Compare commits
No commits in common. "c8" and "c10s" have entirely different histories.
7
.gitignore
vendored
7
.gitignore
vendored
@ -1,2 +1,5 @@
|
|||||||
SOURCES/Linux-PAM-1.3.1.tar.xz
|
/*.src.rpm
|
||||||
SOURCES/pam-redhat-0.99.11.tar.bz2
|
/Linux-PAM-*.tar.xz
|
||||||
|
/Linux-PAM-*.tar.xz.asc
|
||||||
|
/pam-redhat-*.tar.bz2
|
||||||
|
/pam-redhat-*.tar.xz
|
||||||
|
@ -1,2 +0,0 @@
|
|||||||
e89b6d279c9bf8cb495dfc0b3f3931eb50f818e9 SOURCES/Linux-PAM-1.3.1.tar.xz
|
|
||||||
42206fe8319723ef23ab646b2eab496c86de3f5b SOURCES/pam-redhat-0.99.11.tar.bz2
|
|
@ -1,7 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
Version: GnuPG v2
|
|
||||||
|
|
||||||
iD8DBQBa/r62bRp/BS5ZJLsRArnKAJ9pGaJHpsEsbOVa5dBQLHYC4DhPuACeJNrg
|
|
||||||
+DaNc8W13E4Z2ZEUSsgUGe4=
|
|
||||||
=aSTW
|
|
||||||
-----END PGP SIGNATURE-----
|
|
@ -1,19 +0,0 @@
|
|||||||
#%PAM-1.0
|
|
||||||
# This file is auto-generated.
|
|
||||||
# User changes will be destroyed the next time authselect is run.
|
|
||||||
auth required pam_env.so
|
|
||||||
auth sufficient pam_fprintd.so
|
|
||||||
auth required pam_deny.so
|
|
||||||
|
|
||||||
account required pam_unix.so
|
|
||||||
account sufficient pam_localuser.so
|
|
||||||
account sufficient pam_succeed_if.so uid < 500 quiet
|
|
||||||
account required pam_permit.so
|
|
||||||
|
|
||||||
password required pam_deny.so
|
|
||||||
|
|
||||||
session optional pam_keyinit.so revoke
|
|
||||||
session required pam_limits.so
|
|
||||||
-session optional pam_systemd.so
|
|
||||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
||||||
session required pam_unix.so
|
|
@ -1,26 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod Linux-PAM-1.1.0/modules/pam_console/console.handlers
|
|
||||||
--- Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod 2008-12-16 13:37:52.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.1.0/modules/pam_console/console.handlers 2009-09-01 17:20:08.000000000 +0200
|
|
||||||
@@ -15,5 +15,3 @@
|
|
||||||
# touch unlock wait /var/run/console-unlocked
|
|
||||||
|
|
||||||
console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+
|
|
||||||
-/sbin/pam_console_apply lock logfail wait -t tty -s
|
|
||||||
-/sbin/pam_console_apply unlock logfail wait -r -t tty -s
|
|
||||||
diff -up Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod Linux-PAM-1.1.0/modules/pam_console/Makefile.am
|
|
||||||
--- Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod 2008-12-16 13:37:52.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.1.0/modules/pam_console/Makefile.am 2009-09-01 17:42:47.000000000 +0200
|
|
||||||
@@ -38,7 +38,6 @@ sbin_PROGRAMS = pam_console_apply
|
|
||||||
|
|
||||||
|
|
||||||
secureconf_DATA = console.perms console.handlers
|
|
||||||
-permsd_DATA = 50-default.perms
|
|
||||||
|
|
||||||
FLEX_OPTS = -Cr
|
|
||||||
BISON_OPTS = -d
|
|
||||||
@@ -62,4 +61,5 @@ configfile.c: configfile.tab.c configfil
|
|
||||||
|
|
||||||
install-data-local:
|
|
||||||
mkdir -p $(DESTDIR)$(secureconfdir)/console.apps
|
|
||||||
+ mkdir -p $(DESTDIR)$(permsddir)
|
|
||||||
mkdir -m $(LOCKMODE) -p -p $(DESTDIR)$(LOCKDIR)
|
|
@ -1,12 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.1.0/modules/Makefile.am.notally Linux-PAM-1.1.0/modules/Makefile.am
|
|
||||||
--- Linux-PAM-1.1.0/modules/Makefile.am.notally 2009-07-27 17:39:25.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.0/modules/Makefile.am 2009-09-01 17:40:16.000000000 +0200
|
|
||||||
@@ -10,7 +10,7 @@ SUBDIRS = pam_access pam_cracklib pam_de
|
|
||||||
pam_mkhomedir pam_motd pam_namespace pam_nologin \
|
|
||||||
pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \
|
|
||||||
pam_selinux pam_sepermit pam_shells pam_stress \
|
|
||||||
- pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \
|
|
||||||
+ pam_succeed_if pam_time pam_timestamp \
|
|
||||||
pam_tty_audit pam_umask \
|
|
||||||
pam_unix pam_userdb pam_warn pam_wheel pam_xauth
|
|
||||||
|
|
@ -1,12 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c
|
|
||||||
--- Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg 2008-12-16 13:37:52.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c 2014-06-19 13:23:28.948343737 +0200
|
|
||||||
@@ -65,7 +65,7 @@ parse_files(void)
|
|
||||||
on system locale */
|
|
||||||
oldlocale = setlocale(LC_COLLATE, "C");
|
|
||||||
|
|
||||||
- rc = glob(PERMS_GLOB, GLOB_NOCHECK, NULL, &globbuf);
|
|
||||||
+ rc = glob(PERMS_GLOB, 0, NULL, &globbuf);
|
|
||||||
setlocale(LC_COLLATE, oldlocale);
|
|
||||||
if (rc)
|
|
||||||
return;
|
|
@ -1,27 +0,0 @@
|
|||||||
diff -up pam/modules/pam_env/pam_env.c.nouserenv pam/modules/pam_env/pam_env.c
|
|
||||||
--- pam/modules/pam_env/pam_env.c.nouserenv 2010-10-20 09:59:30.000000000 +0200
|
|
||||||
+++ pam/modules/pam_env/pam_env.c 2010-11-01 14:42:01.000000000 +0100
|
|
||||||
@@ -10,7 +10,7 @@
|
|
||||||
#define DEFAULT_READ_ENVFILE 1
|
|
||||||
|
|
||||||
#define DEFAULT_USER_ENVFILE ".pam_environment"
|
|
||||||
-#define DEFAULT_USER_READ_ENVFILE 1
|
|
||||||
+#define DEFAULT_USER_READ_ENVFILE 0
|
|
||||||
|
|
||||||
#include "config.h"
|
|
||||||
|
|
||||||
diff -up pam/modules/pam_env/pam_env.8.xml.nouserenv pam/modules/pam_env/pam_env.8.xml
|
|
||||||
--- pam/modules/pam_env/pam_env.8.xml.nouserenv 2010-10-20 09:59:30.000000000 +0200
|
|
||||||
+++ pam/modules/pam_env/pam_env.8.xml 2010-11-01 14:42:01.000000000 +0100
|
|
||||||
@@ -147,7 +147,10 @@
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
Turns on or off the reading of the user specific environment
|
|
||||||
- file. 0 is off, 1 is on. By default this option is on.
|
|
||||||
+ file. 0 is off, 1 is on. By default this option is off as user
|
|
||||||
+ supplied environment variables in the PAM environment could affect
|
|
||||||
+ behavior of subsequent modules in the stack without the consent
|
|
||||||
+ of the system administrator.
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
@ -1,20 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits Linux-PAM-1.1.6/modules/pam_limits/limits.conf
|
|
||||||
--- Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits 2012-08-15 13:08:43.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.6/modules/pam_limits/limits.conf 2013-03-14 16:43:37.615087671 +0100
|
|
||||||
@@ -1,5 +1,16 @@
|
|
||||||
# /etc/security/limits.conf
|
|
||||||
#
|
|
||||||
+#This file sets the resource limits for the users logged in via PAM.
|
|
||||||
+#It does not affect resource limits of the system services.
|
|
||||||
+#
|
|
||||||
+#Also note that configuration files in /etc/security/limits.d directory,
|
|
||||||
+#which are read in alphabetical order, override the settings in this
|
|
||||||
+#file in case the domain is the same or more specific.
|
|
||||||
+#That means for example that setting a limit for wildcard domain here
|
|
||||||
+#can be overriden with a wildcard setting in a config file in the
|
|
||||||
+#subdirectory, but a user specific setting here can be overriden only
|
|
||||||
+#with a user specific setting in the subdirectory.
|
|
||||||
+#
|
|
||||||
#Each line describes a limit for a user in the form:
|
|
||||||
#
|
|
||||||
#<domain> <type> <item> <value>
|
|
@ -1,31 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c
|
|
||||||
--- Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt 2013-06-18 16:11:21.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c 2014-10-17 12:09:12.965490940 +0200
|
|
||||||
@@ -997,9 +997,9 @@ main( int argc UNUSED, char **argv )
|
|
||||||
#ifdef HAVE_LIBAUDIT
|
|
||||||
char buf[64];
|
|
||||||
int audit_fd = audit_open();
|
|
||||||
- snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
|
|
||||||
- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
|
|
||||||
- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
|
|
||||||
+ snprintf(buf, sizeof(buf), "pam_tally2 reset=%hu", cline_reset);
|
|
||||||
+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
|
|
||||||
+ buf, NULL, uid, NULL, NULL, ttyname(STDIN_FILENO), 1);
|
|
||||||
if (audit_fd >=0)
|
|
||||||
close(audit_fd);
|
|
||||||
#endif
|
|
||||||
@@ -1040,11 +1040,10 @@ main( int argc UNUSED, char **argv )
|
|
||||||
}
|
|
||||||
else if ( !cline_reset ) {
|
|
||||||
#ifdef HAVE_LIBAUDIT
|
|
||||||
- char buf[64];
|
|
||||||
int audit_fd = audit_open();
|
|
||||||
- snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
|
|
||||||
- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
|
|
||||||
- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
|
|
||||||
+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
|
|
||||||
+ "pam_tally2-reset-all-accts reset=0", "*", -1,
|
|
||||||
+ NULL, NULL, ttyname(STDIN_FILENO), 1);
|
|
||||||
if (audit_fd >=0)
|
|
||||||
close(audit_fd);
|
|
||||||
#endif
|
|
@ -1,88 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_console/Makefile.am
|
|
||||||
--- Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro 2014-08-13 16:02:49.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.8/modules/pam_console/Makefile.am 2014-09-10 17:14:33.245554314 +0200
|
|
||||||
@@ -33,6 +33,8 @@ pam_console_la_LIBADD = -L$(top_builddir
|
|
||||||
|
|
||||||
pam_console_apply_LDADD = -L$(top_builddir)/libpam -lpam
|
|
||||||
|
|
||||||
+pam_console_apply_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
|
||||||
+
|
|
||||||
securelib_LTLIBRARIES = pam_console.la
|
|
||||||
sbin_PROGRAMS = pam_console_apply
|
|
||||||
|
|
||||||
@@ -47,7 +49,7 @@ pam_console_apply_SOURCES = pam_console_
|
|
||||||
configfile.c configfile.h hashtable.c hashtable.h hashtable_private.h
|
|
||||||
|
|
||||||
pam_console_la_CFLAGS = $(AM_CFLAGS)
|
|
||||||
-pam_console_apply_CFLAGS = $(AM_CFLAGS)
|
|
||||||
+pam_console_apply_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
|
|
||||||
|
|
||||||
configfile.tab.c: configfile.y
|
|
||||||
$(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $<
|
|
||||||
diff -up Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am
|
|
||||||
--- Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro 2014-09-10 17:17:20.273401344 +0200
|
|
||||||
+++ Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am 2014-09-10 17:17:07.857115369 +0200
|
|
||||||
@@ -9,7 +9,7 @@ securelibfilterdir = $(SECUREDIR)/pam_fi
|
|
||||||
|
|
||||||
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
|
|
||||||
-I$(srcdir)/.. @PIE_CFLAGS@
|
|
||||||
-AM_LDFLAGS = @PIE_LDFLAGS@
|
|
||||||
+AM_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
|
||||||
LDADD = $(top_builddir)/libpam/libpam.la
|
|
||||||
|
|
||||||
securelibfilter_PROGRAMS = upperLOWER
|
|
||||||
diff -up Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am
|
|
||||||
--- Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am 2014-09-10 17:18:42.922304935 +0200
|
|
||||||
@@ -30,6 +30,8 @@ endif
|
|
||||||
|
|
||||||
sbin_PROGRAMS = mkhomedir_helper
|
|
||||||
mkhomedir_helper_SOURCES = mkhomedir_helper.c
|
|
||||||
+mkhomedir_helper_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
|
|
||||||
+mkhomedir_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
|
||||||
mkhomedir_helper_LDADD = $(top_builddir)/libpam/libpam.la
|
|
||||||
|
|
||||||
if ENABLE_REGENERATE_MAN
|
|
||||||
diff -up Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am
|
|
||||||
--- Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am 2014-09-10 17:22:04.339944040 +0200
|
|
||||||
@@ -26,6 +26,8 @@ if HAVE_VERSIONING
|
|
||||||
pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
|
||||||
endif
|
|
||||||
|
|
||||||
+pam_tally2_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
|
|
||||||
+pam_tally2_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
|
||||||
pam_tally2_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT)
|
|
||||||
|
|
||||||
securelib_LTLIBRARIES = pam_tally2.la
|
|
||||||
diff -up Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am
|
|
||||||
--- Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am 2014-08-13 16:02:49.906688139 +0200
|
|
||||||
@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
|
|
||||||
pam_timestamp_check_SOURCES = pam_timestamp_check.c
|
|
||||||
pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
|
|
||||||
pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
|
|
||||||
-pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
|
|
||||||
+pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
|
||||||
|
|
||||||
hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
|
|
||||||
hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
|
|
||||||
diff -up Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_unix/Makefile.am
|
|
||||||
--- Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.8/modules/pam_unix/Makefile.am 2014-08-13 16:02:49.906688139 +0200
|
|
||||||
@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@
|
|
||||||
unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
|
|
||||||
passverify.c
|
|
||||||
unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
|
|
||||||
-unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
|
|
||||||
+unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
|
||||||
unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
|
|
||||||
|
|
||||||
unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
|
|
||||||
passverify.c
|
|
||||||
unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
|
|
||||||
-unix_update_LDFLAGS = @PIE_LDFLAGS@
|
|
||||||
+unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
|
||||||
unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
|
|
||||||
|
|
||||||
if ENABLE_REGENERATE_MAN
|
|
@ -1,23 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.2.0/configure.ac.redhat-modules Linux-PAM-1.2.0/configure.ac
|
|
||||||
--- Linux-PAM-1.2.0/configure.ac.redhat-modules 2015-03-25 16:50:10.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.2.0/configure.ac 2015-05-15 15:46:50.996074677 +0200
|
|
||||||
@@ -616,6 +616,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
|
|
||||||
libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
|
|
||||||
po/Makefile.in \
|
|
||||||
modules/Makefile \
|
|
||||||
+ modules/pam_chroot/Makefile modules/pam_console/Makefile \
|
|
||||||
+ modules/pam_postgresok/Makefile \
|
|
||||||
modules/pam_access/Makefile modules/pam_cracklib/Makefile \
|
|
||||||
modules/pam_debug/Makefile modules/pam_deny/Makefile \
|
|
||||||
modules/pam_echo/Makefile modules/pam_env/Makefile \
|
|
||||||
diff -up Linux-PAM-1.2.0/modules/Makefile.am.redhat-modules Linux-PAM-1.2.0/modules/Makefile.am
|
|
||||||
--- Linux-PAM-1.2.0/modules/Makefile.am.redhat-modules 2015-03-24 13:02:32.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.2.0/modules/Makefile.am 2015-05-15 15:46:50.995074654 +0200
|
|
||||||
@@ -3,6 +3,7 @@
|
|
||||||
#
|
|
||||||
|
|
||||||
SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
|
|
||||||
+ pam_chroot pam_console pam_postgresok \
|
|
||||||
pam_env pam_exec pam_faildelay pam_filter pam_ftp \
|
|
||||||
pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
|
|
||||||
pam_listfile pam_localuser pam_loginuid pam_mail \
|
|
@ -1,73 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml
|
|
||||||
--- Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback 2015-04-27 16:38:03.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml 2015-05-15 15:54:21.524440864 +0200
|
|
||||||
@@ -284,11 +284,10 @@
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
When a user changes their password next,
|
|
||||||
- encrypt it with the SHA256 algorithm. If the
|
|
||||||
- SHA256 algorithm is not known to the <citerefentry>
|
|
||||||
+ encrypt it with the SHA256 algorithm. The
|
|
||||||
+ SHA256 algorithm must be supported by the <citerefentry>
|
|
||||||
<refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
|
|
||||||
- </citerefentry> function,
|
|
||||||
- fall back to MD5.
|
|
||||||
+ </citerefentry> function.
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
@@ -299,11 +298,10 @@
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
When a user changes their password next,
|
|
||||||
- encrypt it with the SHA512 algorithm. If the
|
|
||||||
- SHA512 algorithm is not known to the <citerefentry>
|
|
||||||
+ encrypt it with the SHA512 algorithm. The
|
|
||||||
+ SHA512 algorithm must be supported by the <citerefentry>
|
|
||||||
<refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
|
|
||||||
- </citerefentry> function,
|
|
||||||
- fall back to MD5.
|
|
||||||
+ </citerefentry> function.
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
@@ -314,11 +312,10 @@
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
When a user changes their password next,
|
|
||||||
- encrypt it with the blowfish algorithm. If the
|
|
||||||
- blowfish algorithm is not known to the <citerefentry>
|
|
||||||
+ encrypt it with the blowfish algorithm. The
|
|
||||||
+ blowfish algorithm must be supported by the <citerefentry>
|
|
||||||
<refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
|
|
||||||
- </citerefentry> function,
|
|
||||||
- fall back to MD5.
|
|
||||||
+ </citerefentry> function.
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
diff -up Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback Linux-PAM-1.2.0/modules/pam_unix/passverify.c
|
|
||||||
--- Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback 2015-05-15 15:54:21.525440887 +0200
|
|
||||||
+++ Linux-PAM-1.2.0/modules/pam_unix/passverify.c 2015-05-15 15:57:23.138613273 +0200
|
|
||||||
@@ -437,10 +437,9 @@ PAMH_ARG_DECL(char * create_password_has
|
|
||||||
sp = crypt(password, salt);
|
|
||||||
#endif
|
|
||||||
if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) {
|
|
||||||
- /* libxcrypt/libc doesn't know the algorithm, use MD5 */
|
|
||||||
+ /* libxcrypt/libc doesn't know the algorithm, error out */
|
|
||||||
pam_syslog(pamh, LOG_ERR,
|
|
||||||
- "Algo %s not supported by the crypto backend, "
|
|
||||||
- "falling back to MD5\n",
|
|
||||||
+ "Algo %s not supported by the crypto backend.\n",
|
|
||||||
on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
|
|
||||||
on(UNIX_SHA256_PASS, ctrl) ? "sha256" :
|
|
||||||
on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid);
|
|
||||||
@@ -450,7 +449,7 @@ PAMH_ARG_DECL(char * create_password_has
|
|
||||||
#ifdef HAVE_CRYPT_R
|
|
||||||
free(cdata);
|
|
||||||
#endif
|
|
||||||
- return crypt_md5_wrapper(password);
|
|
||||||
+ return NULL;
|
|
||||||
}
|
|
||||||
sp = x_strdup(sp);
|
|
||||||
#ifdef HAVE_CRYPT_R
|
|
@ -1,9 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.2.1/modules/pam_console/console.handlers.devname Linux-PAM-1.2.1/modules/pam_console/console.handlers
|
|
||||||
--- Linux-PAM-1.2.1/modules/pam_console/console.handlers.devname 2015-10-16 14:15:48.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.2.1/modules/pam_console/console.handlers 2016-02-05 17:47:26.056787517 +0100
|
|
||||||
@@ -14,4 +14,4 @@
|
|
||||||
# echo lock wait Locking console for user on tty
|
|
||||||
# touch unlock wait /var/run/console-unlocked
|
|
||||||
|
|
||||||
-console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+
|
|
||||||
+console consoledevs /dev/tty[0-9][0-9]* tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+
|
|
@ -1,133 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c
|
|
||||||
--- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group 2016-04-04 16:37:38.696260359 +0200
|
|
||||||
+++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c 2017-08-21 16:40:01.624706864 +0200
|
|
||||||
@@ -1,5 +1,5 @@
|
|
||||||
/*
|
|
||||||
- * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
|
||||||
+ * Copyright (c) 2010, 2017 Tomas Mraz <tmraz@redhat.com>
|
|
||||||
*
|
|
||||||
* Redistribution and use in source and binary forms, with or without
|
|
||||||
* modification, are permitted provided that the following conditions
|
|
||||||
@@ -78,9 +78,11 @@ struct options {
|
|
||||||
unsigned int root_unlock_time;
|
|
||||||
const char *dir;
|
|
||||||
const char *user;
|
|
||||||
+ const char *admin_group;
|
|
||||||
int failures;
|
|
||||||
uint64_t latest_time;
|
|
||||||
uid_t uid;
|
|
||||||
+ int is_admin;
|
|
||||||
uint64_t now;
|
|
||||||
};
|
|
||||||
|
|
||||||
@@ -152,6 +154,9 @@ args_parse(pam_handle_t *pamh, int argc,
|
|
||||||
opts->root_unlock_time = temp;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+ else if (strncmp(argv[i], "admin_group=", 12) == 0) {
|
|
||||||
+ opts->admin_group = argv[i] + 12;
|
|
||||||
+ }
|
|
||||||
else if (strcmp(argv[i], "preauth") == 0) {
|
|
||||||
opts->action = FAILLOCK_ACTION_PREAUTH;
|
|
||||||
}
|
|
||||||
@@ -209,6 +214,17 @@ static int get_pam_user(pam_handle_t *pa
|
|
||||||
}
|
|
||||||
opts->user = user;
|
|
||||||
opts->uid = pwd->pw_uid;
|
|
||||||
+
|
|
||||||
+ if (pwd->pw_uid == 0) {
|
|
||||||
+ opts->is_admin = 1;
|
|
||||||
+ return PAM_SUCCESS;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (opts->admin_group && *opts->admin_group) {
|
|
||||||
+ opts->is_admin = pam_modutil_user_in_group_uid_nam(pamh,
|
|
||||||
+ pwd->pw_uid, opts->admin_group);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
return PAM_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -239,7 +255,7 @@ check_tally(pam_handle_t *pamh, struct o
|
|
||||||
return PAM_SYSTEM_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
|
||||||
+ if (opts->is_admin && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
|
||||||
return PAM_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -262,13 +278,9 @@ check_tally(pam_handle_t *pamh, struct o
|
|
||||||
|
|
||||||
opts->failures = failures;
|
|
||||||
|
|
||||||
- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
|
||||||
- return PAM_SUCCESS;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
if (opts->deny && failures >= opts->deny) {
|
|
||||||
- if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
|
|
||||||
- (!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
|
|
||||||
+ if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
|
|
||||||
+ (opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
|
|
||||||
#ifdef HAVE_LIBAUDIT
|
|
||||||
if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
|
|
||||||
char buf[64];
|
|
||||||
@@ -401,7 +413,7 @@ write_tally(pam_handle_t *pamh, struct o
|
|
||||||
audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
|
|
||||||
NULL, NULL, NULL, 1);
|
|
||||||
|
|
||||||
- if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
|
||||||
+ if (!opts->is_admin || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
|
||||||
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
|
|
||||||
NULL, NULL, NULL, 1);
|
|
||||||
}
|
|
||||||
@@ -425,11 +437,11 @@ faillock_message(pam_handle_t *pamh, str
|
|
||||||
int64_t left;
|
|
||||||
|
|
||||||
if (!(opts->flags & FAILLOCK_FLAG_SILENT)) {
|
|
||||||
- if (opts->uid) {
|
|
||||||
- left = opts->latest_time + opts->unlock_time - opts->now;
|
|
||||||
+ if (opts->is_admin) {
|
|
||||||
+ left = opts->latest_time + opts->root_unlock_time - opts->now;
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
- left = opts->latest_time + opts->root_unlock_time - opts->now;
|
|
||||||
+ left = opts->latest_time + opts->unlock_time - opts->now;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (left > 0) {
|
|
||||||
diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml
|
|
||||||
--- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group 2016-05-06 15:24:10.328281818 +0200
|
|
||||||
+++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml 2017-08-21 16:16:09.448033843 +0200
|
|
||||||
@@ -40,6 +40,9 @@
|
|
||||||
root_unlock_time=<replaceable>n</replaceable>
|
|
||||||
</arg>
|
|
||||||
<arg choice="opt">
|
|
||||||
+ admin_group=<replaceable>name</replaceable>
|
|
||||||
+ </arg>
|
|
||||||
+ <arg choice="opt">
|
|
||||||
audit
|
|
||||||
</arg>
|
|
||||||
<arg choice="opt">
|
|
||||||
@@ -243,6 +246,20 @@
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>
|
|
||||||
+ <option>admin_group=<replaceable>name</replaceable></option>
|
|
||||||
+ </term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ If a group name is specified with this option, members
|
|
||||||
+ of the group will be handled by this module the same as
|
|
||||||
+ the root account (the options <option>even_deny_root></option>
|
|
||||||
+ and <option>root_unlock_time</option> will apply to them.
|
|
||||||
+ By default the option is not set.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
</refsect1>
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
@ -1,806 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am
|
|
||||||
--- Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am.pwhhelper 2016-03-24 12:45:42.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am 2016-05-06 15:18:42.307637933 +0200
|
|
||||||
@@ -1,5 +1,6 @@
|
|
||||||
#
|
|
||||||
# Copyright (c) 2008, 2009 Thorsten Kukuk <kukuk@suse.de>
|
|
||||||
+# Copyright (c) 2013 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
|
|
||||||
CLEANFILES = *~
|
|
||||||
@@ -9,25 +10,34 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-
|
|
||||||
|
|
||||||
TESTS = tst-pam_pwhistory
|
|
||||||
|
|
||||||
-man_MANS = pam_pwhistory.8
|
|
||||||
+man_MANS = pam_pwhistory.8 pwhistory_helper.8
|
|
||||||
|
|
||||||
-XMLS = README.xml pam_pwhistory.8.xml
|
|
||||||
+XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml
|
|
||||||
|
|
||||||
securelibdir = $(SECUREDIR)
|
|
||||||
secureconfdir = $(SCONFIGDIR)
|
|
||||||
|
|
||||||
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
|
|
||||||
-AM_LDFLAGS = -no-undefined -avoid-version -module
|
|
||||||
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
|
|
||||||
+ -DPWHISTORY_HELPER=\"$(sbindir)/pwhistory_helper\"
|
|
||||||
+
|
|
||||||
+pam_pwhistory_la_LDFLAGS = -no-undefined -avoid-version -module
|
|
||||||
if HAVE_VERSIONING
|
|
||||||
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
|
||||||
+ pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
|
||||||
endif
|
|
||||||
|
|
||||||
noinst_HEADERS = opasswd.h
|
|
||||||
|
|
||||||
securelib_LTLIBRARIES = pam_pwhistory.la
|
|
||||||
-pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
|
|
||||||
+pam_pwhistory_la_CFLAGS = $(AM_CFLAGS)
|
|
||||||
+pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@
|
|
||||||
pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c
|
|
||||||
|
|
||||||
+sbin_PROGRAMS = pwhistory_helper
|
|
||||||
+pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @PIE_CFLAGS@
|
|
||||||
+pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c
|
|
||||||
+pwhistory_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
|
||||||
+pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
|
|
||||||
+
|
|
||||||
if ENABLE_REGENERATE_MAN
|
|
||||||
noinst_DATA = README
|
|
||||||
README: pam_pwhistory.8.xml
|
|
||||||
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c
|
|
||||||
--- Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c.pwhhelper 2016-03-24 12:45:42.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c 2016-05-06 15:18:42.307637933 +0200
|
|
||||||
@@ -1,5 +1,6 @@
|
|
||||||
/*
|
|
||||||
* Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
|
|
||||||
+ * Copyright (c) 2013 Red Hat, Inc.
|
|
||||||
*
|
|
||||||
* Redistribution and use in source and binary forms, with or without
|
|
||||||
* modification, are permitted provided that the following conditions
|
|
||||||
@@ -38,6 +39,7 @@
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#include <pwd.h>
|
|
||||||
+#include <shadow.h>
|
|
||||||
#include <time.h>
|
|
||||||
#include <ctype.h>
|
|
||||||
#include <errno.h>
|
|
||||||
@@ -47,6 +49,7 @@
|
|
||||||
#include <string.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <syslog.h>
|
|
||||||
+#include <stdarg.h>
|
|
||||||
#include <sys/stat.h>
|
|
||||||
|
|
||||||
#if defined (HAVE_XCRYPT_H)
|
|
||||||
@@ -55,7 +58,14 @@
|
|
||||||
#include <crypt.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#ifdef HELPER_COMPILE
|
|
||||||
+#define pam_modutil_getpwnam(h,n) getpwnam(n)
|
|
||||||
+#define pam_modutil_getspnam(h,n) getspnam(n)
|
|
||||||
+#define pam_syslog(h,a,...) helper_log_err(a,__VA_ARGS__)
|
|
||||||
+#else
|
|
||||||
+#include <security/pam_modutil.h>
|
|
||||||
#include <security/pam_ext.h>
|
|
||||||
+#endif
|
|
||||||
#include <security/pam_modules.h>
|
|
||||||
|
|
||||||
#include "opasswd.h"
|
|
||||||
@@ -76,6 +86,19 @@ typedef struct {
|
|
||||||
char *old_passwords;
|
|
||||||
} opwd;
|
|
||||||
|
|
||||||
+#ifdef HELPER_COMPILE
|
|
||||||
+void
|
|
||||||
+helper_log_err(int err, const char *format, ...)
|
|
||||||
+{
|
|
||||||
+ va_list args;
|
|
||||||
+
|
|
||||||
+ va_start(args, format);
|
|
||||||
+ openlog(HELPER_COMPILE, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
|
|
||||||
+ vsyslog(err, format, args);
|
|
||||||
+ va_end(args);
|
|
||||||
+ closelog();
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
static int
|
|
||||||
parse_entry (char *line, opwd *data)
|
|
||||||
@@ -117,8 +140,8 @@ compare_password(const char *newpass, co
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Check, if the new password is already in the opasswd file. */
|
|
||||||
-int
|
|
||||||
-check_old_pass (pam_handle_t *pamh, const char *user,
|
|
||||||
+PAMH_ARG_DECL(int
|
|
||||||
+check_old_pass, const char *user,
|
|
||||||
const char *newpass, int debug)
|
|
||||||
{
|
|
||||||
int retval = PAM_SUCCESS;
|
|
||||||
@@ -128,6 +151,11 @@ check_old_pass (pam_handle_t *pamh, cons
|
|
||||||
opwd entry;
|
|
||||||
int found = 0;
|
|
||||||
|
|
||||||
+#ifndef HELPER_COMPILE
|
|
||||||
+ if (SELINUX_ENABLED)
|
|
||||||
+ return PAM_PWHISTORY_RUN_HELPER;
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL)
|
|
||||||
{
|
|
||||||
if (errno != ENOENT)
|
|
||||||
@@ -213,9 +241,9 @@ check_old_pass (pam_handle_t *pamh, cons
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
|
|
||||||
-int
|
|
||||||
-save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
|
|
||||||
- const char *oldpass, int howmany, int debug UNUSED)
|
|
||||||
+PAMH_ARG_DECL(int
|
|
||||||
+save_old_pass, const char *user,
|
|
||||||
+ int howmany, int debug UNUSED)
|
|
||||||
{
|
|
||||||
char opasswd_tmp[] = TMP_PASSWORDS_FILE;
|
|
||||||
struct stat opasswd_stat;
|
|
||||||
@@ -226,10 +254,35 @@ save_old_pass (pam_handle_t *pamh, const
|
|
||||||
char *buf = NULL;
|
|
||||||
size_t buflen = 0;
|
|
||||||
int found = 0;
|
|
||||||
+ struct passwd *pwd;
|
|
||||||
+ const char *oldpass;
|
|
||||||
+
|
|
||||||
+ pwd = pam_modutil_getpwnam (pamh, user);
|
|
||||||
+ if (pwd == NULL)
|
|
||||||
+ return PAM_USER_UNKNOWN;
|
|
||||||
|
|
||||||
if (howmany <= 0)
|
|
||||||
return PAM_SUCCESS;
|
|
||||||
|
|
||||||
+#ifndef HELPER_COMPILE
|
|
||||||
+ if (SELINUX_ENABLED)
|
|
||||||
+ return PAM_PWHISTORY_RUN_HELPER;
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ if ((strcmp(pwd->pw_passwd, "x") == 0) ||
|
|
||||||
+ ((pwd->pw_passwd[0] == '#') &&
|
|
||||||
+ (pwd->pw_passwd[1] == '#') &&
|
|
||||||
+ (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0)))
|
|
||||||
+ {
|
|
||||||
+ struct spwd *spw = pam_modutil_getspnam (pamh, user);
|
|
||||||
+
|
|
||||||
+ if (spw == NULL)
|
|
||||||
+ return PAM_USER_UNKNOWN;
|
|
||||||
+ oldpass = spw->sp_pwdp;
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ oldpass = pwd->pw_passwd;
|
|
||||||
+
|
|
||||||
if (oldpass == NULL || *oldpass == '\0')
|
|
||||||
return PAM_SUCCESS;
|
|
||||||
|
|
||||||
@@ -452,7 +505,7 @@ save_old_pass (pam_handle_t *pamh, const
|
|
||||||
{
|
|
||||||
char *out;
|
|
||||||
|
|
||||||
- if (asprintf (&out, "%s:%d:1:%s\n", user, uid, oldpass) < 0)
|
|
||||||
+ if (asprintf (&out, "%s:%d:1:%s\n", user, pwd->pw_uid, oldpass) < 0)
|
|
||||||
{
|
|
||||||
retval = PAM_AUTHTOK_ERR;
|
|
||||||
if (oldpf)
|
|
||||||
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h
|
|
||||||
--- Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h.pwhhelper 2016-03-24 12:45:42.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h 2016-05-06 15:18:42.307637933 +0200
|
|
||||||
@@ -1,5 +1,6 @@
|
|
||||||
/*
|
|
||||||
* Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
|
|
||||||
+ * Copyright (c) 2013 Red Hat, Inc.
|
|
||||||
*
|
|
||||||
* Redistribution and use in source and binary forms, with or without
|
|
||||||
* modification, are permitted provided that the following conditions
|
|
||||||
@@ -36,10 +37,32 @@
|
|
||||||
#ifndef __OPASSWD_H__
|
|
||||||
#define __OPASSWD_H__
|
|
||||||
|
|
||||||
-extern int check_old_pass (pam_handle_t *pamh, const char *user,
|
|
||||||
- const char *newpass, int debug);
|
|
||||||
-extern int save_old_pass (pam_handle_t *pamh, const char *user,
|
|
||||||
- uid_t uid, const char *oldpass,
|
|
||||||
- int howmany, int debug);
|
|
||||||
+#define PAM_PWHISTORY_RUN_HELPER PAM_CRED_INSUFFICIENT
|
|
||||||
+
|
|
||||||
+#ifdef WITH_SELINUX
|
|
||||||
+#include <selinux/selinux.h>
|
|
||||||
+#define SELINUX_ENABLED is_selinux_enabled()>0
|
|
||||||
+#else
|
|
||||||
+#define SELINUX_ENABLED 0
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#ifdef HELPER_COMPILE
|
|
||||||
+#define PAMH_ARG_DECL(fname, ...) fname(__VA_ARGS__)
|
|
||||||
+#define PAMH_ARG(...) __VA_ARGS__
|
|
||||||
+#else
|
|
||||||
+#define PAMH_ARG_DECL(fname, ...) fname(pam_handle_t *pamh, __VA_ARGS__)
|
|
||||||
+#define PAMH_ARG(...) pamh, __VA_ARGS__
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#ifdef HELPER_COMPILE
|
|
||||||
+void
|
|
||||||
+helper_log_err(int err, const char *format, ...);
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+PAMH_ARG_DECL(int
|
|
||||||
+check_old_pass, const char *user, const char *newpass, int debug);
|
|
||||||
+
|
|
||||||
+PAMH_ARG_DECL(int
|
|
||||||
+save_old_pass, const char *user, int howmany, int debug);
|
|
||||||
|
|
||||||
#endif /* __OPASSWD_H__ */
|
|
||||||
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c
|
|
||||||
--- Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper 2016-04-04 11:22:28.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c 2016-05-06 15:19:31.610785512 +0200
|
|
||||||
@@ -1,6 +1,7 @@
|
|
||||||
/*
|
|
||||||
* Copyright (c) 2008, 2012 Thorsten Kukuk
|
|
||||||
* Author: Thorsten Kukuk <kukuk@thkukuk.de>
|
|
||||||
+ * Copyright (c) 2013 Red Hat, Inc.
|
|
||||||
*
|
|
||||||
* Redistribution and use in source and binary forms, with or without
|
|
||||||
* modification, are permitted provided that the following conditions
|
|
||||||
@@ -46,10 +47,14 @@
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <string.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
-#include <shadow.h>
|
|
||||||
#include <syslog.h>
|
|
||||||
#include <sys/types.h>
|
|
||||||
#include <sys/stat.h>
|
|
||||||
+#include <sys/time.h>
|
|
||||||
+#include <sys/resource.h>
|
|
||||||
+#include <sys/wait.h>
|
|
||||||
+#include <signal.h>
|
|
||||||
+#include <fcntl.h>
|
|
||||||
|
|
||||||
#include <security/pam_modules.h>
|
|
||||||
#include <security/pam_modutil.h>
|
|
||||||
@@ -59,6 +64,7 @@
|
|
||||||
#include "opasswd.h"
|
|
||||||
|
|
||||||
#define DEFAULT_BUFLEN 2048
|
|
||||||
+#define MAX_FD_NO 20000
|
|
||||||
|
|
||||||
struct options_t {
|
|
||||||
int debug;
|
|
||||||
@@ -102,6 +108,184 @@ parse_option (pam_handle_t *pamh, const
|
|
||||||
pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int
|
|
||||||
+run_save_helper(pam_handle_t *pamh, const char *user,
|
|
||||||
+ int howmany, int debug)
|
|
||||||
+{
|
|
||||||
+ int retval, child;
|
|
||||||
+ struct sigaction newsa, oldsa;
|
|
||||||
+
|
|
||||||
+ memset(&newsa, '\0', sizeof(newsa));
|
|
||||||
+ newsa.sa_handler = SIG_DFL;
|
|
||||||
+ sigaction(SIGCHLD, &newsa, &oldsa);
|
|
||||||
+
|
|
||||||
+ child = fork();
|
|
||||||
+ if (child == 0)
|
|
||||||
+ {
|
|
||||||
+ int i = 0;
|
|
||||||
+ struct rlimit rlim;
|
|
||||||
+ int dummyfds[2];
|
|
||||||
+ static char *envp[] = { NULL };
|
|
||||||
+ char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
|
|
||||||
+
|
|
||||||
+ /* replace std file descriptors with a dummy pipe */
|
|
||||||
+ if (pipe2(dummyfds, O_NONBLOCK) == 0)
|
|
||||||
+ {
|
|
||||||
+ dup2(dummyfds[0], STDIN_FILENO);
|
|
||||||
+ dup2(dummyfds[1], STDOUT_FILENO);
|
|
||||||
+ dup2(dummyfds[1], STDERR_FILENO);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (getrlimit(RLIMIT_NOFILE,&rlim) == 0)
|
|
||||||
+ {
|
|
||||||
+ if (rlim.rlim_max >= MAX_FD_NO)
|
|
||||||
+ rlim.rlim_max = MAX_FD_NO;
|
|
||||||
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++)
|
|
||||||
+ {
|
|
||||||
+ if (i != dummyfds[0])
|
|
||||||
+ close(i);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* exec binary helper */
|
|
||||||
+ args[0] = strdup(PWHISTORY_HELPER);
|
|
||||||
+ args[1] = strdup("save");
|
|
||||||
+ args[2] = x_strdup(user);
|
|
||||||
+ asprintf(&args[3], "%d", howmany);
|
|
||||||
+ asprintf(&args[4], "%d", debug);
|
|
||||||
+
|
|
||||||
+ execve(args[0], args, envp);
|
|
||||||
+
|
|
||||||
+ _exit(PAM_SYSTEM_ERR);
|
|
||||||
+ }
|
|
||||||
+ else if (child > 0)
|
|
||||||
+ {
|
|
||||||
+ /* wait for child */
|
|
||||||
+ int rc = 0;
|
|
||||||
+ rc = waitpid(child, &retval, 0); /* wait for helper to complete */
|
|
||||||
+ if (rc < 0)
|
|
||||||
+ {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper save waitpid returned %d: %m", rc);
|
|
||||||
+ retval = PAM_SYSTEM_ERR;
|
|
||||||
+ }
|
|
||||||
+ else if (!WIFEXITED(retval))
|
|
||||||
+ {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper save abnormal exit: %d", retval);
|
|
||||||
+ retval = PAM_SYSTEM_ERR;
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ retval = WEXITSTATUS(retval);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ retval = PAM_SYSTEM_ERR;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
|
|
||||||
+
|
|
||||||
+ return retval;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+run_check_helper(pam_handle_t *pamh, const char *user,
|
|
||||||
+ const char *newpass, int debug)
|
|
||||||
+{
|
|
||||||
+ int retval, child, fds[2];
|
|
||||||
+ struct sigaction newsa, oldsa;
|
|
||||||
+
|
|
||||||
+ /* create a pipe for the password */
|
|
||||||
+ if (pipe(fds) != 0)
|
|
||||||
+ return PAM_SYSTEM_ERR;
|
|
||||||
+
|
|
||||||
+ memset(&newsa, '\0', sizeof(newsa));
|
|
||||||
+ newsa.sa_handler = SIG_DFL;
|
|
||||||
+ sigaction(SIGCHLD, &newsa, &oldsa);
|
|
||||||
+
|
|
||||||
+ child = fork();
|
|
||||||
+ if (child == 0)
|
|
||||||
+ {
|
|
||||||
+ int i = 0;
|
|
||||||
+ struct rlimit rlim;
|
|
||||||
+ int dummyfds[2];
|
|
||||||
+ static char *envp[] = { NULL };
|
|
||||||
+ char *args[] = { NULL, NULL, NULL, NULL, NULL };
|
|
||||||
+
|
|
||||||
+ /* reopen stdin as pipe */
|
|
||||||
+ dup2(fds[0], STDIN_FILENO);
|
|
||||||
+
|
|
||||||
+ /* replace std file descriptors with a dummy pipe */
|
|
||||||
+ if (pipe2(dummyfds, O_NONBLOCK) == 0)
|
|
||||||
+ {
|
|
||||||
+ dup2(dummyfds[1], STDOUT_FILENO);
|
|
||||||
+ dup2(dummyfds[1], STDERR_FILENO);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (getrlimit(RLIMIT_NOFILE,&rlim) == 0)
|
|
||||||
+ {
|
|
||||||
+ if (rlim.rlim_max >= MAX_FD_NO)
|
|
||||||
+ rlim.rlim_max = MAX_FD_NO;
|
|
||||||
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++)
|
|
||||||
+ {
|
|
||||||
+ if (i != dummyfds[0])
|
|
||||||
+ close(i);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* exec binary helper */
|
|
||||||
+ args[0] = strdup(PWHISTORY_HELPER);
|
|
||||||
+ args[1] = strdup("check");
|
|
||||||
+ args[2] = x_strdup(user);
|
|
||||||
+ asprintf(&args[3], "%d", debug);
|
|
||||||
+
|
|
||||||
+ execve(args[0], args, envp);
|
|
||||||
+
|
|
||||||
+ _exit(PAM_SYSTEM_ERR);
|
|
||||||
+ }
|
|
||||||
+ else if (child > 0)
|
|
||||||
+ {
|
|
||||||
+ /* wait for child */
|
|
||||||
+ int rc = 0;
|
|
||||||
+ if (newpass == NULL)
|
|
||||||
+ newpass = "";
|
|
||||||
+
|
|
||||||
+ /* send the password to the child */
|
|
||||||
+ if (write(fds[1], newpass, strlen(newpass)+1) == -1)
|
|
||||||
+ {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "Cannot send password to helper: %m");
|
|
||||||
+ retval = PAM_SYSTEM_ERR;
|
|
||||||
+ }
|
|
||||||
+ newpass = NULL;
|
|
||||||
+ close(fds[0]); /* close here to avoid possible SIGPIPE above */
|
|
||||||
+ close(fds[1]);
|
|
||||||
+ rc = waitpid(child, &retval, 0); /* wait for helper to complete */
|
|
||||||
+ if (rc < 0)
|
|
||||||
+ {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check waitpid returned %d: %m", rc);
|
|
||||||
+ retval = PAM_SYSTEM_ERR;
|
|
||||||
+ }
|
|
||||||
+ else if (!WIFEXITED(retval))
|
|
||||||
+ {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check abnormal exit: %d", retval);
|
|
||||||
+ retval = PAM_SYSTEM_ERR;
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ retval = WEXITSTATUS(retval);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ close(fds[0]);
|
|
||||||
+ close(fds[1]);
|
|
||||||
+ retval = PAM_SYSTEM_ERR;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
|
|
||||||
+
|
|
||||||
+ return retval;
|
|
||||||
+}
|
|
||||||
|
|
||||||
/* This module saves the current crypted password in /etc/security/opasswd
|
|
||||||
and then compares the new password with all entries in this file. */
|
|
||||||
@@ -109,7 +293,6 @@ parse_option (pam_handle_t *pamh, const
|
|
||||||
int
|
|
||||||
pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
{
|
|
||||||
- struct passwd *pwd;
|
|
||||||
const char *newpass;
|
|
||||||
const char *user;
|
|
||||||
int retval, tries;
|
|
||||||
@@ -154,31 +337,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
|
|
||||||
return PAM_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
- pwd = pam_modutil_getpwnam (pamh, user);
|
|
||||||
- if (pwd == NULL)
|
|
||||||
- return PAM_USER_UNKNOWN;
|
|
||||||
-
|
|
||||||
- if ((strcmp(pwd->pw_passwd, "x") == 0) ||
|
|
||||||
- ((pwd->pw_passwd[0] == '#') &&
|
|
||||||
- (pwd->pw_passwd[1] == '#') &&
|
|
||||||
- (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0)))
|
|
||||||
- {
|
|
||||||
- struct spwd *spw = pam_modutil_getspnam (pamh, user);
|
|
||||||
- if (spw == NULL)
|
|
||||||
- return PAM_USER_UNKNOWN;
|
|
||||||
+ retval = save_old_pass (pamh, user, options.remember, options.debug);
|
|
||||||
|
|
||||||
- retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp,
|
|
||||||
- options.remember, options.debug);
|
|
||||||
- if (retval != PAM_SUCCESS)
|
|
||||||
- return retval;
|
|
||||||
- }
|
|
||||||
- else
|
|
||||||
- {
|
|
||||||
- retval = save_old_pass (pamh, user, pwd->pw_uid, pwd->pw_passwd,
|
|
||||||
- options.remember, options.debug);
|
|
||||||
- if (retval != PAM_SUCCESS)
|
|
||||||
- return retval;
|
|
||||||
- }
|
|
||||||
+ if (retval == PAM_PWHISTORY_RUN_HELPER)
|
|
||||||
+ retval = run_save_helper(pamh, user, options.remember, options.debug);
|
|
||||||
+
|
|
||||||
+ if (retval != PAM_SUCCESS)
|
|
||||||
+ return retval;
|
|
||||||
|
|
||||||
newpass = NULL;
|
|
||||||
tries = 0;
|
|
||||||
@@ -207,8 +372,11 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
|
|
||||||
if (options.debug)
|
|
||||||
pam_syslog (pamh, LOG_DEBUG, "check against old password file");
|
|
||||||
|
|
||||||
- if (check_old_pass (pamh, user, newpass,
|
|
||||||
- options.debug) != PAM_SUCCESS)
|
|
||||||
+ retval = check_old_pass (pamh, user, newpass, options.debug);
|
|
||||||
+ if (retval == PAM_PWHISTORY_RUN_HELPER)
|
|
||||||
+ retval = run_check_helper(pamh, user, newpass, options.debug);
|
|
||||||
+
|
|
||||||
+ if (retval != PAM_SUCCESS)
|
|
||||||
{
|
|
||||||
if (getuid() || options.enforce_for_root ||
|
|
||||||
(flags & PAM_CHANGE_EXPIRED_AUTHTOK))
|
|
||||||
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c
|
|
||||||
--- Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper 2016-05-06 15:18:42.308637957 +0200
|
|
||||||
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c 2016-05-06 15:18:42.308637957 +0200
|
|
||||||
@@ -0,0 +1,209 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2013 Red Hat, Inc.
|
|
||||||
+ * Author: Tomas Mraz <tmraz@redhat.com>
|
|
||||||
+ *
|
|
||||||
+ * Redistribution and use in source and binary forms, with or without
|
|
||||||
+ * modification, are permitted provided that the following conditions
|
|
||||||
+ * are met:
|
|
||||||
+ * 1. Redistributions of source code must retain the above copyright
|
|
||||||
+ * notice, and the entire permission notice in its entirety,
|
|
||||||
+ * including the disclaimer of warranties.
|
|
||||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
||||||
+ * notice, this list of conditions and the following disclaimer in the
|
|
||||||
+ * documentation and/or other materials provided with the distribution.
|
|
||||||
+ * 3. The name of the author may not be used to endorse or promote
|
|
||||||
+ * products derived from this software without specific prior
|
|
||||||
+ * written permission.
|
|
||||||
+ *
|
|
||||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
|
||||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
|
||||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
|
||||||
+ * necessary due to a potential bad interaction between the GPL and
|
|
||||||
+ * the restrictions contained in a BSD-style copyright.)
|
|
||||||
+ *
|
|
||||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
||||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
||||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
||||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
|
||||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
||||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
||||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
||||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
||||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
||||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
||||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "config.h"
|
|
||||||
+
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <syslog.h>
|
|
||||||
+#include <errno.h>
|
|
||||||
+#include <unistd.h>
|
|
||||||
+#include <signal.h>
|
|
||||||
+#include <security/_pam_types.h>
|
|
||||||
+#include <security/_pam_macros.h>
|
|
||||||
+#include "opasswd.h"
|
|
||||||
+
|
|
||||||
+#define MAXPASS 200
|
|
||||||
+
|
|
||||||
+static void
|
|
||||||
+su_sighandler(int sig)
|
|
||||||
+{
|
|
||||||
+#ifndef SA_RESETHAND
|
|
||||||
+ /* emulate the behaviour of the SA_RESETHAND flag */
|
|
||||||
+ if ( sig == SIGILL || sig == SIGTRAP || sig == SIGBUS || sig = SIGSERV ) {
|
|
||||||
+ struct sigaction sa;
|
|
||||||
+ memset(&sa, '\0', sizeof(sa));
|
|
||||||
+ sa.sa_handler = SIG_DFL;
|
|
||||||
+ sigaction(sig, &sa, NULL);
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+ if (sig > 0) {
|
|
||||||
+ _exit(sig);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void
|
|
||||||
+setup_signals(void)
|
|
||||||
+{
|
|
||||||
+ struct sigaction action; /* posix signal structure */
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Setup signal handlers
|
|
||||||
+ */
|
|
||||||
+ (void) memset((void *) &action, 0, sizeof(action));
|
|
||||||
+ action.sa_handler = su_sighandler;
|
|
||||||
+#ifdef SA_RESETHAND
|
|
||||||
+ action.sa_flags = SA_RESETHAND;
|
|
||||||
+#endif
|
|
||||||
+ (void) sigaction(SIGILL, &action, NULL);
|
|
||||||
+ (void) sigaction(SIGTRAP, &action, NULL);
|
|
||||||
+ (void) sigaction(SIGBUS, &action, NULL);
|
|
||||||
+ (void) sigaction(SIGSEGV, &action, NULL);
|
|
||||||
+ action.sa_handler = SIG_IGN;
|
|
||||||
+ action.sa_flags = 0;
|
|
||||||
+ (void) sigaction(SIGTERM, &action, NULL);
|
|
||||||
+ (void) sigaction(SIGHUP, &action, NULL);
|
|
||||||
+ (void) sigaction(SIGINT, &action, NULL);
|
|
||||||
+ (void) sigaction(SIGQUIT, &action, NULL);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+read_passwords(int fd, int npass, char **passwords)
|
|
||||||
+{
|
|
||||||
+ int rbytes = 0;
|
|
||||||
+ int offset = 0;
|
|
||||||
+ int i = 0;
|
|
||||||
+ char *pptr;
|
|
||||||
+ while (npass > 0)
|
|
||||||
+ {
|
|
||||||
+ rbytes = read(fd, passwords[i]+offset, MAXPASS-offset);
|
|
||||||
+
|
|
||||||
+ if (rbytes < 0)
|
|
||||||
+ {
|
|
||||||
+ if (errno == EINTR) continue;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ if (rbytes == 0)
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ while (npass > 0 && (pptr=memchr(passwords[i]+offset, '\0', rbytes))
|
|
||||||
+ != NULL)
|
|
||||||
+ {
|
|
||||||
+ rbytes -= pptr - (passwords[i]+offset) + 1;
|
|
||||||
+ i++;
|
|
||||||
+ offset = 0;
|
|
||||||
+ npass--;
|
|
||||||
+ if (rbytes > 0)
|
|
||||||
+ {
|
|
||||||
+ if (npass > 0)
|
|
||||||
+ memcpy(passwords[i], pptr+1, rbytes);
|
|
||||||
+ memset(pptr+1, '\0', rbytes);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ offset += rbytes;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* clear up */
|
|
||||||
+ if (offset > 0 && npass > 0)
|
|
||||||
+ memset(passwords[i], '\0', offset);
|
|
||||||
+
|
|
||||||
+ return i;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+check_history(const char *user, const char *debug)
|
|
||||||
+{
|
|
||||||
+ char pass[MAXPASS + 1];
|
|
||||||
+ char *passwords[] = { pass };
|
|
||||||
+ int npass;
|
|
||||||
+ int dbg = atoi(debug); /* no need to be too fancy here */
|
|
||||||
+ int retval;
|
|
||||||
+
|
|
||||||
+ /* read the password from stdin (a pipe from the pam_pwhistory module) */
|
|
||||||
+ npass = read_passwords(STDIN_FILENO, 1, passwords);
|
|
||||||
+
|
|
||||||
+ if (npass != 1)
|
|
||||||
+ { /* is it a valid password? */
|
|
||||||
+ helper_log_err(LOG_DEBUG, "no password supplied");
|
|
||||||
+ return PAM_AUTHTOK_ERR;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ retval = check_old_pass(user, pass, dbg);
|
|
||||||
+
|
|
||||||
+ memset(pass, '\0', MAXPASS); /* clear memory of the password */
|
|
||||||
+
|
|
||||||
+ return retval;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+save_history(const char *user, const char *howmany, const char *debug)
|
|
||||||
+{
|
|
||||||
+ int num = atoi(howmany);
|
|
||||||
+ int dbg = atoi(debug); /* no need to be too fancy here */
|
|
||||||
+ int retval;
|
|
||||||
+
|
|
||||||
+ retval = save_old_pass(user, num, dbg);
|
|
||||||
+
|
|
||||||
+ return retval;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+main(int argc, char *argv[])
|
|
||||||
+{
|
|
||||||
+ const char *option;
|
|
||||||
+ const char *user;
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Catch or ignore as many signal as possible.
|
|
||||||
+ */
|
|
||||||
+ setup_signals();
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * we establish that this program is running with non-tty stdin.
|
|
||||||
+ * this is to discourage casual use.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+ if (isatty(STDIN_FILENO) || argc < 4)
|
|
||||||
+ {
|
|
||||||
+ fprintf(stderr,
|
|
||||||
+ "This binary is not designed for running in this way.\n");
|
|
||||||
+ sleep(10); /* this should discourage/annoy the user */
|
|
||||||
+ return PAM_SYSTEM_ERR;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ option = argv[1];
|
|
||||||
+ user = argv[2];
|
|
||||||
+
|
|
||||||
+ if (strcmp(option, "check") == 0 && argc == 4)
|
|
||||||
+ return check_history(user, argv[3]);
|
|
||||||
+ else if (strcmp(option, "save") == 0 && argc == 5)
|
|
||||||
+ return save_history(user, argv[3], argv[4]);
|
|
||||||
+
|
|
||||||
+ return PAM_SYSTEM_ERR;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml
|
|
||||||
--- Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper 2016-05-06 15:18:42.308637957 +0200
|
|
||||||
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml 2016-05-06 15:18:42.308637957 +0200
|
|
||||||
@@ -0,0 +1,68 @@
|
|
||||||
+<?xml version="1.0" encoding='UTF-8'?>
|
|
||||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
|
||||||
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
|
||||||
+
|
|
||||||
+<refentry id="pwhistory_helper">
|
|
||||||
+
|
|
||||||
+ <refmeta>
|
|
||||||
+ <refentrytitle>pwhistory_helper</refentrytitle>
|
|
||||||
+ <manvolnum>8</manvolnum>
|
|
||||||
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
|
|
||||||
+ </refmeta>
|
|
||||||
+
|
|
||||||
+ <refnamediv id="pwhistory_helper-name">
|
|
||||||
+ <refname>pwhistory_helper</refname>
|
|
||||||
+ <refpurpose>Helper binary that transfers password hashes from passwd or shadow to opasswd</refpurpose>
|
|
||||||
+ </refnamediv>
|
|
||||||
+
|
|
||||||
+ <refsynopsisdiv>
|
|
||||||
+ <cmdsynopsis id="pwhistory_helper-cmdsynopsis">
|
|
||||||
+ <command>pwhistory_helper</command>
|
|
||||||
+ <arg choice="opt">
|
|
||||||
+ ...
|
|
||||||
+ </arg>
|
|
||||||
+ </cmdsynopsis>
|
|
||||||
+ </refsynopsisdiv>
|
|
||||||
+
|
|
||||||
+ <refsect1 id="pwhistory_helper-description">
|
|
||||||
+
|
|
||||||
+ <title>DESCRIPTION</title>
|
|
||||||
+
|
|
||||||
+ <para>
|
|
||||||
+ <emphasis>pwhistory_helper</emphasis> is a helper program for the
|
|
||||||
+ <emphasis>pam_pwhistory</emphasis> module that transfers password hashes
|
|
||||||
+ from passwd or shadow file to the opasswd file and checks a password
|
|
||||||
+ supplied by user against the existing hashes in the opasswd file.
|
|
||||||
+ </para>
|
|
||||||
+
|
|
||||||
+ <para>
|
|
||||||
+ The purpose of the helper is to enable tighter confinement of
|
|
||||||
+ login and password changing services. The helper is thus called only
|
|
||||||
+ when SELinux is enabled on the system.
|
|
||||||
+ </para>
|
|
||||||
+
|
|
||||||
+ <para>
|
|
||||||
+ The interface of the helper - command line options, and input/output
|
|
||||||
+ data format are internal to the <emphasis>pam_pwhistory</emphasis>
|
|
||||||
+ module and it should not be called directly from applications.
|
|
||||||
+ </para>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+ <refsect1 id='pwhistory_helper-see_also'>
|
|
||||||
+ <title>SEE ALSO</title>
|
|
||||||
+ <para>
|
|
||||||
+ <citerefentry>
|
|
||||||
+ <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum>
|
|
||||||
+ </citerefentry>
|
|
||||||
+ </para>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+ <refsect1 id='pwhistory_helper-author'>
|
|
||||||
+ <title>AUTHOR</title>
|
|
||||||
+ <para>
|
|
||||||
+ Written by Tomas Mraz based on the code originally in
|
|
||||||
+ <emphasis>pam_pwhistory and pam_unix</emphasis> modules.
|
|
||||||
+ </para>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+</refentry>
|
|
@ -1,158 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.3.1/modules/pam_access/pam_access.c.access-handle-hostnames Linux-PAM-1.3.1/modules/pam_access/pam_access.c
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_access/pam_access.c.access-handle-hostnames 2024-01-19 16:45:18.319862531 +0100
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_access/pam_access.c 2024-01-19 16:50:34.239545948 +0100
|
|
||||||
@@ -683,7 +683,7 @@ string_match (pam_handle_t *pamh, const
|
|
||||||
/*
|
|
||||||
* If the token has the magic value "ALL" the match always succeeds.
|
|
||||||
* Otherwise, return YES if the token fully matches the string.
|
|
||||||
- * "NONE" token matches NULL string.
|
|
||||||
+ * "NONE" token matches NULL string.
|
|
||||||
*/
|
|
||||||
|
|
||||||
if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */
|
|
||||||
@@ -701,7 +701,8 @@ string_match (pam_handle_t *pamh, const
|
|
||||||
|
|
||||||
/* network_netmask_match - match a string against one token
|
|
||||||
* where string is a hostname or ip (v4,v6) address and tok
|
|
||||||
- * represents either a single ip (v4,v6) address or a network/netmask
|
|
||||||
+ * represents either a hostname, a single ip (v4,v6) address
|
|
||||||
+ * or a network/netmask
|
|
||||||
*/
|
|
||||||
static int
|
|
||||||
network_netmask_match (pam_handle_t *pamh,
|
|
||||||
@@ -710,10 +711,12 @@ network_netmask_match (pam_handle_t *pam
|
|
||||||
char *netmask_ptr;
|
|
||||||
char netmask_string[MAXHOSTNAMELEN + 1];
|
|
||||||
int addr_type;
|
|
||||||
+ struct addrinfo *ai = NULL;
|
|
||||||
|
|
||||||
if (item->debug)
|
|
||||||
- pam_syslog (pamh, LOG_DEBUG,
|
|
||||||
+ pam_syslog (pamh, LOG_DEBUG,
|
|
||||||
"network_netmask_match: tok=%s, item=%s", tok, string);
|
|
||||||
+
|
|
||||||
/* OK, check if tok is of type addr/mask */
|
|
||||||
if ((netmask_ptr = strchr(tok, '/')) != NULL)
|
|
||||||
{
|
|
||||||
@@ -745,52 +748,109 @@ network_netmask_match (pam_handle_t *pam
|
|
||||||
netmask_ptr = number_to_netmask(netmask, addr_type,
|
|
||||||
netmask_string, MAXHOSTNAMELEN);
|
|
||||||
}
|
|
||||||
- }
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Construct an addrinfo list from the IP address.
|
|
||||||
+ * This should not fail as the input is a correct IP address...
|
|
||||||
+ */
|
|
||||||
+ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
|
|
||||||
+ {
|
|
||||||
+ return NO;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
else
|
|
||||||
- /* NO, then check if it is only an addr */
|
|
||||||
- if (isipaddr(tok, NULL, NULL) != YES)
|
|
||||||
+ {
|
|
||||||
+ /*
|
|
||||||
+ * It is either an IP address or a hostname.
|
|
||||||
+ * Let getaddrinfo sort everything out
|
|
||||||
+ */
|
|
||||||
+ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
|
|
||||||
{
|
|
||||||
+ if (item->debug)
|
|
||||||
+ pam_syslog(pamh, LOG_DEBUG, "cannot resolve hostname \"%s\"", tok);
|
|
||||||
+
|
|
||||||
return NO;
|
|
||||||
}
|
|
||||||
+ netmask_ptr = NULL;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (isipaddr(string, NULL, NULL) != YES)
|
|
||||||
{
|
|
||||||
- /* Assume network/netmask with a name of a host. */
|
|
||||||
struct addrinfo hint;
|
|
||||||
|
|
||||||
+ /* Assume network/netmask with a name of a host. */
|
|
||||||
memset (&hint, '\0', sizeof (hint));
|
|
||||||
hint.ai_flags = AI_CANONNAME;
|
|
||||||
hint.ai_family = AF_UNSPEC;
|
|
||||||
|
|
||||||
if (item->gai_rv != 0)
|
|
||||||
+ {
|
|
||||||
+ freeaddrinfo(ai);
|
|
||||||
return NO;
|
|
||||||
+ }
|
|
||||||
else if (!item->res &&
|
|
||||||
(item->gai_rv = getaddrinfo (string, NULL, &hint, &item->res)) != 0)
|
|
||||||
+ {
|
|
||||||
+ freeaddrinfo(ai);
|
|
||||||
return NO;
|
|
||||||
+ }
|
|
||||||
else
|
|
||||||
{
|
|
||||||
struct addrinfo *runp = item->res;
|
|
||||||
+ struct addrinfo *runp1;
|
|
||||||
|
|
||||||
while (runp != NULL)
|
|
||||||
{
|
|
||||||
char buf[INET6_ADDRSTRLEN];
|
|
||||||
|
|
||||||
- inet_ntop (runp->ai_family,
|
|
||||||
- runp->ai_family == AF_INET
|
|
||||||
- ? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr
|
|
||||||
- : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr,
|
|
||||||
- buf, sizeof (buf));
|
|
||||||
+ if (getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) != 0)
|
|
||||||
+ {
|
|
||||||
+ freeaddrinfo(ai);
|
|
||||||
+ return NO;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- if (are_addresses_equal(buf, tok, netmask_ptr))
|
|
||||||
+ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
|
|
||||||
{
|
|
||||||
- return YES;
|
|
||||||
+ char buf1[INET6_ADDRSTRLEN];
|
|
||||||
+
|
|
||||||
+ if (runp->ai_family != runp1->ai_family)
|
|
||||||
+ continue;
|
|
||||||
+
|
|
||||||
+ if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0)
|
|
||||||
+ {
|
|
||||||
+ freeaddrinfo(ai);
|
|
||||||
+ return NO;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (are_addresses_equal (buf, buf1, netmask_ptr))
|
|
||||||
+ {
|
|
||||||
+ freeaddrinfo(ai);
|
|
||||||
+ return YES;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
runp = runp->ai_next;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else
|
|
||||||
- return (are_addresses_equal(string, tok, netmask_ptr));
|
|
||||||
+ {
|
|
||||||
+ struct addrinfo *runp1;
|
|
||||||
+
|
|
||||||
+ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
|
|
||||||
+ {
|
|
||||||
+ char buf1[INET6_ADDRSTRLEN];
|
|
||||||
+
|
|
||||||
+ (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST);
|
|
||||||
+
|
|
||||||
+ if (are_addresses_equal(string, buf1, netmask_ptr))
|
|
||||||
+ {
|
|
||||||
+ freeaddrinfo(ai);
|
|
||||||
+ return YES;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ freeaddrinfo(ai);
|
|
||||||
|
|
||||||
return NO;
|
|
||||||
}
|
|
@ -1,35 +0,0 @@
|
|||||||
From b429ea18b1c9c8953df5169c6a453b4255a6f23d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Iker Pedrosa <ikerpedrosam@gmail.com>
|
|
||||||
Date: Thu, 27 Feb 2020 11:48:47 +0100
|
|
||||||
Subject: [PATCH] pam_tty_audit: if kernel audit is disabled return PAM_IGNORE
|
|
||||||
|
|
||||||
If kernel audit is disabled the socket open will return
|
|
||||||
EPROTONOSUPPORT.
|
|
||||||
Return PAM_IGNORE from pam_tty_audit and log a warning
|
|
||||||
in this situation so login is not blocked by the module.
|
|
||||||
---
|
|
||||||
modules/pam_tty_audit/pam_tty_audit.c | 8 ++++++++
|
|
||||||
1 file changed, 8 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c
|
|
||||||
index 7dbcada2..589c60a2 100644
|
|
||||||
--- a/modules/pam_tty_audit/pam_tty_audit.c
|
|
||||||
+++ b/modules/pam_tty_audit/pam_tty_audit.c
|
|
||||||
@@ -351,6 +351,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
|
|
||||||
fd = nl_open ();
|
|
||||||
if (fd == -1
|
|
||||||
+ && errno == EPROTONOSUPPORT)
|
|
||||||
+ {
|
|
||||||
+ pam_syslog (pamh, LOG_WARNING, "unable to open audit socket, audit not "
|
|
||||||
+ "supported; tty_audit skipped");
|
|
||||||
+ free (old_status);
|
|
||||||
+ return PAM_IGNORE;
|
|
||||||
+ }
|
|
||||||
+ else if (fd == -1
|
|
||||||
|| nl_send (fd, AUDIT_TTY_GET, 0, NULL, 0) != 0
|
|
||||||
|| nl_recv (fd, AUDIT_TTY_GET, old_status, sizeof (*old_status)) != 0)
|
|
||||||
{
|
|
||||||
--
|
|
||||||
2.25.2
|
|
||||||
|
|
@ -1,33 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c.audit-messages-formatting Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c.audit-messages-formatting 2024-03-11 16:21:51.928946604 +0100
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c 2024-03-11 16:21:51.934946609 +0100
|
|
||||||
@@ -334,7 +334,7 @@ check_tally(pam_handle_t *pamh, struct o
|
|
||||||
|
|
||||||
(void)pam_get_item(pamh, PAM_TTY, &tty);
|
|
||||||
(void)pam_get_item(pamh, PAM_RHOST, &rhost);
|
|
||||||
- snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
|
|
||||||
+ snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid);
|
|
||||||
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
|
|
||||||
rhost, NULL, tty, 1);
|
|
||||||
}
|
|
||||||
@@ -450,7 +450,7 @@ write_tally(pam_handle_t *pamh, struct o
|
|
||||||
errno == EAFNOSUPPORT))
|
|
||||||
return PAM_SYSTEM_ERR;
|
|
||||||
|
|
||||||
- snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
|
|
||||||
+ snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid);
|
|
||||||
audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
|
|
||||||
NULL, NULL, NULL, 1);
|
|
||||||
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_selinux/pam_selinux.c.audit-messages-formatting Linux-PAM-1.3.1/modules/pam_selinux/pam_selinux.c
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_selinux/pam_selinux.c.audit-messages-formatting 2024-03-11 16:21:51.934946609 +0100
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_selinux/pam_selinux.c 2024-03-11 16:23:24.521025061 +0100
|
|
||||||
@@ -106,7 +106,7 @@ int send_audit_message(pam_handle_t *pam
|
|
||||||
pam_syslog(pamh, LOG_ERR, "Error translating selected context.");
|
|
||||||
selected_raw = NULL;
|
|
||||||
}
|
|
||||||
- if (asprintf(&msg, "pam: default-context=%s selected-context=%s",
|
|
||||||
+ if (asprintf(&msg, "op=pam_selinux default-context=%s selected-context=%s",
|
|
||||||
default_raw ? default_raw : (default_context ? default_context : "?"),
|
|
||||||
selected_raw ? selected_raw : (selected_context ? selected_context : "?")) < 0) {
|
|
||||||
pam_syslog(pamh, LOG_ERR, "Error allocating memory.");
|
|
@ -1,88 +0,0 @@
|
|||||||
From 27d04a849fd9f9cfd4b35eb80d687817830183df Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
|
||||||
Date: Wed, 7 Aug 2019 12:22:55 +0200
|
|
||||||
Subject: [PATCH] pam_get_authtok_verify: Avoid duplicate password verification
|
|
||||||
|
|
||||||
If password was already verified by previous modules in the stack
|
|
||||||
it does not need to be verified by pam_get_authtok_verify either.
|
|
||||||
|
|
||||||
* libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified
|
|
||||||
appropriately.
|
|
||||||
(pam_get_authtok_verify): Do not prompt if authtok_verified is set and
|
|
||||||
set it when the password is verified.
|
|
||||||
* libpam/pam_private.h: Add authtok_verified to the pam handle struct.
|
|
||||||
* libpam/pam_start.c (pam_start): Initialize authtok_verified.
|
|
||||||
---
|
|
||||||
libpam/pam_get_authtok.c | 10 ++++++++++
|
|
||||||
libpam/pam_private.h | 1 +
|
|
||||||
libpam/pam_start.c | 1 +
|
|
||||||
3 files changed, 12 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c
|
|
||||||
index 800c6e5..99eb25f 100644
|
|
||||||
--- a/libpam/pam_get_authtok.c
|
|
||||||
+++ b/libpam/pam_get_authtok.c
|
|
||||||
@@ -140,6 +140,8 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
|
|
||||||
}
|
|
||||||
else if (chpass)
|
|
||||||
{
|
|
||||||
+ pamh->authtok_verified = 0;
|
|
||||||
+
|
|
||||||
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0],
|
|
||||||
PROMPT1, authtok_type,
|
|
||||||
strlen (authtok_type) > 0?" ":"");
|
|
||||||
@@ -184,6 +186,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
|
|
||||||
if (retval != PAM_SUCCESS)
|
|
||||||
return retval;
|
|
||||||
|
|
||||||
+ if (chpass > 1)
|
|
||||||
+ pamh->authtok_verified = 1;
|
|
||||||
+
|
|
||||||
return pam_get_item(pamh, item, (const void **)authtok);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -214,6 +219,9 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
|
|
||||||
if (authtok == NULL || pamh->choice != PAM_CHAUTHTOK)
|
|
||||||
return PAM_SYSTEM_ERR;
|
|
||||||
|
|
||||||
+ if (pamh->authtok_verified)
|
|
||||||
+ return pam_get_item (pamh, PAM_AUTHTOK, (const void **)authtok);
|
|
||||||
+
|
|
||||||
if (prompt != NULL)
|
|
||||||
{
|
|
||||||
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,
|
|
||||||
@@ -252,5 +260,7 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
|
|
||||||
if (retval != PAM_SUCCESS)
|
|
||||||
return retval;
|
|
||||||
|
|
||||||
+ pamh->authtok_verified = 1;
|
|
||||||
+
|
|
||||||
return pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
|
|
||||||
}
|
|
||||||
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
|
|
||||||
index 7ff9f75..58a26f5 100644
|
|
||||||
--- a/libpam/pam_private.h
|
|
||||||
+++ b/libpam/pam_private.h
|
|
||||||
@@ -172,6 +172,7 @@ struct pam_handle {
|
|
||||||
#ifdef HAVE_LIBAUDIT
|
|
||||||
int audit_state; /* keep track of reported audit messages */
|
|
||||||
#endif
|
|
||||||
+ int authtok_verified;
|
|
||||||
};
|
|
||||||
|
|
||||||
/* Values for select arg to _pam_dispatch() */
|
|
||||||
diff --git a/libpam/pam_start.c b/libpam/pam_start.c
|
|
||||||
index 328416d..e27c64b 100644
|
|
||||||
--- a/libpam/pam_start.c
|
|
||||||
+++ b/libpam/pam_start.c
|
|
||||||
@@ -94,6 +94,7 @@ int pam_start (
|
|
||||||
#endif
|
|
||||||
(*pamh)->xdisplay = NULL;
|
|
||||||
(*pamh)->authtok_type = NULL;
|
|
||||||
+ (*pamh)->authtok_verified = 0;
|
|
||||||
memset (&((*pamh)->xauth), 0, sizeof ((*pamh)->xauth));
|
|
||||||
|
|
||||||
if (((*pamh)->pam_conversation = (struct pam_conv *)
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
@ -1,11 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.3.1/modules/pam_console/sed-static.console-build Linux-PAM-1.3.1/modules/pam_console/sed-static
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_console/sed-static.console-build 2014-01-31 14:17:53.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_console/sed-static 2018-09-10 15:06:04.115302315 +0200
|
|
||||||
@@ -13,6 +13,7 @@ sed '
|
|
||||||
/^YY_BUFFER_STATE yy_scan_buffer/s/^/STATIC /
|
|
||||||
/^YY_BUFFER_STATE yy_scan_string/s/^/STATIC /
|
|
||||||
/^void yy_switch_to_buffer/s/^/STATIC /
|
|
||||||
+/^extern int yylex/s/^extern /STATIC /
|
|
||||||
/define YY_DECL int yylex/s/YY_DECL /YY_DECL STATIC /
|
|
||||||
/^int yyparse/s/^/STATIC /
|
|
||||||
/^void yyrestart/s/^/STATIC /
|
|
@ -1,185 +0,0 @@
|
|||||||
diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
|
|
||||||
index 106ef7c..b2e94c7 100644
|
|
||||||
--- a/libpam/pam_handlers.c
|
|
||||||
+++ b/libpam/pam_handlers.c
|
|
||||||
@@ -282,7 +282,6 @@ _pam_open_config_file(pam_handle_t *pamh
|
|
||||||
{
|
|
||||||
char *p;
|
|
||||||
FILE *f;
|
|
||||||
- int err = 0;
|
|
||||||
|
|
||||||
/* Absolute path */
|
|
||||||
if (service[0] == '/') {
|
|
||||||
diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c
|
|
||||||
index be53f34..07dce36 100644
|
|
||||||
--- a/libpam_misc/misc_conv.c
|
|
||||||
+++ b/libpam_misc/misc_conv.c
|
|
||||||
@@ -211,7 +211,7 @@ static int read_string(int echo, const char *prompt, char **retstr)
|
|
||||||
line[nc] = '\0';
|
|
||||||
}
|
|
||||||
*retstr = strdup(line);
|
|
||||||
- _pam_overwrite(line);
|
|
||||||
+ _pam_overwrite_n(line, sizeof(line));
|
|
||||||
if (!*retstr) {
|
|
||||||
D(("no memory for response string"));
|
|
||||||
nc = -1;
|
|
||||||
@@ -244,7 +244,7 @@ static int read_string(int echo, const char *prompt, char **retstr)
|
|
||||||
D(("the timer appears to have expired"));
|
|
||||||
|
|
||||||
*retstr = NULL;
|
|
||||||
- _pam_overwrite(line);
|
|
||||||
+ _pam_overwrite_n(line, sizeof(line));
|
|
||||||
|
|
||||||
cleanexit:
|
|
||||||
|
|
||||||
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
|
|
||||||
index 80d885d..3801862 100644
|
|
||||||
--- a/modules/pam_access/pam_access.c
|
|
||||||
+++ b/modules/pam_access/pam_access.c
|
|
||||||
@@ -806,7 +806,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
|
|
||||||
const char *user=NULL;
|
|
||||||
const void *void_from=NULL;
|
|
||||||
const char *from;
|
|
||||||
- const char const *default_config = PAM_ACCESS_CONFIG;
|
|
||||||
+ const char * const default_config = PAM_ACCESS_CONFIG;
|
|
||||||
struct passwd *user_pw;
|
|
||||||
char hostname[MAXHOSTNAMELEN + 1];
|
|
||||||
int rv;
|
|
||||||
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
|
|
||||||
index 4bc4ae7..f8476b4 100644
|
|
||||||
--- a/modules/pam_limits/pam_limits.c
|
|
||||||
+++ b/modules/pam_limits/pam_limits.c
|
|
||||||
@@ -342,7 +342,7 @@ static const char *lnames[RLIM_NLIMITS] = {
|
|
||||||
#endif
|
|
||||||
};
|
|
||||||
|
|
||||||
-static int str2rlimit(char *name) {
|
|
||||||
+static int str2rlimit(const char *name) {
|
|
||||||
int i;
|
|
||||||
if (!name || *name == '\0')
|
|
||||||
return -1;
|
|
||||||
@@ -352,7 +352,7 @@ static int str2rlimit(char *name) {
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static rlim_t str2rlim_t(char *value) {
|
|
||||||
+static rlim_t str2rlim_t(const char *value) {
|
|
||||||
unsigned long long rlimit = 0;
|
|
||||||
|
|
||||||
if (!value) return (rlim_t)rlimit;
|
|
||||||
@@ -384,7 +384,7 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int
|
|
||||||
FILE *limitsfile;
|
|
||||||
const char *proclimits = "/proc/1/limits";
|
|
||||||
char line[256];
|
|
||||||
- char *units, *hard, *soft, *name;
|
|
||||||
+ const char *units, *hard, *soft, *name;
|
|
||||||
|
|
||||||
if (!(limitsfile = fopen(proclimits, "r"))) {
|
|
||||||
pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM defaults", proclimits, strerror(errno));
|
|
||||||
diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
|
|
||||||
index 96bfd98..66d202c 100644
|
|
||||||
--- a/modules/pam_loginuid/pam_loginuid.c
|
|
||||||
+++ b/modules/pam_loginuid/pam_loginuid.c
|
|
||||||
@@ -64,7 +64,7 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
|
|
||||||
fd = open("/proc/self/uid_map", O_RDONLY);
|
|
||||||
if (fd >= 0) {
|
|
||||||
count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
|
|
||||||
- if (strncmp(uid_map, host_uid_map, count) != 0)
|
|
||||||
+ if (count <= 0 || strncmp(uid_map, host_uid_map, count) != 0)
|
|
||||||
rc = PAM_IGNORE;
|
|
||||||
close(fd);
|
|
||||||
}
|
|
||||||
diff --git a/modules/pam_mkhomedir/mkhomedir_helper.c b/modules/pam_mkhomedir/mkhomedir_helper.c
|
|
||||||
index 9e204c1..4b8d6b7 100644
|
|
||||||
--- a/modules/pam_mkhomedir/mkhomedir_helper.c
|
|
||||||
+++ b/modules/pam_mkhomedir/mkhomedir_helper.c
|
|
||||||
@@ -232,6 +232,8 @@ create_homedir(const struct passwd *pwd,
|
|
||||||
{
|
|
||||||
pam_syslog(NULL, LOG_DEBUG,
|
|
||||||
"unable to open or stat src file %s: %m", newsource);
|
|
||||||
+ if (srcfd >= 0)
|
|
||||||
+ close(srcfd);
|
|
||||||
closedir(d);
|
|
||||||
|
|
||||||
#ifndef PATH_MAX
|
|
||||||
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
|
|
||||||
index f541f89..85f5efa 100644
|
|
||||||
--- a/modules/pam_namespace/pam_namespace.c
|
|
||||||
+++ b/modules/pam_namespace/pam_namespace.c
|
|
||||||
@@ -1418,6 +1418,7 @@ static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *
|
|
||||||
if (fstat(fd, &newstatbuf) < 0) {
|
|
||||||
pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m",
|
|
||||||
ipath);
|
|
||||||
+ close(fd);
|
|
||||||
rmdir(ipath);
|
|
||||||
return PAM_SESSION_ERR;
|
|
||||||
}
|
|
||||||
diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
|
|
||||||
index e6cf346..813f579 100644
|
|
||||||
--- a/modules/pam_pwhistory/opasswd.c
|
|
||||||
+++ b/modules/pam_pwhistory/opasswd.c
|
|
||||||
@@ -326,6 +326,9 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
|
|
||||||
n = strlen (buf);
|
|
||||||
#endif /* HAVE_GETLINE / HAVE_GETDELIM */
|
|
||||||
|
|
||||||
+ if (n < 1)
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
cp = buf;
|
|
||||||
save = strdup (buf); /* Copy to write the original data back. */
|
|
||||||
if (save == NULL)
|
|
||||||
@@ -336,9 +339,6 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
|
|
||||||
goto error_opasswd;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (n < 1)
|
|
||||||
- break;
|
|
||||||
-
|
|
||||||
tmp = strchr (cp, '#'); /* remove comments */
|
|
||||||
if (tmp)
|
|
||||||
*tmp = '\0';
|
|
||||||
diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c
|
|
||||||
index 17baabe..a9d9140 100644
|
|
||||||
--- a/modules/pam_rootok/pam_rootok.c
|
|
||||||
+++ b/modules/pam_rootok/pam_rootok.c
|
|
||||||
@@ -66,14 +66,17 @@ log_callback (int type, const char *fmt, ...)
|
|
||||||
int audit_fd;
|
|
||||||
va_list ap;
|
|
||||||
|
|
||||||
- va_start(ap, fmt);
|
|
||||||
#ifdef HAVE_LIBAUDIT
|
|
||||||
audit_fd = audit_open();
|
|
||||||
|
|
||||||
if (audit_fd >= 0) {
|
|
||||||
char *buf;
|
|
||||||
+ int ret;
|
|
||||||
|
|
||||||
- if (vasprintf (&buf, fmt, ap) < 0)
|
|
||||||
+ va_start(ap, fmt);
|
|
||||||
+ ret = vasprintf (&buf, fmt, ap);
|
|
||||||
+ va_end(ap);
|
|
||||||
+ if (ret < 0)
|
|
||||||
return 0;
|
|
||||||
audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
|
|
||||||
NULL, 0);
|
|
||||||
@@ -83,6 +86,7 @@ log_callback (int type, const char *fmt, ...)
|
|
||||||
}
|
|
||||||
|
|
||||||
#endif
|
|
||||||
+ va_start(ap, fmt);
|
|
||||||
vsyslog (LOG_USER | LOG_INFO, fmt, ap);
|
|
||||||
va_end(ap);
|
|
||||||
return 0;
|
|
||||||
diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c
|
|
||||||
index c653290..f37af0f 100644
|
|
||||||
--- a/modules/pam_sepermit/pam_sepermit.c
|
|
||||||
+++ b/modules/pam_sepermit/pam_sepermit.c
|
|
||||||
@@ -353,7 +353,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
|
|
||||||
if (*sense == PAM_SUCCESS) {
|
|
||||||
if (ignore)
|
|
||||||
*sense = PAM_IGNORE;
|
|
||||||
- if (geteuid() == 0 && exclusive && get_loginuid(pamh) == -1)
|
|
||||||
+ if (geteuid() == 0 && exclusive && get_loginuid(pamh) == (uid_t)-1)
|
|
||||||
if (sepermit_lock(pamh, user, debug) < 0)
|
|
||||||
*sense = PAM_AUTH_ERR;
|
|
||||||
}
|
|
@ -1,13 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.3.1/modules/pam_faillock/faillock.c.faillock-create-tallydir Linux-PAM-1.3.1/modules/pam_faillock/faillock.c
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_faillock/faillock.c.faillock-create-tallydir 2024-01-08 11:32:02.122392119 +0100
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_faillock/faillock.c 2024-01-08 11:33:10.916515943 +0100
|
|
||||||
@@ -74,6 +74,9 @@ open_tally (const char *dir, const char
|
|
||||||
|
|
||||||
if (create) {
|
|
||||||
flags |= O_CREAT;
|
|
||||||
+ if (access(dir, F_OK) != 0) {
|
|
||||||
+ mkdir(dir, 0755);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
fd = open(path, flags, 0600);
|
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,70 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c.fds-closing Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c
|
|
||||||
--- Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c.fds-closing 2017-02-10 11:10:15.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c 2019-10-16 16:07:31.259021159 +0200
|
|
||||||
@@ -10,6 +10,7 @@
|
|
||||||
#include <fcntl.h>
|
|
||||||
#include <syslog.h>
|
|
||||||
#include <sys/resource.h>
|
|
||||||
+#include <dirent.h>
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Creates a pipe, closes its write end, redirects fd to its read end.
|
|
||||||
@@ -116,27 +117,45 @@ redirect_out(pam_handle_t *pamh, enum pa
|
|
||||||
static void
|
|
||||||
close_fds(void)
|
|
||||||
{
|
|
||||||
+ DIR *dir = NULL;
|
|
||||||
+ struct dirent *dent;
|
|
||||||
+ int dfd = -1;
|
|
||||||
+ int fd;
|
|
||||||
+ struct rlimit rlim;
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* An arbitrary upper limit for the maximum file descriptor number
|
|
||||||
* returned by RLIMIT_NOFILE.
|
|
||||||
*/
|
|
||||||
- const int MAX_FD_NO = 65535;
|
|
||||||
+ const unsigned int MAX_FD_NO = 65535;
|
|
||||||
|
|
||||||
/* The lower limit is the same as for _POSIX_OPEN_MAX. */
|
|
||||||
- const int MIN_FD_NO = 20;
|
|
||||||
+ const unsigned int MIN_FD_NO = 20;
|
|
||||||
|
|
||||||
- int fd;
|
|
||||||
- struct rlimit rlim;
|
|
||||||
-
|
|
||||||
- if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
|
|
||||||
- fd = MAX_FD_NO;
|
|
||||||
- else if (rlim.rlim_max < MIN_FD_NO)
|
|
||||||
- fd = MIN_FD_NO;
|
|
||||||
- else
|
|
||||||
- fd = rlim.rlim_max - 1;
|
|
||||||
+ /* If /proc is mounted, we can optimize which fd can be closed. */
|
|
||||||
+ if ((dir = opendir("/proc/self/fd")) != NULL) {
|
|
||||||
+ if ((dfd = dirfd(dir)) >= 0) {
|
|
||||||
+ while ((dent = readdir(dir)) != NULL) {
|
|
||||||
+ fd = atoi(dent->d_name);
|
|
||||||
+ if (fd > STDERR_FILENO && fd != dfd)
|
|
||||||
+ close(fd);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ closedir(dir);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* If /proc isn't available, fallback to the previous behavior. */
|
|
||||||
+ if (dfd < 0) {
|
|
||||||
+ if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
|
|
||||||
+ fd = MAX_FD_NO;
|
|
||||||
+ else if (rlim.rlim_max < MIN_FD_NO)
|
|
||||||
+ fd = MIN_FD_NO;
|
|
||||||
+ else
|
|
||||||
+ fd = rlim.rlim_max - 1;
|
|
||||||
|
|
||||||
- for (; fd > STDERR_FILENO; --fd)
|
|
||||||
- close(fd);
|
|
||||||
+ for (; fd > STDERR_FILENO; --fd)
|
|
||||||
+ close(fd);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
int
|
|
@ -1,105 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h.inline Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h
|
|
||||||
--- Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h.inline 2022-05-26 10:44:31.702623614 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h 2022-05-26 10:44:31.703623621 +0200
|
|
||||||
@@ -44,4 +44,17 @@
|
|
||||||
# define DIAG_POP_IGNORE_CAST_ALIGN /* empty */
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * Evaluates to
|
|
||||||
+ * 1, if the given two types are known to be the same
|
|
||||||
+ * 0, otherwise.
|
|
||||||
+ */
|
|
||||||
+#if PAM_GNUC_PREREQ(3, 0)
|
|
||||||
+# define PAM_IS_SAME_TYPE(x_, y_) \
|
|
||||||
+ __builtin_types_compatible_p(__typeof__(x_), __typeof__(y_))
|
|
||||||
+#else
|
|
||||||
+/* Cannot tell whether these types are the same. */
|
|
||||||
+# define PAM_IS_SAME_TYPE(x_, y_) 0
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
#endif /* PAM_CC_COMPAT_H */
|
|
||||||
diff -up Linux-PAM-1.3.1/libpam/include/pam_inline.h.inline Linux-PAM-1.3.1/libpam/include/pam_inline.h
|
|
||||||
--- Linux-PAM-1.3.1/libpam/include/pam_inline.h.inline 2022-05-26 10:44:31.703623621 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/libpam/include/pam_inline.h 2022-05-26 10:44:31.703623621 +0200
|
|
||||||
@@ -0,0 +1,67 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org>
|
|
||||||
+ *
|
|
||||||
+ * Handy inline functions and macros providing some convenient functionality
|
|
||||||
+ * to libpam and its modules.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#ifndef PAM_INLINE_H
|
|
||||||
+#define PAM_INLINE_H
|
|
||||||
+
|
|
||||||
+#include "pam_cc_compat.h"
|
|
||||||
+#include <string.h>
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Evaluates to
|
|
||||||
+ * - a syntax error if the argument is 0,
|
|
||||||
+ * 0, otherwise.
|
|
||||||
+ */
|
|
||||||
+#define PAM_FAIL_BUILD_ON_ZERO(e_) (sizeof(int[-1 + 2 * !!(e_)]) * 0)
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Evaluates to
|
|
||||||
+ * 1, if the given type is known to be a non-array type
|
|
||||||
+ * 0, otherwise.
|
|
||||||
+ */
|
|
||||||
+#define PAM_IS_NOT_ARRAY(a_) PAM_IS_SAME_TYPE((a_), &(a_)[0])
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Evaluates to
|
|
||||||
+ * - a syntax error if the argument is not an array,
|
|
||||||
+ * 0, otherwise.
|
|
||||||
+ */
|
|
||||||
+#define PAM_MUST_BE_ARRAY(a_) PAM_FAIL_BUILD_ON_ZERO(!PAM_IS_NOT_ARRAY(a_))
|
|
||||||
+
|
|
||||||
+/* Evaluates to the number of elements in the specified array. */
|
|
||||||
+#define PAM_ARRAY_SIZE(a_) (sizeof(a_) / sizeof((a_)[0]) + PAM_MUST_BE_ARRAY(a_))
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Returns NULL if STR does not start with PREFIX,
|
|
||||||
+ * or a pointer to the first char in STR after PREFIX.
|
|
||||||
+ * The length of PREFIX is specified by PREFIX_LEN.
|
|
||||||
+ */
|
|
||||||
+static inline const char *
|
|
||||||
+pam_str_skip_prefix_len(const char *str, const char *prefix, size_t prefix_len)
|
|
||||||
+{
|
|
||||||
+ return strncmp(str, prefix, prefix_len) ? NULL : str + prefix_len;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#define pam_str_skip_prefix(str_, prefix_) \
|
|
||||||
+ pam_str_skip_prefix_len((str_), (prefix_), sizeof(prefix_) - 1 + PAM_MUST_BE_ARRAY(prefix_))
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Returns NULL if STR does not start with PREFIX
|
|
||||||
+ * (ignoring the case of the characters),
|
|
||||||
+ * or a pointer to the first char in STR after PREFIX.
|
|
||||||
+ * The length of PREFIX is specified by PREFIX_LEN.
|
|
||||||
+ */
|
|
||||||
+static inline const char *
|
|
||||||
+pam_str_skip_icase_prefix_len(const char *str, const char *prefix, size_t prefix_len)
|
|
||||||
+{
|
|
||||||
+ return strncasecmp(str, prefix, prefix_len) ? NULL : str + prefix_len;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#define pam_str_skip_icase_prefix(str_, prefix_) \
|
|
||||||
+ pam_str_skip_icase_prefix_len((str_), (prefix_), sizeof(prefix_) - 1 + PAM_MUST_BE_ARRAY(prefix_))
|
|
||||||
+
|
|
||||||
+#endif /* PAM_INLINE_H */
|
|
||||||
diff -up Linux-PAM-1.3.1/libpam/Makefile.am.inline Linux-PAM-1.3.1/libpam/Makefile.am
|
|
||||||
--- Linux-PAM-1.3.1/libpam/Makefile.am.inline 2022-05-26 10:44:31.702623614 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/libpam/Makefile.am 2022-05-26 10:45:21.146977780 +0200
|
|
||||||
@@ -18,7 +18,8 @@ include_HEADERS = include/security/_pam_
|
|
||||||
include/security/pam_ext.h include/security/pam_modutil.h
|
|
||||||
|
|
||||||
noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \
|
|
||||||
- pam_modutil_private.h include/pam_cc_compat.h
|
|
||||||
+ pam_modutil_private.h include/pam_cc_compat.h \
|
|
||||||
+ include/pam_inline.h
|
|
||||||
|
|
||||||
libpam_la_LDFLAGS = -no-undefined -version-info 84:2:84
|
|
||||||
libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@
|
|
@ -1,82 +0,0 @@
|
|||||||
From c426914fa166ffb0482b6f6ad659ddf17d5dfaa1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Nir Soffer <nsoffer@redhat.com>
|
|
||||||
Date: Wed, 9 Jan 2019 23:41:16 +0200
|
|
||||||
Subject: [PATCH] pam_lastlog: Improve silent option documentation
|
|
||||||
|
|
||||||
The silent option explicitly silents only the last login message and not
|
|
||||||
bad logins. Add a note to the manual to make this clear.
|
|
||||||
|
|
||||||
* modules/pam_lastlog/pam_lastlog.8.xml: Clearify "silent showfailed"
|
|
||||||
---
|
|
||||||
modules/pam_lastlog/pam_lastlog.8.xml | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml
|
|
||||||
index c8f247e..bc2e1be 100644
|
|
||||||
--- a/modules/pam_lastlog/pam_lastlog.8.xml
|
|
||||||
+++ b/modules/pam_lastlog/pam_lastlog.8.xml
|
|
||||||
@@ -102,6 +102,7 @@
|
|
||||||
<para>
|
|
||||||
Don't inform the user about any previous login,
|
|
||||||
just update the <filename>/var/log/lastlog</filename> file.
|
|
||||||
+ This option does not affect display of bad login attempts.
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
||||||
From 7d036249a9772c546ede1f38ad68b3f1575216d6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Nir Soffer <nsoffer@redhat.com>
|
|
||||||
Date: Sun, 6 Jan 2019 00:36:27 +0200
|
|
||||||
Subject: [PATCH] pam_lastlog: Respect PAM_SILENT flag
|
|
||||||
|
|
||||||
pam_lastlog module will not log info about failed login if the session
|
|
||||||
was opened with PAM_SILENT flag.
|
|
||||||
|
|
||||||
Example use case enabled by this change:
|
|
||||||
|
|
||||||
sudo --non-interactive program
|
|
||||||
|
|
||||||
If this command is run by another program expecting specific output from
|
|
||||||
the command run by sudo, the unexpected info about failed logins will
|
|
||||||
break this program.
|
|
||||||
|
|
||||||
* modules/pam_lastlog/pam_lastlog.c: Respect silent option.
|
|
||||||
(_pam_session_parse): Unset LASTLOG_BTMP if PAM_SILENT is set.
|
|
||||||
---
|
|
||||||
modules/pam_lastlog/pam_lastlog.c | 11 ++++++-----
|
|
||||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
|
|
||||||
index 18bf7be..e980c04 100644
|
|
||||||
--- a/modules/pam_lastlog/pam_lastlog.c
|
|
||||||
+++ b/modules/pam_lastlog/pam_lastlog.c
|
|
||||||
@@ -135,11 +135,6 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
{
|
|
||||||
int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE|LASTLOG_WTMP|LASTLOG_UPDATE);
|
|
||||||
|
|
||||||
- /* does the appliction require quiet? */
|
|
||||||
- if (flags & PAM_SILENT) {
|
|
||||||
- ctrl |= LASTLOG_QUIET;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
/* step through arguments */
|
|
||||||
for (; argc-- > 0; ++argv) {
|
|
||||||
|
|
||||||
@@ -168,6 +163,12 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* does the appliction require quiet? */
|
|
||||||
+ if (flags & PAM_SILENT) {
|
|
||||||
+ ctrl |= LASTLOG_QUIET;
|
|
||||||
+ ctrl &= ~LASTLOG_BTMP;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
D(("ctrl = %o", ctrl));
|
|
||||||
return ctrl;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
@ -1,227 +0,0 @@
|
|||||||
From 3a3e70739834cd5cbd17469907ef718c81ae40c0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Carlos Santos <casantos@redhat.com>
|
|
||||||
Date: Wed, 11 Sep 2019 11:50:28 -0300
|
|
||||||
Subject: [PATCH] pam_lastlog: document the 'unlimited' option
|
|
||||||
|
|
||||||
Signed-off-by: Carlos Santos <casantos@redhat.com>
|
|
||||||
---
|
|
||||||
modules/pam_lastlog/pam_lastlog.8.xml | 18 ++++++++++++++++++
|
|
||||||
1 file changed, 18 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml
|
|
||||||
index bc2e1be..f10e94a 100644
|
|
||||||
--- a/modules/pam_lastlog/pam_lastlog.8.xml
|
|
||||||
+++ b/modules/pam_lastlog/pam_lastlog.8.xml
|
|
||||||
@@ -48,6 +48,9 @@
|
|
||||||
<arg choice="opt">
|
|
||||||
inactive=<days>
|
|
||||||
</arg>
|
|
||||||
+ <arg choice="opt">
|
|
||||||
+ unlimited
|
|
||||||
+ </arg>
|
|
||||||
</cmdsynopsis>
|
|
||||||
</refsynopsisdiv>
|
|
||||||
|
|
||||||
@@ -196,6 +199,18 @@
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>
|
|
||||||
+ <option>unlimited</option>
|
|
||||||
+ </term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ If the <emphasis>fsize</emphasis> limit is set, this option can be
|
|
||||||
+ used to override it, preventing failures on systems with large UID
|
|
||||||
+ values that lead lastlog to become a huge sparse file.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
</refsect1>
|
|
||||||
|
|
||||||
@@ -300,6 +315,9 @@
|
|
||||||
<refsect1 id='pam_lastlog-see_also'>
|
|
||||||
<title>SEE ALSO</title>
|
|
||||||
<para>
|
|
||||||
+ <citerefentry>
|
|
||||||
+ <refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum>
|
|
||||||
+ </citerefentry>,
|
|
||||||
<citerefentry>
|
|
||||||
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
|
|
||||||
</citerefentry>,
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
||||||
From 9349333a9ae958205294cd25e97fd6b4805bd82b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Carlos Santos <casantos@redhat.com>
|
|
||||||
Date: Tue, 10 Sep 2019 23:08:30 -0300
|
|
||||||
Subject: [PATCH] pam_lastlog: prevent crash due to reduced 'fsize' limit
|
|
||||||
|
|
||||||
It a reduced fsize limit is set in /etc/security/limits.conf and
|
|
||||||
pam_limits is in use pam_lastlog may cause a crash, e.g.
|
|
||||||
|
|
||||||
----- begin /etc/pam.d/su ----
|
|
||||||
auth sufficient pam_rootok.so
|
|
||||||
auth required pam_wheel.so use_uid
|
|
||||||
auth required pam_env.so
|
|
||||||
auth required pam_unix.so nullok
|
|
||||||
account required pam_unix.so
|
|
||||||
password required pam_unix.so nullok
|
|
||||||
session required pam_limits.so
|
|
||||||
session required pam_env.so
|
|
||||||
session required pam_unix.so
|
|
||||||
session optional pam_lastlog.so
|
|
||||||
----- end /etc/pam.d/su -----
|
|
||||||
|
|
||||||
----- begin /etc/security/limits.d/fsize.conf -----
|
|
||||||
* soft fsize 1710
|
|
||||||
* hard fsize 1710
|
|
||||||
----- end /etc/security/limits.d/fsize.conf -----
|
|
||||||
|
|
||||||
# id user1
|
|
||||||
uid=1000(user1) gid=1000(user1) groups=1000(user1)
|
|
||||||
# su - user1
|
|
||||||
Last login: Wed Sep 11 01:52:44 UTC 2019 on console
|
|
||||||
$ exit
|
|
||||||
# id user2
|
|
||||||
uid=60000(user2) gid=60000(user2) groups=60000(user2)
|
|
||||||
# su - user2
|
|
||||||
File size limit exceeded
|
|
||||||
|
|
||||||
This happens because pam_limits sets RLIMIT_FSIZE before pam_lastlog
|
|
||||||
attempts to write /var/log/lastlog, leading to a SIGXFSZ signal.
|
|
||||||
|
|
||||||
In order to fix this, and an 'unlimited' option, which leads to saving
|
|
||||||
the 'fsize' limit and set it to unlimited before writing lastlog. After
|
|
||||||
that, restore the saved value. If 'fsize' is already unlimited nothing
|
|
||||||
is done.
|
|
||||||
|
|
||||||
Failing to set the 'fsize' limit is not a fatal error. With luck the
|
|
||||||
configured limit will suffice, so we try to write lastlog anyway, even
|
|
||||||
under the risk of dying due to a SIGXFSZ.
|
|
||||||
|
|
||||||
Failing to restore the 'fsize' limit is a fatal error, since we don't
|
|
||||||
want to keep it unlimited.
|
|
||||||
|
|
||||||
Signed-off-by: Carlos Santos <casantos@redhat.com>
|
|
||||||
---
|
|
||||||
modules/pam_lastlog/pam_lastlog.c | 66 ++++++++++++++++++++++++++-----
|
|
||||||
1 file changed, 57 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
|
|
||||||
index e980c04..a135c9f 100644
|
|
||||||
--- a/modules/pam_lastlog/pam_lastlog.c
|
|
||||||
+++ b/modules/pam_lastlog/pam_lastlog.c
|
|
||||||
@@ -25,6 +25,8 @@
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <string.h>
|
|
||||||
#include <sys/types.h>
|
|
||||||
+#include <sys/time.h>
|
|
||||||
+#include <sys/resource.h>
|
|
||||||
#include <syslog.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
|
|
||||||
@@ -82,15 +84,16 @@ struct lastlog {
|
|
||||||
|
|
||||||
/* argument parsing */
|
|
||||||
|
|
||||||
-#define LASTLOG_DATE 01 /* display the date of the last login */
|
|
||||||
-#define LASTLOG_HOST 02 /* display the last host used (if set) */
|
|
||||||
-#define LASTLOG_LINE 04 /* display the last terminal used */
|
|
||||||
-#define LASTLOG_NEVER 010 /* display a welcome message for first login */
|
|
||||||
-#define LASTLOG_DEBUG 020 /* send info to syslog(3) */
|
|
||||||
-#define LASTLOG_QUIET 040 /* keep quiet about things */
|
|
||||||
-#define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */
|
|
||||||
-#define LASTLOG_BTMP 0200 /* display failed login info from btmp */
|
|
||||||
-#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */
|
|
||||||
+#define LASTLOG_DATE 01 /* display the date of the last login */
|
|
||||||
+#define LASTLOG_HOST 02 /* display the last host used (if set) */
|
|
||||||
+#define LASTLOG_LINE 04 /* display the last terminal used */
|
|
||||||
+#define LASTLOG_NEVER 010 /* display a welcome message for first login */
|
|
||||||
+#define LASTLOG_DEBUG 020 /* send info to syslog(3) */
|
|
||||||
+#define LASTLOG_QUIET 040 /* keep quiet about things */
|
|
||||||
+#define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */
|
|
||||||
+#define LASTLOG_BTMP 0200 /* display failed login info from btmp */
|
|
||||||
+#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */
|
|
||||||
+#define LASTLOG_UNLIMITED 01000 /* unlimited file size (ignore 'fsize' limit) */
|
|
||||||
|
|
||||||
static int
|
|
||||||
_pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv,
|
|
||||||
@@ -158,6 +161,8 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
ctrl &= ~(LASTLOG_WTMP|LASTLOG_UPDATE);
|
|
||||||
} else if (!strcmp(*argv,"showfailed")) {
|
|
||||||
ctrl |= LASTLOG_BTMP;
|
|
||||||
+ } else if (!strcmp(*argv,"unlimited")) {
|
|
||||||
+ ctrl |= LASTLOG_UNLIMITED;
|
|
||||||
} else {
|
|
||||||
pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
|
|
||||||
}
|
|
||||||
@@ -373,6 +378,12 @@ static int
|
|
||||||
last_login_write(pam_handle_t *pamh, int announce, int last_fd,
|
|
||||||
uid_t uid, const char *user)
|
|
||||||
{
|
|
||||||
+ static struct rlimit no_limit = {
|
|
||||||
+ RLIM_INFINITY,
|
|
||||||
+ RLIM_INFINITY
|
|
||||||
+ };
|
|
||||||
+ struct rlimit old_limit;
|
|
||||||
+ int setrlimit_res;
|
|
||||||
struct flock last_lock;
|
|
||||||
struct lastlog last_login;
|
|
||||||
time_t ll_time;
|
|
||||||
@@ -427,6 +438,31 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd,
|
|
||||||
sleep(LASTLOG_IGNORE_LOCK_TIME);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /*
|
|
||||||
+ * Failing to set the 'fsize' limit is not a fatal error. We try to write
|
|
||||||
+ * lastlog anyway, under the risk of dying due to a SIGXFSZ.
|
|
||||||
+ */
|
|
||||||
+ D(("setting limit for 'fsize'"));
|
|
||||||
+
|
|
||||||
+ if ((announce & LASTLOG_UNLIMITED) == 0) { /* don't set to unlimted */
|
|
||||||
+ setrlimit_res = -1;
|
|
||||||
+ } else if (getrlimit(RLIMIT_FSIZE, &old_limit) == 0) {
|
|
||||||
+ if (old_limit.rlim_cur == RLIM_INFINITY) { /* already unlimited */
|
|
||||||
+ setrlimit_res = -1;
|
|
||||||
+ } else {
|
|
||||||
+ setrlimit_res = setrlimit(RLIMIT_FSIZE, &no_limit);
|
|
||||||
+ if (setrlimit_res != 0)
|
|
||||||
+ pam_syslog(pamh, LOG_WARNING, "Could not set limit for 'fsize': %m");
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ setrlimit_res = -1;
|
|
||||||
+ if (errno == EINVAL) {
|
|
||||||
+ pam_syslog(pamh, LOG_INFO, "Limit for 'fsize' not supported: %m");
|
|
||||||
+ } else {
|
|
||||||
+ pam_syslog(pamh, LOG_WARNING, "Could not get limit for 'fsize': %m");
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
D(("writing to the lastlog file"));
|
|
||||||
if (pam_modutil_write (last_fd, (char *) &last_login,
|
|
||||||
sizeof (last_login)) != sizeof(last_login)) {
|
|
||||||
@@ -434,6 +470,18 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd,
|
|
||||||
retval = PAM_SERVICE_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /*
|
|
||||||
+ * Failing to restore the 'fsize' limit is a fatal error.
|
|
||||||
+ */
|
|
||||||
+ D(("restoring limit for 'fsize'"));
|
|
||||||
+ if (setrlimit_res == 0) {
|
|
||||||
+ setrlimit_res = setrlimit(RLIMIT_FSIZE, &old_limit);
|
|
||||||
+ if (setrlimit_res != 0) {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "Could not restore limit for 'fsize': %m");
|
|
||||||
+ retval = PAM_SERVICE_ERR;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
last_lock.l_type = F_UNLCK;
|
|
||||||
(void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */
|
|
||||||
D(("unlocked"));
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
@ -1,25 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml.motd-manpage Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml.motd-manpage 2018-05-18 11:50:46.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml 2019-12-19 10:29:36.243558251 +0100
|
|
||||||
@@ -31,10 +31,19 @@
|
|
||||||
<para>
|
|
||||||
pam_motd is a PAM module that can be used to display
|
|
||||||
arbitrary motd (message of the day) files after a successful
|
|
||||||
- login. By default the <filename>/etc/motd</filename> file is
|
|
||||||
+ login. By default the <filename>/etc/motd</filename> file and
|
|
||||||
+ all files from <filename>/etc/motd.d</filename> are
|
|
||||||
shown. The message size is limited to 64KB.
|
|
||||||
</para>
|
|
||||||
-
|
|
||||||
+ <para>
|
|
||||||
+ To silence a message,
|
|
||||||
+ a symbolic link with target <filename>/dev/null</filename>
|
|
||||||
+ may be placed in <filename>/etc/motd.d</filename> with
|
|
||||||
+ the same filename as the message to be silenced. Example:
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ <command>ln -sfn /dev/null /etc/motd.d/my_motd</command>
|
|
||||||
+ </para>
|
|
||||||
</refsect1>
|
|
||||||
|
|
||||||
<refsect1 id="pam_motd-options">
|
|
@ -1,68 +0,0 @@
|
|||||||
From 491e5500b6b3913f531574208274358a2df88659 Mon Sep 17 00:00:00 2001
|
|
||||||
From: ikerexxe <ipedrosa@redhat.com>
|
|
||||||
Date: Mon, 5 Oct 2020 10:41:29 +0200
|
|
||||||
Subject: [PATCH] pam_namespace: polyinstantiation refer to gdm doc
|
|
||||||
|
|
||||||
modules/pam_namespace/pam_namespace.8.xml: delete obsolete information
|
|
||||||
about polyinstantiation and refer to gdm's documentation.
|
|
||||||
|
|
||||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1861841
|
|
||||||
---
|
|
||||||
modules/pam_namespace/pam_namespace.8.xml | 41 ++---------------------
|
|
||||||
1 file changed, 2 insertions(+), 39 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml
|
|
||||||
index f0f80d33..57c44c4b 100644
|
|
||||||
--- a/modules/pam_namespace/pam_namespace.8.xml
|
|
||||||
+++ b/modules/pam_namespace/pam_namespace.8.xml
|
|
||||||
@@ -343,45 +343,8 @@
|
|
||||||
</para>
|
|
||||||
|
|
||||||
<para>
|
|
||||||
- To use polyinstantiation with graphical display manager gdm, insert the
|
|
||||||
- following line, before exit 0, in /etc/gdm/PostSession/Default:
|
|
||||||
- </para>
|
|
||||||
-
|
|
||||||
- <para>
|
|
||||||
- /usr/sbin/gdm-safe-restart
|
|
||||||
- </para>
|
|
||||||
-
|
|
||||||
- <para>
|
|
||||||
- This allows gdm to restart after each session and appropriately adjust
|
|
||||||
- namespaces of display manager and the X server. If polyinstantiation
|
|
||||||
- of /tmp is desired along with the graphical environment, then additional
|
|
||||||
- configuration changes are needed to address the interaction of X server
|
|
||||||
- and font server namespaces with their use of /tmp to create
|
|
||||||
- communication sockets. Please use the initialization script
|
|
||||||
- <filename>/etc/security/namespace.init</filename> to ensure that
|
|
||||||
- the X server and its clients can appropriately access the
|
|
||||||
- communication socket X0. Please refer to the sample instructions
|
|
||||||
- provided in the comment section of the instance initialization script
|
|
||||||
- <filename>/etc/security/namespace.init</filename>. In addition,
|
|
||||||
- perform the following changes to use graphical environment with
|
|
||||||
- polyinstantiation of /tmp:
|
|
||||||
- </para>
|
|
||||||
-
|
|
||||||
- <para>
|
|
||||||
- <literallayout>
|
|
||||||
- 1. Disable the use of font server by commenting out "FontPath"
|
|
||||||
- line in /etc/X11/xorg.conf. If you do want to use the font server
|
|
||||||
- then you will have to augment the instance initialization
|
|
||||||
- script to appropriately provide /tmp/.font-unix from the
|
|
||||||
- polyinstantiated /tmp.
|
|
||||||
- 2. Ensure that the gdm service is setup to use pam_namespace,
|
|
||||||
- as described above, by modifying /etc/pam.d/gdm.
|
|
||||||
- 3. Ensure that the display manager is configured to restart X server
|
|
||||||
- with each new session. This default setup can be verified by
|
|
||||||
- making sure that /usr/share/gdm/defaults.conf contains
|
|
||||||
- "AlwaysRestartServer=true", and it is not overridden by
|
|
||||||
- /etc/gdm/custom.conf.
|
|
||||||
- </literallayout>
|
|
||||||
+ To use polyinstantiation with graphical display manager gdm, please refer
|
|
||||||
+ to gdm's documentation.
|
|
||||||
</para>
|
|
||||||
|
|
||||||
</refsect1>
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,131 +0,0 @@
|
|||||||
diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml
|
|
||||||
index c7698cb..a94b49e 100644
|
|
||||||
--- a/modules/pam_namespace/namespace.conf.5.xml
|
|
||||||
+++ b/modules/pam_namespace/namespace.conf.5.xml
|
|
||||||
@@ -122,9 +122,14 @@
|
|
||||||
<para><emphasis>mntopts</emphasis>=<replaceable>value</replaceable>
|
|
||||||
- value of this flag is passed to the mount call when the tmpfs mount is
|
|
||||||
done. It allows for example the specification of the maximum size of the
|
|
||||||
- tmpfs instance that is created by the mount call. See <citerefentry>
|
|
||||||
- <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum>
|
|
||||||
- </citerefentry> for details.
|
|
||||||
+ tmpfs instance that is created by the mount call. In addition to
|
|
||||||
+ options specified in the <citerefentry>
|
|
||||||
+ <refentrytitle>tmpfs</refentrytitle><manvolnum>5</manvolnum>
|
|
||||||
+ </citerefentry> manual the <emphasis>nosuid</emphasis>,
|
|
||||||
+ <emphasis>noexec</emphasis>, and <emphasis>nodev</emphasis> flags
|
|
||||||
+ can be used to respectively disable setuid bit effect, disable running
|
|
||||||
+ executables, and disable devices to be interpreted on the mounted
|
|
||||||
+ tmpfs filesystem.
|
|
||||||
</para>
|
|
||||||
|
|
||||||
<para>
|
|
||||||
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
|
|
||||||
index f541f89..660c7a1 100644
|
|
||||||
--- a/modules/pam_namespace/pam_namespace.c
|
|
||||||
+++ b/modules/pam_namespace/pam_namespace.c
|
|
||||||
@@ -230,6 +230,73 @@ static int parse_iscript_params(char *params, struct polydir_s *poly)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+struct mntflag {
|
|
||||||
+ const char *name;
|
|
||||||
+ size_t len;
|
|
||||||
+ unsigned long flag;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+#define LITERAL_AND_LEN(x) x, sizeof(x) - 1
|
|
||||||
+
|
|
||||||
+static const struct mntflag mntflags[] = {
|
|
||||||
+ { LITERAL_AND_LEN("noexec"), MS_NOEXEC },
|
|
||||||
+ { LITERAL_AND_LEN("nosuid"), MS_NOSUID },
|
|
||||||
+ { LITERAL_AND_LEN("nodev"), MS_NODEV }
|
|
||||||
+ };
|
|
||||||
+
|
|
||||||
+static int filter_mntopts(const char *opts, char **filtered,
|
|
||||||
+ unsigned long *mountflags)
|
|
||||||
+{
|
|
||||||
+ size_t origlen = strlen(opts);
|
|
||||||
+ const char *end;
|
|
||||||
+ char *dest;
|
|
||||||
+
|
|
||||||
+ dest = *filtered = NULL;
|
|
||||||
+ *mountflags = 0;
|
|
||||||
+
|
|
||||||
+ if (origlen == 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ do {
|
|
||||||
+ size_t len;
|
|
||||||
+ int i;
|
|
||||||
+
|
|
||||||
+ end = strchr(opts, ',');
|
|
||||||
+ if (end == NULL) {
|
|
||||||
+ len = strlen(opts);
|
|
||||||
+ } else {
|
|
||||||
+ len = end - opts;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < (int)(sizeof(mntflags)/sizeof(mntflags[0])); i++) {
|
|
||||||
+ if (mntflags[i].len != len)
|
|
||||||
+ continue;
|
|
||||||
+ if (memcmp(mntflags[i].name, opts, len) == 0) {
|
|
||||||
+ *mountflags |= mntflags[i].flag;
|
|
||||||
+ opts = end;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (opts != end) {
|
|
||||||
+ if (dest != NULL) {
|
|
||||||
+ *dest = ',';
|
|
||||||
+ ++dest;
|
|
||||||
+ } else {
|
|
||||||
+ dest = *filtered = calloc(1, origlen + 1);
|
|
||||||
+ if (dest == NULL)
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ memcpy(dest, opts, len);
|
|
||||||
+ dest += len;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ opts = end + 1;
|
|
||||||
+ } while (end != NULL);
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int parse_method(char *method, struct polydir_s *poly,
|
|
||||||
struct instance_data *idata)
|
|
||||||
{
|
|
||||||
@@ -289,7 +356,8 @@ static int parse_method(char *method, struct polydir_s *poly,
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
free(poly->mount_opts); /* if duplicate mntopts specified */
|
|
||||||
- if ((poly->mount_opts = strdup(flag+namelen+1)) == NULL) {
|
|
||||||
+ poly->mount_opts = NULL;
|
|
||||||
+ if (filter_mntopts(flag+namelen+1, &poly->mount_opts, &poly->mount_flags) != 0) {
|
|
||||||
pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
@@ -1484,7 +1552,7 @@ static int ns_setup(struct polydir_s *polyptr,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (polyptr->method == TMPFS) {
|
|
||||||
- if (mount("tmpfs", polyptr->dir, "tmpfs", 0, polyptr->mount_opts) < 0) {
|
|
||||||
+ if (mount("tmpfs", polyptr->dir, "tmpfs", polyptr->mount_flags, polyptr->mount_opts) < 0) {
|
|
||||||
pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m",
|
|
||||||
polyptr->dir);
|
|
||||||
return PAM_SESSION_ERR;
|
|
||||||
diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h
|
|
||||||
index 47ebcc3..1522386 100644
|
|
||||||
--- a/modules/pam_namespace/pam_namespace.h
|
|
||||||
+++ b/modules/pam_namespace/pam_namespace.h
|
|
||||||
@@ -166,6 +166,7 @@ struct polydir_s {
|
|
||||||
unsigned int flags; /* polydir flags */
|
|
||||||
char *init_script; /* path to init script */
|
|
||||||
char *mount_opts; /* mount options for tmpfs mount */
|
|
||||||
+ unsigned long mount_flags; /* mount flags for tmpfs mount */
|
|
||||||
uid_t owner; /* user which should own the polydir */
|
|
||||||
gid_t group; /* group which should own the polydir */
|
|
||||||
mode_t mode; /* mode of the polydir */
|
|
@ -1,58 +0,0 @@
|
|||||||
From 031bb5a5d0d950253b68138b498dc93be69a64cb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matthias Gerstner <matthias.gerstner@suse.de>
|
|
||||||
Date: Wed, 27 Dec 2023 14:01:59 +0100
|
|
||||||
Subject: [PATCH] pam_namespace: protect_dir(): use O_DIRECTORY to prevent
|
|
||||||
local DoS situations
|
|
||||||
|
|
||||||
Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
|
|
||||||
being placed in user controlled directories, causing the PAM module to
|
|
||||||
block indefinitely during `openat()`.
|
|
||||||
|
|
||||||
Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
|
|
||||||
refer to a directory.
|
|
||||||
|
|
||||||
With this the check whether the final path element is a directory
|
|
||||||
becomes unnecessary, drop it.
|
|
||||||
---
|
|
||||||
modules/pam_namespace/pam_namespace.c | 18 +-----------------
|
|
||||||
1 file changed, 1 insertion(+), 17 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
|
|
||||||
index 2528cff8..f72d6718 100644
|
|
||||||
--- a/modules/pam_namespace/pam_namespace.c
|
|
||||||
+++ b/modules/pam_namespace/pam_namespace.c
|
|
||||||
@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
|
|
||||||
int dfd = AT_FDCWD;
|
|
||||||
int dfd_next;
|
|
||||||
int save_errno;
|
|
||||||
- int flags = O_RDONLY;
|
|
||||||
+ int flags = O_RDONLY | O_DIRECTORY;
|
|
||||||
int rv = -1;
|
|
||||||
struct stat st;
|
|
||||||
|
|
||||||
@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
|
|
||||||
rv = openat(dfd, dir, flags);
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (rv != -1) {
|
|
||||||
- if (fstat(rv, &st) != 0) {
|
|
||||||
- save_errno = errno;
|
|
||||||
- close(rv);
|
|
||||||
- rv = -1;
|
|
||||||
- errno = save_errno;
|
|
||||||
- goto error;
|
|
||||||
- }
|
|
||||||
- if (!S_ISDIR(st.st_mode)) {
|
|
||||||
- close(rv);
|
|
||||||
- errno = ENOTDIR;
|
|
||||||
- rv = -1;
|
|
||||||
- goto error;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
if (flags & O_NOFOLLOW) {
|
|
||||||
/* we are inside user-owned dir - protect */
|
|
||||||
if (protect_mount(rv, p, idata) == -1) {
|
|
||||||
--
|
|
||||||
2.43.0
|
|
||||||
|
|
@ -1,24 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.3.1/doc/Makefile.am.noflex Linux-PAM-1.3.1/doc/Makefile.am
|
|
||||||
--- Linux-PAM-1.3.1/doc/Makefile.am.noflex 2017-02-10 11:10:15.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.3.1/doc/Makefile.am 2018-05-18 14:53:50.300997606 +0200
|
|
||||||
@@ -2,7 +2,7 @@
|
|
||||||
# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
|
|
||||||
#
|
|
||||||
|
|
||||||
-SUBDIRS = man specs sag adg mwg
|
|
||||||
+SUBDIRS = man sag adg mwg
|
|
||||||
|
|
||||||
CLEANFILES = *~
|
|
||||||
|
|
||||||
diff -up Linux-PAM-1.3.1/Makefile.am.noflex Linux-PAM-1.3.1/Makefile.am
|
|
||||||
--- Linux-PAM-1.3.1/Makefile.am.noflex 2018-05-18 14:53:50.301997629 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/Makefile.am 2018-05-18 14:55:31.576353800 +0200
|
|
||||||
@@ -4,7 +4,7 @@
|
|
||||||
|
|
||||||
AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 dist-xz check-news
|
|
||||||
|
|
||||||
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
|
|
||||||
+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
|
|
||||||
|
|
||||||
CLEANFILES = *~
|
|
||||||
|
|
@ -1,63 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h.pam-cc-compat Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h
|
|
||||||
--- Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h.pam-cc-compat 2022-05-26 10:43:50.436328027 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h 2022-05-26 10:43:50.436328027 +0200
|
|
||||||
@@ -0,0 +1,47 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org>
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#ifndef PAM_CC_COMPAT_H
|
|
||||||
+#define PAM_CC_COMPAT_H
|
|
||||||
+
|
|
||||||
+#include "config.h"
|
|
||||||
+#include <security/_pam_types.h>
|
|
||||||
+
|
|
||||||
+#if defined __clang__ && defined __clang_major__ && defined __clang_minor__
|
|
||||||
+# define PAM_CLANG_PREREQ(maj, min) \
|
|
||||||
+ ((__clang_major__ << 16) + __clang_minor__ >= ((maj) << 16) + (min))
|
|
||||||
+#else
|
|
||||||
+# define PAM_CLANG_PREREQ(maj, min) 0
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#if PAM_GNUC_PREREQ(4, 6)
|
|
||||||
+# define DIAG_PUSH_IGNORE_CAST_QUAL \
|
|
||||||
+ _Pragma("GCC diagnostic push"); \
|
|
||||||
+ _Pragma("GCC diagnostic ignored \"-Wcast-qual\"")
|
|
||||||
+# define DIAG_POP_IGNORE_CAST_QUAL \
|
|
||||||
+ _Pragma("GCC diagnostic pop")
|
|
||||||
+# define DIAG_PUSH_IGNORE_CAST_ALIGN \
|
|
||||||
+ _Pragma("GCC diagnostic push"); \
|
|
||||||
+ _Pragma("GCC diagnostic ignored \"-Wcast-align\"")
|
|
||||||
+# define DIAG_POP_IGNORE_CAST_ALIGN \
|
|
||||||
+ _Pragma("GCC diagnostic pop")
|
|
||||||
+#elif PAM_CLANG_PREREQ(2, 6)
|
|
||||||
+# define DIAG_PUSH_IGNORE_CAST_QUAL \
|
|
||||||
+ _Pragma("clang diagnostic push"); \
|
|
||||||
+ _Pragma("clang diagnostic ignored \"-Wcast-qual\"")
|
|
||||||
+# define DIAG_POP_IGNORE_CAST_QUAL \
|
|
||||||
+ _Pragma("clang diagnostic pop")
|
|
||||||
+# define DIAG_PUSH_IGNORE_CAST_ALIGN \
|
|
||||||
+ _Pragma("clang diagnostic push"); \
|
|
||||||
+ _Pragma("clang diagnostic ignored \"-Wcast-align\"")
|
|
||||||
+# define DIAG_POP_IGNORE_CAST_ALIGN \
|
|
||||||
+ _Pragma("clang diagnostic pop")
|
|
||||||
+#else
|
|
||||||
+# define DIAG_PUSH_IGNORE_CAST_QUAL /* empty */
|
|
||||||
+# define DIAG_POP_IGNORE_CAST_QUAL /* empty */
|
|
||||||
+# define DIAG_PUSH_IGNORE_CAST_ALIGN /* empty */
|
|
||||||
+# define DIAG_POP_IGNORE_CAST_ALIGN /* empty */
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#endif /* PAM_CC_COMPAT_H */
|
|
||||||
diff -up Linux-PAM-1.3.1/libpam/Makefile.am.pam-cc-compat Linux-PAM-1.3.1/libpam/Makefile.am
|
|
||||||
--- Linux-PAM-1.3.1/libpam/Makefile.am.pam-cc-compat 2022-05-26 10:43:50.436328027 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/libpam/Makefile.am 2022-05-26 10:44:00.865402730 +0200
|
|
||||||
@@ -18,7 +18,7 @@ include_HEADERS = include/security/_pam_
|
|
||||||
include/security/pam_ext.h include/security/pam_modutil.h
|
|
||||||
|
|
||||||
noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \
|
|
||||||
- pam_modutil_private.h
|
|
||||||
+ pam_modutil_private.h include/pam_cc_compat.h
|
|
||||||
|
|
||||||
libpam_la_LDFLAGS = -no-undefined -version-info 84:2:84
|
|
||||||
libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@
|
|
@ -1,125 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.3.1/modules/pam_keyinit/pam_keyinit.c.pam_keyinit-thread-safe Linux-PAM-1.3.1/modules/pam_keyinit/pam_keyinit.c
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_keyinit/pam_keyinit.c.pam_keyinit-thread-safe 2017-02-10 11:10:15.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_keyinit/pam_keyinit.c 2022-04-25 12:10:28.071240439 +0200
|
|
||||||
@@ -20,6 +20,7 @@
|
|
||||||
#include <security/pam_modutil.h>
|
|
||||||
#include <security/pam_ext.h>
|
|
||||||
#include <sys/syscall.h>
|
|
||||||
+#include <stdatomic.h>
|
|
||||||
|
|
||||||
#define KEY_SPEC_SESSION_KEYRING -3 /* ID for session keyring */
|
|
||||||
#define KEY_SPEC_USER_KEYRING -4 /* ID for UID-specific keyring */
|
|
||||||
@@ -30,12 +31,12 @@
|
|
||||||
#define KEYCTL_REVOKE 3 /* revoke a key */
|
|
||||||
#define KEYCTL_LINK 8 /* link a key into a keyring */
|
|
||||||
|
|
||||||
-static int my_session_keyring;
|
|
||||||
-static int session_counter;
|
|
||||||
-static int do_revoke;
|
|
||||||
-static int revoke_as_uid;
|
|
||||||
-static int revoke_as_gid;
|
|
||||||
-static int xdebug = 0;
|
|
||||||
+static _Thread_local int my_session_keyring = 0;
|
|
||||||
+static _Atomic int session_counter = 0;
|
|
||||||
+static _Thread_local int do_revoke = 0;
|
|
||||||
+static _Thread_local uid_t revoke_as_uid;
|
|
||||||
+static _Thread_local gid_t revoke_as_gid;
|
|
||||||
+static _Thread_local int xdebug = 0;
|
|
||||||
|
|
||||||
static void debug(pam_handle_t *pamh, const char *fmt, ...)
|
|
||||||
__attribute__((format(printf, 2, 3)));
|
|
||||||
@@ -65,6 +66,33 @@ static int error(pam_handle_t *pamh, con
|
|
||||||
return PAM_SESSION_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int pam_setreuid(uid_t ruid, uid_t euid)
|
|
||||||
+{
|
|
||||||
+#if defined(SYS_setreuid32)
|
|
||||||
+ return syscall(SYS_setreuid32, ruid, euid);
|
|
||||||
+#else
|
|
||||||
+ return syscall(SYS_setreuid, ruid, euid);
|
|
||||||
+#endif
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int pam_setregid(gid_t rgid, gid_t egid)
|
|
||||||
+{
|
|
||||||
+#if defined(SYS_setregid32)
|
|
||||||
+ return syscall(SYS_setregid32, rgid, egid);
|
|
||||||
+#else
|
|
||||||
+ return syscall(SYS_setregid, rgid, egid);
|
|
||||||
+#endif
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int pam_setresuid(uid_t ruid, uid_t euid, uid_t suid)
|
|
||||||
+{
|
|
||||||
+#if defined(SYS_setresuid32)
|
|
||||||
+ return syscall(SYS_setresuid32, ruid, euid, suid);
|
|
||||||
+#else
|
|
||||||
+ return syscall(SYS_setresuid, ruid, euid, suid);
|
|
||||||
+#endif
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* initialise the session keyring for this process
|
|
||||||
*/
|
|
||||||
@@ -139,23 +167,25 @@ static void kill_keyrings(pam_handle_t *
|
|
||||||
|
|
||||||
/* switch to the real UID and GID so that we have permission to
|
|
||||||
* revoke the key */
|
|
||||||
- if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0)
|
|
||||||
+ if (revoke_as_gid != old_gid && pam_setregid(-1, revoke_as_gid) < 0)
|
|
||||||
error(pamh, "Unable to change GID to %d temporarily\n",
|
|
||||||
revoke_as_gid);
|
|
||||||
|
|
||||||
- if (revoke_as_uid != old_uid && setresuid(-1, revoke_as_uid, old_uid) < 0)
|
|
||||||
+ if (revoke_as_uid != old_uid && pam_setresuid(-1, revoke_as_uid, old_uid) < 0)
|
|
||||||
error(pamh, "Unable to change UID to %d temporarily\n",
|
|
||||||
revoke_as_uid);
|
|
||||||
+ if (getegid() != old_gid && pam_setregid(-1, old_gid) < 0)
|
|
||||||
+ error(pamh, "Unable to change GID back to %d\n", old_gid);
|
|
||||||
|
|
||||||
syscall(__NR_keyctl,
|
|
||||||
KEYCTL_REVOKE,
|
|
||||||
my_session_keyring);
|
|
||||||
|
|
||||||
/* return to the orignal UID and GID (probably root) */
|
|
||||||
- if (revoke_as_uid != old_uid && setreuid(-1, old_uid) < 0)
|
|
||||||
+ if (revoke_as_uid != old_uid && pam_setreuid(-1, old_uid) < 0)
|
|
||||||
error(pamh, "Unable to change UID back to %d\n", old_uid);
|
|
||||||
|
|
||||||
- if (revoke_as_gid != old_gid && setregid(-1, old_gid) < 0)
|
|
||||||
+ if (revoke_as_gid != old_gid && pam_setregid(-1, old_gid) < 0)
|
|
||||||
error(pamh, "Unable to change GID back to %d\n", old_gid);
|
|
||||||
|
|
||||||
my_session_keyring = 0;
|
|
||||||
@@ -210,14 +240,14 @@ int pam_sm_open_session(pam_handle_t *pa
|
|
||||||
|
|
||||||
/* switch to the real UID and GID so that the keyring ends up owned by
|
|
||||||
* the right user */
|
|
||||||
- if (gid != old_gid && setregid(gid, -1) < 0) {
|
|
||||||
+ if (gid != old_gid && pam_setregid(gid, -1) < 0) {
|
|
||||||
error(pamh, "Unable to change GID to %d temporarily\n", gid);
|
|
||||||
return PAM_SESSION_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (uid != old_uid && setreuid(uid, -1) < 0) {
|
|
||||||
+ if (uid != old_uid && pam_setreuid(uid, -1) < 0) {
|
|
||||||
error(pamh, "Unable to change UID to %d temporarily\n", uid);
|
|
||||||
- if (setregid(old_gid, -1) < 0)
|
|
||||||
+ if (pam_setregid(old_gid, -1) < 0)
|
|
||||||
error(pamh, "Unable to change GID back to %d\n", old_gid);
|
|
||||||
return PAM_SESSION_ERR;
|
|
||||||
}
|
|
||||||
@@ -225,10 +255,10 @@ int pam_sm_open_session(pam_handle_t *pa
|
|
||||||
ret = init_keyrings(pamh, force);
|
|
||||||
|
|
||||||
/* return to the orignal UID and GID (probably root) */
|
|
||||||
- if (uid != old_uid && setreuid(old_uid, -1) < 0)
|
|
||||||
+ if (uid != old_uid && pam_setreuid(old_uid, -1) < 0)
|
|
||||||
ret = error(pamh, "Unable to change UID back to %d\n", old_uid);
|
|
||||||
|
|
||||||
- if (gid != old_gid && setregid(old_gid, -1) < 0)
|
|
||||||
+ if (gid != old_gid && pam_setregid(old_gid, -1) < 0)
|
|
||||||
ret = error(pamh, "Unable to change GID back to %d\n", old_gid);
|
|
||||||
|
|
||||||
return ret;
|
|
@ -1,78 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.3.1/modules/pam_limits/limits.conf.5.xml.pam-limits-unlimited-value Linux-PAM-1.3.1/modules/pam_limits/limits.conf.5.xml
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_limits/limits.conf.5.xml.pam-limits-unlimited-value 2022-01-28 09:45:41.431606850 +0100
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_limits/limits.conf.5.xml 2022-01-28 09:47:31.732430391 +0100
|
|
||||||
@@ -275,6 +275,8 @@
|
|
||||||
All items support the values <emphasis>-1</emphasis>,
|
|
||||||
<emphasis>unlimited</emphasis> or <emphasis>infinity</emphasis> indicating no limit,
|
|
||||||
except for <emphasis remap='B'>priority</emphasis> and <emphasis remap='B'>nice</emphasis>.
|
|
||||||
+ If <emphasis remap='B'>nofile</emphasis> is to be set to one of these values,
|
|
||||||
+ it will be set to the contents of /proc/sys/fs/nr_open instead (see setrlimit(3)).
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
If a hard limit or soft limit of a resource is set to a valid value,
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_limits/pam_limits.c.pam-limits-unlimited-value Linux-PAM-1.3.1/modules/pam_limits/pam_limits.c
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_limits/pam_limits.c.pam-limits-unlimited-value 2022-01-28 09:45:41.415606731 +0100
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_limits/pam_limits.c 2022-01-28 09:45:41.431606850 +0100
|
|
||||||
@@ -487,6 +487,41 @@ static int init_limits(pam_handle_t *pam
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * Read the contents of <pathname> and return it in *valuep
|
|
||||||
+ * return 1 if conversion succeeds, result is in *valuep
|
|
||||||
+ * return 0 if conversion fails, *valuep is untouched.
|
|
||||||
+ */
|
|
||||||
+static int
|
|
||||||
+value_from_file(const char *pathname, rlim_t *valuep)
|
|
||||||
+{
|
|
||||||
+ char buf[128];
|
|
||||||
+ FILE *fp;
|
|
||||||
+ int retval;
|
|
||||||
+
|
|
||||||
+ retval = 0;
|
|
||||||
+
|
|
||||||
+ if ((fp = fopen(pathname, "r")) != NULL) {
|
|
||||||
+ if (fgets(buf, sizeof(buf), fp) != NULL) {
|
|
||||||
+ char *endptr;
|
|
||||||
+ unsigned long long value;
|
|
||||||
+
|
|
||||||
+ errno = 0;
|
|
||||||
+ value = strtoull(buf, &endptr, 10);
|
|
||||||
+ if (endptr != buf &&
|
|
||||||
+ (value != ULLONG_MAX || errno == 0) &&
|
|
||||||
+ (unsigned long long) (rlim_t) value == value) {
|
|
||||||
+ *valuep = (rlim_t) value;
|
|
||||||
+ retval = 1;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ fclose(fp);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return retval;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static void
|
|
||||||
process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
|
|
||||||
const char *lim_item, const char *lim_value,
|
|
||||||
@@ -652,6 +687,20 @@ process_limit (const pam_handle_t *pamh,
|
|
||||||
rlimit_value = 20 - int_value;
|
|
||||||
break;
|
|
||||||
#endif
|
|
||||||
+ case RLIMIT_NOFILE:
|
|
||||||
+ /*
|
|
||||||
+ * If nofile is to be set to "unlimited", try to set it to
|
|
||||||
+ * the value in /proc/sys/fs/nr_open instead.
|
|
||||||
+ */
|
|
||||||
+ if (rlimit_value == RLIM_INFINITY) {
|
|
||||||
+ if (!value_from_file("/proc/sys/fs/nr_open", &rlimit_value))
|
|
||||||
+ pam_syslog(pamh, LOG_WARNING,
|
|
||||||
+ "Cannot set \"nofile\" to a sensible value");
|
|
||||||
+ else if (ctrl & PAM_DEBUG_ARG)
|
|
||||||
+ pam_syslog(pamh, LOG_DEBUG, "Setting \"nofile\" limit to %llu",
|
|
||||||
+ (unsigned long long) rlimit_value);
|
|
||||||
+ }
|
|
||||||
+ break;
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( (limit_item != LIMIT_LOGIN)
|
|
@ -1,29 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.3.1/configure.ac.pam-misc-configurable Linux-PAM-1.3.1/configure.ac
|
|
||||||
--- Linux-PAM-1.3.1/configure.ac.pam-misc-configurable 2023-06-26 09:57:00.243146563 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/configure.ac 2023-06-26 09:59:45.353636685 +0200
|
|
||||||
@@ -621,6 +621,13 @@ if test x"$opt_kerneloverflowuid" == x;
|
|
||||||
fi
|
|
||||||
AC_DEFINE_UNQUOTED(PAM_USERTYPE_OVERFLOW_UID, $opt_kerneloverflowuid, [Kernel overflow uid.])
|
|
||||||
|
|
||||||
+AC_ARG_WITH([misc-conv-bufsize],
|
|
||||||
+AS_HELP_STRING([--with-misc-conv-bufsize=<number>],
|
|
||||||
+ [Size of input buffer for libpam_misc's misc_conv() conversation function, default=4096]),
|
|
||||||
+ [],
|
|
||||||
+ [with_misc_conv_bufsize=4096])
|
|
||||||
+AC_DEFINE_UNQUOTED(PAM_MISC_CONV_BUFSIZE, $with_misc_conv_bufsize, [libpam_misc misc_conv() buffer size.])
|
|
||||||
+
|
|
||||||
dnl Files to be created from when we run configure
|
|
||||||
AC_CONFIG_FILES([Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile \
|
|
||||||
libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
|
|
||||||
diff -up Linux-PAM-1.3.1/libpam_misc/misc_conv.c.pam-misc-configurable Linux-PAM-1.3.1/libpam_misc/misc_conv.c
|
|
||||||
--- Linux-PAM-1.3.1/libpam_misc/misc_conv.c.pam-misc-configurable 2023-06-26 09:57:00.242146560 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/libpam_misc/misc_conv.c 2023-06-26 10:00:38.023787972 +0200
|
|
||||||
@@ -18,7 +18,7 @@
|
|
||||||
#include <security/pam_appl.h>
|
|
||||||
#include <security/pam_misc.h>
|
|
||||||
|
|
||||||
-#define INPUTSIZE PAM_MAX_MSG_SIZE /* maximum length of input+1 */
|
|
||||||
+#define INPUTSIZE PAM_MISC_CONV_BUFSIZE /* maximum length of input+1 */
|
|
||||||
#define CONV_ECHO_ON 1 /* types of echo state */
|
|
||||||
#define CONV_ECHO_OFF 0
|
|
||||||
|
|
@ -1,74 +0,0 @@
|
|||||||
From b6f73810a2e7afd02a231e2dfa14b05752c83db7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
|
||||||
Date: Wed, 26 Feb 2020 19:20:58 +0000
|
|
||||||
Subject: [PATCH] pam_modutil_sanitize_helper_fds: fix SIGPIPE effect of
|
|
||||||
PAM_MODUTIL_PIPE_FD
|
|
||||||
|
|
||||||
When pam_modutil_sanitize_helper_fds() is invoked with
|
|
||||||
PAM_MODUTIL_PIPE_FD to provide a dummy pipe descriptor for stdout
|
|
||||||
or stderr, it closes the read end of the newly created dummy pipe.
|
|
||||||
The negative side effect of this approach is that any write to such
|
|
||||||
descriptor triggers a SIGPIPE. Avoid this by closing the write end of
|
|
||||||
the dummy pipe and using its read end as a dummy pipe descriptor for
|
|
||||||
output. Any read from such descriptor returns 0, and any write just
|
|
||||||
fails with EBADF, which should work better with unprepared writers.
|
|
||||||
|
|
||||||
* libpam/pam_modutil_sanitize.c (redirect_out_pipe): Remove.
|
|
||||||
(redirect_out): Call redirect_in_pipe instead of redirect_out_pipe.
|
|
||||||
|
|
||||||
Fixes: b0ec5d1e ("Introduce pam_modutil_sanitize_helper_fds")
|
|
||||||
---
|
|
||||||
libpam/pam_modutil_sanitize.c | 30 +-----------------------------
|
|
||||||
1 file changed, 1 insertion(+), 29 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/libpam/pam_modutil_sanitize.c b/libpam/pam_modutil_sanitize.c
|
|
||||||
index 605c859d..58b9537c 100644
|
|
||||||
--- a/libpam/pam_modutil_sanitize.c
|
|
||||||
+++ b/libpam/pam_modutil_sanitize.c
|
|
||||||
@@ -46,34 +46,6 @@ redirect_in_pipe(pam_handle_t *pamh, int fd, const char *name)
|
|
||||||
return fd;
|
|
||||||
}
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * Creates a pipe, closes its read end, redirects fd to its write end.
|
|
||||||
- * Returns fd on success, -1 otherwise.
|
|
||||||
- */
|
|
||||||
-static int
|
|
||||||
-redirect_out_pipe(pam_handle_t *pamh, int fd, const char *name)
|
|
||||||
-{
|
|
||||||
- int out[2];
|
|
||||||
-
|
|
||||||
- if (pipe(out) < 0) {
|
|
||||||
- pam_syslog(pamh, LOG_ERR, "Could not create pipe: %m");
|
|
||||||
- return -1;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- close(out[0]);
|
|
||||||
-
|
|
||||||
- if (out[1] == fd)
|
|
||||||
- return fd;
|
|
||||||
-
|
|
||||||
- if (dup2(out[1], fd) != fd) {
|
|
||||||
- pam_syslog(pamh, LOG_ERR, "dup2 of %s failed: %m", name);
|
|
||||||
- fd = -1;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- close(out[1]);
|
|
||||||
- return fd;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
/*
|
|
||||||
* Opens /dev/null for writing, redirects fd there.
|
|
||||||
* Returns fd on success, -1 otherwise.
|
|
||||||
@@ -106,7 +78,7 @@ redirect_out(pam_handle_t *pamh, enum pam_modutil_redirect_fd mode,
|
|
||||||
{
|
|
||||||
switch (mode) {
|
|
||||||
case PAM_MODUTIL_PIPE_FD:
|
|
||||||
- if (redirect_out_pipe(pamh, fd, name) < 0)
|
|
||||||
+ if (redirect_in_pipe(pamh, fd, name) < 0)
|
|
||||||
return -1;
|
|
||||||
break;
|
|
||||||
case PAM_MODUTIL_NULL_FD:
|
|
||||||
--
|
|
||||||
2.25.3
|
|
||||||
|
|
@ -1,283 +0,0 @@
|
|||||||
From d57ab22133654033ee1da89f128a81572d320985 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
|
||||||
Date: Thu, 20 Dec 2018 13:59:25 +0100
|
|
||||||
Subject: [PATCH] pam_motd: Cleanup the code and avoid unnecessary logging
|
|
||||||
|
|
||||||
The pam_motd module will not log if the default motd.d directories
|
|
||||||
are missing.
|
|
||||||
|
|
||||||
Also cleanup some code cleanliness issues and fix compilation
|
|
||||||
warnings.
|
|
||||||
|
|
||||||
* modules/pam_motd/pam_motd.c: Constification of constant strings.
|
|
||||||
(try_to_display_directory): Removed unused function.
|
|
||||||
(pam_split_string): Replace uint with unsigned int. Fix warnings.
|
|
||||||
(compare_strings): Fix warnings by proper constification.
|
|
||||||
(try_to_display_directories_with_overrides): Cleanups. Switch
|
|
||||||
off the logging if the motd.d directories are missing and they
|
|
||||||
are default ones.
|
|
||||||
(pam_sm_open_session): Cleanup warnings. Pass the information
|
|
||||||
to try_to_display_directories_with_overrides() that non-default
|
|
||||||
motd options are used.
|
|
||||||
---
|
|
||||||
modules/pam_motd/pam_motd.c | 88 ++++++++++++++++---------------------
|
|
||||||
1 file changed, 37 insertions(+), 51 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
|
|
||||||
index ec3ebd58..dbd718b6 100644
|
|
||||||
--- a/modules/pam_motd/pam_motd.c
|
|
||||||
+++ b/modules/pam_motd/pam_motd.c
|
|
||||||
@@ -22,6 +22,7 @@
|
|
||||||
#include <sys/stat.h>
|
|
||||||
#include <pwd.h>
|
|
||||||
#include <syslog.h>
|
|
||||||
+#include <errno.h>
|
|
||||||
|
|
||||||
#include <security/_pam_macros.h>
|
|
||||||
#include <security/pam_ext.h>
|
|
||||||
@@ -48,8 +49,8 @@ pam_sm_close_session (pam_handle_t *pamh UNUSED, int flags UNUSED,
|
|
||||||
return PAM_IGNORE;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static char default_motd[] = DEFAULT_MOTD;
|
|
||||||
-static char default_motd_dir[] = DEFAULT_MOTD_D;
|
|
||||||
+static const char default_motd[] = DEFAULT_MOTD;
|
|
||||||
+static const char default_motd_dir[] = DEFAULT_MOTD_D;
|
|
||||||
|
|
||||||
static void try_to_display_fd(pam_handle_t *pamh, int fd)
|
|
||||||
{
|
|
||||||
@@ -75,28 +76,6 @@ static void try_to_display_fd(pam_handle_t *pamh, int fd)
|
|
||||||
_pam_drop(mtmp);
|
|
||||||
}
|
|
||||||
|
|
||||||
-static void try_to_display_directory(pam_handle_t *pamh, const char *dirname)
|
|
||||||
-{
|
|
||||||
- DIR *dirp;
|
|
||||||
-
|
|
||||||
- dirp = opendir(dirname);
|
|
||||||
-
|
|
||||||
- if (dirp != NULL) {
|
|
||||||
- struct dirent *entry;
|
|
||||||
-
|
|
||||||
- while ((entry = readdir(dirp))) {
|
|
||||||
- int fd = openat(dirfd(dirp), entry->d_name, O_RDONLY);
|
|
||||||
-
|
|
||||||
- if (fd >= 0) {
|
|
||||||
- try_to_display_fd(pamh, fd);
|
|
||||||
- close(fd);
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- closedir(dirp);
|
|
||||||
- }
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
/*
|
|
||||||
* Split a DELIM-separated string ARG into an array.
|
|
||||||
* Outputs a newly allocated array of strings OUT_ARG_SPLIT
|
|
||||||
@@ -104,14 +83,14 @@ static void try_to_display_directory(pam_handle_t *pamh, const char *dirname)
|
|
||||||
* Returns 0 in case of error, 1 in case of success.
|
|
||||||
*/
|
|
||||||
static int pam_split_string(const pam_handle_t *pamh, char *arg, char delim,
|
|
||||||
- char ***out_arg_split, uint *out_num_strs)
|
|
||||||
+ char ***out_arg_split, unsigned int *out_num_strs)
|
|
||||||
{
|
|
||||||
char *arg_extracted = NULL;
|
|
||||||
const char *arg_ptr = arg;
|
|
||||||
char **arg_split = NULL;
|
|
||||||
char delim_str[2];
|
|
||||||
- int i = 0;
|
|
||||||
- uint num_strs = 0;
|
|
||||||
+ unsigned int i = 0;
|
|
||||||
+ unsigned int num_strs = 0;
|
|
||||||
int retval = 0;
|
|
||||||
|
|
||||||
delim_str[0] = delim;
|
|
||||||
@@ -126,7 +105,7 @@ static int pam_split_string(const pam_handle_t *pamh, char *arg, char delim,
|
|
||||||
arg_ptr = strchr(arg_ptr + sizeof(const char), delim);
|
|
||||||
}
|
|
||||||
|
|
||||||
- arg_split = (char **)calloc(num_strs, sizeof(char *));
|
|
||||||
+ arg_split = calloc(num_strs, sizeof(char *));
|
|
||||||
if (arg_split == NULL) {
|
|
||||||
pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate string array");
|
|
||||||
goto out;
|
|
||||||
@@ -180,10 +159,10 @@ static int join_dir_strings(char **strp_out, const char *a_str, const char *b_st
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static int compare_strings(const void * a, const void * b)
|
|
||||||
+static int compare_strings(const void *a, const void *b)
|
|
||||||
{
|
|
||||||
- const char *a_str = *(char **)a;
|
|
||||||
- const char *b_str = *(char **)b;
|
|
||||||
+ const char *a_str = *(const char * const *)a;
|
|
||||||
+ const char *b_str = *(const char * const *)b;
|
|
||||||
|
|
||||||
if (a_str == NULL && b_str == NULL) {
|
|
||||||
return 0;
|
|
||||||
@@ -205,13 +184,13 @@ static int filter_dirents(const struct dirent *d)
|
|
||||||
}
|
|
||||||
|
|
||||||
static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
|
|
||||||
- char **motd_dir_path_split, int num_motd_dirs)
|
|
||||||
+ char **motd_dir_path_split, unsigned int num_motd_dirs, int report_missing)
|
|
||||||
{
|
|
||||||
struct dirent ***dirscans = NULL;
|
|
||||||
- int *dirscans_sizes = NULL;
|
|
||||||
- int dirscans_size_total = 0;
|
|
||||||
+ unsigned int *dirscans_sizes = NULL;
|
|
||||||
+ unsigned int dirscans_size_total = 0;
|
|
||||||
char **dirnames_all = NULL;
|
|
||||||
- int i;
|
|
||||||
+ unsigned int i;
|
|
||||||
int i_dirnames = 0;
|
|
||||||
|
|
||||||
if (pamh == NULL || motd_dir_path_split == NULL) {
|
|
||||||
@@ -221,29 +200,31 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if ((dirscans = (struct dirent ***)calloc(num_motd_dirs,
|
|
||||||
- sizeof(struct dirent **))) == NULL) {
|
|
||||||
+ if ((dirscans = calloc(num_motd_dirs, sizeof(struct dirent **))) == NULL) {
|
|
||||||
pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate dirent arrays");
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
- if ((dirscans_sizes = (int *)calloc(num_motd_dirs, sizeof(int))) == NULL) {
|
|
||||||
+ if ((dirscans_sizes = calloc(num_motd_dirs, sizeof(int))) == NULL) {
|
|
||||||
pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate dirent array sizes");
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
for (i = 0; i < num_motd_dirs; i++) {
|
|
||||||
- dirscans_sizes[i] = scandir(motd_dir_path_split[i], &(dirscans[i]),
|
|
||||||
+ int rv;
|
|
||||||
+ rv = scandir(motd_dir_path_split[i], &(dirscans[i]),
|
|
||||||
filter_dirents, alphasort);
|
|
||||||
- if (dirscans_sizes[i] < 0) {
|
|
||||||
- pam_syslog(pamh, LOG_ERR, "pam_motd: error scanning directory %s", motd_dir_path_split[i]);
|
|
||||||
- dirscans_sizes[i] = 0;
|
|
||||||
+ if (rv < 0) {
|
|
||||||
+ if (errno != ENOENT || report_missing) {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "pam_motd: error scanning directory %s: %m",
|
|
||||||
+ motd_dir_path_split[i]);
|
|
||||||
+ }
|
|
||||||
+ dirscans_sizes[i] = rv;
|
|
||||||
}
|
|
||||||
dirscans_size_total += dirscans_sizes[i];
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Allocate space for all file names found in the directories, including duplicates. */
|
|
||||||
- if ((dirnames_all = (char **)calloc(dirscans_size_total,
|
|
||||||
- sizeof(char *))) == NULL) {
|
|
||||||
+ if ((dirnames_all = calloc(dirscans_size_total, sizeof(char *))) == NULL) {
|
|
||||||
pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate dirname array");
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
@@ -253,7 +234,7 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
|
|
||||||
}
|
|
||||||
|
|
||||||
for (i = 0; i < num_motd_dirs; i++) {
|
|
||||||
- int j;
|
|
||||||
+ unsigned int j;
|
|
||||||
|
|
||||||
for (j = 0; j < dirscans_sizes[i]; j++) {
|
|
||||||
dirnames_all[i_dirnames] = dirscans[i][j]->d_name;
|
|
||||||
@@ -265,7 +246,7 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
|
|
||||||
sizeof(const char *), compare_strings);
|
|
||||||
|
|
||||||
for (i = 0; i < dirscans_size_total; i++) {
|
|
||||||
- int j;
|
|
||||||
+ unsigned int j;
|
|
||||||
|
|
||||||
if (dirnames_all[i] == NULL) {
|
|
||||||
continue;
|
|
||||||
@@ -301,7 +282,8 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
|
|
||||||
out:
|
|
||||||
_pam_drop(dirnames_all);
|
|
||||||
for (i = 0; i < num_motd_dirs; i++) {
|
|
||||||
- int j;
|
|
||||||
+ unsigned int j;
|
|
||||||
+
|
|
||||||
for (j = 0; j < dirscans_sizes[i]; j++) {
|
|
||||||
_pam_drop(dirscans[i][j]);
|
|
||||||
}
|
|
||||||
@@ -319,12 +301,13 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
|
|
||||||
int retval = PAM_IGNORE;
|
|
||||||
const char *motd_path = NULL;
|
|
||||||
char *motd_path_copy = NULL;
|
|
||||||
- int num_motd_paths = 0;
|
|
||||||
+ unsigned int num_motd_paths = 0;
|
|
||||||
char **motd_path_split = NULL;
|
|
||||||
const char *motd_dir_path = NULL;
|
|
||||||
char *motd_dir_path_copy = NULL;
|
|
||||||
- int num_motd_dir_paths = 0;
|
|
||||||
+ unsigned int num_motd_dir_paths = 0;
|
|
||||||
char **motd_dir_path_split = NULL;
|
|
||||||
+ int report_missing;
|
|
||||||
|
|
||||||
if (flags & PAM_SILENT) {
|
|
||||||
return retval;
|
|
||||||
@@ -360,6 +343,9 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
|
|
||||||
if (motd_path == NULL && motd_dir_path == NULL) {
|
|
||||||
motd_path = default_motd;
|
|
||||||
motd_dir_path = default_motd_dir;
|
|
||||||
+ report_missing = 0;
|
|
||||||
+ } else {
|
|
||||||
+ report_missing = 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (motd_path != NULL) {
|
|
||||||
@@ -385,7 +371,7 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (motd_path_split != NULL) {
|
|
||||||
- int i;
|
|
||||||
+ unsigned int i;
|
|
||||||
|
|
||||||
for (i = 0; i < num_motd_paths; i++) {
|
|
||||||
int fd = open(motd_path_split[i], O_RDONLY, 0);
|
|
||||||
@@ -402,7 +388,7 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
|
|
||||||
|
|
||||||
if (motd_dir_path_split != NULL)
|
|
||||||
try_to_display_directories_with_overrides(pamh, motd_dir_path_split,
|
|
||||||
- num_motd_dir_paths);
|
|
||||||
+ num_motd_dir_paths, report_missing);
|
|
||||||
|
|
||||||
out:
|
|
||||||
_pam_drop(motd_path_copy);
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
||||||
From c2c0434bd634a817f2b16ce7f58fc96c04e88b03 Mon Sep 17 00:00:00 2001
|
|
||||||
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
|
||||||
Date: Sun, 26 Apr 2020 11:12:59 +0000
|
|
||||||
Subject: [PATCH] pam_motd: fix NULL dereference when at least one of motd
|
|
||||||
directories is not available
|
|
||||||
|
|
||||||
* modules/pam_motd/pam_motd.c
|
|
||||||
(try_to_display_directories_with_overrides): Do not assign -1U to
|
|
||||||
dirscans_sizes[i] when scandir(motd_dir_path_split[i]) returns an error.
|
|
||||||
|
|
||||||
Resolves: https://bugzilla.altlinux.org/38389
|
|
||||||
Fixes: d57ab221 ("pam_motd: Cleanup the code and avoid unnecessary logging")
|
|
||||||
---
|
|
||||||
modules/pam_motd/pam_motd.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
|
|
||||||
index df09b7d0..8147c6fd 100644
|
|
||||||
--- a/modules/pam_motd/pam_motd.c
|
|
||||||
+++ b/modules/pam_motd/pam_motd.c
|
|
||||||
@@ -219,6 +219,7 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
|
|
||||||
pam_syslog(pamh, LOG_ERR, "pam_motd: error scanning directory %s: %m",
|
|
||||||
motd_dir_path_split[i]);
|
|
||||||
}
|
|
||||||
+ } else {
|
|
||||||
dirscans_sizes[i] = rv;
|
|
||||||
}
|
|
||||||
dirscans_size_total += dirscans_sizes[i];
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
@ -1,57 +0,0 @@
|
|||||||
From 62cd745d730e5ba13d5d7092ac566fc0b2148e61 Mon Sep 17 00:00:00 2001
|
|
||||||
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
|
||||||
Date: Sun, 26 Apr 2020 11:12:59 +0000
|
|
||||||
Subject: [PATCH] pam_motd: fix memory leak
|
|
||||||
|
|
||||||
pam_motd used to leak memory allocated for each motd file
|
|
||||||
successfully opened in try_to_display_directories_with_overrides.
|
|
||||||
|
|
||||||
* modules/pam_motd/pam_motd.c
|
|
||||||
(try_to_display_directories_with_overrides): Free abs_path.
|
|
||||||
|
|
||||||
Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
|
|
||||||
---
|
|
||||||
modules/pam_motd/pam_motd.c | 20 ++++++++++----------
|
|
||||||
1 file changed, 10 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
|
|
||||||
index f0cd317d..3be129a5 100644
|
|
||||||
--- a/modules/pam_motd/pam_motd.c
|
|
||||||
+++ b/modules/pam_motd/pam_motd.c
|
|
||||||
@@ -259,23 +259,23 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
|
|
||||||
|
|
||||||
for (j = 0; j < num_motd_dirs; j++) {
|
|
||||||
char *abs_path = NULL;
|
|
||||||
+ int fd;
|
|
||||||
|
|
||||||
if (join_dir_strings(&abs_path, motd_dir_path_split[j],
|
|
||||||
- dirnames_all[i]) < 0) {
|
|
||||||
+ dirnames_all[i]) < 0 || abs_path == NULL) {
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (abs_path != NULL) {
|
|
||||||
- int fd = open(abs_path, O_RDONLY, 0);
|
|
||||||
- if (fd >= 0) {
|
|
||||||
- try_to_display_fd(pamh, fd);
|
|
||||||
- close(fd);
|
|
||||||
+ fd = open(abs_path, O_RDONLY, 0);
|
|
||||||
+ _pam_drop(abs_path);
|
|
||||||
|
|
||||||
- /* We displayed a file, skip to the next file name. */
|
|
||||||
- break;
|
|
||||||
- }
|
|
||||||
+ if (fd >= 0) {
|
|
||||||
+ try_to_display_fd(pamh, fd);
|
|
||||||
+ close(fd);
|
|
||||||
+
|
|
||||||
+ /* We displayed a file, skip to the next file name. */
|
|
||||||
+ break;
|
|
||||||
}
|
|
||||||
- _pam_drop(abs_path);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.35.3
|
|
||||||
|
|
@ -1,133 +0,0 @@
|
|||||||
From 8eaf5570cf011148a0b55c53570df5edaafebdb0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Robert Fairley <rfairley@users.noreply.github.com>
|
|
||||||
Date: Wed, 21 Nov 2018 02:46:02 -0500
|
|
||||||
Subject: [PATCH] pam_motd: Fix segmentation fault when no motd_dir specified
|
|
||||||
(#76)
|
|
||||||
|
|
||||||
This fixes a regression introduced by #69, where motd_path was set
|
|
||||||
to NULL and passed into strdup() if the motd_dir argument was
|
|
||||||
not specified in the configuration file. This caused a segmentation
|
|
||||||
fault.
|
|
||||||
|
|
||||||
* modules/pam_motd/pam_motd.c: fix checks for NULL in arguments
|
|
||||||
* xtests/Makefile.am: add test scripts and config file
|
|
||||||
* xtests/tst-pam_motd.sh: add running tst-pam_motd4.sh
|
|
||||||
* xtests/tst-pam_motd4.pamd: create
|
|
||||||
* xtests/tst-pam_motd4.sh: create
|
|
||||||
---
|
|
||||||
modules/pam_motd/pam_motd.c | 15 ++++++++++-----
|
|
||||||
xtests/Makefile.am | 4 ++--
|
|
||||||
xtests/tst-pam_motd.sh | 1 +
|
|
||||||
xtests/tst-pam_motd4.pamd | 3 +++
|
|
||||||
xtests/tst-pam_motd4.sh | 27 +++++++++++++++++++++++++++
|
|
||||||
5 files changed, 43 insertions(+), 7 deletions(-)
|
|
||||||
create mode 100644 xtests/tst-pam_motd4.pamd
|
|
||||||
create mode 100755 xtests/tst-pam_motd4.sh
|
|
||||||
|
|
||||||
diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
|
|
||||||
index 1c1cfcfa..ec3ebd58 100644
|
|
||||||
--- a/modules/pam_motd/pam_motd.c
|
|
||||||
+++ b/modules/pam_motd/pam_motd.c
|
|
||||||
@@ -132,7 +132,6 @@ static int pam_split_string(const pam_handle_t *pamh, char *arg, char delim,
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
-
|
|
||||||
arg_extracted = strtok_r(arg, delim_str, &arg);
|
|
||||||
while (arg_extracted != NULL && i < num_strs) {
|
|
||||||
arg_split[i++] = arg_extracted;
|
|
||||||
@@ -363,15 +362,21 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
|
|
||||||
motd_dir_path = default_motd_dir;
|
|
||||||
}
|
|
||||||
|
|
||||||
- motd_path_copy = strdup(motd_path);
|
|
||||||
+ if (motd_path != NULL) {
|
|
||||||
+ motd_path_copy = strdup(motd_path);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (motd_path_copy != NULL) {
|
|
||||||
- if (pam_split_string(pamh, motd_path_copy, ':', &motd_path_split,
|
|
||||||
- &num_motd_paths) == 0) {
|
|
||||||
+ if (pam_split_string(pamh, motd_path_copy, ':',
|
|
||||||
+ &motd_path_split, &num_motd_paths) == 0) {
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- motd_dir_path_copy = strdup(motd_dir_path);
|
|
||||||
+ if (motd_dir_path != NULL) {
|
|
||||||
+ motd_dir_path_copy = strdup(motd_dir_path);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (motd_dir_path_copy != NULL) {
|
|
||||||
if (pam_split_string(pamh, motd_dir_path_copy, ':',
|
|
||||||
&motd_dir_path_split, &num_motd_dir_paths) == 0) {
|
|
||||||
diff --git a/xtests/Makefile.am b/xtests/Makefile.am
|
|
||||||
index 555d5e33..4d5aba3d 100644
|
|
||||||
--- a/xtests/Makefile.am
|
|
||||||
+++ b/xtests/Makefile.am
|
|
||||||
@@ -34,8 +34,8 @@ EXTRA_DIST = run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \
|
|
||||||
tst-pam_pwhistory1.pamd tst-pam_pwhistory1.sh \
|
|
||||||
tst-pam_time1.pamd time.conf \
|
|
||||||
tst-pam_motd.sh tst-pam_motd1.sh tst-pam_motd2.sh \
|
|
||||||
- tst-pam_motd3.sh tst-pam_motd1.pamd \
|
|
||||||
- tst-pam_motd2.pamd tst-pam_motd3.pamd
|
|
||||||
+ tst-pam_motd3.sh tst-pam_motd4.sh tst-pam_motd1.pamd \
|
|
||||||
+ tst-pam_motd2.pamd tst-pam_motd3.pamd tst-pam_motd4.pamd
|
|
||||||
|
|
||||||
XTESTS = tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \
|
|
||||||
tst-pam_dispatch4 tst-pam_dispatch5 \
|
|
||||||
diff --git a/xtests/tst-pam_motd.sh b/xtests/tst-pam_motd.sh
|
|
||||||
index 9b0c38f6..90801280 100755
|
|
||||||
--- a/xtests/tst-pam_motd.sh
|
|
||||||
+++ b/xtests/tst-pam_motd.sh
|
|
||||||
@@ -5,3 +5,4 @@ set -e
|
|
||||||
./tst-pam_motd1.sh
|
|
||||||
./tst-pam_motd2.sh
|
|
||||||
./tst-pam_motd3.sh
|
|
||||||
+./tst-pam_motd4.sh
|
|
||||||
diff --git a/xtests/tst-pam_motd4.pamd b/xtests/tst-pam_motd4.pamd
|
|
||||||
new file mode 100644
|
|
||||||
index 00000000..9dc311ad
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/xtests/tst-pam_motd4.pamd
|
|
||||||
@@ -0,0 +1,3 @@
|
|
||||||
+#%PAM-1.0
|
|
||||||
+session required pam_permit.so
|
|
||||||
+session optional pam_motd.so motd=tst-pam_motd4.d/etc/motd
|
|
||||||
diff --git a/xtests/tst-pam_motd4.sh b/xtests/tst-pam_motd4.sh
|
|
||||||
new file mode 100755
|
|
||||||
index 00000000..6022177f
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/xtests/tst-pam_motd4.sh
|
|
||||||
@@ -0,0 +1,27 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+
|
|
||||||
+TST_DIR="tst-pam_motd4.d"
|
|
||||||
+
|
|
||||||
+function tst_cleanup() {
|
|
||||||
+ rm -rf "${TST_DIR}"
|
|
||||||
+ rm -f tst-pam_motd4.out
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+mkdir -p ${TST_DIR}/etc
|
|
||||||
+
|
|
||||||
+# Verify the case of single motd with no motd_dir given in tst-pam_motd4.pamd
|
|
||||||
+echo "motd: /etc/motd" > ${TST_DIR}/etc/motd
|
|
||||||
+
|
|
||||||
+./tst-pam_motd tst-pam_motd4 > tst-pam_motd4.out
|
|
||||||
+
|
|
||||||
+RET=$?
|
|
||||||
+
|
|
||||||
+motd_to_show_output=$(cat tst-pam_motd4.out | grep "motd: /etc/motd")
|
|
||||||
+if [ -z "${motd_to_show_output}" ];
|
|
||||||
+then
|
|
||||||
+ tst_cleanup
|
|
||||||
+ exit 1
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+tst_cleanup
|
|
||||||
+exit $RET
|
|
||||||
--
|
|
||||||
2.35.1
|
|
||||||
|
|
@ -1,691 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml.pam_motd-support-multiple-motd-paths1 2022-04-25 12:32:36.939663167 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml 2022-04-25 12:34:43.506582206 +0200
|
|
||||||
@@ -21,6 +21,9 @@
|
|
||||||
<arg choice="opt">
|
|
||||||
motd=<replaceable>/path/filename</replaceable>
|
|
||||||
</arg>
|
|
||||||
+ <arg choice="opt">
|
|
||||||
+ motd_dir=<replaceable>/path/dirname.d</replaceable>
|
|
||||||
+ </arg>
|
|
||||||
</cmdsynopsis>
|
|
||||||
</refsynopsisdiv>
|
|
||||||
|
|
||||||
@@ -31,18 +34,49 @@
|
|
||||||
<para>
|
|
||||||
pam_motd is a PAM module that can be used to display
|
|
||||||
arbitrary motd (message of the day) files after a successful
|
|
||||||
- login. By default the <filename>/etc/motd</filename> file and
|
|
||||||
- all files from <filename>/etc/motd.d</filename> are
|
|
||||||
- shown. The message size is limited to 64KB.
|
|
||||||
+ login. By default, pam_motd shows files in the
|
|
||||||
+ following locations:
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ <simplelist type='vert'>
|
|
||||||
+ <member><filename>/etc/motd</filename></member>
|
|
||||||
+ <member><filename>/run/motd</filename></member>
|
|
||||||
+ <member><filename>/usr/lib/motd</filename></member>
|
|
||||||
+ <member><filename>/etc/motd.d/</filename></member>
|
|
||||||
+ <member><filename>/run/motd.d/</filename></member>
|
|
||||||
+ <member><filename>/usr/lib/motd.d/</filename></member>
|
|
||||||
+ </simplelist>
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Each message size is limited to 64KB.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ If <filename>/etc/motd</filename> does not exist,
|
|
||||||
+ then <filename>/run/motd</filename> is shown. If
|
|
||||||
+ <filename>/run/motd</filename> does not exist, then
|
|
||||||
+ <filename>/usr/lib/motd</filename> is shown.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Similar overriding behavior applies to the directories.
|
|
||||||
+ Files in <filename>/etc/motd.d/</filename> override files
|
|
||||||
+ with the same name in <filename>/run/motd.d/</filename> and
|
|
||||||
+ <filename>/usr/lib/motd.d/</filename>. Files in <filename>/run/motd.d/</filename>
|
|
||||||
+ override files with the same name in <filename>/usr/lib/motd.d/</filename>.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Files in the directories listed above are displayed in lexicographic
|
|
||||||
+ order by name. Moreover, the files are filtered by reading them with the
|
|
||||||
+ credentials of the target user authenticating on the system.
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
To silence a message,
|
|
||||||
a symbolic link with target <filename>/dev/null</filename>
|
|
||||||
may be placed in <filename>/etc/motd.d</filename> with
|
|
||||||
the same filename as the message to be silenced. Example:
|
|
||||||
+ Creating a symbolic link as follows silences <filename>/usr/lib/motd.d/my_motd</filename>.
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
- <command>ln -sfn /dev/null /etc/motd.d/my_motd</command>
|
|
||||||
+ <command>ln -s /dev/null /etc/motd.d/my_motd</command>
|
|
||||||
</para>
|
|
||||||
</refsect1>
|
|
||||||
|
|
||||||
@@ -56,8 +90,10 @@
|
|
||||||
</term>
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
- The <filename>/path/filename</filename> file is displayed
|
|
||||||
- as message of the day.
|
|
||||||
+ The <filename>/path/filename</filename> file is displayed
|
|
||||||
+ as message of the day. Multiple paths to try can be
|
|
||||||
+ specified as a colon-separated list. By default this option
|
|
||||||
+ is set to <filename>/etc/motd:/run/motd:/usr/lib/motd</filename>.
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
@@ -68,16 +104,17 @@
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
The <filename>/path/dirname.d</filename> directory is scanned
|
|
||||||
- and each file contained inside of it is displayed.
|
|
||||||
+ and each file contained inside of it is displayed. Multiple
|
|
||||||
+ directories to scan can be specified as a colon-separated list.
|
|
||||||
+ By default this option is set to <filename>/etc/motd.d:/run/motd.d:/usr/lib/motd.d</filename>.
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
<para>
|
|
||||||
- When no options are given, the default is to display both
|
|
||||||
- <filename>/etc/motd</filename> and the contents of
|
|
||||||
- <filename>/etc/motd.d</filename>. Specifying either option (or both)
|
|
||||||
- will disable this default behavior.
|
|
||||||
+ When no options are given, the default behavior applies for both
|
|
||||||
+ options. Specifying either option (or both) will disable the
|
|
||||||
+ default behavior for both options.
|
|
||||||
</para>
|
|
||||||
</refsect1>
|
|
||||||
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_motd/pam_motd.c.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/modules/pam_motd/pam_motd.c
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_motd/pam_motd.c.pam_motd-support-multiple-motd-paths1 2018-05-18 11:50:46.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_motd/pam_motd.c 2022-04-25 12:32:36.947663225 +0200
|
|
||||||
@@ -33,8 +33,8 @@
|
|
||||||
*/
|
|
||||||
|
|
||||||
#define PAM_SM_SESSION
|
|
||||||
-#define DEFAULT_MOTD "/etc/motd"
|
|
||||||
-#define DEFAULT_MOTD_D "/etc/motd.d"
|
|
||||||
+#define DEFAULT_MOTD "/etc/motd:/run/motd:/usr/lib/motd"
|
|
||||||
+#define DEFAULT_MOTD_D "/etc/motd.d:/run/motd.d:/usr/lib/motd.d"
|
|
||||||
|
|
||||||
#include <security/pam_modules.h>
|
|
||||||
#include <security/pam_modutil.h>
|
|
||||||
@@ -97,12 +97,235 @@ static void try_to_display_directory(pam
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * Split a DELIM-separated string ARG into an array.
|
|
||||||
+ * Outputs a newly allocated array of strings OUT_ARG_SPLIT
|
|
||||||
+ * and the number of strings OUT_NUM_STRS.
|
|
||||||
+ * Returns 0 in case of error, 1 in case of success.
|
|
||||||
+ */
|
|
||||||
+static int pam_split_string(const pam_handle_t *pamh, char *arg, char delim,
|
|
||||||
+ char ***out_arg_split, uint *out_num_strs)
|
|
||||||
+{
|
|
||||||
+ char *arg_extracted = NULL;
|
|
||||||
+ const char *arg_ptr = arg;
|
|
||||||
+ char **arg_split = NULL;
|
|
||||||
+ char delim_str[2];
|
|
||||||
+ int i = 0;
|
|
||||||
+ uint num_strs = 0;
|
|
||||||
+ int retval = 0;
|
|
||||||
+
|
|
||||||
+ delim_str[0] = delim;
|
|
||||||
+ delim_str[1] = '\0';
|
|
||||||
+
|
|
||||||
+ if (arg == NULL) {
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ while (arg_ptr != NULL) {
|
|
||||||
+ num_strs++;
|
|
||||||
+ arg_ptr = strchr(arg_ptr + sizeof(const char), delim);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ arg_split = (char **)calloc(num_strs, sizeof(char *));
|
|
||||||
+ if (arg_split == NULL) {
|
|
||||||
+ pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate string array");
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+ arg_extracted = strtok_r(arg, delim_str, &arg);
|
|
||||||
+ while (arg_extracted != NULL && i < num_strs) {
|
|
||||||
+ arg_split[i++] = arg_extracted;
|
|
||||||
+ arg_extracted = strtok_r(NULL, delim_str, &arg);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ retval = 1;
|
|
||||||
+
|
|
||||||
+ out:
|
|
||||||
+ *out_num_strs = num_strs;
|
|
||||||
+ *out_arg_split = arg_split;
|
|
||||||
+
|
|
||||||
+ return retval;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* Join A_STR and B_STR, inserting a "/" between them if one is not already trailing
|
|
||||||
+ * in A_STR or beginning B_STR. A pointer to a newly allocated string holding the
|
|
||||||
+ * joined string is returned in STRP_OUT.
|
|
||||||
+ * Returns -1 in case of error, or the number of bytes in the joined string in
|
|
||||||
+ * case of success. */
|
|
||||||
+static int join_dir_strings(char **strp_out, const char *a_str, const char *b_str)
|
|
||||||
+{
|
|
||||||
+ int has_sep = 0;
|
|
||||||
+ int retval = -1;
|
|
||||||
+ char *join_strp = NULL;
|
|
||||||
+
|
|
||||||
+ if (strp_out == NULL || a_str == NULL || b_str == NULL) {
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ if (strlen(a_str) == 0) {
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ has_sep = (a_str[strlen(a_str) - 1] == '/') || (b_str[0] == '/');
|
|
||||||
+
|
|
||||||
+ retval = asprintf(&join_strp, "%s%s%s", a_str,
|
|
||||||
+ (has_sep == 1) ? "" : "/", b_str);
|
|
||||||
+
|
|
||||||
+ if (retval < 0) {
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *strp_out = join_strp;
|
|
||||||
+
|
|
||||||
+ out:
|
|
||||||
+ return retval;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int compare_strings(const void * a, const void * b)
|
|
||||||
+{
|
|
||||||
+ const char *a_str = *(char **)a;
|
|
||||||
+ const char *b_str = *(char **)b;
|
|
||||||
+
|
|
||||||
+ if (a_str == NULL && b_str == NULL) {
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ else if (a_str == NULL) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ else if (b_str == NULL) {
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+ else {
|
|
||||||
+ return strcmp(a_str, b_str);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int filter_dirents(const struct dirent *d)
|
|
||||||
+{
|
|
||||||
+ return (d->d_type == DT_REG || d->d_type == DT_LNK);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
|
|
||||||
+ char **motd_dir_path_split, int num_motd_dirs)
|
|
||||||
+{
|
|
||||||
+ struct dirent ***dirscans = NULL;
|
|
||||||
+ int *dirscans_sizes = NULL;
|
|
||||||
+ int dirscans_size_total = 0;
|
|
||||||
+ char **dirnames_all = NULL;
|
|
||||||
+ int i;
|
|
||||||
+ int i_dirnames = 0;
|
|
||||||
+
|
|
||||||
+ if (pamh == NULL || motd_dir_path_split == NULL) {
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ if (num_motd_dirs < 1) {
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if ((dirscans = (struct dirent ***)calloc(num_motd_dirs,
|
|
||||||
+ sizeof(struct dirent **))) == NULL) {
|
|
||||||
+ pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate dirent arrays");
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ if ((dirscans_sizes = (int *)calloc(num_motd_dirs, sizeof(int))) == NULL) {
|
|
||||||
+ pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate dirent array sizes");
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < num_motd_dirs; i++) {
|
|
||||||
+ dirscans_sizes[i] = scandir(motd_dir_path_split[i], &(dirscans[i]),
|
|
||||||
+ filter_dirents, alphasort);
|
|
||||||
+ if (dirscans_sizes[i] < 0) {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "pam_motd: error scanning directory %s", motd_dir_path_split[i]);
|
|
||||||
+ dirscans_sizes[i] = 0;
|
|
||||||
+ }
|
|
||||||
+ dirscans_size_total += dirscans_sizes[i];
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Allocate space for all file names found in the directories, including duplicates. */
|
|
||||||
+ if ((dirnames_all = (char **)calloc(dirscans_size_total,
|
|
||||||
+ sizeof(char *))) == NULL) {
|
|
||||||
+ pam_syslog(pamh, LOG_CRIT, "pam_motd: failed to allocate dirname array");
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < dirscans_size_total; i++) {
|
|
||||||
+ dirnames_all[i] = NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < num_motd_dirs; i++) {
|
|
||||||
+ int j;
|
|
||||||
+
|
|
||||||
+ for (j = 0; j < dirscans_sizes[i]; j++) {
|
|
||||||
+ dirnames_all[i_dirnames] = dirscans[i][j]->d_name;
|
|
||||||
+ i_dirnames++;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ qsort(dirnames_all, dirscans_size_total,
|
|
||||||
+ sizeof(const char *), compare_strings);
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < dirscans_size_total; i++) {
|
|
||||||
+ int j;
|
|
||||||
+
|
|
||||||
+ if (dirnames_all[i] == NULL) {
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Skip duplicate file names. */
|
|
||||||
+ if (i > 0 && strcmp(dirnames_all[i], dirnames_all[i - 1]) == 0) {
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (j = 0; j < num_motd_dirs; j++) {
|
|
||||||
+ char *abs_path = NULL;
|
|
||||||
+
|
|
||||||
+ if (join_dir_strings(&abs_path, motd_dir_path_split[j],
|
|
||||||
+ dirnames_all[i]) < 0) {
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (abs_path != NULL) {
|
|
||||||
+ int fd = open(abs_path, O_RDONLY, 0);
|
|
||||||
+ if (fd >= 0) {
|
|
||||||
+ try_to_display_fd(pamh, fd);
|
|
||||||
+ close(fd);
|
|
||||||
+
|
|
||||||
+ /* We displayed a file, skip to the next file name. */
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ _pam_drop(abs_path);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ out:
|
|
||||||
+ _pam_drop(dirnames_all);
|
|
||||||
+ for (i = 0; i < num_motd_dirs; i++) {
|
|
||||||
+ int j;
|
|
||||||
+ for (j = 0; j < dirscans_sizes[i]; j++) {
|
|
||||||
+ _pam_drop(dirscans[i][j]);
|
|
||||||
+ }
|
|
||||||
+ _pam_drop(dirscans[i]);
|
|
||||||
+ }
|
|
||||||
+ _pam_drop(dirscans_sizes);
|
|
||||||
+ _pam_drop(dirscans);
|
|
||||||
+
|
|
||||||
+ return;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int pam_sm_open_session(pam_handle_t *pamh, int flags,
|
|
||||||
int argc, const char **argv)
|
|
||||||
{
|
|
||||||
int retval = PAM_IGNORE;
|
|
||||||
const char *motd_path = NULL;
|
|
||||||
+ char *motd_path_copy = NULL;
|
|
||||||
+ int num_motd_paths = 0;
|
|
||||||
+ char **motd_path_split = NULL;
|
|
||||||
const char *motd_dir_path = NULL;
|
|
||||||
+ char *motd_dir_path_copy = NULL;
|
|
||||||
+ int num_motd_dir_paths = 0;
|
|
||||||
+ char **motd_dir_path_split = NULL;
|
|
||||||
|
|
||||||
if (flags & PAM_SILENT) {
|
|
||||||
return retval;
|
|
||||||
@@ -140,17 +363,47 @@ int pam_sm_open_session(pam_handle_t *pa
|
|
||||||
motd_dir_path = default_motd_dir;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (motd_path != NULL) {
|
|
||||||
- int fd = open(motd_path, O_RDONLY, 0);
|
|
||||||
+ motd_path_copy = strdup(motd_path);
|
|
||||||
+ if (motd_path_copy != NULL) {
|
|
||||||
+ if (pam_split_string(pamh, motd_path_copy, ':', &motd_path_split,
|
|
||||||
+ &num_motd_paths) == 0) {
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ motd_dir_path_copy = strdup(motd_dir_path);
|
|
||||||
+ if (motd_dir_path_copy != NULL) {
|
|
||||||
+ if (pam_split_string(pamh, motd_dir_path_copy, ':',
|
|
||||||
+ &motd_dir_path_split, &num_motd_dir_paths) == 0) {
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (motd_path_split != NULL) {
|
|
||||||
+ int i;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < num_motd_paths; i++) {
|
|
||||||
+ int fd = open(motd_path_split[i], O_RDONLY, 0);
|
|
||||||
|
|
||||||
- if (fd >= 0) {
|
|
||||||
- try_to_display_fd(pamh, fd);
|
|
||||||
- close(fd);
|
|
||||||
+ if (fd >= 0) {
|
|
||||||
+ try_to_display_fd(pamh, fd);
|
|
||||||
+ close(fd);
|
|
||||||
+
|
|
||||||
+ /* We found and displayed a file, move onto next filename. */
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (motd_dir_path != NULL)
|
|
||||||
- try_to_display_directory(pamh, motd_dir_path);
|
|
||||||
+ if (motd_dir_path_split != NULL)
|
|
||||||
+ try_to_display_directories_with_overrides(pamh, motd_dir_path_split,
|
|
||||||
+ num_motd_dir_paths);
|
|
||||||
+
|
|
||||||
+ out:
|
|
||||||
+ _pam_drop(motd_path_copy);
|
|
||||||
+ _pam_drop(motd_path_split);
|
|
||||||
+ _pam_drop(motd_dir_path_copy);
|
|
||||||
+ _pam_drop(motd_dir_path_split);
|
|
||||||
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
diff -up Linux-PAM-1.3.1/xtests/Makefile.am.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/xtests/Makefile.am
|
|
||||||
--- Linux-PAM-1.3.1/xtests/Makefile.am.pam_motd-support-multiple-motd-paths1 2017-02-10 11:10:15.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.3.1/xtests/Makefile.am 2022-04-25 12:32:36.947663225 +0200
|
|
||||||
@@ -32,7 +32,10 @@ EXTRA_DIST = run-xtests.sh tst-pam_dispa
|
|
||||||
tst-pam_substack5.pamd tst-pam_substack5a.pamd tst-pam_substack5.sh \
|
|
||||||
tst-pam_assemble_line1.pamd tst-pam_assemble_line1.sh \
|
|
||||||
tst-pam_pwhistory1.pamd tst-pam_pwhistory1.sh \
|
|
||||||
- tst-pam_time1.pamd time.conf
|
|
||||||
+ tst-pam_time1.pamd time.conf \
|
|
||||||
+ tst-pam_motd.sh tst-pam_motd1.sh tst-pam_motd2.sh \
|
|
||||||
+ tst-pam_motd3.sh tst-pam_motd1.pamd \
|
|
||||||
+ tst-pam_motd2.pamd tst-pam_motd3.pamd
|
|
||||||
|
|
||||||
XTESTS = tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \
|
|
||||||
tst-pam_dispatch4 tst-pam_dispatch5 \
|
|
||||||
@@ -41,7 +44,7 @@ XTESTS = tst-pam_dispatch1 tst-pam_dispa
|
|
||||||
tst-pam_access1 tst-pam_access2 tst-pam_access3 \
|
|
||||||
tst-pam_access4 tst-pam_limits1 tst-pam_succeed_if1 \
|
|
||||||
tst-pam_group1 tst-pam_authfail tst-pam_authsucceed \
|
|
||||||
- tst-pam_pwhistory1 tst-pam_time1
|
|
||||||
+ tst-pam_pwhistory1 tst-pam_time1 tst-pam_motd
|
|
||||||
|
|
||||||
NOSRCTESTS = tst-pam_substack1 tst-pam_substack2 tst-pam_substack3 \
|
|
||||||
tst-pam_substack4 tst-pam_substack5 tst-pam_assemble_line1
|
|
||||||
diff -up Linux-PAM-1.3.1/xtests/tst-pam_motd1.pamd.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/xtests/tst-pam_motd1.pamd
|
|
||||||
--- Linux-PAM-1.3.1/xtests/tst-pam_motd1.pamd.pam_motd-support-multiple-motd-paths1 2022-04-25 12:32:36.947663225 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/xtests/tst-pam_motd1.pamd 2022-04-25 12:32:36.947663225 +0200
|
|
||||||
@@ -0,0 +1,3 @@
|
|
||||||
+#%PAM-1.0
|
|
||||||
+session required pam_permit.so
|
|
||||||
+session optional pam_motd.so motd=tst-pam_motd1.d/etc/motd motd_dir=tst-pam_motd1.d/etc/motd.d
|
|
||||||
diff -up Linux-PAM-1.3.1/xtests/tst-pam_motd1.sh.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/xtests/tst-pam_motd1.sh
|
|
||||||
--- Linux-PAM-1.3.1/xtests/tst-pam_motd1.sh.pam_motd-support-multiple-motd-paths1 2022-04-25 12:32:36.947663225 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/xtests/tst-pam_motd1.sh 2022-04-25 12:32:36.947663225 +0200
|
|
||||||
@@ -0,0 +1,36 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+
|
|
||||||
+TST_DIR="tst-pam_motd1.d"
|
|
||||||
+
|
|
||||||
+function tst_cleanup() {
|
|
||||||
+ rm -rf "${TST_DIR}"
|
|
||||||
+ rm -f tst-pam_motd1.out
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+mkdir -p ${TST_DIR}
|
|
||||||
+mkdir -p ${TST_DIR}/etc/motd.d
|
|
||||||
+
|
|
||||||
+# Verify the case of single motd and motd.d directory works
|
|
||||||
+echo "motd: /etc/motd" > ${TST_DIR}/etc/motd
|
|
||||||
+echo "motd: /etc/motd.d/test" > ${TST_DIR}/etc/motd.d/test
|
|
||||||
+
|
|
||||||
+./tst-pam_motd tst-pam_motd1 > tst-pam_motd1.out
|
|
||||||
+
|
|
||||||
+RET=$?
|
|
||||||
+
|
|
||||||
+motd_to_show_output=$(cat tst-pam_motd1.out | grep "motd: /etc/motd")
|
|
||||||
+if [ -z "${motd_to_show_output}" ];
|
|
||||||
+then
|
|
||||||
+ tst_cleanup
|
|
||||||
+ exit 1
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+motd_dir_to_show_output=$(cat tst-pam_motd1.out | grep "motd: /etc/motd.d/test")
|
|
||||||
+if [ -z "${motd_dir_to_show_output}" ];
|
|
||||||
+then
|
|
||||||
+ tst_cleanup
|
|
||||||
+ exit 1
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+tst_cleanup
|
|
||||||
+exit $RET
|
|
||||||
diff -up Linux-PAM-1.3.1/xtests/tst-pam_motd2.pamd.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/xtests/tst-pam_motd2.pamd
|
|
||||||
--- Linux-PAM-1.3.1/xtests/tst-pam_motd2.pamd.pam_motd-support-multiple-motd-paths1 2022-04-25 12:32:36.947663225 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/xtests/tst-pam_motd2.pamd 2022-04-25 12:32:36.947663225 +0200
|
|
||||||
@@ -0,0 +1,3 @@
|
|
||||||
+#%PAM-1.0
|
|
||||||
+session required pam_permit.so
|
|
||||||
+session optional pam_motd.so motd=tst-pam_motd2.d/etc/motd:tst-pam_motd2.d/run/motd:tst-pam_motd2.d/usr/lib/motd motd_dir=tst-pam_motd2.d/etc/motd.d:tst-pam_motd2.d/run/motd.d:tst-pam_motd2.d/usr/lib/motd.d
|
|
||||||
diff -up Linux-PAM-1.3.1/xtests/tst-pam_motd2.sh.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/xtests/tst-pam_motd2.sh
|
|
||||||
--- Linux-PAM-1.3.1/xtests/tst-pam_motd2.sh.pam_motd-support-multiple-motd-paths1 2022-04-25 12:32:36.947663225 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/xtests/tst-pam_motd2.sh 2022-04-25 12:32:36.947663225 +0200
|
|
||||||
@@ -0,0 +1,53 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+
|
|
||||||
+TST_DIR="tst-pam_motd2.d"
|
|
||||||
+
|
|
||||||
+function tst_cleanup() {
|
|
||||||
+ rm -rf "${TST_DIR}"
|
|
||||||
+ rm -f tst-pam_motd2.out
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+mkdir -p ${TST_DIR}
|
|
||||||
+mkdir -p ${TST_DIR}/etc/motd.d
|
|
||||||
+mkdir -p ${TST_DIR}/run/motd.d
|
|
||||||
+mkdir -p ${TST_DIR}/usr/lib/motd.d
|
|
||||||
+
|
|
||||||
+echo "motd: /etc/motd" > ${TST_DIR}/etc/motd
|
|
||||||
+echo "motd: /run/motd" > ${TST_DIR}/run/motd
|
|
||||||
+echo "motd: /usr/lib/motd" > ${TST_DIR}/usr/lib/motd
|
|
||||||
+
|
|
||||||
+# Drop a motd file in test directories such that every overriding
|
|
||||||
+# condition (for 3 directories in this case) will be seen.
|
|
||||||
+echo "motd: e0r0u1 in usr/lib - will show" > ${TST_DIR}/usr/lib/motd.d/e0r0u1.motd
|
|
||||||
+echo "motd: e0r1u0 in run - will show" > ${TST_DIR}/run/motd.d/e0r1u0.motd
|
|
||||||
+echo "motd: e0r1u1 in usr/lib - not show" > ${TST_DIR}/usr/lib/motd.d/e0r1u1.motd
|
|
||||||
+echo "motd: e0r1u1 in run - will show" > ${TST_DIR}/run/motd.d/e0r1u1.motd
|
|
||||||
+echo "motd: e1r0u0 in etc - will show" > ${TST_DIR}/etc/motd.d/e1r0u0.motd
|
|
||||||
+echo "motd: e1r0u1 in usr/lib - not show" > ${TST_DIR}/usr/lib/motd.d/e1r0u1.motd
|
|
||||||
+echo "motd: e1r0u1 in etc - will show" > ${TST_DIR}/etc/motd.d/e1r0u1.motd
|
|
||||||
+echo "motd: e1r1u0 in run - not show" > ${TST_DIR}/run/motd.d/e1r1u0.motd
|
|
||||||
+echo "motd: e1r1u0 in etc - will show" > ${TST_DIR}/etc/motd.d/e1r1u0.motd
|
|
||||||
+echo "motd: e1r1u1 in usr/lib - not show" > ${TST_DIR}/usr/lib/motd.d/e1r1u1.motd
|
|
||||||
+echo "motd: e1r1u1 in run - not show" > ${TST_DIR}/run/motd.d/e1r1u1.motd
|
|
||||||
+echo "motd: e1r1u1 in etc - will show" > ${TST_DIR}/etc/motd.d/e1r1u1.motd
|
|
||||||
+
|
|
||||||
+./tst-pam_motd tst-pam_motd2 > tst-pam_motd2.out
|
|
||||||
+
|
|
||||||
+RET=$?
|
|
||||||
+
|
|
||||||
+motd_to_show_output=$(cat tst-pam_motd2.out | grep "motd: /etc/motd")
|
|
||||||
+if [ -z "${motd_to_show_output}" ];
|
|
||||||
+then
|
|
||||||
+ tst_cleanup
|
|
||||||
+ exit 1
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+motd_dir_not_show_output=$(cat tst-pam_motd2.out | grep "not show")
|
|
||||||
+if [ -n "${motd_dir_not_show_output}" ];
|
|
||||||
+then
|
|
||||||
+ tst_cleanup
|
|
||||||
+ exit 1
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+tst_cleanup
|
|
||||||
+exit $RET
|
|
||||||
diff -up Linux-PAM-1.3.1/xtests/tst-pam_motd3.pamd.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/xtests/tst-pam_motd3.pamd
|
|
||||||
--- Linux-PAM-1.3.1/xtests/tst-pam_motd3.pamd.pam_motd-support-multiple-motd-paths1 2022-04-25 12:32:36.947663225 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/xtests/tst-pam_motd3.pamd 2022-04-25 12:32:36.947663225 +0200
|
|
||||||
@@ -0,0 +1,3 @@
|
|
||||||
+#%PAM-1.0
|
|
||||||
+session required pam_permit.so
|
|
||||||
+session optional pam_motd.so motd=tst-pam_motd3.d/etc/motd:tst-pam_motd3.d/run/motd:tst-pam_motd3.d/usr/lib/motd motd_dir=tst-pam_motd3.d/etc/motd.d:tst-pam_motd3.d/run/motd.d:tst-pam_motd3.d/usr/lib/motd.d
|
|
||||||
diff -up Linux-PAM-1.3.1/xtests/tst-pam_motd3.sh.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/xtests/tst-pam_motd3.sh
|
|
||||||
--- Linux-PAM-1.3.1/xtests/tst-pam_motd3.sh.pam_motd-support-multiple-motd-paths1 2022-04-25 12:32:36.947663225 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/xtests/tst-pam_motd3.sh 2022-04-25 12:32:36.947663225 +0200
|
|
||||||
@@ -0,0 +1,53 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+
|
|
||||||
+TST_DIR="tst-pam_motd3.d"
|
|
||||||
+
|
|
||||||
+function tst_cleanup() {
|
|
||||||
+ rm -rf "${TST_DIR}"
|
|
||||||
+ rm -f tst-pam_motd3.out
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+mkdir -p ${TST_DIR}
|
|
||||||
+mkdir -p ${TST_DIR}/etc/motd.d
|
|
||||||
+mkdir -p ${TST_DIR}/run/motd.d
|
|
||||||
+mkdir -p ${TST_DIR}/usr/lib/motd.d
|
|
||||||
+
|
|
||||||
+# Verify motd is still displayed when not overridden
|
|
||||||
+echo "motd: test-show in run - show" > ${TST_DIR}/run/motd.d/test-show.motd
|
|
||||||
+
|
|
||||||
+# Test overridden by a symlink to a file that isn't /dev/null; symlink target should show
|
|
||||||
+echo "motd: hidden-by-symlink in usr/lib - not show" > ${TST_DIR}/usr/lib/motd.d/hidden-by-symlink.motd
|
|
||||||
+echo "motd: test-from-symlink - show" > ${TST_DIR}/test-from-symlink.motd
|
|
||||||
+ln -sr ${TST_DIR}/test-from-symlink.motd ${TST_DIR}/run/motd.d/hidden-by-symlink.motd
|
|
||||||
+
|
|
||||||
+# Test hidden by a null symlink
|
|
||||||
+echo "motd: hidden-by-null-symlink in run - not show" > ${TST_DIR}/run/motd.d/hidden-by-null-symlink.motd
|
|
||||||
+ln -s /dev/null ${TST_DIR}/etc/motd.d/hidden-by-null-symlink.motd
|
|
||||||
+
|
|
||||||
+./tst-pam_motd tst-pam_motd3 > tst-pam_motd3.out
|
|
||||||
+
|
|
||||||
+RET=$?
|
|
||||||
+
|
|
||||||
+motd_dir_not_show_output=$(cat tst-pam_motd3.out | grep "not show")
|
|
||||||
+if [ -n "${motd_dir_not_show_output}" ];
|
|
||||||
+then
|
|
||||||
+ tst_cleanup
|
|
||||||
+ exit 1
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+motd_test_show_output=$(cat tst-pam_motd3.out | grep "test-show.*- show")
|
|
||||||
+if [ -z "${motd_test_show_output}" ];
|
|
||||||
+then
|
|
||||||
+ tst_cleanup
|
|
||||||
+ exit 1
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+motd_general_symlink_show_output=$(cat tst-pam_motd3.out | grep "test-from-symlink.*- show")
|
|
||||||
+if [ -z "${motd_general_symlink_show_output}" ];
|
|
||||||
+then
|
|
||||||
+ tst_cleanup
|
|
||||||
+ exit 1
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+tst_cleanup
|
|
||||||
+exit $RET
|
|
||||||
diff -up Linux-PAM-1.3.1/xtests/tst-pam_motd.c.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/xtests/tst-pam_motd.c
|
|
||||||
--- Linux-PAM-1.3.1/xtests/tst-pam_motd.c.pam_motd-support-multiple-motd-paths1 2022-04-25 12:32:36.947663225 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/xtests/tst-pam_motd.c 2022-04-25 12:32:36.947663225 +0200
|
|
||||||
@@ -0,0 +1,69 @@
|
|
||||||
+/*
|
|
||||||
+ * Redistribution and use in source and binary forms, with or without
|
|
||||||
+ * modification, are permitted provided that the following conditions
|
|
||||||
+ * are met:
|
|
||||||
+ * 1. Redistributions of source code must retain the above copyright
|
|
||||||
+ * notice, and the entire permission notice in its entirety,
|
|
||||||
+ * including the disclaimer of warranties.
|
|
||||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
||||||
+ * notice, this list of conditions and the following disclaimer in the
|
|
||||||
+ * documentation and/or other materials provided with the distribution.
|
|
||||||
+ * 3. The name of the author may not be used to endorse or promote
|
|
||||||
+ * products derived from this software without specific prior
|
|
||||||
+ * written permission.
|
|
||||||
+ *
|
|
||||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
|
||||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
|
||||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
|
||||||
+ * necessary due to a potential bad interaction between the GPL and
|
|
||||||
+ * the restrictions contained in a BSD-style copyright.)
|
|
||||||
+ *
|
|
||||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
||||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
||||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
||||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
|
||||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
||||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
||||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
||||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
||||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
||||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
||||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#ifdef HAVE_CONFIG_H
|
|
||||||
+#include <config.h>
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <security/pam_appl.h>
|
|
||||||
+#include <security/pam_misc.h>
|
|
||||||
+
|
|
||||||
+static struct pam_conv conv = {
|
|
||||||
+ misc_conv,
|
|
||||||
+ NULL
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+int main(int argc, char *argv[])
|
|
||||||
+{
|
|
||||||
+ pam_handle_t *pamh=NULL;
|
|
||||||
+ char *tst_arg = NULL;
|
|
||||||
+ int retval;
|
|
||||||
+
|
|
||||||
+ if (argc > 1)
|
|
||||||
+ tst_arg = argv[1];
|
|
||||||
+
|
|
||||||
+ retval = pam_start(tst_arg, NULL, &conv, &pamh);
|
|
||||||
+
|
|
||||||
+ retval = pam_open_session(pamh, 0);
|
|
||||||
+
|
|
||||||
+ retval = pam_close_session(pamh, 0);
|
|
||||||
+
|
|
||||||
+ if (pam_end(pamh,retval) != PAM_SUCCESS) { /* close Linux-PAM */
|
|
||||||
+ pamh = NULL;
|
|
||||||
+ exit(1);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return ( retval == PAM_SUCCESS ? 0:1 ); /* indicate success */
|
|
||||||
+}
|
|
||||||
diff -up Linux-PAM-1.3.1/xtests/tst-pam_motd.sh.pam_motd-support-multiple-motd-paths1 Linux-PAM-1.3.1/xtests/tst-pam_motd.sh
|
|
||||||
--- Linux-PAM-1.3.1/xtests/tst-pam_motd.sh.pam_motd-support-multiple-motd-paths1 2022-04-25 12:32:36.947663225 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/xtests/tst-pam_motd.sh 2022-04-25 12:32:36.947663225 +0200
|
|
||||||
@@ -0,0 +1,7 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+
|
|
||||||
+set -e
|
|
||||||
+
|
|
||||||
+./tst-pam_motd1.sh
|
|
||||||
+./tst-pam_motd2.sh
|
|
||||||
+./tst-pam_motd3.sh
|
|
@ -1,573 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/Makefile.am.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/Makefile.am
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_pwhistory/Makefile.am.pam-pwhistory-load-conf-from-file 2022-09-29 10:13:35.709355179 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/Makefile.am 2022-09-29 10:13:35.780355766 +0200
|
|
||||||
@@ -10,9 +10,10 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-
|
|
||||||
|
|
||||||
TESTS = tst-pam_pwhistory
|
|
||||||
|
|
||||||
-man_MANS = pam_pwhistory.8 pwhistory_helper.8
|
|
||||||
+man_MANS = pam_pwhistory.8 pwhistory_helper.8 pwhistory.conf.5
|
|
||||||
|
|
||||||
-XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml
|
|
||||||
+XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml \
|
|
||||||
+ pwhistory.conf.5.xml
|
|
||||||
|
|
||||||
securelibdir = $(SECUREDIR)
|
|
||||||
secureconfdir = $(SCONFIGDIR)
|
|
||||||
@@ -25,12 +26,14 @@ if HAVE_VERSIONING
|
|
||||||
pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
|
||||||
endif
|
|
||||||
|
|
||||||
-noinst_HEADERS = opasswd.h
|
|
||||||
+noinst_HEADERS = opasswd.h pwhistory_config.h
|
|
||||||
+
|
|
||||||
+dist_secureconf_DATA = pwhistory.conf
|
|
||||||
|
|
||||||
securelib_LTLIBRARIES = pam_pwhistory.la
|
|
||||||
pam_pwhistory_la_CFLAGS = $(AM_CFLAGS)
|
|
||||||
pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@
|
|
||||||
-pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c
|
|
||||||
+pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c pwhistory_config.c
|
|
||||||
|
|
||||||
sbin_PROGRAMS = pwhistory_helper
|
|
||||||
pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @PIE_CFLAGS@
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.8.xml.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.8.xml
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.8.xml.pam-pwhistory-load-conf-from-file 2017-02-10 11:10:15.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.8.xml 2022-09-29 10:13:35.780355766 +0200
|
|
||||||
@@ -36,6 +36,9 @@
|
|
||||||
<arg choice="opt">
|
|
||||||
authtok_type=<replaceable>STRING</replaceable>
|
|
||||||
</arg>
|
|
||||||
+ <arg choice="opt">
|
|
||||||
+ conf=<replaceable>/path/to/config-file</replaceable>
|
|
||||||
+ </arg>
|
|
||||||
|
|
||||||
</cmdsynopsis>
|
|
||||||
</refsynopsisdiv>
|
|
||||||
@@ -104,7 +107,7 @@
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
The last <replaceable>N</replaceable> passwords for each
|
|
||||||
- user are saved in <filename>/etc/security/opasswd</filename>.
|
|
||||||
+ user are saved.
|
|
||||||
The default is <emphasis>10</emphasis>. Value of
|
|
||||||
<emphasis>0</emphasis> makes the module to keep the existing
|
|
||||||
contents of the <filename>opasswd</filename> file unchanged.
|
|
||||||
@@ -137,7 +140,26 @@
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>
|
|
||||||
+ <option>conf=<replaceable>/path/to/config-file</replaceable></option>
|
|
||||||
+ </term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ Use another configuration file instead of the default
|
|
||||||
+ <filename>/etc/security/pwhistory.conf</filename>.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+
|
|
||||||
</variablelist>
|
|
||||||
+ <para>
|
|
||||||
+ The options for configuring the module behavior are described in the
|
|
||||||
+ <citerefentry><refentrytitle>pwhistory.conf</refentrytitle>
|
|
||||||
+ <manvolnum>5</manvolnum></citerefentry> manual page. The options
|
|
||||||
+ specified on the module command line override the values from the
|
|
||||||
+ configuration file.
|
|
||||||
+ </para>
|
|
||||||
</refsect1>
|
|
||||||
|
|
||||||
<refsect1 id="pam_pwhistory-types">
|
|
||||||
@@ -223,6 +245,9 @@ password required pam_unix.so
|
|
||||||
<title>SEE ALSO</title>
|
|
||||||
<para>
|
|
||||||
<citerefentry>
|
|
||||||
+ <refentrytitle>pwhistory.conf</refentrytitle><manvolnum>5</manvolnum>
|
|
||||||
+ </citerefentry>,
|
|
||||||
+ <citerefentry>
|
|
||||||
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
|
|
||||||
</citerefentry>,
|
|
||||||
<citerefentry>
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.c.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.c
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.c.pam-pwhistory-load-conf-from-file 2022-09-29 10:13:35.711355195 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.c 2022-09-29 10:13:35.780355766 +0200
|
|
||||||
@@ -62,18 +62,11 @@
|
|
||||||
#include <security/_pam_macros.h>
|
|
||||||
|
|
||||||
#include "opasswd.h"
|
|
||||||
+#include "pwhistory_config.h"
|
|
||||||
|
|
||||||
#define DEFAULT_BUFLEN 2048
|
|
||||||
#define MAX_FD_NO 20000
|
|
||||||
|
|
||||||
-struct options_t {
|
|
||||||
- int debug;
|
|
||||||
- int enforce_for_root;
|
|
||||||
- int remember;
|
|
||||||
- int tries;
|
|
||||||
-};
|
|
||||||
-typedef struct options_t options_t;
|
|
||||||
-
|
|
||||||
|
|
||||||
static void
|
|
||||||
parse_option (pam_handle_t *pamh, const char *argv, options_t *options)
|
|
||||||
@@ -304,6 +297,8 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
|
|
||||||
options.remember = 10;
|
|
||||||
options.tries = 1;
|
|
||||||
|
|
||||||
+ parse_config_file(pamh, argc, argv, &options);
|
|
||||||
+
|
|
||||||
/* Parse parameters for module */
|
|
||||||
for ( ; argc-- > 0; argv++)
|
|
||||||
parse_option (pamh, *argv, &options);
|
|
||||||
@@ -311,7 +306,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
|
|
||||||
if (options.debug)
|
|
||||||
pam_syslog (pamh, LOG_DEBUG, "pam_sm_chauthtok entered");
|
|
||||||
|
|
||||||
-
|
|
||||||
if (options.remember == 0)
|
|
||||||
return PAM_IGNORE;
|
|
||||||
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.5.xml.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.5.xml
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.5.xml.pam-pwhistory-load-conf-from-file 2022-09-29 10:13:35.780355766 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.5.xml 2022-09-29 10:13:35.780355766 +0200
|
|
||||||
@@ -0,0 +1,155 @@
|
|
||||||
+<?xml version="1.0" encoding='UTF-8'?>
|
|
||||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
|
||||||
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
|
||||||
+
|
|
||||||
+<refentry id="pwhistory.conf">
|
|
||||||
+
|
|
||||||
+ <refmeta>
|
|
||||||
+ <refentrytitle>pwhistory.conf</refentrytitle>
|
|
||||||
+ <manvolnum>5</manvolnum>
|
|
||||||
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
|
|
||||||
+ </refmeta>
|
|
||||||
+
|
|
||||||
+ <refnamediv id="pwhistory.conf-name">
|
|
||||||
+ <refname>pwhistory.conf</refname>
|
|
||||||
+ <refpurpose>pam_pwhistory configuration file</refpurpose>
|
|
||||||
+ </refnamediv>
|
|
||||||
+
|
|
||||||
+ <refsect1 id="pwhistory.conf-description">
|
|
||||||
+
|
|
||||||
+ <title>DESCRIPTION</title>
|
|
||||||
+ <para>
|
|
||||||
+ <emphasis remap='B'>pwhistory.conf</emphasis> provides a way to configure the
|
|
||||||
+ default settings for saving the last passwords for each user.
|
|
||||||
+ This file is read by the <emphasis>pam_pwhistory</emphasis> module and is the
|
|
||||||
+ preferred method over configuring <emphasis>pam_pwhistory</emphasis> directly.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ The file has a very simple <emphasis>name = value</emphasis> format with possible comments
|
|
||||||
+ starting with <emphasis>#</emphasis> character. The whitespace at the beginning of line, end
|
|
||||||
+ of line, and around the <emphasis>=</emphasis> sign is ignored.
|
|
||||||
+ </para>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+ <refsect1 id="pwhistory.conf-options">
|
|
||||||
+
|
|
||||||
+ <title>OPTIONS</title>
|
|
||||||
+ <variablelist>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>
|
|
||||||
+ <option>debug</option>
|
|
||||||
+ </term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ Turns on debugging via
|
|
||||||
+ <citerefentry>
|
|
||||||
+ <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
|
|
||||||
+ </citerefentry>.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>
|
|
||||||
+ <option>enforce_for_root</option>
|
|
||||||
+ </term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ If this option is set, the check is enforced for root, too.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>
|
|
||||||
+ <option>remember=<replaceable>N</replaceable></option>
|
|
||||||
+ </term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ The last <replaceable>N</replaceable> passwords for each
|
|
||||||
+ user are saved.
|
|
||||||
+ The default is <emphasis>10</emphasis>. Value of
|
|
||||||
+ <emphasis>0</emphasis> makes the module to keep the existing
|
|
||||||
+ contents of the <filename>opasswd</filename> file unchanged.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>
|
|
||||||
+ <option>retry=<replaceable>N</replaceable></option>
|
|
||||||
+ </term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ Prompt user at most <replaceable>N</replaceable> times
|
|
||||||
+ before returning with error. The default is 1.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>
|
|
||||||
+ <option>file=<replaceable>/path/filename</replaceable></option>
|
|
||||||
+ </term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ Store password history in file
|
|
||||||
+ <replaceable>/path/filename</replaceable> rather than the default
|
|
||||||
+ location. The default location is
|
|
||||||
+ <filename>/etc/security/opasswd</filename>.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+ </variablelist>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+ <refsect1 id='pwhistory.conf-examples'>
|
|
||||||
+ <title>EXAMPLES</title>
|
|
||||||
+ <para>
|
|
||||||
+ /etc/security/pwhistory.conf file example:
|
|
||||||
+ </para>
|
|
||||||
+ <programlisting>
|
|
||||||
+debug
|
|
||||||
+remember=5
|
|
||||||
+file=/tmp/opasswd
|
|
||||||
+ </programlisting>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+ <refsect1 id="pwhistory.conf-files">
|
|
||||||
+ <title>FILES</title>
|
|
||||||
+ <variablelist>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term><filename>/etc/security/pwhistory.conf</filename></term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>the config file for custom options</para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+ </variablelist>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+ <refsect1 id='pwhistory.conf-see_also'>
|
|
||||||
+ <title>SEE ALSO</title>
|
|
||||||
+ <para>
|
|
||||||
+ <citerefentry>
|
|
||||||
+ <refentrytitle>pwhistory</refentrytitle><manvolnum>8</manvolnum>
|
|
||||||
+ </citerefentry>,
|
|
||||||
+ <citerefentry>
|
|
||||||
+ <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum>
|
|
||||||
+ </citerefentry>,
|
|
||||||
+ <citerefentry>
|
|
||||||
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
|
|
||||||
+ </citerefentry>,
|
|
||||||
+ <citerefentry>
|
|
||||||
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
|
|
||||||
+ </citerefentry>,
|
|
||||||
+ <citerefentry>
|
|
||||||
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
|
|
||||||
+ </citerefentry>
|
|
||||||
+ </para>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+ <refsect1 id='pwhistory.conf-author'>
|
|
||||||
+ <title>AUTHOR</title>
|
|
||||||
+ <para>
|
|
||||||
+ pam_pwhistory was written by Thorsten Kukuk. The support for
|
|
||||||
+ pwhistory.conf was written by Iker Pedrosa.
|
|
||||||
+ </para>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+</refentry>
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.c.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.c
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.c.pam-pwhistory-load-conf-from-file 2022-09-29 10:13:35.781355775 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.c 2022-09-29 10:14:33.377832622 +0200
|
|
||||||
@@ -0,0 +1,195 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com>
|
|
||||||
+ *
|
|
||||||
+ * Redistribution and use in source and binary forms, with or without
|
|
||||||
+ * modification, are permitted provided that the following conditions
|
|
||||||
+ * are met:
|
|
||||||
+ * 1. Redistributions of source code must retain the above copyright
|
|
||||||
+ * notice, and the entire permission notice in its entirety,
|
|
||||||
+ * including the disclaimer of warranties.
|
|
||||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
||||||
+ * notice, this list of conditions and the following disclaimer in the
|
|
||||||
+ * documentation and/or other materials provided with the distribution.
|
|
||||||
+ * 3. The name of the author may not be used to endorse or promote
|
|
||||||
+ * products derived from this software without specific prior
|
|
||||||
+ * written permission.
|
|
||||||
+ *
|
|
||||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
|
||||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
|
||||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
|
||||||
+ * necessary due to a potential bad interaction between the GPL and
|
|
||||||
+ * the restrictions contained in a BSD-style copyright.)
|
|
||||||
+ *
|
|
||||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
||||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
||||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
||||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
|
||||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
||||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
||||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
||||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
||||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
||||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
||||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "config.h"
|
|
||||||
+
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <syslog.h>
|
|
||||||
+#include <ctype.h>
|
|
||||||
+
|
|
||||||
+#include <security/pam_modutil.h>
|
|
||||||
+
|
|
||||||
+#include "pam_inline.h"
|
|
||||||
+#include "pwhistory_config.h"
|
|
||||||
+
|
|
||||||
+#define PWHISTORY_DEFAULT_CONF "/etc/security/pwhistory.conf"
|
|
||||||
+
|
|
||||||
+/* lookup a value for key in login.defs file or similar key value format */
|
|
||||||
+static char *
|
|
||||||
+pwhistory_search_key(pam_handle_t *pamh UNUSED,
|
|
||||||
+ const char *file_name,
|
|
||||||
+ const char *key)
|
|
||||||
+{
|
|
||||||
+ FILE *fp;
|
|
||||||
+ char *buf = NULL;
|
|
||||||
+ size_t buflen = 0;
|
|
||||||
+ char *retval = NULL;
|
|
||||||
+
|
|
||||||
+#ifdef USE_ECONF
|
|
||||||
+ if (strcmp (file_name, LOGIN_DEFS) == 0)
|
|
||||||
+ return econf_search_key ("login", ".defs", key);
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ fp = fopen(file_name, "r");
|
|
||||||
+ if (NULL == fp)
|
|
||||||
+ return NULL;
|
|
||||||
+
|
|
||||||
+ while (!feof(fp)) {
|
|
||||||
+ char *tmp, *cp;
|
|
||||||
+#if defined(HAVE_GETLINE)
|
|
||||||
+ ssize_t n = getline(&buf, &buflen, fp);
|
|
||||||
+#elif defined (HAVE_GETDELIM)
|
|
||||||
+ ssize_t n = getdelim(&buf, &buflen, '\n', fp);
|
|
||||||
+#else
|
|
||||||
+ ssize_t n;
|
|
||||||
+
|
|
||||||
+ if (buf == NULL) {
|
|
||||||
+ buflen = BUF_SIZE;
|
|
||||||
+ buf = malloc(buflen);
|
|
||||||
+ if (buf == NULL) {
|
|
||||||
+ fclose(fp);
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ buf[0] = '\0';
|
|
||||||
+ if (fgets(buf, buflen - 1, fp) == NULL)
|
|
||||||
+ break;
|
|
||||||
+ else if (buf != NULL)
|
|
||||||
+ n = strlen(buf);
|
|
||||||
+ else
|
|
||||||
+ n = 0;
|
|
||||||
+#endif /* HAVE_GETLINE / HAVE_GETDELIM */
|
|
||||||
+ cp = buf;
|
|
||||||
+
|
|
||||||
+ if (n < 1)
|
|
||||||
+ break;
|
|
||||||
+ if (cp[n - 1] == '\n')
|
|
||||||
+ cp[n - 1] = '\0';
|
|
||||||
+
|
|
||||||
+ tmp = strchr(cp, '#'); /* remove comments */
|
|
||||||
+ if (tmp)
|
|
||||||
+ *tmp = '\0';
|
|
||||||
+ while (isspace((int)*cp)) /* remove spaces and tabs */
|
|
||||||
+ ++cp;
|
|
||||||
+ if (*cp == '\0') /* ignore empty lines */
|
|
||||||
+ continue;
|
|
||||||
+
|
|
||||||
+ tmp = strsep (&cp, " \t=");
|
|
||||||
+ if (cp != NULL)
|
|
||||||
+ while (isspace((int)*cp) || *cp == '=')
|
|
||||||
+ ++cp;
|
|
||||||
+ else
|
|
||||||
+ cp = buf + n; /* empty string */
|
|
||||||
+
|
|
||||||
+ if (strcasecmp(tmp, key) == 0) {
|
|
||||||
+ retval = strdup(cp);
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ fclose(fp);
|
|
||||||
+
|
|
||||||
+ free(buf);
|
|
||||||
+
|
|
||||||
+ return retval;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
+parse_config_file(pam_handle_t *pamh, int argc, const char **argv,
|
|
||||||
+ struct options_t *options)
|
|
||||||
+{
|
|
||||||
+ const char *fname = NULL;
|
|
||||||
+ int i;
|
|
||||||
+ char *val;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < argc; ++i) {
|
|
||||||
+ const char *str = pam_str_skip_prefix(argv[i], "conf=");
|
|
||||||
+
|
|
||||||
+ if (str != NULL) {
|
|
||||||
+ fname = str;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (fname == NULL) {
|
|
||||||
+ fname = PWHISTORY_DEFAULT_CONF;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ val = pwhistory_search_key (pamh, fname, "debug");
|
|
||||||
+ if (val != NULL) {
|
|
||||||
+ options->debug = 1;
|
|
||||||
+ free(val);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ val = pwhistory_search_key (pamh, fname, "enforce_for_root");
|
|
||||||
+ if (val != NULL) {
|
|
||||||
+ options->enforce_for_root = 1;
|
|
||||||
+ free(val);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ val = pwhistory_search_key (pamh, fname, "remember");
|
|
||||||
+ if (val != NULL) {
|
|
||||||
+ unsigned int temp;
|
|
||||||
+ if (sscanf(val, "%u", &temp) != 1) {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR,
|
|
||||||
+ "Bad number supplied for remember argument");
|
|
||||||
+ } else {
|
|
||||||
+ options->remember = temp;
|
|
||||||
+ }
|
|
||||||
+ free(val);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ val = pwhistory_search_key (pamh, fname, "retry");
|
|
||||||
+ if (val != NULL) {
|
|
||||||
+ unsigned int temp;
|
|
||||||
+ if (sscanf(val, "%u", &temp) != 1) {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR,
|
|
||||||
+ "Bad number supplied for retry argument");
|
|
||||||
+ } else {
|
|
||||||
+ options->tries = temp;
|
|
||||||
+ }
|
|
||||||
+ free(val);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ val = pwhistory_search_key (pamh, fname, "file");
|
|
||||||
+ if (val != NULL) {
|
|
||||||
+ if (*val != '/') {
|
|
||||||
+ pam_syslog (pamh, LOG_ERR,
|
|
||||||
+ "File path should be absolute: %s", val);
|
|
||||||
+ } else {
|
|
||||||
+ options->filename = val;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.h.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.h
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.h.pam-pwhistory-load-conf-from-file 2022-09-29 10:13:35.781355775 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.h 2022-09-29 10:13:35.781355775 +0200
|
|
||||||
@@ -0,0 +1,54 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com>
|
|
||||||
+ *
|
|
||||||
+ * Redistribution and use in source and binary forms, with or without
|
|
||||||
+ * modification, are permitted provided that the following conditions
|
|
||||||
+ * are met:
|
|
||||||
+ * 1. Redistributions of source code must retain the above copyright
|
|
||||||
+ * notice, and the entire permission notice in its entirety,
|
|
||||||
+ * including the disclaimer of warranties.
|
|
||||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
||||||
+ * notice, this list of conditions and the following disclaimer in the
|
|
||||||
+ * documentation and/or other materials provided with the distribution.
|
|
||||||
+ * 3. The name of the author may not be used to endorse or promote
|
|
||||||
+ * products derived from this software without specific prior
|
|
||||||
+ * written permission.
|
|
||||||
+ *
|
|
||||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
|
||||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
|
||||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
|
||||||
+ * necessary due to a potential bad interaction between the GPL and
|
|
||||||
+ * the restrictions contained in a BSD-style copyright.)
|
|
||||||
+ *
|
|
||||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
||||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
||||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
||||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
|
||||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
||||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
||||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
||||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
||||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
||||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
||||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#ifndef _PWHISTORY_CONFIG_H
|
|
||||||
+#define _PWHISTORY_CONFIG_H
|
|
||||||
+
|
|
||||||
+#include <security/pam_ext.h>
|
|
||||||
+
|
|
||||||
+struct options_t {
|
|
||||||
+ int debug;
|
|
||||||
+ int enforce_for_root;
|
|
||||||
+ int remember;
|
|
||||||
+ int tries;
|
|
||||||
+ const char *filename;
|
|
||||||
+};
|
|
||||||
+typedef struct options_t options_t;
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
+parse_config_file(pam_handle_t *pamh, int argc, const char **argv,
|
|
||||||
+ struct options_t *options);
|
|
||||||
+
|
|
||||||
+#endif /* _PWHISTORY_CONFIG_H */
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.pam-pwhistory-load-conf-from-file 2022-09-29 10:13:35.781355775 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf 2022-09-29 10:13:35.781355775 +0200
|
|
||||||
@@ -0,0 +1,21 @@
|
|
||||||
+# Configuration for remembering the last passwords used by a user.
|
|
||||||
+#
|
|
||||||
+# Enable the debugging logs.
|
|
||||||
+# Enabled if option is present.
|
|
||||||
+# debug
|
|
||||||
+#
|
|
||||||
+# root account's passwords are also remembered.
|
|
||||||
+# Enabled if option is present.
|
|
||||||
+# enforce_for_root
|
|
||||||
+#
|
|
||||||
+# Number of passwords to remember.
|
|
||||||
+# The default is 10.
|
|
||||||
+# remember = 10
|
|
||||||
+#
|
|
||||||
+# Number of times to prompt for the password.
|
|
||||||
+# The default is 1.
|
|
||||||
+# retry = 1
|
|
||||||
+#
|
|
||||||
+# The directory where the last passwords are kept.
|
|
||||||
+# The default is /etc/security/opasswd.
|
|
||||||
+# file = /etc/security/opasswd
|
|
@ -1,111 +0,0 @@
|
|||||||
From a7453aeeb398d6cbb7a709c4e2a1d75905220fff Mon Sep 17 00:00:00 2001
|
|
||||||
From: Stanislav Zidek <szidek@redhat.com>
|
|
||||||
Date: Fri, 16 Apr 2021 19:14:18 +0200
|
|
||||||
Subject: [PATCH] pam_userdb: Prevent garbage characters from db
|
|
||||||
|
|
||||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791965
|
|
||||||
---
|
|
||||||
modules/pam_userdb/pam_userdb.8.xml | 3 +-
|
|
||||||
modules/pam_userdb/pam_userdb.c | 56 +++++++++++++++++------------
|
|
||||||
2 files changed, 36 insertions(+), 23 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_userdb/pam_userdb.8.xml b/modules/pam_userdb/pam_userdb.8.xml
|
|
||||||
index fa628ada..bce92850 100644
|
|
||||||
--- a/modules/pam_userdb/pam_userdb.8.xml
|
|
||||||
+++ b/modules/pam_userdb/pam_userdb.8.xml
|
|
||||||
@@ -100,7 +100,8 @@
|
|
||||||
</term>
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
- Print debug information.
|
|
||||||
+ Print debug information. Note that password hashes, both from db
|
|
||||||
+ and computed, will be printed to syslog.
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
|
|
||||||
index dc2ca232..d59801bf 100644
|
|
||||||
--- a/modules/pam_userdb/pam_userdb.c
|
|
||||||
+++ b/modules/pam_userdb/pam_userdb.c
|
|
||||||
@@ -194,7 +194,7 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (data.dptr != NULL) {
|
|
||||||
- int compare = 0;
|
|
||||||
+ int compare = -2;
|
|
||||||
|
|
||||||
if (ctrl & PAM_KEY_ONLY_ARG)
|
|
||||||
{
|
|
||||||
@@ -209,36 +209,48 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
|
|
||||||
char *cryptpw = NULL;
|
|
||||||
|
|
||||||
if (data.dsize < 13) {
|
|
||||||
- compare = -2;
|
|
||||||
+ /* hash is too short */
|
|
||||||
+ pam_syslog(pamh, LOG_INFO, "password hash in database is too short");
|
|
||||||
} else if (ctrl & PAM_ICASE_ARG) {
|
|
||||||
- compare = -2;
|
|
||||||
+ pam_syslog(pamh, LOG_INFO,
|
|
||||||
+ "case-insensitive comparison only works with plaintext passwords");
|
|
||||||
} else {
|
|
||||||
+ /* libdb is not guaranteed to produce null terminated strings */
|
|
||||||
+ char *pwhash = strndup(data.dptr, data.dsize);
|
|
||||||
+
|
|
||||||
+ if (pwhash == NULL) {
|
|
||||||
+ pam_syslog(pamh, LOG_CRIT, "strndup failed: data.dptr");
|
|
||||||
+ } else {
|
|
||||||
#ifdef HAVE_CRYPT_R
|
|
||||||
- struct crypt_data *cdata = NULL;
|
|
||||||
- cdata = malloc(sizeof(*cdata));
|
|
||||||
- if (cdata != NULL) {
|
|
||||||
- cdata->initialized = 0;
|
|
||||||
- cryptpw = crypt_r(pass, data.dptr, cdata);
|
|
||||||
- }
|
|
||||||
+ struct crypt_data *cdata = NULL;
|
|
||||||
+ cdata = malloc(sizeof(*cdata));
|
|
||||||
+ if (cdata == NULL) {
|
|
||||||
+ pam_syslog(pamh, LOG_CRIT, "malloc failed: struct crypt_data");
|
|
||||||
+ } else {
|
|
||||||
+ cdata->initialized = 0;
|
|
||||||
+ cryptpw = crypt_r(pass, pwhash, cdata);
|
|
||||||
+ }
|
|
||||||
#else
|
|
||||||
- cryptpw = crypt (pass, data.dptr);
|
|
||||||
+ cryptpw = crypt (pass, pwhash);
|
|
||||||
#endif
|
|
||||||
- if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
|
|
||||||
- compare = memcmp(data.dptr, cryptpw, data.dsize);
|
|
||||||
- } else {
|
|
||||||
- compare = -2;
|
|
||||||
- if (ctrl & PAM_DEBUG_ARG) {
|
|
||||||
- if (cryptpw)
|
|
||||||
- pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
|
|
||||||
- else
|
|
||||||
- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
|
|
||||||
+ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
|
|
||||||
+ compare = memcmp(data.dptr, cryptpw, data.dsize);
|
|
||||||
+ } else {
|
|
||||||
+ if (ctrl & PAM_DEBUG_ARG) {
|
|
||||||
+ if (cryptpw) {
|
|
||||||
+ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
|
|
||||||
+ pam_syslog(pamh, LOG_INFO, "computed hash: %s", cryptpw);
|
|
||||||
+ } else {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "crypt() returned NULL");
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
- }
|
|
||||||
#ifdef HAVE_CRYPT_R
|
|
||||||
- free(cdata);
|
|
||||||
+ free(cdata);
|
|
||||||
#endif
|
|
||||||
+ }
|
|
||||||
+ free(pwhash);
|
|
||||||
}
|
|
||||||
-
|
|
||||||
} else {
|
|
||||||
|
|
||||||
/* Unknown password encryption method -
|
|
||||||
--
|
|
||||||
2.30.2
|
|
||||||
|
|
@ -1,75 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.3.1/configure.ac.pam-usertype-SYS_UID_MAX Linux-PAM-1.3.1/configure.ac
|
|
||||||
--- Linux-PAM-1.3.1/configure.ac.pam-usertype-SYS_UID_MAX 2022-06-22 16:41:09.169146826 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/configure.ac 2022-06-22 16:43:54.343373619 +0200
|
|
||||||
@@ -615,12 +615,6 @@ if test x"$opt_uidmin" == x; then
|
|
||||||
fi
|
|
||||||
AC_DEFINE_UNQUOTED(PAM_USERTYPE_UIDMIN, $opt_uidmin, [Minimum regular user uid.])
|
|
||||||
|
|
||||||
-AC_ARG_WITH([sysuidmin], AS_HELP_STRING([--with-sysuidmin=<number>],[default value for system user min uid (101)]), opt_sysuidmin=$withval)
|
|
||||||
-if test x"$opt_sysuidmin" == x; then
|
|
||||||
- opt_sysuidmin=101
|
|
||||||
-fi
|
|
||||||
-AC_DEFINE_UNQUOTED(PAM_USERTYPE_SYSUIDMIN, $opt_sysuidmin, [Minimum system user uid.])
|
|
||||||
-
|
|
||||||
AC_ARG_WITH([kerneloverflowuid], AS_HELP_STRING([--with-kernel-overflow-uid=<number>],[kernel overflow uid, default (uint16_t)-2=65534]), opt_kerneloverflowuid=$withval)
|
|
||||||
if test x"$opt_kerneloverflowuid" == x; then
|
|
||||||
opt_kerneloverflowuid=65534
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.8.xml.pam-usertype-SYS_UID_MAX Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.8.xml
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.8.xml.pam-usertype-SYS_UID_MAX 2022-06-22 16:41:09.155146722 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.8.xml 2022-06-22 16:41:09.169146826 +0200
|
|
||||||
@@ -31,7 +31,7 @@
|
|
||||||
pam_usertype.so is designed to succeed or fail authentication
|
|
||||||
based on type of the account of the authenticated user.
|
|
||||||
The type of the account is decided with help of
|
|
||||||
- <emphasis>SYS_UID_MIN</emphasis> and <emphasis>SYS_UID_MAX</emphasis>
|
|
||||||
+ <emphasis>SYS_UID_MAX</emphasis>
|
|
||||||
settings in <emphasis>/etc/login.defs</emphasis>. One use is to select
|
|
||||||
whether to load other modules based on this test.
|
|
||||||
</para>
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c.pam-usertype-SYS_UID_MAX Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c.pam-usertype-SYS_UID_MAX 2022-06-22 16:41:09.155146722 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c 2022-06-22 16:41:09.169146826 +0200
|
|
||||||
@@ -277,7 +277,6 @@ static int
|
|
||||||
pam_usertype_is_system(pam_handle_t *pamh, uid_t uid)
|
|
||||||
{
|
|
||||||
uid_t uid_min;
|
|
||||||
- uid_t sys_min;
|
|
||||||
uid_t sys_max;
|
|
||||||
|
|
||||||
if (uid == (uid_t)-1) {
|
|
||||||
@@ -285,21 +284,19 @@ pam_usertype_is_system(pam_handle_t *pam
|
|
||||||
return PAM_USER_UNKNOWN;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (uid <= 99) {
|
|
||||||
- /* Reserved. */
|
|
||||||
- return PAM_SUCCESS;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
if (uid == PAM_USERTYPE_OVERFLOW_UID) {
|
|
||||||
/* nobody */
|
|
||||||
return PAM_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
uid_min = pam_usertype_get_id(pamh, "UID_MIN", PAM_USERTYPE_UIDMIN);
|
|
||||||
- sys_min = pam_usertype_get_id(pamh, "SYS_UID_MIN", PAM_USERTYPE_SYSUIDMIN);
|
|
||||||
sys_max = pam_usertype_get_id(pamh, "SYS_UID_MAX", uid_min - 1);
|
|
||||||
|
|
||||||
- return uid >= sys_min && uid <= sys_max ? PAM_SUCCESS : PAM_AUTH_ERR;
|
|
||||||
+ if (uid <= sys_max && uid < uid_min) {
|
|
||||||
+ return PAM_SUCCESS;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return PAM_AUTH_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
@@ -336,7 +333,7 @@ pam_usertype_evaluate(struct pam_usertyp
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Arguments:
|
|
||||||
- * - issystem: uid in <SYS_UID_MIN, SYS_UID_MAX>
|
|
||||||
+ * - issystem: uid less than SYS_UID_MAX
|
|
||||||
* - isregular: not issystem
|
|
||||||
* - use_uid: use user that runs application not that is being authenticate (same as in pam_succeed_if)
|
|
||||||
* - audit: log unknown users to syslog
|
|
@ -1,712 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.3.1/configure.ac.pam-usertype Linux-PAM-1.3.1/configure.ac
|
|
||||||
--- Linux-PAM-1.3.1/configure.ac.pam-usertype 2020-05-15 10:03:27.247468160 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/configure.ac 2020-05-15 10:03:27.270468089 +0200
|
|
||||||
@@ -606,6 +606,27 @@ AC_SUBST([HAVE_KEY_MANAGEMENT], $HAVE_KE
|
|
||||||
|
|
||||||
AM_CONDITIONAL([HAVE_KEY_MANAGEMENT], [test "$have_key_syscalls" = 1])
|
|
||||||
|
|
||||||
+dnl
|
|
||||||
+dnl Get values for default uid ranges in login.defs used in pam_usertype
|
|
||||||
+dnl
|
|
||||||
+AC_ARG_WITH([uidmin], AS_HELP_STRING([--with-uidmin=<number>],[default value for regular user min uid (1000)]), opt_uidmin=$withval)
|
|
||||||
+if test x"$opt_uidmin" == x; then
|
|
||||||
+ opt_uidmin=1000
|
|
||||||
+fi
|
|
||||||
+AC_DEFINE_UNQUOTED(PAM_USERTYPE_UIDMIN, $opt_uidmin, [Minimum regular user uid.])
|
|
||||||
+
|
|
||||||
+AC_ARG_WITH([sysuidmin], AS_HELP_STRING([--with-sysuidmin=<number>],[default value for system user min uid (101)]), opt_sysuidmin=$withval)
|
|
||||||
+if test x"$opt_sysuidmin" == x; then
|
|
||||||
+ opt_sysuidmin=101
|
|
||||||
+fi
|
|
||||||
+AC_DEFINE_UNQUOTED(PAM_USERTYPE_SYSUIDMIN, $opt_sysuidmin, [Minimum system user uid.])
|
|
||||||
+
|
|
||||||
+AC_ARG_WITH([kerneloverflowuid], AS_HELP_STRING([--with-kernel-overflow-uid=<number>],[kernel overflow uid, default (uint16_t)-2=65534]), opt_kerneloverflowuid=$withval)
|
|
||||||
+if test x"$opt_kerneloverflowuid" == x; then
|
|
||||||
+ opt_kerneloverflowuid=65534
|
|
||||||
+fi
|
|
||||||
+AC_DEFINE_UNQUOTED(PAM_USERTYPE_OVERFLOW_UID, $opt_kerneloverflowuid, [Kernel overflow uid.])
|
|
||||||
+
|
|
||||||
dnl Files to be created from when we run configure
|
|
||||||
AC_CONFIG_FILES([Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile \
|
|
||||||
libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
|
|
||||||
@@ -636,6 +657,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
|
|
||||||
modules/pam_timestamp/Makefile modules/pam_tty_audit/Makefile \
|
|
||||||
modules/pam_umask/Makefile \
|
|
||||||
modules/pam_unix/Makefile modules/pam_userdb/Makefile \
|
|
||||||
+ modules/pam_usertype/Makefile \
|
|
||||||
modules/pam_warn/Makefile modules/pam_wheel/Makefile \
|
|
||||||
modules/pam_xauth/Makefile doc/Makefile doc/specs/Makefile \
|
|
||||||
doc/man/Makefile doc/sag/Makefile doc/adg/Makefile \
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/Makefile.am.pam-usertype Linux-PAM-1.3.1/modules/Makefile.am
|
|
||||||
--- Linux-PAM-1.3.1/modules/Makefile.am.pam-usertype 2020-05-15 10:03:27.247468160 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/Makefile.am 2020-05-15 10:03:27.270468089 +0200
|
|
||||||
@@ -12,7 +12,7 @@ SUBDIRS = pam_access pam_cracklib pam_de
|
|
||||||
pam_selinux pam_sepermit pam_shells pam_stress \
|
|
||||||
pam_succeed_if pam_time pam_timestamp \
|
|
||||||
pam_tty_audit pam_umask \
|
|
||||||
- pam_unix pam_userdb pam_warn pam_wheel pam_xauth
|
|
||||||
+ pam_unix pam_userdb pam_usertype pam_warn pam_wheel pam_xauth
|
|
||||||
|
|
||||||
CLEANFILES = *~
|
|
||||||
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_usertype/Makefile.am.pam-usertype Linux-PAM-1.3.1/modules/pam_usertype/Makefile.am
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_usertype/Makefile.am.pam-usertype 2020-05-15 10:03:27.270468089 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_usertype/Makefile.am 2020-05-15 10:03:27.270468089 +0200
|
|
||||||
@@ -0,0 +1,34 @@
|
|
||||||
+#
|
|
||||||
+# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk <kukuk@suse.de>
|
|
||||||
+# Copyright (c) 2020 Red Hat, Inc.
|
|
||||||
+#
|
|
||||||
+
|
|
||||||
+CLEANFILES = *~
|
|
||||||
+MAINTAINERCLEANFILES = $(MANS) README
|
|
||||||
+
|
|
||||||
+EXTRA_DIST = README ${MANS} ${XMLS} tst-pam_usertype
|
|
||||||
+
|
|
||||||
+TESTS = tst-pam_usertype
|
|
||||||
+
|
|
||||||
+man_MANS = pam_usertype.8
|
|
||||||
+
|
|
||||||
+XMLS = README.xml pam_usertype.8.xml
|
|
||||||
+
|
|
||||||
+securelibdir = $(SECUREDIR)
|
|
||||||
+secureconfdir = $(SCONFIGDIR)
|
|
||||||
+
|
|
||||||
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
|
|
||||||
+ $(WARN_CFLAGS)
|
|
||||||
+AM_LDFLAGS = -no-undefined -avoid-version -module
|
|
||||||
+if HAVE_VERSIONING
|
|
||||||
+ AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
|
||||||
+endif
|
|
||||||
+
|
|
||||||
+securelib_LTLIBRARIES = pam_usertype.la
|
|
||||||
+pam_usertype_la_LIBADD = $(top_builddir)/libpam/libpam.la
|
|
||||||
+
|
|
||||||
+if ENABLE_REGENERATE_MAN
|
|
||||||
+noinst_DATA = README
|
|
||||||
+README: pam_usertype.8.xml
|
|
||||||
+-include $(top_srcdir)/Make.xml.rules
|
|
||||||
+endif
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.8.xml.pam-usertype Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.8.xml
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.8.xml.pam-usertype 2020-05-15 10:03:27.270468089 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.8.xml 2020-05-15 10:03:27.270468089 +0200
|
|
||||||
@@ -0,0 +1,170 @@
|
|
||||||
+<?xml version="1.0" encoding='UTF-8'?>
|
|
||||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
|
||||||
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+<refentry id='pam_usertype'>
|
|
||||||
+ <refmeta>
|
|
||||||
+ <refentrytitle>pam_usertype</refentrytitle>
|
|
||||||
+ <manvolnum>8</manvolnum>
|
|
||||||
+ <refmiscinfo class='sectdesc'>Linux-PAM</refmiscinfo>
|
|
||||||
+ </refmeta>
|
|
||||||
+
|
|
||||||
+ <refnamediv id='pam_usertype-name'>
|
|
||||||
+ <refname>pam_usertype</refname>
|
|
||||||
+ <refpurpose>check if the authenticated user is a system or regular account</refpurpose>
|
|
||||||
+ </refnamediv>
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+ <refsynopsisdiv>
|
|
||||||
+ <cmdsynopsis id='pam_usertype-cmdsynopsis'>
|
|
||||||
+ <command>pam_usertype.so</command>
|
|
||||||
+ <arg choice='opt' rep='repeat'><replaceable>flag</replaceable></arg>
|
|
||||||
+ <arg choice='req'><replaceable>condition</replaceable></arg>
|
|
||||||
+ </cmdsynopsis>
|
|
||||||
+ </refsynopsisdiv>
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+ <refsect1 id='pam_usertype-description'>
|
|
||||||
+ <title>DESCRIPTION</title>
|
|
||||||
+ <para>
|
|
||||||
+ pam_usertype.so is designed to succeed or fail authentication
|
|
||||||
+ based on type of the account of the authenticated user.
|
|
||||||
+ The type of the account is decided with help of
|
|
||||||
+ <emphasis>SYS_UID_MIN</emphasis> and <emphasis>SYS_UID_MAX</emphasis>
|
|
||||||
+ settings in <emphasis>/etc/login.defs</emphasis>. One use is to select
|
|
||||||
+ whether to load other modules based on this test.
|
|
||||||
+ </para>
|
|
||||||
+
|
|
||||||
+ <para>
|
|
||||||
+ The module should be given only one condition as module argument.
|
|
||||||
+ Authentication will succeed only if the condition is met.
|
|
||||||
+ </para>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+ <refsect1 id="pam_usertype-options">
|
|
||||||
+ <title>OPTIONS</title>
|
|
||||||
+ <para>
|
|
||||||
+ The following <emphasis>flag</emphasis>s are supported:
|
|
||||||
+ </para>
|
|
||||||
+
|
|
||||||
+ <variablelist>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term><option>use_uid</option></term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ Evaluate conditions using the account of the user whose UID
|
|
||||||
+ the application is running under instead of the user being
|
|
||||||
+ authenticated.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term><option>audit</option></term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ Log unknown users to the system log.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+ </variablelist>
|
|
||||||
+
|
|
||||||
+ <para>
|
|
||||||
+ Available <emphasis>condition</emphasis>s are:
|
|
||||||
+ </para>
|
|
||||||
+
|
|
||||||
+ <variablelist>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term><option>issystem</option></term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>Succeed if the user is a system user.</para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term><option>isregular</option></term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>Succeed if the user is a regular user.</para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+ </variablelist>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+ <refsect1 id="pam_usertype-types">
|
|
||||||
+ <title>MODULE TYPES PROVIDED</title>
|
|
||||||
+ <para>
|
|
||||||
+ All module types (<option>account</option>, <option>auth</option>,
|
|
||||||
+ <option>password</option> and <option>session</option>) are provided.
|
|
||||||
+ </para>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+ <refsect1 id='pam_usertype-return_values'>
|
|
||||||
+ <title>RETURN VALUES</title>
|
|
||||||
+ <variablelist>
|
|
||||||
+
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>PAM_SUCCESS</term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ The condition was true.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>PAM_AUTH_ERR</term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ The condition was false.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>PAM_SERVICE_ERR</term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ A service error occurred or the arguments can't be
|
|
||||||
+ parsed correctly.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>PAM_USER_UNKNOWN</term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ User was not found.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+ </variablelist>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+ <refsect1 id='pam_usertype-examples'>
|
|
||||||
+ <title>EXAMPLES</title>
|
|
||||||
+ <para>
|
|
||||||
+ Skip remaining modules if the user is a system user:
|
|
||||||
+ </para>
|
|
||||||
+ <programlisting>
|
|
||||||
+account sufficient pam_usertype.so issystem
|
|
||||||
+ </programlisting>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+ <refsect1 id='pam_usertype-see_also'>
|
|
||||||
+ <title>SEE ALSO</title>
|
|
||||||
+ <para>
|
|
||||||
+ <citerefentry>
|
|
||||||
+ <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
|
|
||||||
+ </citerefentry>,
|
|
||||||
+ <citerefentry>
|
|
||||||
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
|
|
||||||
+ </citerefentry>
|
|
||||||
+ </para>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+ <refsect1 id='pam_usertype-author'>
|
|
||||||
+ <title>AUTHOR</title>
|
|
||||||
+ <para>Pavel Březina <pbrezina@redhat.com></para>
|
|
||||||
+ </refsect1>
|
|
||||||
+</refentry>
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c.pam-usertype Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c.pam-usertype 2020-05-15 10:03:27.270468089 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c 2020-05-15 10:16:08.053198025 +0200
|
|
||||||
@@ -0,0 +1,394 @@
|
|
||||||
+/******************************************************************************
|
|
||||||
+ * Check user type based on login.defs.
|
|
||||||
+ *
|
|
||||||
+ * Copyright (c) 2020 Red Hat, Inc.
|
|
||||||
+ * Written by Pavel Březina <pbrezina@redhat.com>
|
|
||||||
+ *
|
|
||||||
+ * Redistribution and use in source and binary forms, with or without
|
|
||||||
+ * modification, are permitted provided that the following conditions
|
|
||||||
+ * are met:
|
|
||||||
+ * 1. Redistributions of source code must retain the above copyright
|
|
||||||
+ * notice, and the entire permission notice in its entirety,
|
|
||||||
+ * including the disclaimer of warranties.
|
|
||||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
||||||
+ * notice, this list of conditions and the following disclaimer in the
|
|
||||||
+ * documentation and/or other materials provided with the distribution.
|
|
||||||
+ * 3. The name of the author may not be used to endorse or promote
|
|
||||||
+ * products derived from this software without specific prior
|
|
||||||
+ * written permission.
|
|
||||||
+ *
|
|
||||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
|
||||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
|
||||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
|
||||||
+ * necessary due to a potential bad interaction between the GPL and
|
|
||||||
+ * the restrictions contained in a BSD-style copyright.)
|
|
||||||
+ *
|
|
||||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
||||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
||||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
||||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
|
||||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
||||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
||||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
||||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
||||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
||||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
||||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
+ *
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "config.h"
|
|
||||||
+
|
|
||||||
+#include <sys/types.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <syslog.h>
|
|
||||||
+#include <unistd.h>
|
|
||||||
+#include <pwd.h>
|
|
||||||
+#include <ctype.h>
|
|
||||||
+#include <errno.h>
|
|
||||||
+#include <stdio.h>
|
|
||||||
+
|
|
||||||
+#define PAM_SM_AUTH
|
|
||||||
+#define PAM_SM_ACCOUNT
|
|
||||||
+#define PAM_SM_SESSION
|
|
||||||
+#define PAM_SM_PASSWORD
|
|
||||||
+
|
|
||||||
+#include <security/pam_modules.h>
|
|
||||||
+#include <security/pam_modutil.h>
|
|
||||||
+#include <security/pam_ext.h>
|
|
||||||
+
|
|
||||||
+#define LOGIN_DEFS "/etc/login.defs"
|
|
||||||
+
|
|
||||||
+enum pam_usertype_op {
|
|
||||||
+ OP_IS_SYSTEM,
|
|
||||||
+ OP_IS_REGULAR,
|
|
||||||
+
|
|
||||||
+ OP_SENTINEL
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+struct pam_usertype_opts {
|
|
||||||
+ enum pam_usertype_op op;
|
|
||||||
+ int use_uid;
|
|
||||||
+ int audit;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+pam_usertype_parse_args(struct pam_usertype_opts *opts,
|
|
||||||
+ pam_handle_t *pamh,
|
|
||||||
+ int argc,
|
|
||||||
+ const char **argv)
|
|
||||||
+{
|
|
||||||
+ int i;
|
|
||||||
+
|
|
||||||
+ memset(opts, 0, sizeof(struct pam_usertype_opts));
|
|
||||||
+ opts->op = OP_SENTINEL;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < argc; i++) {
|
|
||||||
+ if (strcmp(argv[i], "use_uid") == 0) {
|
|
||||||
+ opts->use_uid = 1;
|
|
||||||
+ } else if (strcmp(argv[i], "audit") == 0) {
|
|
||||||
+ opts->audit = 1;
|
|
||||||
+ } else if (strcmp(argv[i], "issystem") == 0) {
|
|
||||||
+ opts->op = OP_IS_SYSTEM;
|
|
||||||
+ } else if (strcmp(argv[i], "isregular") == 0) {
|
|
||||||
+ opts->op = OP_IS_REGULAR;
|
|
||||||
+ } else {
|
|
||||||
+ pam_syslog(pamh, LOG_WARNING, "Unknown argument: %s", argv[i]);
|
|
||||||
+ /* Just continue. */
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (opts->op == OP_SENTINEL) {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "Operation not specified");
|
|
||||||
+ return PAM_SERVICE_ERR;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return PAM_SUCCESS;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+pam_usertype_get_uid(struct pam_usertype_opts *opts,
|
|
||||||
+ pam_handle_t *pamh,
|
|
||||||
+ uid_t *_uid)
|
|
||||||
+{
|
|
||||||
+ struct passwd *pwd;
|
|
||||||
+ const void *prompt;
|
|
||||||
+ const char *username;
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ /* Get uid of user that runs the application. */
|
|
||||||
+ if (opts->use_uid) {
|
|
||||||
+ pwd = pam_modutil_getpwuid(pamh, getuid());
|
|
||||||
+ if (pwd == NULL) {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR,
|
|
||||||
+ "error retrieving information about user %lu",
|
|
||||||
+ (unsigned long)getuid());
|
|
||||||
+ return PAM_USER_UNKNOWN;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *_uid = pwd->pw_uid;
|
|
||||||
+ return PAM_SUCCESS;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Get uid of user that is being authenticated. */
|
|
||||||
+ ret = pam_get_item(pamh, PAM_USER_PROMPT, &prompt);
|
|
||||||
+ if (ret != PAM_SUCCESS || prompt == NULL || strlen(prompt) == 0) {
|
|
||||||
+ prompt = "login: ";
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = pam_get_user(pamh, &username, prompt);
|
|
||||||
+ if (ret != PAM_SUCCESS || username == NULL) {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "error retrieving user name: %s",
|
|
||||||
+ pam_strerror(pamh, ret));
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ pwd = pam_modutil_getpwnam(pamh, username);
|
|
||||||
+ if (pwd == NULL) {
|
|
||||||
+ if (opts->audit) {
|
|
||||||
+ pam_syslog(pamh, LOG_NOTICE,
|
|
||||||
+ "error retrieving information about user %s", username);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return PAM_USER_UNKNOWN;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *_uid = pwd->pw_uid;
|
|
||||||
+
|
|
||||||
+ return PAM_SUCCESS;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#define MAX_UID_VALUE 0xFFFFFFFFUL
|
|
||||||
+
|
|
||||||
+/* lookup a value for key in login.defs file or similar key value format */
|
|
||||||
+char *
|
|
||||||
+pam_usertype_search_key(pam_handle_t *pamh UNUSED,
|
|
||||||
+ const char *file_name,
|
|
||||||
+ const char *key)
|
|
||||||
+{
|
|
||||||
+ FILE *fp;
|
|
||||||
+ char *buf = NULL;
|
|
||||||
+ size_t buflen = 0;
|
|
||||||
+ char *retval = NULL;
|
|
||||||
+
|
|
||||||
+ fp = fopen(file_name, "r");
|
|
||||||
+ if (NULL == fp)
|
|
||||||
+ return NULL;
|
|
||||||
+
|
|
||||||
+ while (!feof(fp)) {
|
|
||||||
+ char *tmp, *cp;
|
|
||||||
+#if defined(HAVE_GETLINE)
|
|
||||||
+ ssize_t n = getline(&buf, &buflen, fp);
|
|
||||||
+#elif defined (HAVE_GETDELIM)
|
|
||||||
+ ssize_t n = getdelim(&buf, &buflen, '\n', fp);
|
|
||||||
+#else
|
|
||||||
+ ssize_t n;
|
|
||||||
+
|
|
||||||
+ if (buf == NULL) {
|
|
||||||
+ buflen = BUF_SIZE;
|
|
||||||
+ buf = malloc(buflen);
|
|
||||||
+ if (buf == NULL) {
|
|
||||||
+ fclose(fp);
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ buf[0] = '\0';
|
|
||||||
+ if (fgets(buf, buflen - 1, fp) == NULL)
|
|
||||||
+ break;
|
|
||||||
+ else if (buf != NULL)
|
|
||||||
+ n = strlen(buf);
|
|
||||||
+ else
|
|
||||||
+ n = 0;
|
|
||||||
+#endif /* HAVE_GETLINE / HAVE_GETDELIM */
|
|
||||||
+ cp = buf;
|
|
||||||
+
|
|
||||||
+ if (n < 1)
|
|
||||||
+ break;
|
|
||||||
+ if (cp[n - 1] == '\n')
|
|
||||||
+ cp[n - 1] = '\0';
|
|
||||||
+
|
|
||||||
+ tmp = strchr(cp, '#'); /* remove comments */
|
|
||||||
+ if (tmp)
|
|
||||||
+ *tmp = '\0';
|
|
||||||
+ while (isspace((int)*cp)) /* remove spaces and tabs */
|
|
||||||
+ ++cp;
|
|
||||||
+ if (*cp == '\0') /* ignore empty lines */
|
|
||||||
+ continue;
|
|
||||||
+
|
|
||||||
+ tmp = strsep (&cp, " \t=");
|
|
||||||
+ if (cp != NULL)
|
|
||||||
+ while (isspace((int)*cp) || *cp == '=')
|
|
||||||
+ ++cp;
|
|
||||||
+ else
|
|
||||||
+ cp = "";
|
|
||||||
+
|
|
||||||
+ if (strcasecmp(tmp, key) == 0) {
|
|
||||||
+ retval = strdup(cp);
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ fclose(fp);
|
|
||||||
+
|
|
||||||
+ free(buf);
|
|
||||||
+
|
|
||||||
+ return retval;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static uid_t
|
|
||||||
+pam_usertype_get_id(pam_handle_t *pamh,
|
|
||||||
+ const char *key,
|
|
||||||
+ uid_t default_value)
|
|
||||||
+{
|
|
||||||
+ unsigned long ul;
|
|
||||||
+ char *value;
|
|
||||||
+ char *ep;
|
|
||||||
+ uid_t uid;
|
|
||||||
+
|
|
||||||
+ value = pam_usertype_search_key(pamh, LOGIN_DEFS, key);
|
|
||||||
+ if (value == NULL) {
|
|
||||||
+ return default_value;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* taken from get_lastlog_uid_max() */
|
|
||||||
+ ep = value + strlen(value);
|
|
||||||
+ while (ep > value && isspace(*(--ep))) {
|
|
||||||
+ *ep = '\0';
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ errno = 0;
|
|
||||||
+ ul = strtoul(value, &ep, 10);
|
|
||||||
+ if (!(ul >= MAX_UID_VALUE
|
|
||||||
+ || (uid_t)ul >= MAX_UID_VALUE
|
|
||||||
+ || (errno != 0 && ul == 0)
|
|
||||||
+ || value == ep
|
|
||||||
+ || *ep != '\0')) {
|
|
||||||
+ uid = (uid_t)ul;
|
|
||||||
+ } else {
|
|
||||||
+ uid = default_value;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ free(value);
|
|
||||||
+
|
|
||||||
+ return uid;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+pam_usertype_is_system(pam_handle_t *pamh, uid_t uid)
|
|
||||||
+{
|
|
||||||
+ uid_t uid_min;
|
|
||||||
+ uid_t sys_min;
|
|
||||||
+ uid_t sys_max;
|
|
||||||
+
|
|
||||||
+ if (uid == (uid_t)-1) {
|
|
||||||
+ pam_syslog(pamh, LOG_WARNING, "invalid uid");
|
|
||||||
+ return PAM_USER_UNKNOWN;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (uid <= 99) {
|
|
||||||
+ /* Reserved. */
|
|
||||||
+ return PAM_SUCCESS;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (uid == PAM_USERTYPE_OVERFLOW_UID) {
|
|
||||||
+ /* nobody */
|
|
||||||
+ return PAM_SUCCESS;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ uid_min = pam_usertype_get_id(pamh, "UID_MIN", PAM_USERTYPE_UIDMIN);
|
|
||||||
+ sys_min = pam_usertype_get_id(pamh, "SYS_UID_MIN", PAM_USERTYPE_SYSUIDMIN);
|
|
||||||
+ sys_max = pam_usertype_get_id(pamh, "SYS_UID_MAX", uid_min - 1);
|
|
||||||
+
|
|
||||||
+ return uid >= sys_min && uid <= sys_max ? PAM_SUCCESS : PAM_AUTH_ERR;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+pam_usertype_is_regular(pam_handle_t *pamh, uid_t uid)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ ret = pam_usertype_is_system(pamh, uid);
|
|
||||||
+ switch (ret) {
|
|
||||||
+ case PAM_SUCCESS:
|
|
||||||
+ return PAM_AUTH_ERR;
|
|
||||||
+ case PAM_USER_UNKNOWN:
|
|
||||||
+ return PAM_USER_UNKNOWN;
|
|
||||||
+ default:
|
|
||||||
+ return PAM_SUCCESS;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+pam_usertype_evaluate(struct pam_usertype_opts *opts,
|
|
||||||
+ pam_handle_t *pamh,
|
|
||||||
+ uid_t uid)
|
|
||||||
+{
|
|
||||||
+ switch (opts->op) {
|
|
||||||
+ case OP_IS_SYSTEM:
|
|
||||||
+ return pam_usertype_is_system(pamh, uid);
|
|
||||||
+ case OP_IS_REGULAR:
|
|
||||||
+ return pam_usertype_is_regular(pamh, uid);
|
|
||||||
+ default:
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "Unknown operation: %d", opts->op);
|
|
||||||
+ return PAM_SERVICE_ERR;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
+ * Arguments:
|
|
||||||
+ * - issystem: uid in <SYS_UID_MIN, SYS_UID_MAX>
|
|
||||||
+ * - isregular: not issystem
|
|
||||||
+ * - use_uid: use user that runs application not that is being authenticate (same as in pam_succeed_if)
|
|
||||||
+ * - audit: log unknown users to syslog
|
|
||||||
+ */
|
|
||||||
+int
|
|
||||||
+pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
|
|
||||||
+ int argc, const char **argv)
|
|
||||||
+{
|
|
||||||
+ struct pam_usertype_opts opts;
|
|
||||||
+ uid_t uid;
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ ret = pam_usertype_parse_args(&opts, pamh, argc, argv);
|
|
||||||
+ if (ret != PAM_SUCCESS) {
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = pam_usertype_get_uid(&opts, pamh, &uid);
|
|
||||||
+ if (ret != PAM_SUCCESS) {
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return pam_usertype_evaluate(&opts, pamh, uid);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
|
|
||||||
+ int argc UNUSED, const char **argv UNUSED)
|
|
||||||
+{
|
|
||||||
+ return PAM_IGNORE;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
+{
|
|
||||||
+ return pam_sm_authenticate(pamh, flags, argc, argv);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
+{
|
|
||||||
+ return pam_sm_authenticate(pamh, flags, argc, argv);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
+{
|
|
||||||
+ return pam_sm_authenticate(pamh, flags, argc, argv);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
+{
|
|
||||||
+ return pam_sm_authenticate(pamh, flags, argc, argv);
|
|
||||||
+}
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_usertype/README.xml.pam-usertype Linux-PAM-1.3.1/modules/pam_usertype/README.xml
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_usertype/README.xml.pam-usertype 2020-05-15 10:03:27.270468089 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_usertype/README.xml 2020-05-15 10:03:27.270468089 +0200
|
|
||||||
@@ -0,0 +1,41 @@
|
|
||||||
+<?xml version="1.0" encoding='UTF-8'?>
|
|
||||||
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
|
||||||
+"http://www.docbook.org/xml/4.3/docbookx.dtd"
|
|
||||||
+[
|
|
||||||
+<!--
|
|
||||||
+<!ENTITY pamaccess SYSTEM "pam_usertype.8.xml">
|
|
||||||
+-->
|
|
||||||
+]>
|
|
||||||
+
|
|
||||||
+<article>
|
|
||||||
+
|
|
||||||
+ <articleinfo>
|
|
||||||
+
|
|
||||||
+ <title>
|
|
||||||
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
||||||
+ href="pam_usertype.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_usertype-name"]/*)'/>
|
|
||||||
+ </title>
|
|
||||||
+
|
|
||||||
+ </articleinfo>
|
|
||||||
+
|
|
||||||
+ <section>
|
|
||||||
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
||||||
+ href="pam_usertype.8.xml" xpointer='xpointer(//refsect1[@id = "pam_usertype-description"]/*)'/>
|
|
||||||
+ </section>
|
|
||||||
+
|
|
||||||
+ <section>
|
|
||||||
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
||||||
+ href="pam_usertype.8.xml" xpointer='xpointer(//refsect1[@id = "pam_usertype-options"]/*)'/>
|
|
||||||
+ </section>
|
|
||||||
+
|
|
||||||
+ <section>
|
|
||||||
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
||||||
+ href="pam_usertype.8.xml" xpointer='xpointer(//refsect1[@id = "pam_usertype-examples"]/*)'/>
|
|
||||||
+ </section>
|
|
||||||
+
|
|
||||||
+ <section>
|
|
||||||
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
||||||
+ href="pam_usertype.8.xml" xpointer='xpointer(//refsect1[@id = "pam_usertype-author"]/*)'/>
|
|
||||||
+ </section>
|
|
||||||
+
|
|
||||||
+</article>
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_usertype/tst-pam_usertype.pam-usertype Linux-PAM-1.3.1/modules/pam_usertype/tst-pam_usertype
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_usertype/tst-pam_usertype.pam-usertype 2020-05-15 10:03:27.270468089 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_usertype/tst-pam_usertype 2020-05-15 10:03:27.270468089 +0200
|
|
||||||
@@ -0,0 +1,2 @@
|
|
||||||
+#!/bin/sh
|
|
||||||
+../../tests/tst-dlopen .libs/pam_usertype.so
|
|
@ -1,33 +0,0 @@
|
|||||||
From e31dd6c7d0faa7a06d3ebd50a0b6957b9f822d15 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
|
||||||
Date: Wed, 7 Aug 2019 18:13:57 +0200
|
|
||||||
Subject: [PATCH] pam_tty_audit: Manual page clarification about password
|
|
||||||
logging
|
|
||||||
|
|
||||||
* modules/pam_tty_audit/pam_tty_audit.8.xml: Explanation why passwords
|
|
||||||
can be sometimes logged even when the option is not set.
|
|
||||||
---
|
|
||||||
modules/pam_tty_audit/pam_tty_audit.8.xml | 7 +++++++
|
|
||||||
1 file changed, 7 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml
|
|
||||||
index 59a3406..e346c68 100644
|
|
||||||
--- a/modules/pam_tty_audit/pam_tty_audit.8.xml
|
|
||||||
+++ b/modules/pam_tty_audit/pam_tty_audit.8.xml
|
|
||||||
@@ -149,6 +149,13 @@
|
|
||||||
greater than or equal to <replaceable>min_uid</replaceable> will be
|
|
||||||
matched.
|
|
||||||
</para>
|
|
||||||
+ <para>
|
|
||||||
+ Please note that passwords in some circumstances may be logged by TTY auditing
|
|
||||||
+ even if the <option>log_passwd</option> is not used. For example, all input to
|
|
||||||
+ an ssh session will be logged - even if there is a password being typed into
|
|
||||||
+ some software running at the remote host because only the local TTY state
|
|
||||||
+ affects the local TTY auditing.
|
|
||||||
+ </para>
|
|
||||||
</refsect1>
|
|
||||||
|
|
||||||
<refsect1 id='pam_tty_audit-examples'>
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
@ -1,12 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c.unix-default-rounds Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c.unix-default-rounds 2023-11-02 09:59:54.533238124 +0100
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c 2023-11-02 10:40:58.017404936 +0100
|
|
||||||
@@ -607,7 +607,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
|
|
||||||
unsigned int ctrl, lctrl;
|
|
||||||
int retval;
|
|
||||||
int remember = -1;
|
|
||||||
- int rounds = -1;
|
|
||||||
+ int rounds = 0;
|
|
||||||
int pass_min_len = 0;
|
|
||||||
|
|
||||||
/* <DO NOT free() THESE> */
|
|
@ -1,174 +0,0 @@
|
|||||||
From f7abb8c1ef3aa31e6c2564a8aaf69683a77c2016 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
|
|
||||||
Date: Thu, 15 Nov 2018 15:01:57 +0100
|
|
||||||
Subject: [PATCH] pam_unix: Use bcrypt b-variant for computing new hashes.
|
|
||||||
|
|
||||||
Bcrypt hashes used the "$2a$" prefix since 1997.
|
|
||||||
However, in 2011 an implementation bug was discovered in bcrypt
|
|
||||||
affecting the handling of characters in passphrases with the 8th
|
|
||||||
bit set.
|
|
||||||
|
|
||||||
Besides fixing the bug, OpenBSD 5.5 introduced the "$2b$" prefix
|
|
||||||
for a behavior that exactly matches crypt_blowfish's "$2y$", and
|
|
||||||
the crypt_blowfish implementation supports it as well since v1.1.
|
|
||||||
|
|
||||||
That said new computed bcrypt hashes should use the "$2b$" prefix.
|
|
||||||
|
|
||||||
* modules/pam_unix/passverify.c: Use bcrypt b-variant.
|
|
||||||
---
|
|
||||||
modules/pam_unix/passverify.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
|
|
||||||
index 9c1771e2..1f433b3a 100644
|
|
||||||
--- a/modules/pam_unix/passverify.c
|
|
||||||
+++ b/modules/pam_unix/passverify.c
|
|
||||||
@@ -385,7 +385,7 @@ PAMH_ARG_DECL(char * create_password_hash,
|
|
||||||
/* algoid = "$1" */
|
|
||||||
return crypt_md5_wrapper(password);
|
|
||||||
} else if (on(UNIX_BLOWFISH_PASS, ctrl)) {
|
|
||||||
- algoid = "$2a$";
|
|
||||||
+ algoid = "$2b$";
|
|
||||||
} else if (on(UNIX_SHA256_PASS, ctrl)) {
|
|
||||||
algoid = "$5$";
|
|
||||||
} else if (on(UNIX_SHA512_PASS, ctrl)) {
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
||||||
diff -up Linux-PAM-1.3.1/configure.ac.legacy-xcrypt Linux-PAM-1.3.1/configure.ac
|
|
||||||
--- Linux-PAM-1.3.1/configure.ac.legacy-xcrypt 2023-10-26 12:08:46.896437225 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/configure.ac 2023-10-26 12:10:38.289654696 +0200
|
|
||||||
@@ -395,19 +395,32 @@ AC_SUBST(LIBAUDIT)
|
|
||||||
AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS],
|
|
||||||
[test "x$HAVE_AUDIT_TTY_STATUS" = xyes])
|
|
||||||
|
|
||||||
-AC_CHECK_HEADERS(xcrypt.h crypt.h)
|
|
||||||
-AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
|
|
||||||
- [crypt_libs="xcrypt crypt"],
|
|
||||||
- [crypt_libs="crypt"])
|
|
||||||
+AC_CHECK_HEADERS(crypt.h)
|
|
||||||
|
|
||||||
BACKUP_LIBS=$LIBS
|
|
||||||
-AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="")
|
|
||||||
-AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
|
|
||||||
+LIBCRYPT=""
|
|
||||||
+PKG_CHECK_MODULES([CRYPT], [libcrypt], [
|
|
||||||
+ CFLAGS="$CFLAGS $CRYPT_CFLAGS"
|
|
||||||
+ CPPFLAGS="$CPPFLAGS $CRYPT_CFLAGS"
|
|
||||||
+ LIBS="$LIBS $CRYPT_LIBS"
|
|
||||||
+ LIBCRYPT="$CRYPT_LIBS"
|
|
||||||
+], [
|
|
||||||
+ AC_SEARCH_LIBS([crypt_gensalt_rn],[crypt])
|
|
||||||
+ case "$ac_cv_search_crypt_gensalt_rn" in
|
|
||||||
+ -l*) LIBCRYPT="$ac_cv_search_crypt_gensalt_rn" ;;
|
|
||||||
+ no) AC_SEARCH_LIBS([crypt_r],[crypt])
|
|
||||||
+ case "$ac_cv_search_crypt_r" in
|
|
||||||
+ -l*) LIBCRYPT="$ac_cv_search_crypt_r" ;;
|
|
||||||
+ no ) AC_SEARCH_LIBS([crypt],[crypt])
|
|
||||||
+ case "$ac_cv_search_crypt" in
|
|
||||||
+ -l*) LIBCRYPT="$ac_cv_search_crypt" ;;
|
|
||||||
+ esac ;;
|
|
||||||
+ esac ;;
|
|
||||||
+ esac
|
|
||||||
+])
|
|
||||||
+AC_CHECK_FUNCS([crypt_r])
|
|
||||||
LIBS=$BACKUP_LIBS
|
|
||||||
AC_SUBST(LIBCRYPT)
|
|
||||||
-if test "$LIBCRYPT" = "-lxcrypt" -a "$ac_cv_header_xcrypt_h" = "yes" ; then
|
|
||||||
- AC_DEFINE([HAVE_LIBXCRYPT], 1, [Define to 1 if xcrypt support should be compiled in.])
|
|
||||||
-fi
|
|
||||||
|
|
||||||
AC_ARG_WITH([randomdev], AS_HELP_STRING([--with-randomdev=(<path>|yes|no)],[use specified random device instead of /dev/urandom or 'no' to disable]), opt_randomdev=$withval)
|
|
||||||
if test "$opt_randomdev" = yes -o -z "$opt_randomdev"; then
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/opasswd.c.legacy-xcrypt Linux-PAM-1.3.1/modules/pam_pwhistory/opasswd.c
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_pwhistory/opasswd.c.legacy-xcrypt 2023-10-26 12:08:46.896437225 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/opasswd.c 2023-10-26 12:11:14.437725259 +0200
|
|
||||||
@@ -52,9 +52,7 @@
|
|
||||||
#include <stdarg.h>
|
|
||||||
#include <sys/stat.h>
|
|
||||||
|
|
||||||
-#if defined (HAVE_XCRYPT_H)
|
|
||||||
-#include <xcrypt.h>
|
|
||||||
-#elif defined (HAVE_CRYPT_H)
|
|
||||||
+#ifdef HAVE_CRYPT_H
|
|
||||||
#include <crypt.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_unix/bigcrypt.c.legacy-xcrypt Linux-PAM-1.3.1/modules/pam_unix/bigcrypt.c
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_unix/bigcrypt.c.legacy-xcrypt 2017-02-10 11:10:15.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_unix/bigcrypt.c 2023-10-26 12:08:46.896437225 +0200
|
|
||||||
@@ -29,9 +29,7 @@
|
|
||||||
#include <string.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <security/_pam_macros.h>
|
|
||||||
-#ifdef HAVE_LIBXCRYPT
|
|
||||||
-#include <xcrypt.h>
|
|
||||||
-#elif defined(HAVE_CRYPT_H)
|
|
||||||
+#ifdef HAVE_CRYPT_H
|
|
||||||
#include <crypt.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_unix/passverify.c.legacy-xcrypt Linux-PAM-1.3.1/modules/pam_unix/passverify.c
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_unix/passverify.c.legacy-xcrypt 2023-10-26 12:08:46.895437223 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_unix/passverify.c 2023-10-26 12:16:25.470320408 +0200
|
|
||||||
@@ -19,9 +19,7 @@
|
|
||||||
#include <sys/time.h>
|
|
||||||
#include <sys/stat.h>
|
|
||||||
#include <fcntl.h>
|
|
||||||
-#ifdef HAVE_LIBXCRYPT
|
|
||||||
-#include <xcrypt.h>
|
|
||||||
-#elif defined(HAVE_CRYPT_H)
|
|
||||||
+#ifdef HAVE_CRYPT_H
|
|
||||||
#include <crypt.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
@@ -406,23 +404,19 @@ PAMH_ARG_DECL(char * create_password_has
|
|
||||||
return crypted;
|
|
||||||
}
|
|
||||||
|
|
||||||
-#ifdef HAVE_CRYPT_GENSALT_R
|
|
||||||
- if (on(UNIX_BLOWFISH_PASS, ctrl)) {
|
|
||||||
- char entropy[17];
|
|
||||||
- crypt_make_salt(entropy, sizeof(entropy) - 1);
|
|
||||||
- sp = crypt_gensalt_r (algoid, rounds,
|
|
||||||
- entropy, sizeof(entropy),
|
|
||||||
- salt, sizeof(salt));
|
|
||||||
- } else {
|
|
||||||
-#endif
|
|
||||||
- sp = stpcpy(salt, algoid);
|
|
||||||
- if (on(UNIX_ALGO_ROUNDS, ctrl)) {
|
|
||||||
- sp += snprintf(sp, sizeof(salt) - (16 + 1 + (sp - salt)), "rounds=%u$", rounds);
|
|
||||||
- }
|
|
||||||
- crypt_make_salt(sp, 16);
|
|
||||||
-#ifdef HAVE_CRYPT_GENSALT_R
|
|
||||||
+#if defined(CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY) && CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY
|
|
||||||
+ /*
|
|
||||||
+ * Any version of libcrypt supporting auto entropy is
|
|
||||||
+ * guaranteed to have crypt_gensalt_rn().
|
|
||||||
+ */
|
|
||||||
+ sp = crypt_gensalt_rn(algoid, rounds, NULL, 0, salt, sizeof(salt));
|
|
||||||
+#else
|
|
||||||
+ sp = stpcpy(salt, algoid);
|
|
||||||
+ if (on(UNIX_ALGO_ROUNDS, ctrl)) {
|
|
||||||
+ sp += snprintf(sp, sizeof(salt) - (16 + 1 + (sp - salt)), "rounds=%u$", rounds);
|
|
||||||
}
|
|
||||||
-#endif
|
|
||||||
+ crypt_make_salt(sp, 16);
|
|
||||||
+#endif /* CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY */
|
|
||||||
#ifdef HAVE_CRYPT_R
|
|
||||||
sp = NULL;
|
|
||||||
cdata = malloc(sizeof(*cdata));
|
|
||||||
diff -up Linux-PAM-1.3.1/modules/pam_userdb/pam_userdb.c.legacy-xcrypt Linux-PAM-1.3.1/modules/pam_userdb/pam_userdb.c
|
|
||||||
--- Linux-PAM-1.3.1/modules/pam_userdb/pam_userdb.c.legacy-xcrypt 2023-10-26 12:08:46.880437194 +0200
|
|
||||||
+++ Linux-PAM-1.3.1/modules/pam_userdb/pam_userdb.c 2023-10-26 12:08:46.896437225 +0200
|
|
||||||
@@ -17,9 +17,7 @@
|
|
||||||
#include <sys/stat.h>
|
|
||||||
#include <fcntl.h>
|
|
||||||
#include <errno.h>
|
|
||||||
-#ifdef HAVE_LIBXCRYPT
|
|
||||||
-#include <xcrypt.h>
|
|
||||||
-#elif defined(HAVE_CRYPT_H)
|
|
||||||
+#ifdef HAVE_CRYPT_H
|
|
||||||
#include <crypt.h>
|
|
||||||
#endif
|
|
||||||
|
|
@ -1,57 +0,0 @@
|
|||||||
From a6845905869ccabb5eb802be37241eabec085dc7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
|
||||||
Date: Mon, 14 Oct 2019 16:52:46 +0200
|
|
||||||
Subject: [PATCH] pam_unix: Add logging useful for debugging problems
|
|
||||||
|
|
||||||
Two messages added about obtaining the username are guarded
|
|
||||||
by the debug option as these should not be normally
|
|
||||||
logged - they can be useful for debugging but they do not
|
|
||||||
indicate any special condition.
|
|
||||||
|
|
||||||
The message about authenticating user with blank password is
|
|
||||||
still just LOG_DEBUG priority but it is logged unconditionally
|
|
||||||
because it is somewhat extraordinary condition to have an user
|
|
||||||
with blank password.
|
|
||||||
|
|
||||||
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace
|
|
||||||
D() macro calls which are not enabled on production builds with
|
|
||||||
regular pam_syslog() calls.
|
|
||||||
---
|
|
||||||
modules/pam_unix/pam_unix_auth.c | 7 ++++---
|
|
||||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c
|
|
||||||
index 681e49d..3fca945 100644
|
|
||||||
--- a/modules/pam_unix/pam_unix_auth.c
|
|
||||||
+++ b/modules/pam_unix/pam_unix_auth.c
|
|
||||||
@@ -130,15 +130,16 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
AUTH_RETURN;
|
|
||||||
}
|
|
||||||
if (on(UNIX_DEBUG, ctrl))
|
|
||||||
- D(("username [%s] obtained", name));
|
|
||||||
+ pam_syslog(pamh, LOG_DEBUG, "username [%s] obtained", name);
|
|
||||||
} else {
|
|
||||||
- D(("trouble reading username"));
|
|
||||||
if (retval == PAM_CONV_AGAIN) {
|
|
||||||
D(("pam_get_user/conv() function is not ready yet"));
|
|
||||||
/* it is safe to resume this function so we translate this
|
|
||||||
* retval to the value that indicates we're happy to resume.
|
|
||||||
*/
|
|
||||||
retval = PAM_INCOMPLETE;
|
|
||||||
+ } else if (on(UNIX_DEBUG, ctrl)) {
|
|
||||||
+ pam_syslog(pamh, LOG_DEBUG, "could not obtain username");
|
|
||||||
}
|
|
||||||
AUTH_RETURN;
|
|
||||||
}
|
|
||||||
@@ -146,7 +147,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
/* if this user does not have a password... */
|
|
||||||
|
|
||||||
if (_unix_blankpasswd(pamh, ctrl, name)) {
|
|
||||||
- D(("user '%s' has blank passwd", name));
|
|
||||||
+ pam_syslog(pamh, LOG_DEBUG, "user [%s] has blank password; authenticated without it", name);
|
|
||||||
name = NULL;
|
|
||||||
retval = PAM_SUCCESS;
|
|
||||||
AUTH_RETURN;
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
@ -1,134 +0,0 @@
|
|||||||
From 6bf9b454eb971083f0cce49faa2aa1cde329ff5d Mon Sep 17 00:00:00 2001
|
|
||||||
From: ikerexxe <ipedrosa@redhat.com>
|
|
||||||
Date: Wed, 26 Aug 2020 14:44:23 +0200
|
|
||||||
Subject: [PATCH 1/3] pam_wheel: improve coding style
|
|
||||||
|
|
||||||
modules/pam_wheel/pam_wheel.c: improve indentation and explicitly state
|
|
||||||
condition statements
|
|
||||||
---
|
|
||||||
modules/pam_wheel/pam_wheel.c | 36 ++++++++++++++++++-----------------
|
|
||||||
1 file changed, 19 insertions(+), 17 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
|
|
||||||
index a025ebaf..94cb7d89 100644
|
|
||||||
--- a/modules/pam_wheel/pam_wheel.c
|
|
||||||
+++ b/modules/pam_wheel/pam_wheel.c
|
|
||||||
@@ -130,25 +130,27 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
|
|
||||||
}
|
|
||||||
|
|
||||||
if (ctrl & PAM_USE_UID_ARG) {
|
|
||||||
- tpwd = pam_modutil_getpwuid (pamh, getuid());
|
|
||||||
- if (!tpwd) {
|
|
||||||
- if (ctrl & PAM_DEBUG_ARG) {
|
|
||||||
+ tpwd = pam_modutil_getpwuid (pamh, getuid());
|
|
||||||
+ if (tpwd == NULL) {
|
|
||||||
+ if (ctrl & PAM_DEBUG_ARG) {
|
|
||||||
pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
|
|
||||||
- }
|
|
||||||
- return PAM_SERVICE_ERR;
|
|
||||||
- }
|
|
||||||
- fromsu = tpwd->pw_name;
|
|
||||||
+ }
|
|
||||||
+ return PAM_SERVICE_ERR;
|
|
||||||
+ }
|
|
||||||
+ fromsu = tpwd->pw_name;
|
|
||||||
} else {
|
|
||||||
- fromsu = pam_modutil_getlogin(pamh);
|
|
||||||
- if (fromsu) {
|
|
||||||
- tpwd = pam_modutil_getpwnam (pamh, fromsu);
|
|
||||||
- }
|
|
||||||
- if (!fromsu || !tpwd) {
|
|
||||||
- if (ctrl & PAM_DEBUG_ARG) {
|
|
||||||
- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
|
|
||||||
- }
|
|
||||||
- return PAM_SERVICE_ERR;
|
|
||||||
- }
|
|
||||||
+ fromsu = pam_modutil_getlogin(pamh);
|
|
||||||
+
|
|
||||||
+ if (fromsu != NULL) {
|
|
||||||
+ tpwd = pam_modutil_getpwnam (pamh, fromsu);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (fromsu == NULL || tpwd == NULL) {
|
|
||||||
+ if (ctrl & PAM_DEBUG_ARG) {
|
|
||||||
+ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
|
|
||||||
+ }
|
|
||||||
+ return PAM_SERVICE_ERR;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
|
|
||||||
From 9091ea1d81e85f49a221b0325d27b22ce69e444a Mon Sep 17 00:00:00 2001
|
|
||||||
From: ikerexxe <ipedrosa@redhat.com>
|
|
||||||
Date: Thu, 27 Aug 2020 09:16:15 +0200
|
|
||||||
Subject: [PATCH 2/3] pam_wheel: if getlogin fails fallback to PAM_RUSER
|
|
||||||
|
|
||||||
modules/pam_wheel/pam_wheel.c: if getlogin fails to obtain the real user
|
|
||||||
ID, then try with PAM_RUSER.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://bugzilla.redhat.com/show_bug.cgi?id=1866866
|
|
||||||
---
|
|
||||||
modules/pam_wheel/pam_wheel.c | 10 ++++++++++
|
|
||||||
1 file changed, 10 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
|
|
||||||
index 94cb7d89..7fa3cfa9 100644
|
|
||||||
--- a/modules/pam_wheel/pam_wheel.c
|
|
||||||
+++ b/modules/pam_wheel/pam_wheel.c
|
|
||||||
@@ -141,6 +141,16 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
|
|
||||||
} else {
|
|
||||||
fromsu = pam_modutil_getlogin(pamh);
|
|
||||||
|
|
||||||
+ /* if getlogin fails try a fallback to PAM_RUSER */
|
|
||||||
+ if (fromsu == NULL) {
|
|
||||||
+ const char *rhostname;
|
|
||||||
+
|
|
||||||
+ retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhostname);
|
|
||||||
+ if (retval != PAM_SUCCESS || rhostname == NULL) {
|
|
||||||
+ retval = pam_get_item(pamh, PAM_RUSER, (const void **)&fromsu);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (fromsu != NULL) {
|
|
||||||
tpwd = pam_modutil_getpwnam (pamh, fromsu);
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
|
|
||||||
From a3a5cbf86083c43026b558e2023f597530626267 Mon Sep 17 00:00:00 2001
|
|
||||||
From: ikerexxe <ipedrosa@redhat.com>
|
|
||||||
Date: Wed, 9 Sep 2020 10:32:03 +0200
|
|
||||||
Subject: [PATCH 3/3] pam_wheel: clarify use_uid option in man page
|
|
||||||
|
|
||||||
modules/pam_wheel/pam_wheel.8.xml: indicate that use_uid option uses the
|
|
||||||
real uid of the calling process.
|
|
||||||
---
|
|
||||||
modules/pam_wheel/pam_wheel.8.xml | 6 +++---
|
|
||||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml
|
|
||||||
index b32f5e2b..ee8c7d26 100644
|
|
||||||
--- a/modules/pam_wheel/pam_wheel.8.xml
|
|
||||||
+++ b/modules/pam_wheel/pam_wheel.8.xml
|
|
||||||
@@ -122,9 +122,9 @@
|
|
||||||
</term>
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
- The check for wheel membership will be done against
|
|
||||||
- the current uid instead of the original one (useful when
|
|
||||||
- jumping with su from one account to another for example).
|
|
||||||
+ The check will be done against the real uid of the calling process,
|
|
||||||
+ instead of trying to obtain the user from the login session
|
|
||||||
+ associated with the terminal in use.
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,37 +0,0 @@
|
|||||||
From 10086bc69663fa819277af244eeb5b629a2403b8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Deepak Das <ddas@redhat.com>
|
|
||||||
Date: Mon, 10 Oct 2022 21:21:35 +0530
|
|
||||||
Subject: [PATCH] pam_faillock: avoid logging an erroneous consecutive login
|
|
||||||
failure message
|
|
||||||
|
|
||||||
* modules/pam_faillock/pam_faillock.c (write_tally): Avoid logging
|
|
||||||
a consecutive login failure message for the root user in case when
|
|
||||||
even_deny_root is not set.
|
|
||||||
|
|
||||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2082442
|
|
||||||
---
|
|
||||||
modules/pam_faillock/pam_faillock.c | 8 +++++---
|
|
||||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
|
|
||||||
index ddbb90e7..ca1c7035 100644
|
|
||||||
--- a/modules/pam_faillock/pam_faillock.c
|
|
||||||
+++ b/modules/pam_faillock/pam_faillock.c
|
|
||||||
@@ -374,9 +374,11 @@ write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
|
|
||||||
}
|
|
||||||
close(audit_fd);
|
|
||||||
#endif
|
|
||||||
- if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO)) {
|
|
||||||
- pam_syslog(pamh, LOG_INFO, "Consecutive login failures for user %s account temporarily locked",
|
|
||||||
- opts->user);
|
|
||||||
+ if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO) &&
|
|
||||||
+ ((opts->flags & FAILLOCK_FLAG_DENY_ROOT) || (opts->uid != 0))) {
|
|
||||||
+ pam_syslog(pamh, LOG_INFO,
|
|
||||||
+ "Consecutive login failures for user %s account temporarily locked",
|
|
||||||
+ opts->user);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,53 +0,0 @@
|
|||||||
From bcbf145ce925934214e48200c27c9ff736452549 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Deepak Das <ddas@redhat.com>
|
|
||||||
Date: Mon, 10 Oct 2022 17:55:53 +0530
|
|
||||||
Subject: [PATCH] pam_faillock: Clarify missing user faillock files after
|
|
||||||
reboot
|
|
||||||
|
|
||||||
* modules/pam_faillock/faillock.conf.5.xml: Adding note related to missing
|
|
||||||
user specific faillock files after reboot.
|
|
||||||
|
|
||||||
* modules/pam_faillock/pam_faillock.8.xml: Adding note related to missing
|
|
||||||
user specific faillock files after reboot.
|
|
||||||
|
|
||||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2062512
|
|
||||||
---
|
|
||||||
modules/pam_faillock/faillock.conf.5.xml | 4 ++++
|
|
||||||
modules/pam_faillock/pam_faillock.8.xml | 6 ++++++
|
|
||||||
2 files changed, 10 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_faillock/faillock.conf.5.xml b/modules/pam_faillock/faillock.conf.5.xml
|
|
||||||
index 04a84107..8faa5915 100644
|
|
||||||
--- a/modules/pam_faillock/faillock.conf.5.xml
|
|
||||||
+++ b/modules/pam_faillock/faillock.conf.5.xml
|
|
||||||
@@ -44,6 +44,10 @@
|
|
||||||
The directory where the user files with the failure records are kept. The
|
|
||||||
default is <filename>/var/run/faillock</filename>.
|
|
||||||
</para>
|
|
||||||
+ <para>
|
|
||||||
+ Note: These files will disappear after reboot on systems configured with
|
|
||||||
+ directory <filename>/var/run/faillock</filename> mounted on virtual memory.
|
|
||||||
+ </para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
<varlistentry>
|
|
||||||
diff --git a/modules/pam_faillock/pam_faillock.8.xml b/modules/pam_faillock/pam_faillock.8.xml
|
|
||||||
index 79bcbbd0..b7b7b0db 100644
|
|
||||||
--- a/modules/pam_faillock/pam_faillock.8.xml
|
|
||||||
+++ b/modules/pam_faillock/pam_faillock.8.xml
|
|
||||||
@@ -327,6 +327,12 @@ session required pam_selinux.so open
|
|
||||||
<term><filename>/var/run/faillock/*</filename></term>
|
|
||||||
<listitem>
|
|
||||||
<para>the files logging the authentication failures for users</para>
|
|
||||||
+ <para>
|
|
||||||
+ Note: These files will disappear after reboot on systems configured with
|
|
||||||
+ directory <filename>/var/run/faillock</filename> mounted on virtual memory.
|
|
||||||
+ For persistent storage use the option <emphasis>dir=</emphasis> in
|
|
||||||
+ file <filename>/etc/security/faillock.conf</filename>.
|
|
||||||
+ </para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
<varlistentry>
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,41 +0,0 @@
|
|||||||
From 40c271164dbcebfc5304d0537a42fb42e6b6803c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
|
||||||
Date: Mon, 26 Sep 2022 12:16:53 +0200
|
|
||||||
Subject: [PATCH] pam_lastlog: check localtime_r() return value
|
|
||||||
|
|
||||||
Check the return value of localtime_r() before calling strftime(). This
|
|
||||||
function crashes if the argument is NULL.
|
|
||||||
|
|
||||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2012871
|
|
||||||
|
|
||||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
|
||||||
---
|
|
||||||
modules/pam_lastlog/pam_lastlog.c | 12 ++++++------
|
|
||||||
1 file changed, 6 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
|
|
||||||
index abd048df..121e7560 100644
|
|
||||||
--- a/modules/pam_lastlog/pam_lastlog.c
|
|
||||||
+++ b/modules/pam_lastlog/pam_lastlog.c
|
|
||||||
@@ -573,12 +573,12 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt
|
|
||||||
time_t lf_time;
|
|
||||||
|
|
||||||
lf_time = utuser.ut_tv.tv_sec;
|
|
||||||
- tm = localtime_r (&lf_time, &tm_buf);
|
|
||||||
- strftime (the_time, sizeof (the_time),
|
|
||||||
- /* TRANSLATORS: "strftime options for date of last login" */
|
|
||||||
- _(" %a %b %e %H:%M:%S %Z %Y"), tm);
|
|
||||||
-
|
|
||||||
- date = the_time;
|
|
||||||
+ if ((tm = localtime_r (&lf_time, &tm_buf)) != NULL) {
|
|
||||||
+ strftime (the_time, sizeof (the_time),
|
|
||||||
+ /* TRANSLATORS: "strftime options for date of last login" */
|
|
||||||
+ _(" %a %b %e %H:%M:%S %Z %Y"), tm);
|
|
||||||
+ date = the_time;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
/* we want & have the host? */
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,18 +0,0 @@
|
|||||||
#%PAM-1.0
|
|
||||||
# This file is auto-generated.
|
|
||||||
# User changes will be destroyed the next time authselect is run.
|
|
||||||
auth required pam_env.so
|
|
||||||
auth sufficient pam_unix.so try_first_pass nullok
|
|
||||||
auth required pam_deny.so
|
|
||||||
|
|
||||||
account required pam_unix.so
|
|
||||||
|
|
||||||
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
|
|
||||||
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
|
|
||||||
password required pam_deny.so
|
|
||||||
|
|
||||||
session optional pam_keyinit.so revoke
|
|
||||||
session required pam_limits.so
|
|
||||||
-session optional pam_systemd.so
|
|
||||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
||||||
session required pam_unix.so
|
|
@ -1,8 +0,0 @@
|
|||||||
#%PAM-1.0
|
|
||||||
# This file is auto-generated.
|
|
||||||
# User changes will be destroyed the next time authselect is run.
|
|
||||||
|
|
||||||
session optional pam_umask.so silent
|
|
||||||
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
|
|
||||||
session [default=1] pam_lastlog.so nowtmp showfailed
|
|
||||||
session optional pam_lastlog.so silent noupdate showfailed
|
|
@ -1,4 +0,0 @@
|
|||||||
#%PAM-1.0
|
|
||||||
# This file is auto-generated.
|
|
||||||
# User changes will be destroyed the next time authselect is run.
|
|
||||||
auth sufficient pam_sss.so allow_missing_name
|
|
@ -1,18 +0,0 @@
|
|||||||
#%PAM-1.0
|
|
||||||
# This file is auto-generated.
|
|
||||||
# User changes will be destroyed the next time authselect is run.
|
|
||||||
auth required pam_env.so
|
|
||||||
auth sufficient pam_unix.so try_first_pass nullok
|
|
||||||
auth required pam_deny.so
|
|
||||||
|
|
||||||
account required pam_unix.so
|
|
||||||
|
|
||||||
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
|
|
||||||
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
|
|
||||||
password required pam_deny.so
|
|
||||||
|
|
||||||
session optional pam_keyinit.so revoke
|
|
||||||
session required pam_limits.so
|
|
||||||
-session optional pam_systemd.so
|
|
||||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
||||||
session required pam_unix.so
|
|
8
gating.yaml
Normal file
8
gating.yaml
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
--- !Policy
|
||||||
|
product_versions:
|
||||||
|
- rhel-10
|
||||||
|
decision_context: osci_compose_gate
|
||||||
|
rules:
|
||||||
|
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
|
||||||
|
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
|
||||||
|
|
5
macros.pam
Normal file
5
macros.pam
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
%_pam_libdir %{_libdir}
|
||||||
|
%_pam_moduledir %{_libdir}/security
|
||||||
|
%_pam_secconfdir %{_sysconfdir}/security
|
||||||
|
%_pam_confdir %{_sysconfdir}/pam.d
|
||||||
|
%_pam_vendordir %{_datadir}/pam.d
|
@ -1,7 +1,8 @@
|
|||||||
diff -up Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c.nomsg Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c
|
Index: Linux-PAM-1.5.3/modules/pam_unix/pam_unix_passwd.c
|
||||||
--- Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c.nomsg 2016-04-11 13:08:47.000000000 +0200
|
===================================================================
|
||||||
+++ Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c 2017-04-20 16:51:24.853106709 +0200
|
--- Linux-PAM-1.5.3.orig/modules/pam_unix/pam_unix_passwd.c
|
||||||
@@ -687,12 +687,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
|
+++ Linux-PAM-1.5.3/modules/pam_unix/pam_unix_passwd.c
|
||||||
|
@@ -678,12 +678,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
|
||||||
return PAM_SUCCESS;
|
return PAM_SUCCESS;
|
||||||
} else if (off(UNIX__IAMROOT, ctrl) ||
|
} else if (off(UNIX__IAMROOT, ctrl) ||
|
||||||
(on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) {
|
(on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) {
|
24
pam-1.6.0-redhat-modules.patch
Normal file
24
pam-1.6.0-redhat-modules.patch
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
diff -up Linux-PAM-1.6.0/configure.ac.redhat-modules Linux-PAM-1.6.0/configure.ac
|
||||||
|
--- Linux-PAM-1.6.0/configure.ac.redhat-modules 2024-01-23 13:16:34.854753145 +0100
|
||||||
|
+++ Linux-PAM-1.6.0/configure.ac 2024-01-23 13:17:52.855859922 +0100
|
||||||
|
@@ -774,6 +774,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
|
||||||
|
po/Makefile.in \
|
||||||
|
Make.xml.rules \
|
||||||
|
modules/Makefile \
|
||||||
|
+ modules/pam_chroot/Makefile \
|
||||||
|
+ modules/pam_postgresok/Makefile \
|
||||||
|
modules/pam_access/Makefile \
|
||||||
|
modules/pam_canonicalize_user/Makefile \
|
||||||
|
modules/pam_debug/Makefile modules/pam_deny/Makefile \
|
||||||
|
diff -up Linux-PAM-1.6.0/modules/Makefile.am.redhat-modules Linux-PAM-1.6.0/modules/Makefile.am
|
||||||
|
--- Linux-PAM-1.6.0/modules/Makefile.am.redhat-modules 2024-01-17 11:29:36.000000000 +0100
|
||||||
|
+++ Linux-PAM-1.6.0/modules/Makefile.am 2024-01-23 13:16:34.855753147 +0100
|
||||||
|
@@ -48,6 +48,8 @@ SUBDIRS := \
|
||||||
|
pam_debug \
|
||||||
|
pam_deny \
|
||||||
|
pam_echo \
|
||||||
|
+ pam_chroot \
|
||||||
|
+ pam_postgresok \
|
||||||
|
pam_env \
|
||||||
|
pam_exec \
|
||||||
|
pam_faildelay \
|
24
pam-1.6.1-noflex.patch
Normal file
24
pam-1.6.1-noflex.patch
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
diff -up Linux-PAM-1.6.1/doc/Makefile.am.noflex Linux-PAM-1.6.1/doc/Makefile.am
|
||||||
|
--- Linux-PAM-1.6.1/doc/Makefile.am.noflex 2024-04-09 18:22:59.000000000 +0200
|
||||||
|
+++ Linux-PAM-1.6.1/doc/Makefile.am 2024-04-10 11:09:39.304086982 +0200
|
||||||
|
@@ -2,7 +2,7 @@
|
||||||
|
# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
|
||||||
|
#
|
||||||
|
|
||||||
|
-SUBDIRS = man specs sag adg mwg
|
||||||
|
+SUBDIRS = man sag adg mwg
|
||||||
|
|
||||||
|
CLEANFILES = *~
|
||||||
|
DISTCLEANFILES = custom-html.xsl custom-man.xsl
|
||||||
|
diff -up Linux-PAM-1.6.1/Makefile.am.noflex Linux-PAM-1.6.1/Makefile.am
|
||||||
|
--- Linux-PAM-1.6.1/Makefile.am.noflex 2024-04-10 11:09:39.304086982 +0200
|
||||||
|
+++ Linux-PAM-1.6.1/Makefile.am 2024-04-10 11:13:15.057352362 +0200
|
||||||
|
@@ -4,7 +4,7 @@
|
||||||
|
|
||||||
|
AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news
|
||||||
|
|
||||||
|
-SUBDIRS = libpam_internal libpam tests libpamc libpam_misc modules po conf \
|
||||||
|
+SUBDIRS = libpam_internal libpam tests libpamc libpam_misc modules po doc \
|
||||||
|
xtests
|
||||||
|
|
||||||
|
if HAVE_DOC
|
119
pam-1.6.1-pam-access-local.patch
Normal file
119
pam-1.6.1-pam-access-local.patch
Normal file
@ -0,0 +1,119 @@
|
|||||||
|
From ecaaf4456e5aeacae1acdb1775bb5aadd3b19e13 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||||
|
Date: Wed, 16 Oct 2024 12:41:09 +0200
|
||||||
|
Subject: [PATCH 1/2] pam_access: always match local address
|
||||||
|
|
||||||
|
* modules/pam_access/pam_access.c: match the local address regardless of
|
||||||
|
the IP version in use.
|
||||||
|
|
||||||
|
In some circumstances the `localhost` may be translated to IPv4 or IPv6,
|
||||||
|
but the configuration file only indicated the address for one of the two
|
||||||
|
versions. Since the originating value is set in `PAM_RHOST` and PAM has
|
||||||
|
no control over it, let's match the local addresses regardless of the IP
|
||||||
|
version in use.
|
||||||
|
|
||||||
|
Resolves: https://issues.redhat.com/browse/RHEL-23018
|
||||||
|
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||||
|
---
|
||||||
|
modules/pam_access/pam_access.c | 30 ++++++++++++++++++++++++++++--
|
||||||
|
1 file changed, 28 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
|
||||||
|
index bfbc6d57..48e7c7e9 100644
|
||||||
|
--- a/modules/pam_access/pam_access.c
|
||||||
|
+++ b/modules/pam_access/pam_access.c
|
||||||
|
@@ -306,6 +306,23 @@ isipaddr (const char *string, int *addr_type,
|
||||||
|
return is_ip;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* is_local_addr - checks if the IP address is local */
|
||||||
|
+static int
|
||||||
|
+is_local_addr (const char *string, int addr_type)
|
||||||
|
+{
|
||||||
|
+ if (addr_type == AF_INET) {
|
||||||
|
+ if (strcmp(string, "127.0.0.1") == 0) {
|
||||||
|
+ return YES;
|
||||||
|
+ }
|
||||||
|
+ } else if (addr_type == AF_INET6) {
|
||||||
|
+ if (strcmp(string, "::1") == 0) {
|
||||||
|
+ return YES;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return NO;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
|
||||||
|
/* are_addresses_equal - translate IP address strings to real IP
|
||||||
|
* addresses and compare them to find out if they are equal.
|
||||||
|
@@ -327,9 +344,18 @@ are_addresses_equal (const char *ipaddr0, const char *ipaddr1,
|
||||||
|
if (isipaddr (ipaddr1, &addr_type1, &addr1) == NO)
|
||||||
|
return NO;
|
||||||
|
|
||||||
|
- if (addr_type0 != addr_type1)
|
||||||
|
- /* different address types */
|
||||||
|
+ if (addr_type0 != addr_type1) {
|
||||||
|
+ /* different address types, but there is still a possibility that they are
|
||||||
|
+ * both local addresses
|
||||||
|
+ */
|
||||||
|
+ int local1 = is_local_addr(ipaddr0, addr_type0);
|
||||||
|
+ int local2 = is_local_addr(ipaddr1, addr_type1);
|
||||||
|
+
|
||||||
|
+ if (local1 == YES && local2 == YES)
|
||||||
|
+ return YES;
|
||||||
|
+
|
||||||
|
return NO;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (netmask != NULL) {
|
||||||
|
/* Got a netmask, so normalize addresses? */
|
||||||
|
--
|
||||||
|
2.47.0
|
||||||
|
|
||||||
|
|
||||||
|
From 641dfd1084508c63f3590e93a35b80ffc50774e5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||||
|
Date: Fri, 18 Oct 2024 10:27:07 +0200
|
||||||
|
Subject: [PATCH 2/2] pam_access: clarify `LOCAL` keyword behaviour
|
||||||
|
|
||||||
|
* modules/pam_access/access.conf.5.xml: `LOCAL` keyword behaviour
|
||||||
|
explanation was focused on the development internals. Let's clarify it
|
||||||
|
by rephrasing it to something a sysadmin can understand.
|
||||||
|
|
||||||
|
Resolves: https://issues.redhat.com/browse/RHEL-39943
|
||||||
|
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||||
|
---
|
||||||
|
modules/pam_access/access.conf.5.xml | 17 ++++++-----------
|
||||||
|
1 file changed, 6 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
|
||||||
|
index 35a1a8fe..0b93db00 100644
|
||||||
|
--- a/modules/pam_access/access.conf.5.xml
|
||||||
|
+++ b/modules/pam_access/access.conf.5.xml
|
||||||
|
@@ -79,17 +79,12 @@
|
||||||
|
with network mask (where network mask can be a decimal number or an
|
||||||
|
internet address also), <emphasis>ALL</emphasis> (which always matches)
|
||||||
|
or <emphasis>LOCAL</emphasis>. The <emphasis>LOCAL</emphasis>
|
||||||
|
- keyword matches if and only if
|
||||||
|
- <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
|
- when called with an <parameter>item_type</parameter> of
|
||||||
|
- <emphasis>PAM_RHOST</emphasis>, returns <code>NULL</code> or an
|
||||||
|
- empty string (and therefore the
|
||||||
|
- <replaceable>origins</replaceable> field is compared against the
|
||||||
|
- return value of
|
||||||
|
- <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
||||||
|
- called with an <parameter>item_type</parameter> of
|
||||||
|
- <emphasis>PAM_TTY</emphasis> or, absent that,
|
||||||
|
- <emphasis>PAM_SERVICE</emphasis>).
|
||||||
|
+ keyword matches when the user connects without a network
|
||||||
|
+ connection (e.g., <emphasis>su</emphasis>,
|
||||||
|
+ <emphasis>login</emphasis>). A connection through the loopback
|
||||||
|
+ device (e.g., <command>ssh user@localhost</command>) is
|
||||||
|
+ considered a network connection, and thus, the
|
||||||
|
+ <emphasis>LOCAL</emphasis> keyword does not match.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
--
|
||||||
|
2.47.0
|
||||||
|
|
86
pam-1.6.1-pam-env-econf-read-file-fixes.patch
Normal file
86
pam-1.6.1-pam-env-econf-read-file-fixes.patch
Normal file
@ -0,0 +1,86 @@
|
|||||||
|
From aabd5314a6d76968c377969b49118a2df3f97003 Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Dmitry V. Levin" <ldv@strace.io>
|
||||||
|
Date: Sun, 19 May 2024 15:00:00 +0000
|
||||||
|
Subject: [PATCH 1/2] pam_env: fix NULL dereference on error path in
|
||||||
|
econf_read_file
|
||||||
|
|
||||||
|
* modules/pam_env/pam_env.c [USE_ECONF] (econf_read_file): Handle NULL
|
||||||
|
value returned by econf_getStringValue().
|
||||||
|
|
||||||
|
Resolves: https://github.com/linux-pam/linux-pam/issues/796
|
||||||
|
---
|
||||||
|
modules/pam_env/pam_env.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
|
||||||
|
index 2cc58228..6d39bb24 100644
|
||||||
|
--- a/modules/pam_env/pam_env.c
|
||||||
|
+++ b/modules/pam_env/pam_env.c
|
||||||
|
@@ -287,7 +287,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli
|
||||||
|
char *val;
|
||||||
|
|
||||||
|
error = econf_getStringValue (key_file, NULL, keys[i], &val);
|
||||||
|
- if (error != ECONF_SUCCESS) {
|
||||||
|
+ if (error != ECONF_SUCCESS || val == NULL) {
|
||||||
|
pam_syslog(pamh, LOG_ERR, "Unable to get string from key %s: %s",
|
||||||
|
keys[i],
|
||||||
|
econf_errString(error));
|
||||||
|
--
|
||||||
|
2.45.1
|
||||||
|
|
||||||
|
|
||||||
|
From 75292685a625153c6e28bdd820e97421c258c04a Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Dmitry V. Levin" <ldv@strace.io>
|
||||||
|
Date: Sun, 19 May 2024 15:00:00 +0000
|
||||||
|
Subject: [PATCH 2/2] pam_env: fix error handling in econf_read_file
|
||||||
|
|
||||||
|
* modules/pam_env/pam_env.c [USE_ECONF] (econf_read_file): Make sure
|
||||||
|
the returned array of strings is properly initialized
|
||||||
|
when econf_getStringValue() fails to return a value.
|
||||||
|
---
|
||||||
|
modules/pam_env/pam_env.c | 8 ++++----
|
||||||
|
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
|
||||||
|
index 6d39bb24..7c146439 100644
|
||||||
|
--- a/modules/pam_env/pam_env.c
|
||||||
|
+++ b/modules/pam_env/pam_env.c
|
||||||
|
@@ -273,7 +273,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli
|
||||||
|
return PAM_ABORT;
|
||||||
|
}
|
||||||
|
|
||||||
|
- *lines = malloc((key_number +1)* sizeof(char**));
|
||||||
|
+ *lines = calloc((key_number + 1), sizeof(char**));
|
||||||
|
if (*lines == NULL) {
|
||||||
|
pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
|
||||||
|
econf_free(keys);
|
||||||
|
@@ -281,8 +281,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli
|
||||||
|
return PAM_BUF_ERR;
|
||||||
|
}
|
||||||
|
|
||||||
|
- (*lines)[key_number] = 0;
|
||||||
|
-
|
||||||
|
+ size_t n = 0;
|
||||||
|
for (size_t i = 0; i < key_number; i++) {
|
||||||
|
char *val;
|
||||||
|
|
||||||
|
@@ -293,7 +292,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli
|
||||||
|
econf_errString(error));
|
||||||
|
} else {
|
||||||
|
econf_unescnl(val);
|
||||||
|
- if (asprintf(&(*lines)[i],"%s%c%s", keys[i], delim[0], val) < 0) {
|
||||||
|
+ if (asprintf(&(*lines)[n],"%s%c%s", keys[i], delim[0], val) < 0) {
|
||||||
|
pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
|
||||||
|
econf_free(keys);
|
||||||
|
econf_freeFile(key_file);
|
||||||
|
@@ -303,6 +302,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli
|
||||||
|
return PAM_BUF_ERR;
|
||||||
|
}
|
||||||
|
free (val);
|
||||||
|
+ n++;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.45.1
|
||||||
|
|
212
pam-1.6.1-sast-fixes.patch
Normal file
212
pam-1.6.1-sast-fixes.patch
Normal file
@ -0,0 +1,212 @@
|
|||||||
|
From 5eccaf9b3488d3f6da800281363697e4e4834e77 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||||
|
Date: Wed, 22 May 2024 11:16:28 +0200
|
||||||
|
Subject: [PATCH 1/5] pam_faillock: close the audit socket after use
|
||||||
|
|
||||||
|
* modules/pam_faillock/pam_faillock.c (check_tally): Close the audit
|
||||||
|
socket when it will no longer be used.
|
||||||
|
|
||||||
|
```
|
||||||
|
Error: RESOURCE_LEAK (CWE-772):
|
||||||
|
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: open_fn: Returning handle opened by "audit_open".
|
||||||
|
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: var_assign: Assigning: "audit_fd" = handle returned from "audit_open()".
|
||||||
|
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:256: noescape: Resource "audit_fd" is not freed or pointed-to in "audit_log_user_message".
|
||||||
|
Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:258: leaked_handle: Handle variable "audit_fd" going out of scope leaks the handle.
|
||||||
|
256| audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
|
||||||
|
257| rhost, NULL, tty, 1);
|
||||||
|
258|-> }
|
||||||
|
259| #endif
|
||||||
|
260| opts->flags |= FAILLOCK_FLAG_UNLOCKED;
|
||||||
|
```
|
||||||
|
|
||||||
|
Resolves: https://issues.redhat.com/browse/RHEL-36475
|
||||||
|
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||||
|
---
|
||||||
|
modules/pam_faillock/pam_faillock.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
|
||||||
|
index e636a24e..f39a9d95 100644
|
||||||
|
--- a/modules/pam_faillock/pam_faillock.c
|
||||||
|
+++ b/modules/pam_faillock/pam_faillock.c
|
||||||
|
@@ -255,6 +255,7 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
|
||||||
|
snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid);
|
||||||
|
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
|
||||||
|
rhost, NULL, tty, 1);
|
||||||
|
+ audit_close(audit_fd);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
opts->flags |= FAILLOCK_FLAG_UNLOCKED;
|
||||||
|
--
|
||||||
|
2.45.2
|
||||||
|
|
||||||
|
|
||||||
|
From d00f6cb366b492de455f9b72fcbd2e49abf323e0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||||
|
Date: Wed, 22 May 2024 11:20:02 +0200
|
||||||
|
Subject: [PATCH 2/5] pam_rootok: close the audit socket on error path
|
||||||
|
|
||||||
|
* modules/pam_rootok/pam_rootok.c (log_callback): Close the audit socket
|
||||||
|
if vasprintf returned an error.
|
||||||
|
|
||||||
|
```
|
||||||
|
Error: RESOURCE_LEAK (CWE-772):
|
||||||
|
Linux-PAM-1.6.0/modules/pam_rootok/pam_rootok.c:59: open_fn: Returning handle opened by "audit_open".
|
||||||
|
Linux-PAM-1.6.0/modules/pam_rootok/pam_rootok.c:59: var_assign: Assigning: "audit_fd" = handle returned from "audit_open()".
|
||||||
|
Linux-PAM-1.6.0/modules/pam_rootok/pam_rootok.c:69: leaked_handle: Handle variable "audit_fd" going out of scope leaks the handle.
|
||||||
|
67| va_end(ap);
|
||||||
|
68| if (ret < 0) {
|
||||||
|
69|-> return 0;
|
||||||
|
70| }
|
||||||
|
71| audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
|
||||||
|
```
|
||||||
|
|
||||||
|
Resolves: https://issues.redhat.com/browse/RHEL-36475
|
||||||
|
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||||
|
---
|
||||||
|
modules/pam_rootok/pam_rootok.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c
|
||||||
|
index 6d2dfa07..1b88fb19 100644
|
||||||
|
--- a/modules/pam_rootok/pam_rootok.c
|
||||||
|
+++ b/modules/pam_rootok/pam_rootok.c
|
||||||
|
@@ -66,6 +66,7 @@ log_callback (int type UNUSED, const char *fmt, ...)
|
||||||
|
ret = vasprintf (&buf, fmt, ap);
|
||||||
|
va_end(ap);
|
||||||
|
if (ret < 0) {
|
||||||
|
+ audit_close(audit_fd);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
|
||||||
|
--
|
||||||
|
2.45.2
|
||||||
|
|
||||||
|
|
||||||
|
From 1ca5bfed50bd9f6c2f1e3e36c2df3253923dadf6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||||
|
Date: Wed, 22 May 2024 12:27:00 +0200
|
||||||
|
Subject: [PATCH 3/5] pam_timestamp: close the timestamp file on error path
|
||||||
|
|
||||||
|
* modules/pam_timestamp/pam_timestamp.c (pam_sm_authenticate)
|
||||||
|
[WITH_OPENSSL]: Close the timestamp file if hmac_size returned
|
||||||
|
an error.
|
||||||
|
|
||||||
|
```
|
||||||
|
Error: RESOURCE_LEAK (CWE-772):
|
||||||
|
Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:450: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
|
||||||
|
Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:450: var_assign: Assigning: "fd" = handle returned from "open(path, 131072)".
|
||||||
|
Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:460: noescape: Resource "fd" is not freed or pointed-to in "fstat".
|
||||||
|
Linux-PAM-1.6.0/modules/pam_timestamp/pam_timestamp.c:484: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
|
||||||
|
482| #ifdef WITH_OPENSSL
|
||||||
|
483| if (hmac_size(pamh, debug, &maclen)) {
|
||||||
|
484|-> return PAM_AUTH_ERR;
|
||||||
|
485| }
|
||||||
|
486| #else
|
||||||
|
```
|
||||||
|
|
||||||
|
Resolves: https://issues.redhat.com/browse/RHEL-36475
|
||||||
|
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||||
|
---
|
||||||
|
modules/pam_timestamp/pam_timestamp.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
|
||||||
|
index 7c5457c4..edecc052 100644
|
||||||
|
--- a/modules/pam_timestamp/pam_timestamp.c
|
||||||
|
+++ b/modules/pam_timestamp/pam_timestamp.c
|
||||||
|
@@ -481,6 +481,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||||
|
|
||||||
|
#ifdef WITH_OPENSSL
|
||||||
|
if (hmac_size(pamh, debug, &maclen)) {
|
||||||
|
+ close(fd);
|
||||||
|
return PAM_AUTH_ERR;
|
||||||
|
}
|
||||||
|
#else
|
||||||
|
--
|
||||||
|
2.45.2
|
||||||
|
|
||||||
|
|
||||||
|
From 667204d7e3e4a0341c529f7566d62dd64dd80866 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||||
|
Date: Wed, 22 May 2024 12:25:34 +0200
|
||||||
|
Subject: [PATCH 4/5] pam_namespace: free SELinux context
|
||||||
|
|
||||||
|
* modules/pam_namespace/pam_namespace.c [WITH_SELINUX] (form_context):
|
||||||
|
Free SELinux context before returning.
|
||||||
|
|
||||||
|
```
|
||||||
|
Error: RESOURCE_LEAK (CWE-772):
|
||||||
|
Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:928: alloc_arg: "getexeccon" allocates memory that is stored into "scon".
|
||||||
|
Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1004: leaked_storage: Variable "scon" going out of scope leaks the storage it points to.
|
||||||
|
1002| }
|
||||||
|
1003| /* Should never get here */
|
||||||
|
1004|-> return PAM_SUCCESS;
|
||||||
|
1005| }
|
||||||
|
1006| #endif
|
||||||
|
```
|
||||||
|
|
||||||
|
Resolves: https://issues.redhat.com/browse/RHEL-36475
|
||||||
|
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||||
|
---
|
||||||
|
modules/pam_namespace/pam_namespace.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
|
||||||
|
index e499d95a..781dac20 100644
|
||||||
|
--- a/modules/pam_namespace/pam_namespace.c
|
||||||
|
+++ b/modules/pam_namespace/pam_namespace.c
|
||||||
|
@@ -1003,6 +1003,7 @@ static int form_context(const struct polydir_s *polyptr,
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
/* Should never get here */
|
||||||
|
+ freecon(scon);
|
||||||
|
return PAM_SUCCESS;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
--
|
||||||
|
2.45.2
|
||||||
|
|
||||||
|
|
||||||
|
From bd2f695b3d89efe0c52bba975f9540634125178a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||||
|
Date: Wed, 22 May 2024 12:29:07 +0200
|
||||||
|
Subject: [PATCH 5/5] pam_namespace: free SELinux context on error path
|
||||||
|
|
||||||
|
* modules/pam_namespace/pam_namespace.c (create_polydir) [WITH_SELINUX]:
|
||||||
|
Free SELinux context in case of an error.
|
||||||
|
|
||||||
|
```
|
||||||
|
Error: RESOURCE_LEAK (CWE-772):
|
||||||
|
Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1433: alloc_arg: "getfscreatecon_raw" allocates memory that is stored into "oldcon_raw".
|
||||||
|
Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1462: leaked_storage: Variable "oldcon_raw" going out of scope leaks the storage it points to.
|
||||||
|
1460| pam_syslog(idata->pamh, LOG_ERR,
|
||||||
|
1461| "Error creating directory %s: %m", dir);
|
||||||
|
1462|-> return PAM_SESSION_ERR;
|
||||||
|
1463| }
|
||||||
|
1464|
|
||||||
|
```
|
||||||
|
|
||||||
|
Resolves: https://issues.redhat.com/browse/RHEL-36475
|
||||||
|
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||||
|
---
|
||||||
|
modules/pam_namespace/pam_namespace.c | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
|
||||||
|
index 781dac20..2dab49ef 100644
|
||||||
|
--- a/modules/pam_namespace/pam_namespace.c
|
||||||
|
+++ b/modules/pam_namespace/pam_namespace.c
|
||||||
|
@@ -1462,6 +1462,9 @@ static int create_polydir(struct polydir_s *polyptr,
|
||||||
|
if (rc == -1) {
|
||||||
|
pam_syslog(idata->pamh, LOG_ERR,
|
||||||
|
"Error creating directory %s: %m", dir);
|
||||||
|
+#ifdef WITH_SELINUX
|
||||||
|
+ freecon(oldcon_raw);
|
||||||
|
+#endif
|
||||||
|
return PAM_SESSION_ERR;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.45.2
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
@ -1,4 +1,3 @@
|
|||||||
d /run/console 0755 root root -
|
d /run/console 0755 root root -
|
||||||
d /run/faillock 0755 root root -
|
d /run/faillock 0755 root root -
|
||||||
d /run/sepermit 0755 root root -
|
d /run/sepermit 0755 root root -
|
||||||
d /run/motd.d 0755 root root -
|
|
3
sources
Normal file
3
sources
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
SHA512 (Linux-PAM-1.6.1.tar.xz) = ddb5a5f296f564b76925324550d29f15d342841a97815336789c7bb922a8663e831edeb54f3dcd1eaf297e3325c9e2e6c14b8740def5c43cf3f160a8a14fa2ea
|
||||||
|
SHA512 (Linux-PAM-1.6.1.tar.xz.asc) = 609dd4dadac06ac50002684998f3dc3e19f7452bd39ccac67421bc402b2d95544a825ad6f2af14e6d2ce999bb1a716ebcaf7a947d459c365380320e42418abf5
|
||||||
|
SHA512 (pam-redhat-1.2.0.tar.xz) = f676a6c8df0cf3836018b1a67ded1d40937b88ff046e5c6b22bac46cb05e27970ef6a7ce224269e4c0d1ca9375c72e77880cf9114e936a7de9c423bf443d27ee
|
71
tests/Test-coverage-for-TTY-auditing/Makefile
Normal file
71
tests/Test-coverage-for-TTY-auditing/Makefile
Normal file
@ -0,0 +1,71 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/pam/Sanity/Test-coverage-for-TTY-auditing
|
||||||
|
# Description: Test for Test coverage for TTY auditing
|
||||||
|
# Author: Dalibor Pospisil <dapospis@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2012 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/pam/Sanity/Test-coverage-for-TTY-auditing
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
@test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
@if [ -e /usr/share/beakerlib/plugins/try-check-final.sh ]; then \
|
||||||
|
/usr/share/beakerlib/plugins/try-check-final.sh verify_plugin; \
|
||||||
|
elif [ -e /mnt/tests/CoreOS/beaker/plugin-tcf/try-check-final.sh ]; then \
|
||||||
|
/mnt/tests/CoreOS/beaker/plugin-tcf/try-check-final.sh verify_plugin; \
|
||||||
|
elif [ -e /mnt/qa/scratch/dapospis/try-check-final.sh ]; then \
|
||||||
|
/mnt/qa/scratch/dapospis/try-check-final.sh verify_plugin; \
|
||||||
|
fi;
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Dalibor Pospisil <dapospis@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "RhtsRequires: test(/CoreOS/beaker/plugin-tcf)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Test for Test coverage for TTY auditing" >> $(METADATA)
|
||||||
|
@echo "Type: Sanity" >> $(METADATA)
|
||||||
|
@echo "TestTime: 5m" >> $(METADATA)
|
||||||
|
@echo "RunFor: pam" >> $(METADATA)
|
||||||
|
@echo "Requires: pam /usr/bin/bc /usr/bin/expect /usr/bin/pcregrep" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
4
tests/Test-coverage-for-TTY-auditing/PURPOSE
Normal file
4
tests/Test-coverage-for-TTY-auditing/PURPOSE
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
PURPOSE of /CoreOS/pam/Sanity/Test-coverage-for-TTY-auditing
|
||||||
|
Description: Test for Test coverage for TTY auditing
|
||||||
|
Author: Dalibor Pospisil <dapospis@redhat.com>
|
||||||
|
Bug summary: Test coverage for TTY auditing
|
119
tests/Test-coverage-for-TTY-auditing/runtest.sh
Normal file
119
tests/Test-coverage-for-TTY-auditing/runtest.sh
Normal file
@ -0,0 +1,119 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/pam/Sanity/Test-coverage-for-TTY-auditing
|
||||||
|
# Description: Test for Test coverage for TTY auditing
|
||||||
|
# Author: Dalibor Pospisil <dapospis@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2012 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh
|
||||||
|
. /usr/lib/beakerlib/beakerlib.sh
|
||||||
|
|
||||||
|
PACKAGES="pam"
|
||||||
|
BINARIES="pcregrep expect bc"
|
||||||
|
|
||||||
|
rlJournalStart &&{
|
||||||
|
rlPhaseStartSetup &&{
|
||||||
|
rlTry "Setup phase" && {
|
||||||
|
for PACKAGE in $PACKAGES; do
|
||||||
|
rlAssertRpm $PACKAGE
|
||||||
|
done
|
||||||
|
for BINARY in $BINARIES; do
|
||||||
|
rlRun "which $BINARY" 0 "Check presence of $BINARY"
|
||||||
|
done
|
||||||
|
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||||
|
rlRun "pushd $TmpDir"
|
||||||
|
rlFileBackup --clean /etc/pam.d/
|
||||||
|
rlRun "echo 'session required pam_tty_audit.so disable=* enable=root' >>/etc/pam.d/system-auth"
|
||||||
|
rlRun "cat /etc/pam.d/system-auth"
|
||||||
|
rlFin; }
|
||||||
|
rlPhaseEnd;}
|
||||||
|
|
||||||
|
rlPhaseStartTest &&{
|
||||||
|
rlTry "Test phase" && {
|
||||||
|
rlTry "backup audit.log" &&{
|
||||||
|
cat /var/log/audit/audit.log >./audit.log
|
||||||
|
rlFin; }
|
||||||
|
unalias su >& /dev/null
|
||||||
|
rlTry "su root, bc some expressions" &&{
|
||||||
|
expect <<EOF
|
||||||
|
set env(TERM) vt100
|
||||||
|
set timeout 5
|
||||||
|
spawn su -l root
|
||||||
|
expect {
|
||||||
|
timeout { exit 2 }
|
||||||
|
eof { exit 1 }
|
||||||
|
"#" { send -- "bc\r" }
|
||||||
|
}
|
||||||
|
expect -re "For details type .warranty.." { send -- "1+1\r" }
|
||||||
|
expect {
|
||||||
|
timeout { exit 2 }
|
||||||
|
eof { exit 1 }
|
||||||
|
"2" { send -- "10^2\r" }
|
||||||
|
}
|
||||||
|
expect {
|
||||||
|
timeout { exit 2 }
|
||||||
|
eof { exit 1 }
|
||||||
|
"100" { send -- "\033\[A\033\[A\r" }
|
||||||
|
}
|
||||||
|
expect {
|
||||||
|
timeout { exit 2 }
|
||||||
|
eof { exit 1 }
|
||||||
|
"2" { send -- "quit\r" }
|
||||||
|
}
|
||||||
|
expect {
|
||||||
|
timeout { exit 2 }
|
||||||
|
eof { exit 1 }
|
||||||
|
"#" { send -- "exit\r" }
|
||||||
|
}
|
||||||
|
expect {
|
||||||
|
timeout { exit 2 }
|
||||||
|
eof { exit 0 }
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
rlFin; }
|
||||||
|
rlTry &&{
|
||||||
|
rlLog "wait 3s"
|
||||||
|
sleep 3s
|
||||||
|
rlFin; }
|
||||||
|
rlRun "diff ./audit.log /var/log/audit/audit.log | grep '>' | sed -e 's/> //' | tee ./log" 0-255
|
||||||
|
rlChk "check that audit.log contains what it should" &&{
|
||||||
|
aureport --tty -ts recent -if ./log |tee log.txt
|
||||||
|
rlRun "pcregrep -M 'bc \"1\+1\",(<ret>|<nl>)(\n|\r)?.*\"10\^2\",(<ret>|<nl>)(\r|\n)?.*<up>,<up>,(<ret>|<nl>)' log.txt"
|
||||||
|
rlFin; }
|
||||||
|
rlFin; }
|
||||||
|
#PS1="[test] " bash
|
||||||
|
rlPhaseEnd;}
|
||||||
|
|
||||||
|
rlPhaseStartCleanup &&{
|
||||||
|
rlChk "Cleanup phase" && {
|
||||||
|
rlFileRestore
|
||||||
|
rlRun "popd"
|
||||||
|
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||||
|
rlFin; }
|
||||||
|
rlTCFcheckFinal
|
||||||
|
rlPhaseEnd;}
|
||||||
|
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd;}
|
70
tests/pam_unix/Makefile
Normal file
70
tests/pam_unix/Makefile
Normal file
@ -0,0 +1,70 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/pam/Sanity/pam_unix
|
||||||
|
# Description: Test for module pam_unix
|
||||||
|
# Author: David Spurek <dspurek@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2012 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/pam/Sanity/pam_unix
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: David Spurek <dspurek@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Test for module pam_unix" >> $(METADATA)
|
||||||
|
@echo "Type: Sanity" >> $(METADATA)
|
||||||
|
@echo "TestTime: 15m" >> $(METADATA)
|
||||||
|
@echo "RunFor: pam" >> $(METADATA)
|
||||||
|
@echo "RhtsRequires: library(distribution/ConditionalPhases)" >> $(METADATA)
|
||||||
|
@echo "RhtsRequires: library(distribution/dpcommon)" >> $(METADATA)
|
||||||
|
@echo "RhtsRequires: library(distribution/testUser)" >> $(METADATA)
|
||||||
|
@echo "RhtsRequires: library(openssh/basic)" >> $(METADATA)
|
||||||
|
@echo "RhtsRequires: library(pam/basic)" >> $(METADATA)
|
||||||
|
@echo "Requires: pam" >> $(METADATA)
|
||||||
|
@echo "Requires: expect" >> $(METADATA)
|
||||||
|
@echo "Requires: openssh-server openssh-clients" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
3
tests/pam_unix/PURPOSE
Normal file
3
tests/pam_unix/PURPOSE
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
PURPOSE of /CoreOS/pam/Sanity/pam_unix
|
||||||
|
Description: Test for module pam_unix
|
||||||
|
Author: David Spurek <dspurek@redhat.com>
|
174
tests/pam_unix/runtest.sh
Normal file
174
tests/pam_unix/runtest.sh
Normal file
@ -0,0 +1,174 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/pam/Sanity/pam_unix
|
||||||
|
# Description: Test for module pam_unix
|
||||||
|
# Author: David Spurek <dspurek@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2012 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh
|
||||||
|
|
||||||
|
PACKAGE="pam"
|
||||||
|
|
||||||
|
PACKAGES=( "pam" "expect" )
|
||||||
|
|
||||||
|
_PASSWORD1="jf@#Faffo"
|
||||||
|
_PASSWORD2="0m4nchU!!F"
|
||||||
|
|
||||||
|
function do_passwd {
|
||||||
|
expect <<EOF
|
||||||
|
set timeout 5
|
||||||
|
spawn -noecho su $1 -c passwd
|
||||||
|
expect {
|
||||||
|
timeout {puts timeout; exit 1}
|
||||||
|
eof {exit 2}
|
||||||
|
-nocase "(current)*password" { puts "$2"; send -- "$2\r"}
|
||||||
|
}
|
||||||
|
expect {
|
||||||
|
timeout {puts timeout; exit 1}
|
||||||
|
eof {exit 3}
|
||||||
|
-nocase "new*password" { puts "$3"; send -- "$3\r"}
|
||||||
|
}
|
||||||
|
expect {
|
||||||
|
timeout {puts timeout; exit 1}
|
||||||
|
eof {exit 4}
|
||||||
|
-nocase "has been already used" { puts "exit 6" ; exit 6}
|
||||||
|
-nocase "retype*password" { puts "$3"; send -- "$3\r"}
|
||||||
|
}
|
||||||
|
expect {
|
||||||
|
timeout {exit 5}
|
||||||
|
-nocase "has been already used" { puts "exit 6" ; exit 6}
|
||||||
|
eof
|
||||||
|
}
|
||||||
|
puts "end"
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
rlJournalStart && {
|
||||||
|
rlPhaseStartSetup && {
|
||||||
|
tcfTry "Setup phase" && {
|
||||||
|
tcfRun "rlCheckMakefileRequires"
|
||||||
|
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||||
|
CleanupRegister "rlRun 'rm -r $TmpDir' 0 'Removing tmp directory'"
|
||||||
|
CleanupRegister 'rlRun "popd"'
|
||||||
|
rlRun "pushd $TmpDir"
|
||||||
|
CleanupRegister 'rlRun "pamCleanup"'
|
||||||
|
rlRun "pamSetup"
|
||||||
|
CleanupRegister 'rlRun "rlFileRestore"'
|
||||||
|
rlFileBackup "/etc/security/opasswd" && >/etc/security/opasswd
|
||||||
|
tcfFin; }
|
||||||
|
rlPhaseEnd; }
|
||||||
|
|
||||||
|
tcfTry "Tests" --no-assert && {
|
||||||
|
tcfChk && {
|
||||||
|
rlPhaseStartTest "test option remember" && {
|
||||||
|
tcfChk "setup" && {
|
||||||
|
CleanupRegister --mark 'rlRun "testUserCleanup"'
|
||||||
|
rlRun "testUserSetup 2"
|
||||||
|
PWA=( ':3533tjh^397*:~21081^*p@w!~18374_0' ':4273tjh^397*:~3709^*p@w!~19467_1' ':31388tjh^397*:~32486^*p@w!~12258_2' ':10233tjh^397*:~620^*p@w!~19779_3' ':26151tjh^397*:~8077^*p@w!~29968_4' ':26593tjh^397*:~4665^*p@w!~16428_5' ':23163tjh^397*:~16784^*p@w!~4822_6' ':4065tjh^397*:~14355^*p@w!~4119_7' ':16312tjh^397*:~30577^*p@w!~26223_8' )
|
||||||
|
rlRun "echo ${PWA[0]} | passwd --stdin ${testUser[1]}"
|
||||||
|
CleanupRegister 'rlRun "pamRestoreFiles"'
|
||||||
|
rlRun "pamBackupFiles"
|
||||||
|
#rlRun "sed -i -e 's/^password\s\+sufficient\s\+pam_unix.so/\0 remember=5/' $sys_auth"
|
||||||
|
rlRun "pamReplaceServiceModuleRule su password pam_unix.so '' '' '' '$(pamGetServiceRuleAgruments su password pam_unix.so) remember=5'"
|
||||||
|
#rlRun "cat $sys_auth"
|
||||||
|
rlRun "pamGetServiceRules --prefix su password"
|
||||||
|
tcfFin; }
|
||||||
|
|
||||||
|
tcfTry "test remember option" && {
|
||||||
|
NEWPW=${PWA[0]}
|
||||||
|
for i in `seq 6`; do
|
||||||
|
rlLog "change passwrd #$i"
|
||||||
|
OLDPW=$NEWPW; NEWPW=${PWA[$i]}
|
||||||
|
rlRun "do_passwd ${testUser[1]} ${OLDPW} ${NEWPW}" 0
|
||||||
|
done
|
||||||
|
|
||||||
|
rlLog "change passwrd #$i"
|
||||||
|
rlLog "Try change to password that have been alredy used (should fail)"
|
||||||
|
OLDPW=$NEWPW;
|
||||||
|
rlRun "do_passwd ${testUser[1]} ${OLDPW} ${PWA[1]}" 6
|
||||||
|
|
||||||
|
for i in 7 8 1; do
|
||||||
|
rlLog "change passwrd #$i"
|
||||||
|
OLDPW=$NEWPW; NEWPW=${PWA[$i]}
|
||||||
|
rlRun "do_passwd ${testUser[1]} ${OLDPW} ${NEWPW}" 0
|
||||||
|
done
|
||||||
|
tcfFin; }
|
||||||
|
|
||||||
|
tcfTry "test vhange the password to a previous password of test1" && {
|
||||||
|
# change the password to a previous password of test1, the password change should be allowed.
|
||||||
|
rlLog "Change the password to a previous password of test1, the password change should be allowed"
|
||||||
|
echo ${PWA[0]} | passwd --stdin $testUser
|
||||||
|
rlRun "do_passwd $testUser ${PWA[0]} ${PWA[5]}" 0
|
||||||
|
tcfFin; }
|
||||||
|
|
||||||
|
tcfChk "cleanup" && {
|
||||||
|
CleanupDo --mark
|
||||||
|
tcfFin; }
|
||||||
|
rlPhaseEnd; }; :
|
||||||
|
tcfFin; }
|
||||||
|
|
||||||
|
# Run the test for >=RHEL-6.9 and >=RHEL-7.3 and <>RHEL(Fedora)
|
||||||
|
! rlIsRHEL '<6.9' && { ! rlIsRHEL '<7.3' || rlIsRHEL 6; } && tcfChk && {
|
||||||
|
rlPhaseStartTest "test option no_pass_expiry" && {
|
||||||
|
tcfChk "setup" && {
|
||||||
|
CleanupRegister --mark 'rlRun "testUserCleanup"'
|
||||||
|
rlRun "testUserSetup"
|
||||||
|
CleanupRegister 'rlRun "sshCleanup"'
|
||||||
|
rlRun "sshSetup"
|
||||||
|
rlRun "sshKeyGen"
|
||||||
|
rlRun "sshCopyID --user $testUser --password $testUserPasswd"
|
||||||
|
CleanupRegister 'rlRun "sshdRestore"'
|
||||||
|
rlRun "sshdStart"
|
||||||
|
CleanupRegister 'rlRun "pamRestoreFiles"'
|
||||||
|
rlRun "pamBackupFiles"
|
||||||
|
rlRun "pamGetServiceRules --prefix su account"
|
||||||
|
tcfFin; }
|
||||||
|
|
||||||
|
tcfTry "test" && {
|
||||||
|
rlRun "sshRun --user $testUser --key 'id'"
|
||||||
|
rlRun "chage -d 0 $testUser"
|
||||||
|
rlRun "sshRun --user $testUser --key 'id'" 1-255
|
||||||
|
rlRun "pamReplaceServiceModuleRule sshd account pam_unix.so '' '' '' '$(pamGetServiceRuleAgruments su password pam_unix.so) no_pass_expiry'"
|
||||||
|
rlRun "pamGetServiceRules --prefix sshd account"
|
||||||
|
rlRun "sshRun --user $testUser --key 'id'"
|
||||||
|
tcfFin; }
|
||||||
|
|
||||||
|
tcfChk "cleanup" && {
|
||||||
|
CleanupDo --mark
|
||||||
|
tcfFin; }
|
||||||
|
rlPhaseEnd; }; :
|
||||||
|
tcfFin; }; :
|
||||||
|
tcfFin; }
|
||||||
|
|
||||||
|
rlPhaseStartCleanup && {
|
||||||
|
tcfChk "Cleanup phase" && {
|
||||||
|
CleanupDo
|
||||||
|
tcfFin; }
|
||||||
|
tcfCheckFinal
|
||||||
|
rlPhaseEnd; }
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd; }
|
33
tests/tests.yml
Normal file
33
tests/tests.yml
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
---
|
||||||
|
# Tests that run in classic context
|
||||||
|
- hosts: localhost
|
||||||
|
roles:
|
||||||
|
- role: standard-test-beakerlib
|
||||||
|
tags:
|
||||||
|
- classic
|
||||||
|
tests:
|
||||||
|
- pam_unix
|
||||||
|
- Test-coverage-for-TTY-auditing
|
||||||
|
required_packages:
|
||||||
|
- bc
|
||||||
|
- expect
|
||||||
|
- findutils # beakerlib needs find command
|
||||||
|
- openssh-clients
|
||||||
|
- openssh-server
|
||||||
|
- pam
|
||||||
|
- pcre-tools
|
||||||
|
|
||||||
|
# Tests that run in container context
|
||||||
|
- hosts: localhost
|
||||||
|
roles:
|
||||||
|
- role: standard-test-beakerlib
|
||||||
|
tags:
|
||||||
|
- container
|
||||||
|
tests:
|
||||||
|
- Test-coverage-for-TTY-auditing
|
||||||
|
required_packages:
|
||||||
|
- bc
|
||||||
|
- expect
|
||||||
|
- findutils # beakerlib needs find command
|
||||||
|
- pam
|
||||||
|
- pcre-tools
|
Loading…
Reference in New Issue
Block a user