| Commit message | Author | Age | Files | Lines |
| |
* .github/workflows/ci.yml (gcc12-x86_64, clang14-x86_64,
clang13-x86_64): New jobs.
(gcc11-x86_64-vendordir): Rename to gcc12-x86_64-vendordir,
replace gcc-11 with gcc-12.
(clang12-x86_64-vendordir): Rename to clang14-x86_64-vendordir,
replace clang-12 with clang-14.
| |
Switch runners to the latest Ubuntu LTS available, which is currently
Ubuntu 22.04. Also, remove old compiler versions from the ci matrix.
* .github/workflows/ci.yml (gcc8-x86_64, clang10-x86_64, clang9-x86_64,
clang8-x86_64): Remove.
(gcc11-x86_64-vendordir, gcc11-x86_64, gcc10-x86_64, gcc9-x86_64,
clang12-x86_64-vendordir, clang12-x86_64, clang11-x86_64): Replace
ubuntu-20.04 with ubuntu-latest.
Link: https://github.blog/changelog/2022-11-09-github-actions-ubuntu-latest-workflows-will-use-ubuntu-22-04/
| |
clang-14 insists on issuing the following warning:
In file included from md5_good.c:4:
md5.c:92:15: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
byteReverse(ctx->in.c, 16);
^
md5.c:101:15: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
byteReverse(ctx->in.c, 16);
^
md5.c:136:15: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
byteReverse(ctx->in.c, 16);
^
md5.c:145:14: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
byteReverse(ctx->in.c, 14);
^
md5.c:151:14: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
byteReverse(ctx->buf.c, 4);
^
* modules/pam_unix/md5.c (byteReverse): Use uint32 instead of
uint8_aligned, update all users.
(uint8_aligned): Remove unused type.
| |
gcc-12 insists on issuing the following warning:
In file included from libpamc.h:13,
from pamc_converse.c:9:
pamc_converse.c: In function 'pamc_converse':
include/security/pam_client.h:129:27: error: array subscript 'struct <anonymous>[0]' is partly outside array bounds of 'unsigned char[6]' [-Werror=array-bounds]
129 | (*(old_p))->control = cntrl; \
| ^~
pamc_converse.c:209:5: note: in expansion of macro 'PAM_BP_RENEW'
209 | PAM_BP_RENEW(prompt_p, PAM_BPC_FAIL, 0);
| ^~~~~~~~~~~~
include/security/pam_client.h:87:29: note: object of size 6 allocated by 'calloc'
87 | # define PAM_BP_CALLOC calloc
| ^
include/security/pam_client.h:124:29: note: in expansion of macro 'PAM_BP_CALLOC'
124 | if ((*(old_p) = PAM_BP_CALLOC(1, 1+__size))) { \
| ^~~~~~~~~~~~~
pamc_converse.c:209:5: note: in expansion of macro 'PAM_BP_RENEW'
209 | PAM_BP_RENEW(prompt_p, PAM_BPC_FAIL, 0);
| ^~~~~~~~~~~~
* libpamc/include/security/pam_client.h (pamc_bp_t): Decorate the
structure pointed by pamc_bp_t pointer as packed. Despite being a part
of the API, the structure is not supposed to be used directly, and all
the interface macros were assuming from the very beginning that this
structure is packed.
| |
gcc-12 insists on issuing the following warning:
In file included from /usr/include/string.h:535,
from pam_limits.c:24:
In function 'strncat',
inlined from 'check_logins' at pam_limits.c:287:6,
inlined from 'setup_limits' at pam_limits.c:1066:13,
inlined from 'pam_sm_open_session' at pam_limits.c:1267:14:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:138:10: error: '__builtin___strncat_chk' argument 2 declared attribute 'nonstring' [-Werror=stringop-overread]
138 | return __builtin___strncat_chk (__dest, __src, __len,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
139 | __glibc_objsize (__dest));
| ~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from /usr/include/utmp.h:29,
from pam_limits.c:37:
/usr/include/x86_64-linux-gnu/bits/utmp.h: In function 'pam_sm_open_session':
/usr/include/x86_64-linux-gnu/bits/utmp.h:66:8: note: argument 'ut_user' declared here
66 | char ut_user[UT_NAMESIZE]
| ^~~~~~~
* modules/pam_limits/pam_limits.c (check_logins): Use memcpy instead of
strncat to pacify the compiler.
| |
These types of jobs were implemented using the old version of the OS
that is currently being deprecated by github actions.
* .github/workflows/ci.yml (gcc11-x86-vendordir, gcc11-x86, gcc10-x86,
gcc9-x86, gcc8-x86, clang10-x86, clang9-x86, clang8-x86, gcc11-x32,
gcc10-x32, gcc9-x32, gcc8-x32): Remove.
Link: https://github.com/actions/runner-images/issues/6002
| |
pam_listfile assumes the group being tested will be written at the end
of the argument list by carrying only a pointer to the value being
examined in 'myval'.
Therefore example
'''
auth required pam_listfile.so \
onerr=succeed apply=ftp item=user sense=deny file=/etc/ftpusers
'''
modified from https://linux.die.net/man/8/pam_listfile is not working because
'apply_val' will point to the latest value of 'myval', which in this case will
be "/etc/ftpusers" instead of "ftp".
Fix this issue by copying the value of 'myval' instead of just taking
a reference pointer.
Signed-off-by: Cyril Duval <cyril.duval@diabolocom.com>
| |
Changed files
--------------
Make.xml.rules.in:
- Using RNG file instead of DTD file for checking XML files.
- Taking the correct stylesheet for README files.
doc/sag/Makefile.am, doc/adg/Makefile.am, doc/mwg/Makefile.am:
- Using RNG file instead of DTD file for checking XML files.
configure.ac:
- Adding a new option for selecting RNG check file (-enable-docbook-rng)
- Switching stylesheets to docbook 5
- Checking DocBook 5 environment instead of DocBook 4 environment
*.xml:
Update from DocBook 4 to DocBook 5
| |
Use the vendor directory as fallback for a distribution provided default
config if there is no one in /etc.
* Makefile.am: Add libeconf setting.
* pam_env.c: Take care about the fallback configuration in the vendor directory.
* pam_env.8.xml: Add description for the vendor directory.
* pam_env.conf.5.xml: Add description for the vendor directory.
* tst-pam_env-retval.c: Add tests for libeconf.
* configure.ac: Add ECONF settings for building man pages.
| |
default config if there is no one in /etc.
If pam will be compiled with the option --enable-vendordir=<vendor_dir> and
NOT defined --disable-econf, the files which define valid login shells will
be parsed in following order:
- <vendor_dir>/shells
- <vendor_dir>/shells.d/*
- /etc/shells.d/shells
But all files in <vendor_dir> will be ignored if the user has defined his
own file /etc/shells.
This commit solves issue: https://github.com/linux-pam/linux-pam/issues/498
| |
Test case for checking pam_authenticate in pam_shells.
| |
The XMLS list of xml sources for the manual pages missed some xml files
and instead contained some nroff sources.
| |
Check if quote flag is positive before decrementing it. Otherwise, for
some use case, it could become negative, and have an unwanted empty string
instead of an undefined variable.
Signed-off-by: Valentin Lefebvre <valentin.lefebvre@suse.com>
| |
This fixes the following diagnostic warning:
Node.js 12 actions are deprecated. For more information see:
https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/.
* .github/workflows/ci.yml: Replace actions/checkout@v2 with
actions/checkout@v3.
| |
Regenerate po/Linux-PAM.pot and po/*.po using "make -C po update-po"
command. This updates translations of pam_faillock and pam_mail
modules.
| |
Wording of no new mail message should be significantly different from
new mail so that it does not align in length or similar words.
* modules/pam_mail/pam_mail.c (report_mail): Change the wording of
no new mail message.
Resolves: https://github.com/linux-pam/linux-pam/issues/465
| |
* modules/pam_faillock/main.c (usage): Remove extra whitespace from the
usage diagnostics.
Fixes: 94f0f5ebb ("faillock: add support to print login failure info in legacy format")
| |
Currently translated at 90.0% (90 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/es/
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ka/
Resolves: https://github.com/linux-pam/linux-pam/pull/485
| |
Fixed 2 instances in the pam_lastlog module where file locks were
not being enforced when reading and writing last login records.
* modules/pam_lastlog/pam_lastlog.c (last_login_write): The write lock
failure is fatal after 3 tries.
(last_login_read): The read lock failure is non-fatal after 3 tries.
It is non-fatal in the read case due to concerns about a possible DoS.
| |
* modules/pam_faillock/pam_faillock.c (write_tally): Avoid logging
a consecutive login failure message for the root user in case when
even_deny_root is not set.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2082442
| |
* modules/pam_faillock/faillock.conf.5.xml: Adding note related to missing
user specific faillock files after reboot.
* modules/pam_faillock/pam_faillock.8.xml: Adding note related to missing
user specific faillock files after reboot.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2062512
| |
Before this change, all stylesheets were hardcoded.
With this change, stylesheets can be defined at configure stage.
* configure.ac: Add new options to configure stylesheets:
--enable-html-stylesheet=FILE
--enable-txt-stylesheet=FILE
--enable-pdf-stylesheet=FILE
--enable-man-stylesheet=FILE
* doc/custom-html.xsl: Rename to doc/custom-html.xsl.in, parametrize html
stylesheet.
* doc/custom-man.xsl: Rename to doc/custom-man.xsl.in, parametrize man
stylesheet.
* doc/.gitignore: Add custom-man.xsl and custom-html.xsl.
* doc/adg/Makefile.am: Use stylesheet variables.
* doc/mwg/Makefile.am: Likewise.
* doc/sag/Makefile.am: Likewise.
Resolves: https://github.com/linux-pam/linux-pam/pull/499
| |
files.
Fix undefined references to ${exec_prefix} in pkgconfig files on Guix.
The subsequent declarations of ${libdir} and ${includedir} in the same
files require this commit when ${prefix} is set to something other
than /usr.
When the pkgconfig files were initially provided, the two lines added
here were dropped for what seemed like a good reason. [1] In the
common case of a /usr prefix, 'configure.ac' sets ${libdir} and
possibly ${includedir} explicitly [2] so the additional lines were
then not needed.
Guix and probably Nix too, however, depart from the Filesystem
Hierarchy Standard and require the missing lines. Without those lines,
the pkgconfig files are defective on Guix. [3]
Since working systems are not affected, the lines are added for all.
The fix was confirmed for Guix. One of the files looked like this:
prefix=/gnu/store/3mcmjilqrivrpb3hvps32lnbnyrxrzr8-linux-pam-1.5.2-1.dc2f566
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
includedir=/gnu/store/3mcmjilqrivrpb3hvps32lnbnyrxrzr8-linux-pam-1.5.2-1.dc2f566/include/security
Name: PAM
Description: The primary Linux-PAM library. It is used by PAM modules and PAM-aware applications.
URL: http://www.linux-pam.org/
Version: 1.5.2
Cflags: -I${includedir}
Libs: -L${libdir} -lpam
* libpam/pam.pc.in, libpamc/pamc.pc.in, libpam_misc/pam_misc.pc.in:
Add @prefix@ and @exec_prefix@.
Resolves: https://github.com/linux-pam/linux-pam/issues/466
[1] https://github.com/linux-pam/linux-pam/pull/369#discussion_r650557756
[2] https://github.com/linux-pam/linux-pam/blob/40c271164dbcebfc5304d0537a42fb42e6b6803c/configure.ac#L28-L36
[3] https://github.com/linux-pam/linux-pam/issues/466
| |
Check the return value of localtime_r() before calling strftime(). This
function crashes if the argument is NULL.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2012871
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
| |
Fixes the following error with Clang 15 (which makes implicit function
declarations an error by default):
```
+error: call to undeclared library function 'exit' with type 'void (int) __attribute__((noreturn))'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
exit(0);
^
note: include the header <stdlib.h> or explicitly provide a declaration for 'exit'
```
Signed-off-by: Sam James <sam@gentoo.org>
| |
Currently translated at 28.0% (28 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/et/
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zh_CN/
| |
* modules/pam_namespace/pam_namespace.c (inst_init): Make sure
the SIGCHLD handler is not reset too early by moving the sigaction
call right before the fork call.
| |
* modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Make sure
the SIGCHLD handler is not reset too early by moving the sigaction
call right before the fork call.
| |
* modules/pam_xauth/pam_xauth.c (run_coprocess): Save the SIGCHLD
handler and reset it to the default before calling fork, restore the
handler after waitpid returns.
Resolves: https://github.com/linux-pam/linux-pam/pull/469
| |
* modules/pam_exec/pam_exec.c (call_exec): Save the SIGCHLD handler and
reset it to the default before calling fork, restore the handler after
waitpid returns.
Resolves: https://github.com/linux-pam/linux-pam/issues/405
| |
* modules/pam_pwhistory/pam_pwhistory.8.xml: Add new option to select
configuration file to read.
* modules/pam_pwhistory/pwhistory.conf.5.xml: Document configuration
options for the file.
* modules/pam_pwhistory/Makefile.am (dist_man_MANS): Add pwhistory.conf.5.
(XMLS): Add pwhistory.conf.5.xml.
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
| |
* modules/pam_pwhistory/pam_pwhistory.c: Load config from file and
provide new conf option to select the file.
* modules/pam_pwhistory/pwhistory_config.c: Parse config from file and
load to options structure.
* modules/pam_pwhistory/pwhistory_config.h: Move options_t structure and
define parse_config_file().
* modules/pam_pwhistory/Makefile.am (noinst_HEADERS): Add pwhistory_config.h.
(pam_pwhistory_la_SOURCES): Add pwhistory_config.c.
(dist_secureconf_DATA): Add pwhistory.conf.
* modules/pam_pwhistory/pwhistory.conf: New configuration file.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2068461
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
| |
* libpam/include/security/pam_modutil.h: Improve the
pam_modutil_search_key() interface documentation.
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
| |
* libpam/pam_handlers.c (_pam_add_handler): Use calloc instead of malloc
for struct handler allocation to avoid returning garbage in some fields
of the structure on error path.
Resolves: https://github.com/linux-pam/linux-pam/issues/475
| |
While ubuntu-latest in ci is not necessarily the latest version of the
OS available in ci, whitespace-errors job should be agnostic to the
version being used, so use the default one.
* .github/workflows/ci.yml (whitespace-errors) <runs-on>: Change from
ubuntu-20.04 to ubuntu-latest.
| |
pam_tally2 had a simple and minimalistic output to show login failure
info, new output of faillock makes the output look a bit complex and
doesn't show failure counts in a straight manner.
This patch fixes the above issue by adding "--legacy-output" flag to
faillock which makes it possible to get output in pam_tally2 style.
Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
| |
Move the code to its own function.
Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
| |
No need to do any further processing if a non existent username is given
to faillock.
For first time successful login, failure field should be 0 and faillock
should show something like pam_tally2 did.
Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
| |
When using scandir() to look for MOTD files to display, we wrongly
relied on all filesystems providing a filetype. This is a fix to divert
to lstat() when we have no filetype. To maintain MT safety, it isn't
possible to use lstat() in the scandir() filter function, so all of the
filtering has been moved to an additional loop after scanning all the
motd dirs.
Also, remove superfluous alphasort from scandir(), we are doing
a qsort() later.
Resolves: https://github.com/linux-pam/linux-pam/issues/455
| |
Use the vendor directory as fallback for a distribution provided default
config and scripts if there is no configuration in /etc.
pam_namespace.c: Take care about the fallback configuration in vendor directory.
pam_namespace.h: Define vendor specific files and directories.
pam_namespace.8.xml: Add description for vendor directories and files.
namespace.conf.5.xml: Add description for vendor directories and files.
| |
Use the vendor directory as fallback for a distribution provided default
config if there is no configuration in /etc.
pam_limits.c: Take care about the fallback configuration in vendor directory.
pam_limits.8.xml: Add description for vendor directory.
| |
Use the vendor directory as fallback for a distribution provided default config if there is no configuration in /etc.
* pam_access.c: Take care about the fallback configuration in vendor directory.
* pam_access.8.xml: Added description for vendor directory.
| |
* .github/workflows/ci.yml (gcc11-x86_64-vendordir,
clang12-x86_64-vendordir, gcc11-x86-vendordir): New jobs.
| |
* ci/run-build-and-tests.sh: Configure using --enable-vendordir option
when VENDORDIR environment variable is set.
| |
* modules/pam_faillock/main.c: Load configuration from file
* modules/pam_faillock/pam_faillock: Improve tally directory management
* modules/pam_faillock/faillock_config.c: Print errors
* modules/pam_faillock/faillock_config.h: Extend options structure and
define get_tally_dir().
* modules/pam_faillock/Makefile.am: Compile faillock_config.c for
faillock binary.
* modules/pam_faillock/faillock.8.xml: Update with the new configuration
option.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1978029
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>