Commit message | Author | Age | Files | Lines
* po: update .pot and .po files [ldv/prepare-for-release] | Dmitry V. Levin | 2023-04-29 | 83 | -2458/+2458
  Regenerate po/Linux-PAM.pot and po/*.po using "make -C po update-po" command.
  This essentially updates the project version, line numbers, and timestamps.
* Prepare for 1.5.3 release | Dmitry V. Levin | 2023-04-29 | 2 | -1/+25
  * configure.ac (AC_INIT): Raise version to 1.5.3.
  * NEWS: Update.
* po: update translations using Weblate (Romanian) | Remus-Gabriel Chelu | 2023-04-23 | 1 | -55/+57
  Currently translated at 100.0% (101 of 101 strings).
  Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ro/
* po: update translations using Weblate (Korean) | 김인수 | 2023-04-23 | 1 | -27/+27
  Currently translated at 100.0% (101 of 101 strings).
  Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/
* pam_succeed_if: do not use the result of keyword substitution for keyword match [ldv/pam_succeed_if] | Dmitry V. Levin | 2023-04-20 | 1 | -22/+14
  * modules/pam_succeed_if/pam_succeed_if.c (evaluate): Do not use the result of keyword substitution for keyword match.
  Resolves: https://github.com/linux-pam/linux-pam/issues/560
* ci: add --enable-openssl jobs to the ci matrix | Dmitry V. Levin | 2023-04-20 | 2 | -0/+36
  Link: https://github.com/linux-pam/linux-pam/pull/550#issuecomment-1490362439
* build: fix --enable-openssl | Stefan Schubert | 2023-04-20 | 2 | -11/+15
  * Make.xml.rules.in: Avoid conflicting profile.condition settings.
  * configure.ac: Likewise.
  Resolves: https://github.com/linux-pam/linux-pam/issues/553
* pam_timestamp: Only build hmacfile when no openssl | Iker Pedrosa | 2023-04-20 | 1 | -5/+2
  * modules/pam_timestamp/Makefile.am: Only build hmacfile target when openssl isn't enabled.
  Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
* man: clarify PAM_DATA_SILENT in pam_set_data.3 | Luca Boccassi | 2023-04-20 | 1 | -1/+7
  pam_end.3 has additional and important information about PAM_DATA_SILENT, copy it to pam_set_data.3 since that describes the cleanup callback where it will be set.
* fix a grammar mistake | Mark Huang | 2023-04-20 | 1 | -1/+1
* configure: Disable NIS if header files are missing | Thorsten Kukuk | 2023-04-06 | 3 | -11/+11
  configure.ac: Disable NIS if RPC or YP header files are missing
  modules/pam_unix/support.c: Use HAVE_NIS to check for header file presence
  modules/pam_unix/pam_unix_passwd.c: Use HAVE_NIS, too
* doc: Include custom-html.xsl.in and custom-man.xsl.in | Thorsten Kukuk | 2023-04-04 | 1 | -1/+1
  doc/Makefile.am: Replace custom-html.xsl and custom-man.xsl with custom-html.xsl.in and custom-man.xsl.in EXTRA_DIST
* treewide: fix unnecessary $ on arithmetic variables [ldv/shellcheck] | Dmitry V. Levin | 2023-03-31 | 2 | -2/+2
  This should fix shellcheck warning SC2004.
* pgp.keys.asc: update [ldv/gpg-key] | Dmitry V. Levin | 2023-03-30 | 1 | -150/+134
  * pgp.keys.asc: Replace with the key used to sign v1.5.2.
  Resolves: https://github.com/linux-pam/linux-pam/issues/544
* pam_timestamp: fix build failure | Iker Pedrosa | 2023-03-30 | 1 | -0/+1
  bcba17939e1b1a568cd4a764534cde74d37078cc started using pam_overwrite_n() without providing the definition to this function, which causes a build failure.
  modules/pam_timestamp/hmac_openssl_wrapper.c: include pam_inline.h
  Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
* po: update translations using Weblate (Punjabi) | A S Alam | 2023-03-14 | 1 | -11/+12
  Currently translated at 100.0% (101 of 101 strings).
  Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pa/
* manual pages: document usage of $DISPLAY and PAM_TTY | Thorsten Kukuk | 2023-03-14 | 1 | -5/+7
  man/pam_item_types_std.inc.xml: In the past, PAM_TTY was used for tty devices and $DISPLAY variables for X-based applications. With the introduction of PAM_DISPLAY PAM_TTY should only be used for devices.
* libpam: simplify string copying using strdup | Christian Göttsche | 2023-03-04 | 1 | -5/+1
* modules: make use of secure memory erasure | Christian Göttsche | 2023-02-28 | 28 | -96/+140
  Use empty initialization of structs to minimize the memset() usage, to reduce the amount of calls which are not sensitive.
  Non trivial changes:
  - pam_env:
    * erase environment variables where possible
  - pam_exec:
    * erase response on error
    * erase auth token
  - pam_pwhistory:
    * erase buffers containing old passwords
  - pam_selinux: skip overwriting data structure consisting of only pointers to insensitive data, which also gets free'd afterwards (so it currently does not protect against double-free or use-after-free on the member pointers)
  - pam_unix: erase cipher data in more places
  - pam_userdb: erase password hashes
* libpamc: make use of secure memory erasure | Christian Göttsche | 2023-02-28 | 3 | -5/+8
* libpam_misc: make use of secure memory erasure | Christian Göttsche | 2023-02-28 | 2 | -6/+8
* libpam: make use of secure memory erasure | Christian Göttsche | 2023-02-28 | 7 | -41/+48
  Non trivial changes:
  - erase responses in pam_get_authtok_internal() on error branch
* libpam: introduce secure memory erasure helpers | Christian Göttsche | 2023-02-28 | 4 | -10/+85
  Avoid compiler optimizations to elide the memory erasure by using a secure method: either memset_explicit() [C23], bzero_explicit() [glibc 2.25] or a manual memory barrier.
  Since the current helpers _pam_overwrite*() and _pam_drop_reply() are publicly exported, create new ones in "pam_inline.h" and deprecate the old ones.
* pam_env: use helper to free string list | Christian Göttsche | 2023-02-28 | 1 | -2/+1
  Free the environment variables list via the designated helper free_string_array() rather than free its elements in a loop, which might skip some.
* pam_env: override undefined pointer after asprintf failure | Christian Göttsche | 2023-02-28 | 1 | -0/+1
  On failure the content of the string pointer passed to asprintf(3) is undefined. Set to NULL before free'ing the parent array.
* Y2038: use logind instead of utmp | Thorsten Kukuk | 2023-02-28 | 5 | -9/+78
  The struct utmp from glibc uses on many 64bit architectures a 32bit time_t for compatibility with a 32bit userland, which means utmp will not survive the year 2038 (32bit time_t overflow). Use the data from logind instead of utmp.
  * configure.ac: Add option --enable-logind
  * modules/pam_issue/Makefile.am: Add CFLAGS/LIBS for logind support
  * modules/pam_issue/pam_issue.c: Use sd_get_sessions instead of utmp
  * modules/pam_timestamp/Makefile.am: Add CFLAGS/LIBS for logind support
  * modules/pam_timestamp/pam_timestamp.c: query logind for login time
* po: update translations using Weblate (Slovenian) | Martin Srebotnjak | 2023-02-20 | 1 | -25/+24
  Currently translated at 16.8% (17 of 101 strings).
  Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sl/
* po: update translations using Weblate (Hebrew) | Yaron Shahrabani | 2023-02-20 | 1 | -8/+8
  Currently translated at 100.0% (101 of 101 strings).
  Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/he/
* manual pages: enhance pam.d documentation | Thorsten Kukuk | 2023-02-17 | 4 | -19/+73
  Make /usr/lib/pam.d and <vendordir>/pam.d more visible in the standard manual pages, so that people don't assume there is only /etc/pam.d
  * doc/man/pam.8.xml: Don't always speak about /etc/pam.d only
  * doc/man/pam.conf-desc.xml: Don't always speak about /etc/pam.d only
  * doc/man/pam.conf-dir.xml: Explain search path for pam config files
  * doc/man/pam.conf.5.xml: Add filelist with all pam.d directories
* pam_lastlog: deprecate it and disable by default | Thorsten Kukuk | 2023-02-15 | 2 | -5/+16
  pam_lastlog uses utmp, wtmp, btmp and lastlog. None of them is Y2038 safe, even on 64bit architectures. Most 64bit architectures use 32bit time_t for compat reasons with 32bit userland.
  Additionally, all relevant tools for which pam_lastlog would make sense already have their own support for all four files, so this module will most likely only create duplicate entries.
  * configure.ac: don't build pam_lastlog by default.
  * ci/run-build-and-tests.sh: enable pam_lastlog.
* libpam: use getlogin() from libc and not utmp | Thorsten Kukuk | 2023-02-14 | 1 | -41/+11
  utmp uses 32bit time_t for compatibility with 32bit userland on some 64bit systems and is thus not Y2038 safe. Use getlogin() from libc which avoids using utmp and is more safe than the old utmp-based implementation by using /proc/self/loginuid.
  * libpam/pam_modutil_getlogin.c: Use getlogin() instead of parsing utmp
* po: update translations using Weblate (Czech) | Josef Hruska | 2023-02-07 | 1 | -13/+13
  Currently translated at 100.0% (101 of 101 strings).
  Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/cs/
* po: update translations using Weblate (Korean) | Seong-ho Cho | 2023-02-07 | 1 | -44/+44
  Currently translated at 100.0% (101 of 101 strings).
  Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/
* po: update translations using Weblate (Croatian) | Gogo Gogsi | 2023-02-07 | 1 | -12/+11
  Currently translated at 100.0% (101 of 101 strings).
  Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/hr/
* po: update translations using Weblate (Kazakh) | Baurzhan Muftakhidinov | 2023-02-07 | 1 | -12/+11
  Currently translated at 100.0% (101 of 101 strings).
  Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/kk/
* po: update translations using Weblate (German) | Ettore Atalan | 2023-02-07 | 1 | -12/+12
  Currently translated at 100.0% (101 of 101 strings).
  Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/de/
* po: update translations using Weblate (Swedish) | Luna Jernberg | 2023-02-07 | 1 | -11/+11
  Currently translated at 100.0% (101 of 101 strings).
  Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sv/
* po: update translations using Weblate (Finnish) | Jan Kuparinen | 2023-02-07 | 1 | -12/+11
  Currently translated at 100.0% (101 of 101 strings).
  Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fi/
* po: update translations using Weblate (Ukrainian) | Yuri Chornoivan | 2023-02-07 | 1 | -12/+11
  Currently translated at 100.0% (101 of 101 strings).
  Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/uk/
* po: update translations using Weblate (Turkish) | Oğuz Ersen | 2023-02-07 | 1 | -11/+11
  Currently translated at 100.0% (101 of 101 strings).
  Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
* po: update translations using Weblate (Polish) | Piotr Drąg | 2023-02-07 | 1 | -13/+12
  Currently translated at 100.0% (101 of 101 strings).
  Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
* po: update translations using Weblate (Korean) | 김인수 | 2023-02-07 | 1 | -10/+10
  Currently translated at 100.0% (101 of 101 strings).
  Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/
* po: update translations using Weblate (Georgian) | Temuri Doghonadze | 2023-02-07 | 1 | -9/+8
  Currently translated at 100.0% (101 of 101 strings).
  Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ka/
* build: use <vendordir>/security directory for installation if it has been set | Stefan Schubert | 2023-02-07 | 44 | -0/+175
  Otherwise the corresponding files are still installed in /etc/security.
  * configure.ac (AC_SUBST): Add VENDOR_SCONFIGDIR.
  (AM_CONDITIONAL): Add HAVE_VENDORDIR.
  * modules/*/Makefile.am (secureconfdir): Set to VENDOR_SCONFIGDIR if HAVE_VENDORDIR has been set, otherwise to SCONFIGDIR.
* ci: make VENDORDIR based on $prefix for the clang case as well | Dmitry V. Levin | 2023-02-07 | 1 | -1/+1
  * .github/workflows/ci.yml (clang-14): Change VENDORDIR from /usr/etc to ${prefix}/share/etc, this should help to check that the code no longer relies on the assumption that VENDORDIR == /usr/etc.
  Complements: 0d1c62eb4733 ("ci: make VENDORDIR based on $prefix")
* ci: make VENDORDIR based on $prefix [ldv/pam_env-vendordir] | Dmitry V. Levin | 2023-02-05 | 2 | -2/+2
  * ci/run-build-and-tests.sh: Accept VENDORDIR that does not start with /.
  * .github/workflows/ci.yml (VENDORDIR): Change from /usr/etc to ${prefix}/share/etc, this should help to check that the code no longer relies on the assumption that VENDORDIR == /usr/etc.
* pam_env: do not assume in tests that VENDORDIR is /usr/etc | Dmitry V. Levin | 2023-02-04 | 1 | -13/+35
  * modules/pam_env/tst-pam_env-retval.c: Include <errno.h> and <libgen.h>.
  [VENDORDIR] (dir, dir_usr, dir_usr_etc): Remove.
  [VENDORDIR] (mkdir_p, rmdir_p): New functions.
  (setup, cleanup) [VENDORDIR]: Use them.
* pam_env: do not hardcode /usr/etc into tests | Dmitry V. Levin | 2023-02-03 | 1 | -12/+18
  * modules/pam_env/tst-pam_env-retval.c: Replace /usr/etc/security with VENDOR_SCONFIGDIR, /usr/etc with VENDORDIR. Do not define and use VENDORDIR based variables unless VENDORDIR is defined.
  Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
* pam_env: do not hardcode /usr/etc into documentation | Dmitry V. Levin | 2023-02-02 | 1 | -3/+3
  * modules/pam_env/pam_env.conf.5.xml: Replace /usr/etc with %vendordir%.
  Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
* pam_env: fix VENDOR_DEFAULT_ETC_ENVFILE | Dmitry V. Levin | 2023-02-01 | 1 | -1/+1
  * modules/pam_env/pam_env.c (VENDOR_DEFAULT_ETC_ENVFILE): Assume that VENDORDIR already includes "/etc".
  Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")