include <unistd.h>
|
||||
+#include <string.h>
|
||||
+#include <errno.h>
|
||||
+#include <openssl/evp.h>
|
||||
+#include <openssl/params.h>
|
||||
+#include <openssl/core_names.h>
|
||||
+
|
||||
+#include <security/pam_ext.h>
|
||||
+#include <security/pam_modutil.h>
|
||||
+
|
||||
+#include "hmac_openssl_wrapper.h"
|
||||
+
|
||||
+#define LOGIN_DEFS "/etc/login.defs"
|
||||
+#define CRYPTO_KEY "HMAC_CRYPTO_ALGO"
|
||||
+#define DEFAULT_ALGORITHM "SHA512"
|
||||
+#define MAX_HMAC_LENGTH 512
|
||||
+#define MAX_KEY_LENGTH EVP_MAX_KEY_LENGTH
|
||||
+
|
||||
+static char *
|
||||
+get_crypto_algorithm(pam_handle_t *pamh, int debug){
|
||||
+ char *config_value = NULL;
|
||||
+
|
||||
+ config_value = pam_modutil_search_key(pamh, LOGIN_DEFS, CRYPTO_KEY);
|
||||
+
|
||||
+ if (config_value == NULL) {
|
||||
+ config_value = strdup(DEFAULT_ALGORITHM);
|
||||
+ if (debug) {
|
||||
+ pam_syslog(pamh, LOG_DEBUG,
|
||||
+ "Key [%s] not found, falling back to default algorithm [%s]\n",
|
||||
+ CRYPTO_KEY, DEFAULT_ALGORITHM);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return config_value;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+generate_key(pam_handle_t *pamh, char **key, size_t key_size)
|
||||
+{
|
||||
+ int fd = 0;
|
||||
+ size_t bytes_read = 0;
|
||||
+ char * tmp = NULL;
|
||||
+
|
||||
+ fd = open("/dev/urandom", O_RDONLY);
|
||||
+ if (fd == -1) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Cannot open /dev/urandom: %m");
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ }
|
||||
+
|
||||
+ tmp = malloc(key_size);
|
||||
+ if (!tmp) {
|
||||
+ pam_syslog(pamh, LOG_CRIT, "Not enough memory");
|
||||
+ close(fd);
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ }
|
||||
+
|
||||
+ bytes_read = pam_modutil_read(fd, tmp, key_size);
|
||||
+ close(fd);
|
||||
+
|
||||
+ if (bytes_read < key_size) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Short read on random device");
|
||||
+ free(tmp);
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ }
|
||||
+
|
||||
+ *key = tmp;
|
||||
+
|
||||
+ return PAM_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+read_file(pam_handle_t *pamh, int fd, char **text, size_t *text_length)
|
||||
+{
|
||||
+ struct stat st;
|
||||
+ size_t bytes_read = 0;
|
||||
+ char *tmp = NULL;
|
||||
+
|
||||
+ if (fstat(fd, &st) == -1) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Unable to stat file: %m");
|
||||
+ close(fd);
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ }
|
||||
+
|
||||
+ if (st.st_size == 0) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Key file size cannot be 0");
|
||||
+ close(fd);
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ }
|
||||
+
|
||||
+ tmp = malloc(st.st_size);
|
||||
+ if (!tmp) {
|
||||
+ pam_syslog(pamh, LOG_CRIT, "Not enough memory");
|
||||
+ close(fd);
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ }
|
||||
+
|
||||
+ bytes_read = pam_modutil_read(fd, tmp, st.st_size);
|
||||
+ close(fd);
|
||||
+
|
||||
+ if (bytes_read < (size_t)st.st_size) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Short read on key file");
|
||||
+ memset(tmp, 0, st.st_size);
|
||||
+ free(tmp);
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ }
|
||||
+
|
||||
+ *text = tmp;
|
||||
+ *text_length = st.st_size;
|
||||
+
|
||||
+ return PAM_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+write_file(pam_handle_t *pamh, const char *file_name, char *text,
|
||||
+ size_t text_length, uid_t owner, gid_t group)
|
||||
+{
|
||||
+ int fd = 0;
|
||||
+ size_t bytes_written = 0;
|
||||
+
|
||||
+ fd = open(file_name,
|
||||
+ O_WRONLY | O_CREAT | O_TRUNC,
|
||||
+ S_IRUSR | S_IWUSR);
|
||||
+ if (fd == -1) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Unable to open [%s]: %m", file_name);
|
||||
+ memset(text, 0, text_length);
|
||||
+ free(text);
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ }
|
||||
+
|
||||
+ if (fchown(fd, owner, group) == -1) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Unable to change ownership [%s]: %m", file_name);
|
||||
+ memset(text, 0, text_length);
|
||||
+ free(text);
|
||||
+ close(fd);
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ }
|
||||
+
|
||||
+ bytes_written = pam_modutil_write(fd, text, text_length);
|
||||
+ close(fd);
|
||||
+
|
||||
+ if (bytes_written < text_length) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Short write on %s", file_name);
|
||||
+ free(text);
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ }
|
||||
+
|
||||
+ return PAM_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+key_management(pam_handle_t *pamh, const char *file_name, char **text,
|
||||
+ size_t text_length, uid_t owner, gid_t group)
|
||||
+{
|
||||
+ int fd = 0;
|
||||
+
|
||||
+ fd = open(file_name, O_RDONLY | O_NOFOLLOW);
|
||||
+ if (fd == -1) {
|
||||
+ if (errno == ENOENT) {
|
||||
+ if (generate_key(pamh, text, text_length)) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Unable to generate key");
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ }
|
||||
+
|
||||
+ if (write_file(pamh, file_name, *text, text_length, owner, group)) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Unable to write key");
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ }
|
||||
+ } else {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Unable to open %s: %m", file_name);
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (read_file(pamh, fd, text, &text_length)) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Error reading key file %s\n", file_name);
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return PAM_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+hmac_management(pam_handle_t *pamh, int debug, void **out, size_t *out_length,
|
||||
+ char *key, size_t key_length,
|
||||
+ const void *text, size_t text_length)
|
||||
+{
|
||||
+ int ret = PAM_AUTH_ERR;
|
||||
+ EVP_MAC *evp_mac = NULL;
|
||||
+ EVP_MAC_CTX *ctx = NULL;
|
||||
+ unsigned char *hmac_message = NULL;
|
||||
+ size_t hmac_length;
|
||||
+ char *algo = NULL;
|
||||
+ OSSL_PARAM subalg_param[] = { OSSL_PARAM_END, OSSL_PARAM_END };
|
||||
+
|
||||
+ algo = get_crypto_algorithm(pamh, debug);
|
||||
+
|
||||
+ subalg_param[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
|
||||
+ algo,
|
||||
+ 0);
|
||||
+
|
||||
+ evp_mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
|
||||
+ if (evp_mac == NULL) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Unable to create hmac implementation");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ctx = EVP_MAC_CTX_new(evp_mac);
|
||||
+ if (ctx == NULL) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Unable to create hmac context");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = EVP_MAC_init(ctx, (const unsigned char *)key, key_length, subalg_param);
|
||||
+ if (ret == 0) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Unable to initialize hmac context");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = EVP_MAC_update(ctx, (const unsigned char *)text, text_length);
|
||||
+ if (ret == 0) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Unable to update hmac context");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ hmac_message = (unsigned char*)malloc(sizeof(unsigned char) * MAX_HMAC_LENGTH);
|
||||
+ if (!hmac_message) {
|
||||
+ pam_syslog(pamh, LOG_CRIT, "Not enough memory");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = EVP_MAC_final(ctx, hmac_message, &hmac_length, MAX_HMAC_LENGTH);
|
||||
+ if (ret == 0) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Unable to calculate hmac message");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ *out_length = hmac_length;
|
||||
+ *out = malloc(*out_length);
|
||||
+ if (*out == NULL) {
|
||||
+ pam_syslog(pamh, LOG_CRIT, "Not enough memory");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ memcpy(*out, hmac_message, *out_length);
|
||||
+ ret = PAM_SUCCESS;
|
||||
+
|
||||
+done:
|
||||
+ if (hmac_message != NULL) {
|
||||
+ free(hmac_message);
|
||||
+ }
|
||||
+ if (key != NULL) {
|
||||
+ memset(key, 0, key_length);
|
||||
+ free(key);
|
||||
+ }
|
||||
+ if (ctx != NULL) {
|
||||
+ EVP_MAC_CTX_free(ctx);
|
||||
+ }
|
||||
+ if (evp_mac != NULL) {
|
||||
+ EVP_MAC_free(evp_mac);
|
||||
+ }
|
||||
+ free(algo);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+hmac_size(pam_handle_t *pamh, int debug, size_t *hmac_length)
|
||||
+{
|
||||
+ int ret = PAM_AUTH_ERR;
|
||||
+ EVP_MAC *evp_mac = NULL;
|
||||
+ EVP_MAC_CTX *ctx = NULL;
|
||||
+ const unsigned char key[] = "ThisIsJustAKey";
|
||||
+ size_t key_length = MAX_KEY_LENGTH;
|
||||
+ char *algo = NULL;
|
||||
+ OSSL_PARAM subalg_param[] = { OSSL_PARAM_END, OSSL_PARAM_END };
|
||||
+
|
||||
+ algo = get_crypto_algorithm(pamh, debug);
|
||||
+
|
||||
+ subalg_param[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
|
||||
+ algo,
|
||||
+ 0);
|
||||
+
|
||||
+ evp_mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
|
||||
+ if (evp_mac == NULL) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Unable to create hmac implementation");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ctx = EVP_MAC_CTX_new(evp_mac);
|
||||
+ if (ctx == NULL) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Unable to create hmac context");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = EVP_MAC_init(ctx, key, key_length, subalg_param);
|
||||
+ if (ret == 0) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Unable to initialize hmac context");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ *hmac_length = EVP_MAC_CTX_get_mac_size(ctx);
|
||||
+ ret = PAM_SUCCESS;
|
||||
+
|
||||
+done:
|
||||
+ if (ctx != NULL) {
|
||||
+ EVP_MAC_CTX_free(ctx);
|
||||
+ }
|
||||
+ if (evp_mac != NULL) {
|
||||
+ EVP_MAC_free(evp_mac);
|
||||
+ }
|
||||
+ free(algo);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+hmac_generate(pam_handle_t *pamh, int debug, void **mac, size_t *mac_length,
|
||||
+ const char *key_file, uid_t owner, gid_t group,
|
||||
+ const void *text, size_t text_length)
|
||||
+{
|
||||
+ char *key = NULL;
|
||||
+ size_t key_length = MAX_KEY_LENGTH;
|
||||
+
|
||||
+ if (key_management(pamh, key_file, &key, key_length, owner, group)) {
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ }
|
||||
+
|
||||
+ if (hmac_management(pamh, debug, mac, mac_length, key, key_length,
|
||||
+ text, text_length)) {
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ }
|
||||
+
|
||||
+ return PAM_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+#endif /* WITH_OPENSSL */
|
||||
diff --git a/modules/pam_timestamp/hmac_openssl_wrapper.h b/modules/pam_timestamp/hmac_openssl_wrapper.h
|
||||
new file mode 100644
|
||||
index 00000000..cc27c811
|
||||
--- /dev/null
|
||||
+++ b/modules/pam_timestamp/hmac_openssl_wrapper.h
|
||||
@@ -0,0 +1,57 @@
|
||||
+/* Wrapper for hmac openssl implementation.
|
||||
+ *
|
||||
+ * Copyright (c) 2021 Red Hat, Inc.
|
||||
+ * Written by Iker Pedrosa <ipedrosa@redhat.com>
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
||||
+ * necessary due to a potential bad interaction between the GPL and
|
||||
+ * the restrictions contained in a BSD-style copyright.)
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ *
|
||||
+ */
|
||||
+#ifndef PAM_TIMESTAMP_HMAC_OPENSSL_WRAPPER_H
|
||||
+#define PAM_TIMESTAMP_HMAC_OPENSSL_WRAPPER_H
|
||||
+
|
||||
+#include "config.h"
|
||||
+
|
||||
+#ifdef WITH_OPENSSL
|
||||
+
|
||||
+#include <openssl/hmac.h>
|
||||
+#include <security/pam_modules.h>
|
||||
+
|
||||
+int
|
||||
+hmac_size(pam_handle_t *pamh, int debug, size_t *hmac_length);
|
||||
+
|
||||
+int
|
||||
+hmac_generate(pam_handle_t *pamh, int debug, void **mac, size_t *mac_length,
|
||||
+ const char *key_file, uid_t owner, gid_t group,
|
||||
+ const void *text, size_t text_length);
|
||||
+
|
||||
+#endif /* WITH_OPENSSL */
|
||||
+#endif /* PAM_TIMESTAMP_HMAC_OPENSSL_WRAPPER_H */
|
||||
diff --git a/modules/pam_timestamp/pam_timestamp.8.xml b/modules/pam_timestamp/pam_timestamp.8.xml
|
||||
index e19a0bcf..83e5aea8 100644
|
||||
--- a/modules/pam_timestamp/pam_timestamp.8.xml
|
||||
+++ b/modules/pam_timestamp/pam_timestamp.8.xml
|
||||
@@ -50,6 +50,11 @@ for the user. When an application attempts to authenticate the user, a
|
||||
<emphasis>pam_timestamp</emphasis> will treat a sufficiently recent timestamp
|
||||
file as grounds for succeeding.
|
||||
</para>
|
||||
+ <para condition="openssl_hmac">
|
||||
+ The default encryption hash is taken from the
|
||||
+ <emphasis remap='B'>HMAC_CRYPTO_ALGO</emphasis> variable from
|
||||
+ <emphasis>/etc/login.defs</emphasis>.
|
||||
+ </para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1 id="pam_timestamp-options">
|
||||
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
|
||||
index 30be883c..01dd1385 100644
|
||||
--- a/modules/pam_timestamp/pam_timestamp.c
|
||||
+++ b/modules/pam_timestamp/pam_timestamp.c
|
||||
@@ -56,7 +56,11 @@
|
||||
#include <utmp.h>
|
||||
#include <syslog.h>
|
||||
#include <paths.h>
|
||||
+#ifdef WITH_OPENSSL
|
||||
+#include "hmac_openssl_wrapper.h"
|
||||
+#else
|
||||
#include "hmacsha1.h"
|
||||
+#endif /* WITH_OPENSSL */
|
||||
|
||||
#include <security/pam_modules.h>
|
||||
#include <security/_pam_macros.h>
|
||||
@@ -79,6 +83,9 @@
|
||||
#define BUFLEN PATH_MAX
|
||||
#endif
|
||||
|
||||
+#define ROOT_USER 0
|
||||
+#define ROOT_GROUP 0
|
||||
+
|
||||
/* Return PAM_SUCCESS if the given directory looks "safe". */
|
||||
static int
|
||||
check_dir_perms(pam_handle_t *pamh, const char *tdir)
|
||||
@@ -449,6 +456,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
return PAM_AUTH_ERR;
|
||||
}
|
||||
|
||||
+#ifdef WITH_OPENSSL
|
||||
+ if (hmac_size(pamh, debug, &maclen)) {
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ }
|
||||
+#else
|
||||
+ maclen = hmac_sha1_size();
|
||||
+#endif /* WITH_OPENSSL */
|
||||
/* Check that the file is the expected size. */
|
||||
if (st.st_size == 0) {
|
||||
/* Invalid, but may have been created by sudo. */
|
||||
@@ -456,7 +470,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
return PAM_AUTH_ERR;
|
||||
}
|
||||
if (st.st_size !=
|
||||
- (off_t)(strlen(path) + 1 + sizeof(then) + hmac_sha1_size())) {
|
||||
+ (off_t)(strlen(path) + 1 + sizeof(then) + maclen)) {
|
||||
pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' "
|
||||
"appears to be corrupted", path);
|
||||
close(fd);
|
||||
@@ -487,8 +501,17 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
message_end = message + strlen(path) + 1 + sizeof(then);
|
||||
|
||||
/* Regenerate the MAC. */
|
||||
- hmac_sha1_generate_file(pamh, &mac, &maclen, TIMESTAMPKEY, 0, 0,
|
||||
- message, message_end - message);
|
||||
+#ifdef WITH_OPENSSL
|
||||
+ if (hmac_generate(pamh, debug, &mac, &maclen, TIMESTAMPKEY,
|
||||
+ ROOT_USER, ROOT_GROUP, message, message_end - message)) {
|
||||
+ close(fd);
|
||||
+ free(message);
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ }
|
||||
+#else
|
||||
+ hmac_sha1_generate_file(pamh, &mac, &maclen, TIMESTAMPKEY,
|
||||
+ ROOT_USER, ROOT_GROUP, message, message_end - message);
|
||||
+#endif /* WITH_OPENSSL */
|
||||
if ((mac == NULL) ||
|
||||
(memcmp(path, message, strlen(path)) != 0) ||
|
||||
(memcmp(mac, message_end, maclen) != 0)) {
|
||||
@@ -605,8 +628,16 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char *
|
||||
}
|
||||
}
|
||||
|
||||
+#ifdef WITH_OPENSSL
|
||||
+ if (hmac_size(pamh, debug, &maclen)) {
|
||||
+ return PAM_SESSION_ERR;
|
||||
+ }
|
||||
+#else
|
||||
+ maclen = hmac_sha1_size();
|
||||
+#endif /* WITH_OPENSSL */
|
||||
+
|
||||
/* Generate the message. */
|
||||
- text = malloc(strlen(path) + 1 + sizeof(now) + hmac_sha1_size());
|
||||
+ text = malloc(strlen(path) + 1 + sizeof(now) + maclen);
|
||||
if (text == NULL) {
|
||||
pam_syslog(pamh, LOG_CRIT, "unable to allocate memory: %m");
|
||||
return PAM_SESSION_ERR;
|
||||
@@ -621,15 +652,21 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char *
|
||||
p += sizeof(now);
|
||||
|
||||
/* Generate the MAC and append it to the plaintext. */
|
||||
- hmac_sha1_generate_file(pamh, &mac, &maclen,
|
||||
- TIMESTAMPKEY,
|
||||
- 0, 0,
|
||||
- text, p - text);
|
||||
+#ifdef WITH_OPENSSL
|
||||
+ if (hmac_generate(pamh, debug, &mac, &maclen, TIMESTAMPKEY,
|
||||
+ ROOT_USER, ROOT_GROUP, text, p - text)) {
|
||||
+ free(text);
|
||||
+ return PAM_SESSION_ERR;
|
||||
+ }
|
||||
+#else
|
||||
+ hmac_sha1_generate_file(pamh, &mac, &maclen, TIMESTAMPKEY,
|
||||
+ ROOT_USER, ROOT_GROUP, text, p - text);
|
||||
if (mac == NULL) {
|
||||
pam_syslog(pamh, LOG_ERR, "failure generating MAC: %m");
|
||||
free(text);
|
||||
return PAM_SESSION_ERR;
|
||||
}
|
||||
+#endif /* WITH_OPENSSL */
|
||||
memmove(p, mac, maclen);
|
||||
p += maclen;
|
||||
free(mac);
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,5 @@
|
||||
d /run/console 0755 root root -
|
||||
d /run/faillock 0755 root root -
|
||||
d /run/sepermit 0755 root root -
|
||||
d /run/motd.d 0755 root root -
|
||||
f /var/log/tallylog 0600 root root -
|
@ -0,0 +1,18 @@
|
||||
#%PAM-1.0
|
||||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authselect is run.
|
||||
auth required pam_env.so
|
||||
auth sufficient pam_unix.so try_first_pass nullok
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_unix.so
|
||||
|
||||
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
|
||||
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
|
||||
password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_systemd.so
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
session required pam_unix.so
|
@ -0,0 +1,46 @@
|
||||
.TH POSTLOGIN 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
|
||||
.SH NAME
|
||||
|
||||
postlogin \- Common configuration file for PAMified services
|
||||
|
||||
.SH SYNOPSIS
|
||||
.B /etc/pam.d/postlogin
|
||||
.sp 2
|
||||
.SH DESCRIPTION
|
||||
|
||||
The purpose of this PAM configuration file is to provide a common
|
||||
place for all PAM modules which should be called after the stack
|
||||
configured in
|
||||
.BR system-auth
|
||||
or the other common PAM configuration files.
|
||||
|
||||
.sp
|
||||
The
|
||||
.BR postlogin
|
||||
configuration file is included from all individual service configuration
|
||||
files that provide login service with shell or file access.
|
||||
|
||||
.SH NOTES
|
||||
The modules in the postlogin configuration file are executed regardless
|
||||
of the success or failure of the modules in the
|
||||
.BR system-auth
|
||||
configuration file.
|
||||
|
||||
.SH BUGS
|
||||
.sp 2
|
||||
Sometimes it would be useful to be able to skip the postlogin modules in
|
||||
case the substack of the
|
||||
.BR system-auth
|
||||
modules failed. Unfortunately the current Linux-PAM library does not
|
||||
provide any way how to achieve this.
|
||||
|
||||
.SH "SEE ALSO"
|
||||
pam(8), config-util(5), system-auth(5)
|
||||
|
||||
The three
|
||||
.BR Linux-PAM
|
||||
Guides, for
|
||||
.BR "system administrators" ", "
|
||||
.BR "module developers" ", "
|
||||
and
|
||||
.BR "application developers" ". "
|
@ -0,0 +1,8 @@
|
||||
#%PAM-1.0
|
||||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authselect is run.
|
||||
|
||||
session optional pam_umask.so silent
|
||||
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
|
||||
session [default=1] pam_lastlog.so nowtmp showfailed
|
||||
session optional pam_lastlog.so silent noupdate showfailed
|
@ -0,0 +1,19 @@
|
||||
#%PAM-1.0
|
||||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authselect is run.
|
||||
auth required pam_env.so
|
||||
auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_unix.so
|
||||
account sufficient pam_localuser.so
|
||||
account sufficient pam_succeed_if.so uid < 500 quiet
|
||||
account required pam_permit.so
|
||||
|
||||
password optional pam_pkcs11.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_systemd.so
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
session required pam_unix.so
|
@ -0,0 +1,58 @@
|
||||
.TH SYSTEM-AUTH 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
|
||||
.SH NAME
|
||||
|
||||
system-auth \- Common configuration file for PAMified services
|
||||
|
||||
.SH SYNOPSIS
|
||||
.B /etc/pam.d/system-auth
|
||||
.B /etc/pam.d/password-auth
|
||||
.B /etc/pam.d/fingerprint-auth
|
||||
.B /etc/pam.d/smartcard-auth
|
||||
.sp 2
|
||||
.SH DESCRIPTION
|
||||
|
||||
The purpose of these configuration files are to provide a common
|
||||
interface for all applications and service daemons calling into
|
||||
the PAM library.
|
||||
|
||||
.sp
|
||||
The
|
||||
.BR system-auth
|
||||
configuration file is included from nearly all individual service configuration
|
||||
files with the help of the
|
||||
.BR substack
|
||||
directive.
|
||||
|
||||
.sp
|
||||
The
|
||||
.BR password-auth
|
||||
.BR fingerprint-auth
|
||||
.BR smartcard-auth
|
||||
configuration files are for applications which handle authentication from
|
||||
different types of devices via simultaneously running individual conversations
|
||||
instead of one aggregate conversation.
|
||||
|
||||
.SH NOTES
|
||||
Previously these common configuration files were included with the help
|
||||
of the
|
||||
.BR include
|
||||
directive. This limited the use of the different action types of modules.
|
||||
With the use of
|
||||
.BR substack
|
||||
directive to include these common configuration files this limitation
|
||||
no longer applies.
|
||||
|
||||
.SH BUGS
|
||||
.sp 2
|
||||
None known.
|
||||
|
||||
.SH "SEE ALSO"
|
||||
pam(8), config-util(5), postlogin(5)
|
||||
|
||||
The three
|
||||
.BR Linux-PAM
|
||||
Guides, for
|
||||
.BR "system administrators" ", "
|
||||
.BR "module developers" ", "
|
||||
and
|
||||
.BR "application developers" ". "
|
@ -0,0 +1,18 @@
|
||||
#%PAM-1.0
|
||||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authselect is run.
|
||||
auth required pam_env.so
|
||||
auth sufficient pam_unix.so try_first_pass nullok
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_unix.so
|
||||
|
||||
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
|
||||
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
|
||||
password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_systemd.so
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
session required pam_unix.so
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in new issue