| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_pwhistory/pam_pwhistory.c: Load config from file and
provide new conf option to select the file.
* modules/pam_pwhistory/pwhistory_config.c: Parse config from file and
load to options structure.
* modules/pam_pwhistory/pwhistory_config.h: Move options_t structure and
define parse_config_file().
* modules/pam_pwhistory/Makefile.am (noinst_HEADERS): Add pwhistory_config.h.
(pam_pwhistory_la_SOURCES): Add pwhistory_config.c.
(dist_secureconf_DATA): Add pwhistory.conf.
* modules/pam_pwhistory/pwhistory.conf: New configuration file.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2068461
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
|
|
|
|
|
|
| |
* libpam/include/security/pam_modutil.h: Improve the
pam_modutil_search_key() interface documentation.
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
|
|
|
|
|
|
|
| |
* libpam/pam_handlers.c (_pam_add_handler): Use calloc instead of malloc
for struct handler allocation to avoid returning garbage in some fields
of the structure on error path.
Resolves: https://github.com/linux-pam/linux-pam/issues/475
|
|
|
|
|
|
|
|
|
| |
While ubuntu-latest in ci is not necessarily the latest version of the
OS available in ci, whitespace-errors job should be agnostic to the
version being used, so use the default one.
* .github/workflows/ci.yml (whitespace-errors) <runs-on>: Change from
ubuntu-20.04 to ubuntu-latest.
|
|
|
|
|
|
|
|
|
|
|
| |
pam_tally2 had a simple and minimalstic output to show login failure
info, new output of faillock makes the output look a bit complex and
doesn't show failure counts in a straight manner.
This patch fixes the above issue by adding "--legacy-output" flag to
faillock which makes it possible to get output in pam_tally2 style.
Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
|
|
|
|
|
|
| |
Move the code to it's own function.
Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
|
|
|
|
|
|
|
|
|
|
| |
No need to do any further processing if a non existent username is given
to faillock.
For first time successful login, failure field should be 0 and faillock
should show something like pam_tally2 did.
Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using scandir() to look for MOTD files to display, we wrongly
relied on all filesystems providing a filetype. This is a fix to divert
to lstat() when we have no filetype. To maintain MT safety, it isn't
possible to use lstat() in the scandir() filter function, so all of the
filtering has been moved to an additional loop after scanning all the
motd dirs.
Also, remove superfluous alphasort from scandir(), we are doing
a qsort() later.
Resolves: https://github.com/linux-pam/linux-pam/issues/455
|
|
|
|
|
|
|
|
|
|
| |
Use the vendor directory as fallback for a distribution provided default
config and scripts if there is no configuration in /etc.
pam_namespace.c: Take care about the fallback configuration in vendor directory.
pam_namespace.h: Define vendor specific files and directories.
pam_namespace.8.xml: Add description for vendor directories and files.
namespace.conf.5.xml: Add description for vendor directories and files.
|
|
|
|
|
|
|
|
| |
Use the vendor directory as fallback for a distribution provided default
config if there is no configuration in /etc.
pam_limits.c: Take care about the fallback configuration in vendor directory.
pam_limits.8.xml: Add description for vendor directory.
|
|
|
|
|
|
|
| |
Use the vendor directory as fallback for a distribution provided default config if there is no configuration in /etc.
* pam_access.c: Take care about the fallback configuration in vendor directory.
* pam_access.8.xml: Added description for vendor directory.
|
|
|
|
|
| |
* .github/workflows/ci.yml (gcc11-x86_64-vendordir,
clang12-x86_64-vendordir, gcc11-x86-vendordir): New jobs.
|
|
|
|
|
| |
* ci/run-build-and-tests.sh: Configure using --enable-vendordir option
when VENDORDIR environment variable is set.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_faillock/main.c: Load configuration from file
* modules/pam_faillock/pam_faillock: Improve tally directory management
* modules/pam_faillock/faillock_config.c: Print errors
* modules/pam_faillock/faillock_config.h: Extend options structure and
define get_tally_dir().
* modules/pam_faillock/Makefile.am: Compile faillock_config.c for
faillock binary.
* modules/pam_faillock/faillock.8.xml: Update with the new configuration
option.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1978029
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The configuration load can be reused by faillock.
* modules/pam_faillock/faillock_config.c: Move configuration loading
functions (read_config_file and set_conf_opt) to this file.
* modules/pam_faillock/faillock_config.h: Move configuration loading
macros and structures.
* modules/pam_faillock/Makefile.am: Add faillock_config.
* modules/pam_faillock/faillock.h: Remove configuration loading macros.
* modules/pam_faillock/pam_faillock.c: Remove configuration loading
functions, macros and structures.
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
|
|
|
|
|
|
| |
* modules/pam_env/pam_env.c (_assemble_line, _parse_line, _check_var,
_clean_var, _expand_arg, _pam_get_item_byname, _define_var,
_undefine_var): Move definitions of static functions before their first
use to avoid forward declarations cluttering the code.
|
|
|
|
|
|
| |
* modules/pam_issue/pam_issue.c (read_issue_raw, read_issue_quoted):
Move definitions of static functions before their first use to avoid
forward declarations cluttering the code.
|
|
|
|
|
|
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pa/
|
|
|
|
|
|
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/
|
|
|
|
|
|
|
|
| |
* modules/pam_env/tst-pam_env-retval.c: New file.
* modules/pam_env/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_env_retval_LDADD): New variables.
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
|
|
|
|
|
|
|
|
|
|
| |
According to the manual page, the following entry is valid but does not
work:
-:root:ALL EXCEPT localhost
See https://bugzilla.suse.com/show_bug.cgi?id=1019866
Patched is based on PR#226 from Josef Moellers
|
|
|
|
|
|
|
|
|
| |
In the child process, freeing memory right before pam_syslog()
followed by _exit(ENOMEM) is useless.
* modules/pam_exec/pam_exec.c (call_exec): Do not call free(envlist).
Resolves: https://github.com/linux-pam/linux-pam/issues/444
|
|
|
|
|
|
|
|
|
|
| |
In the child process, the elements of argv[] are not modified, so there
is no need to copy strings.
* modules/pam_exec/pam_exec.c (call_exec): Do not call strdup on argv[]
elements during arggv[] initialization.
Resolves: https://github.com/linux-pam/linux-pam/pull/446
|
| |
|
|
|
|
|
|
|
|
| |
Fix the following compilation warning reported by clang:
"result of comparison against a string literal is unspecified
(use strcmp instead)".
* pam_time.c (_pam_parse): Do not compare char* string with a constant.
|
|
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_usertype/pam_usertype.c (pam_usertype_is_system): Stop
using SYS_UID_MIN to check if it is a system account, because all
accounts below the SYS_UID_MAX are system users.
* modules/pam_usertype/pam_usertype.8.xml: Remove reference to SYS_UID_MIN
as it is no longer used to calculate the system accounts.
* configure.ac: Remove PAM_USERTYPE_SYSUIDMIN.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1949137
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_keyinit/pam_keyinit.c: Bypass setre*id() C library calls
with kernel calls and change global variables definitions to be
thread-safe.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1997969
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Co-Authored-By: Andreas Schneider <asn@samba.org>
|
|
|
|
|
|
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zh_CN/
|
|
|
|
|
|
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/hr/
|
|
|
|
|
|
| |
Currently translated at 82.0% (82 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/es/
|
|
|
|
|
|
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/
|
|
|
|
|
|
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sk/
|
|
|
|
|
|
| |
Currently translated at 1.0% (1 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zh_HK/
|
|
|
|
|
|
| |
Currently translated at 100.0% (100 of 100 strings).
Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ja/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use the vendor directory defined by --enable-vendordir=DIR configure
option as fallback for the distribution provided default config file
if there is no configuration in /etc.
* modules/pam_time/pam_time.8.xml: Describe this.
* modules/pam_time/time.h [VENDOR_SCONFIGDIR] (VENDOR_PAM_TIME_CONF):
New macro.
* modules/pam_time/pam_time.c (_pam_parse) [VENDOR_PAM_TIME_CONF]:
Try to open VENDOR_PAM_TIME_CONF file when no conffile= option was
specified and PAM_TIME_CONF file does not exist.
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
Resolves: https://github.com/linux-pam/linux-pam/pull/409
|
|
|
|
|
|
|
|
| |
* modules/pam_time/tst-pam_time-retval.c: New file.
* modules/pam_time/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_time_retval_LDADD): New variables.
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Sometimes, especially in embedded devices, the /etc directory can be
read-only and/or not saved over upgrades. In order to ensure password
policies are maintained across upgrades and the module functions on
read-only file systems, allow the location of the password history file
to be set in the PAM configuration.
Signed-off-by: Edward <jinzhou.zhu1@ge.com>
[Martyn Welch: Updated commit message and ported to latest version]
Signed-off-by: Martyn Welch <martyn.welch@collabora.com>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
|
|
|
|
|
|
| |
* libpam/Makefile.am (libpam_la_LIBADD): Add @LTLIBINTL@.
Resolves: https://github.com/linux-pam/linux-pam/pull/433
|
|
|
|
|
|
|
|
| |
* modules/pam_faillock/tst-pam_faillock-retval.c: New file.
* modules/pam_faillock/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_faillock_retval_LDADD): New variables.
Resolves: https://github.com/linux-pam/linux-pam/pull/431
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use the vendor directory defined by --enable-vendordir=DIR configure
option as fallback for the distribution provided default config file
if there is no configuration in /etc.
* modules/pam_faillock/pam_faillock.8.xml: Describe this.
* modules/pam_faillock/faillock.h [VENDOR_SCONFIGDIR]
(VENDOR_FAILLOCK_DEFAULT_CONF): New macro.
* modules/pam_faillock/pam_faillock.c (read_config_file)
[VENDOR_FAILLOCK_DEFAULT_CONF]: Try to open VENDOR_FAILLOCK_DEFAULT_CONF
file when FAILLOCK_DEFAULT_CONF file does not exist.
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
Resolves: https://github.com/linux-pam/linux-pam/pull/423
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use the vendor directory defined by --enable-vendordir=DIR configure
option as fallback for the distribution provided default config file
if there is no configuration in /etc.
* modules/pam_group/pam_group.c: Include <errno.h>.
[VENDOR_SCONFIGDIR] (VENDOR_PAM_GROUP_CONF): New macro.
(read_field): Add conf_filename argument, use it instead of PAM_GROUP_CONF.
(check_account) <conf_filename>: New variable, initialize it to
PAM_GROUP_CONF, pass it to read_field().
[VENDOR_PAM_GROUP_CONF]: Assign VENDOR_PAM_GROUP_CONF to conf_filename
when PAM_GROUP_CONF file does not exist.
* modules/pam_group/pam_group.8.xml: Describe it.
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
Resolves: https://github.com/linux-pam/linux-pam/pull/412
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use the vendor directory defined by --enable-vendordir=DIR configure
option as fallback for the distribution provided default config file
if there is no configuration in /etc.
* modules/pam_sepermit/pam_sepermit.c [VENDOR_SCONFIGDIR]
(SEPERMIT_VENDOR_CONF_FILE): New macro.
(pam_sm_authenticate) [SEPERMIT_VENDOR_CONF_FILE]: Use it as default
config file when conf= option is not specified and the file pointed
by SEPERMIT_CONF_FILE does not exist.
* modules/pam_sepermit/pam_sepermit.8.xml: Describe it.
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
Resolves: https://github.com/linux-pam/linux-pam/pull/411
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The last build of Linux-PAM by travis-ci.org was in March of 2020,
and travis-ci.org says that all building is ceased since June of 2021.
Given that in foreseeable future travis-ci.com is not going to welcome
free software projects, there is no use to keep Travis CI support
in the tree.
* .travis.yml: Remove.
Link: https://blog.travis-ci.com/2020-11-02-travis-ci-new-billing
|
|
|
|
|
| |
* ci/run-build-and-tests.sh: Check that "git status" does not report
any untracked files.
|
|
|
|
| |
* .gitignore: Add Make.xml.rules.
|
|
|
|
|
| |
* modules/pam_limits/pam_limits.c (parse_config_file): Use
VENDOR_SCONFIGDIR macro instead of VENDORDIR.
|
|
|
|
|
|
|
| |
This is a VENDORDIR version of SCONFIGDIR macro, defined to
VENDORDIR"/security" when --enable-vendordir is used for build.
* configure.ac (AC_DEFINE_UNQUOTED): Add VENDOR_SCONFIGDIR.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
source code
Since SCONFIGDIR macro is available, the is no need to define macros
based on SCONFIGDIR in Makefile.am files.
* modules/pam_access/Makefile.am (AM_CFLAGS): Move definitions of
PAM_ACCESS_CONFIG and ACCESS_CONF_GLOB macros ...
* modules/pam_access/pam_access.c: ... here.
* modules/pam_env/Makefile.am (AM_CFLAGS): Move definition of
DEFAULT_CONF_FILE macro ...
* modules/pam_env/pam_env.c: ... here.
* modules/pam_group/Makefile.am (AM_CFLAGS): Move definition of
PAM_GROUP_CONF macro ...
* modules/pam_group/pam_group.c: ... here.
* modules/pam_limits/Makefile.am (AM_CFLAGS): Move definition of
LIMITS_FILE macro ...
* modules/pam_limits/pam_limits.c: ... here.
* modules/pam_sepermit/Makefile.am (AM_CFLAGS): Move definition of
SEPERMIT_CONF_FILE macro ...
* modules/pam_sepermit/pam_sepermit.c: ... here.
* modules/pam_time/Makefile.am (AM_CFLAGS): Move definition of
PAM_TIME_CONF macro ...
* modules/pam_time/pam_time.c: ... here.
|
|
|
|
|
|
|
|
|
| |
LIMITS_FILE_DIR used to define a glob pattern instead of a directory
name, fix that inconsistency.
* modules/pam_limits/Makefile.am (AM_CFLAGS): Move "/*.conf" ending of
LIMITS_FILE_DIR macro ...
* modules/pam_limits/pam_limits.c (LIMITS_CONF_GLOB): ... here.
|