SLFO-pool/pam
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:SLFO:Main pam revision 0bf4344e447551fd37662b147ec12ea4

Browse Source
This commit is contained in:
Adrian Schröter 2024-05-03 17:39:09 +02:00
commit 242ad4afd6
27 changed files with 3728 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

BIN
Linux-PAM-1.6.0.tar.xz (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
Linux-PAM-1.6.0.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJlp6wnAAoJEKgEH6g54W42MiEP/A9ZznPwFC64SbhbvFYOt6dI
n7NMhzBK4NNw4FLuqeTtIDibNVZ5PkrPHTVaaUuZ2etIkAtUzQLJfB6AyIUY80Gm
NrURXs3LTGZT413A5hH21wUiMLFXIi8GGcz2THV9FJX4KruOkvxXVTxUH6ntlsHY
U+NpNbQXtbq7whzdb7A2W7Ofyg4/gG/QJuLil1cS0rlGg2GhGqxQKBpzvag3fFM3
XQClfUTF0ALhR6RH0HzolwEsOSp/C1US0mHHfBsvMlbkHrba5VrlQyvdximtzXxw
6+vNaYVd0SX40e3QCLFQ3yAwqAVK6g0lVlgohSCZbjDJgdcoklShE2x7GtVyzwMi
Vic7nkzANQPb0EH14Bo+SMQEOGtZ99tVUt4jX4Rt6f0P/pBCiF6ugJj/IJ67Ouu2
gp1aRVFrrhFetucdeZhnXb7IJ8h4FDtklRcOS8OgsPGJofLjZmVICrwt6sxpU30n
b/csdoJ1xrMuvo1RGAeSi58sz4KiyKxnTDJL1+7owoK6oNMkN2HR6pE4NH0Atm4n
NcQykgvavC6GZwUsMqrGQypG30LdkKiRScPqCerNYzi01iL7Zxw5BK/plFBwCqJQ
LQH1FUUKEUMA13dt/bUOMSUNmkyIC3PtE69g6XeLRL1M00gRwGgjn8azcYDzOWox
zxDFnUsJ/JgmJm3y47J2
=wzV/
-----END PGP SIGNATURE-----

3
_multibuild Normal file
View File

@ -0,0 +1,3 @@
<multibuild>
<flavor>full</flavor>
</multibuild>

6
baselibs.conf Normal file
View File

@ -0,0 +1,6 @@
pam
requires "(systemd-<targettype> if systemd)"
obsoletes "pam_unix-<targettype>"
obsoletes "pam_unix-nis-<targettype>"
pam-extra
pam-devel

9
common-account.pamd Normal file
View File

@ -0,0 +1,9 @@
#
# /etc/pam.d/common-account - account settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the account modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
account required pam_unix.so try_first_pass

11
common-auth.pamd Normal file
View File

@ -0,0 +1,11 @@
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_env.so
auth required pam_unix.so try_first_pass

11
common-password.pamd Normal file
View File

@ -0,0 +1,11 @@
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.
#
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
password required pam_unix.so nullok

14
common-session-nonlogin.pamd Normal file
View File

@ -0,0 +1,14 @@
#
# /etc/pam.d/common-session-nonlogin - session-related modules common
# to services not doing a real login
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive), but not if they don't create a new login session
# (e.g. like cron, chfn, chsh, ...)
#
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_umask.so
session optional pam_env.so

13
common-session.pamd Normal file
View File

@ -0,0 +1,13 @@
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
session optional pam_systemd.so
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_umask.so
session optional pam_env.so

8
macros.pam Normal file
View File

@ -0,0 +1,8 @@
%_pam_libdir %{_libdir}
%_pam_moduledir %{_libdir}/security
%_pam_secconfdir %{_sysconfdir}/security
%_pam_secdistconfdir %{_distconfdir}/security
%_pam_confdir %{_sysconfdir}/pam.d
%_pam_vendordir %{_prefix}/lib/pam.d
# legacy, to be retired
%_pamdir %{_pam_moduledir}

10
other.pamd Normal file
View File

@ -0,0 +1,10 @@
#%PAM-1.0
auth required pam_warn.so
auth required pam_deny.so
account required pam_warn.so
account required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session required pam_warn.so
session required pam_deny.so

11
pam-limit-nproc.patch Normal file
View File

@ -0,0 +1,11 @@
Index: Linux-PAM-1.3.1/modules/pam_limits/limits.conf
===================================================================
--- Linux-PAM-1.3.1.orig/modules/pam_limits/limits.conf
+++ Linux-PAM-1.3.1/modules/pam_limits/limits.conf
@@ -47,4 +47,6 @@
#ftp hard nproc 0
#@student - maxlogins 4
+# No limits for nproc, use systemd configuration instead
+
# End of file

46
pam-login_defs-check.sh Normal file
View File

@ -0,0 +1,46 @@
#!/bin/bash
# Extract list of variables supported by su/runuser.
#
# If you edit this file, you will probably need to edit
# shadow-login_defs-check.sh from shadow sources in a similar way.
set -o errexit
echo -n "Checking login.defs variables in pam... " >&2
grep -rh LOGIN_DEFS . |
sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
LC_ALL=C sort -u >pam-login_defs-vars.lst
if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 8521c47f55dff97fac980d52395b763590cd3f07 ; then
echo "does not match!" >&2
echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2
cat >&2 <<EOF
You have to perform following steps:
Check whether the error is false positive (script failed to extract
variables) or true positive (variable list changed).
If it is false positive:
- Fix this script.
- The same fix is needed in shadow package in shadow-login_defs-check.sh.
If it is true positive:
- Check-out shadow package and call shadow-login_defs-check.sh.
- Compare its output shadow-login_defs-check-pam.lst with
pam-login_defs-vars.lst in the pam build directory.
- Update shadow encryption_method_nis.patch, if needed.
- If encryption_method_nis.patch was updated, update
login_defs-support-for-pam symbol version in both shadow and
pam spec files accordingly.
- Update checksum in this script.
EOF
exit 1
else
echo "OK" >&2
fi

2316
pam.changes Normal file
View File

File diff suppressed because it is too large Load Diff

585
pam.spec Normal file
View File

@ -0,0 +1,585 @@
#
# spec file for package pam
#
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
# Enable livepatching support for SLE15-SP4 onwards. It requires
# compiler support introduced there.
%define livepatchable 1
# Set variables for livepatching.
%define _other %{_topdir}/OTHER
%define tar_basename pam-livepatch-%{version}-%{release}
%define tar_package_name %{tar_basename}.%{_arch}.tar.xz
%define clones_dest_dir %{tar_basename}/%{_arch}
%else
# Unsupported operating system.
%define livepatchable 0
%endif
%ifnarch x86_64
# Unsupported architectures must have livepatch disabled.
%define livepatchable 0
%endif
%bcond_without selinux
%bcond_with debug
%define flavor @BUILD_FLAVOR@%{nil}
%define config_files pam.d/other pam.d/common-account pam.d/common-auth pam.d/common-password pam.d/common-session \\\
security/faillock.conf security/group.conf security/limits.conf security/pam_env.conf security/access.conf \\\
security/namespace.conf security/namespace.init security/sepermit.conf
%if "%{flavor}" == "full"
%define build_main 0
%define build_doc 1
%define build_extra 1
%define build_userdb 1
%define name_suffix -%{flavor}-src
%else
%define build_main 1
%define build_doc 0
%define build_extra 0
%define build_userdb 0
%define name_suffix %{nil}
%endif
#
%define libpam_so_version 0.85.1
%define libpam_misc_so_version 0.82.1
%define libpamc_so_version 0.82.1
%if ! %{defined _distconfdir}
%define _distconfdir %{_sysconfdir}
%define config_noreplace 1
%endif
#
%{load:%{_sourcedir}/macros.pam}
#
Name: pam%{name_suffix}
#
Version: 1.6.0
Release: 0
Summary: A Security Tool that Provides Authentication for Applications
License: GPL-2.0-or-later OR BSD-3-Clause
Group: System/Libraries
URL: https://github.com/linux-pam/linux-pam
Source: Linux-PAM-%{version}.tar.xz
Source1: Linux-PAM-%{version}.tar.xz.asc
Source2: macros.pam
Source3: other.pamd
Source4: common-auth.pamd
Source5: common-account.pamd
Source6: common-password.pamd
Source7: common-session.pamd
Source9: baselibs.conf
Source10: unix2_chkpwd.c
Source11: unix2_chkpwd.8
Source12: pam-login_defs-check.sh
Source13: pam.tmpfiles
Source20: common-session-nonlogin.pamd
Source21: postlogin-auth.pamd
Source22: postlogin-account.pamd
Source23: postlogin-password.pamd
Source24: postlogin-session.pamd
Patch1: pam-limit-nproc.patch
# https://github.com/linux-pam/linux-pam/pull/739
Patch2: pam_env-fix_vendordir.patch
# https://github.com/linux-pam/linux-pam/pull/740
Patch3: pam_env-fix-enable-vendordir-fallback.patch
# https://github.com/linux-pam/linux-pam/pull/741
Patch4: pam_env-remove-escaped-newlines.patch
# https://github.com/linux-pam/linux-pam/pull/744
Patch5: pam_unix-fix-password-aging-disabled.patch
BuildRequires: audit-devel
BuildRequires: bison
BuildRequires: flex
BuildRequires: libtool
BuildRequires: xz
Requires(post): permissions
# All login.defs variables require support from shadow side.
# Upgrade this symbol version only if new variables appear!
# Verify by shadow-login_defs-check.sh from shadow source package.
Recommends: login_defs-support-for-pam >= 1.5.2
BuildRequires: pkgconfig(libeconf)
%if %{with selinux}
BuildRequires: libselinux-devel
%endif
Obsoletes: pam_unix
Obsoletes: pam_unix-nis
Recommends: pam-manpages
Requires(pre): group(shadow)
Requires(pre): user(root)
%description
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.
%if %{build_userdb}
%package -n pam-userdb
Summary: PAM module to authenticate against a separate database
Group: System/Libraries
Provides: pam-extra:%{_pam_moduledir}/pam_userdb.so
BuildRequires: libdb-4_8-devel
BuildRequires: pam-devel
%description -n pam-userdb
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.
This package contains pam_userdb which is used to verify a
username/password pair against values stored in a Berkeley DB database.
%endif
%if %{build_extra}
%package -n pam-extra
Summary: PAM module with extended dependencies
Group: System/Libraries
#BuildRequires: pkgconfig(systemd)
# The systemd-mini package does not pass configure checks
BuildRequires: systemd-devel >= 254
BuildRequires: pam-devel
Provides: pam:%{_sbindir}/pam_timestamp_check
%description -n pam-extra
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.
This package contains extra modules eg pam_issue and pam_timestamp which
can have extended dependencies.
%endif
%if %{build_doc}
%package -n pam-doc
Summary: Documentation for Pluggable Authentication Modules
Group: Documentation/HTML
BuildArch: noarch
%description -n pam-doc
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.
This package contains the documentation.
%package -n pam-manpages
Summary: Manualpages for Pluggable Authentication Modules
Group: Documentation/HTML
Provides: pam:/%{_mandir}/man8/PAM.8.gz
BuildArch: noarch
BuildRequires: docbook5-xsl-stylesheets
BuildRequires: elinks
BuildRequires: xmlgraphics-fop
%description -n pam-manpages
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.
This package contains the manual pages.
%endif
%package devel
Summary: Include Files and Libraries for PAM Development
Group: Development/Libraries/C and C++
Requires: glibc-devel
Requires: pam = %{version}
%description devel
PAM (Pluggable Authentication Modules) is a system security tool which
allows system administrators to set authentication policy without
having to recompile programs which do authentication.
This package contains header files and static libraries used for
building both PAM-aware applications and modules for use with PAM.
%prep
%setup -q -n Linux-PAM-%{version}
cp -a %{SOURCE12} .
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build
bash ./pam-login_defs-check.sh
export CFLAGS="%{optflags}"
%if !%{with debug}
CFLAGS="$CFLAGS -DNDEBUG"
%endif
%if %{livepatchable}
CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
%endif
autoreconf
%configure \
--includedir=%{_includedir}/security \
--docdir=%{_docdir}/pam \
--htmldir=%{_docdir}/pam/html \
--pdfdir=%{_docdir}/pam/pdf \
--enable-isadir=../..%{_pam_moduledir} \
--enable-securedir=%{_pam_moduledir} \
--enable-vendordir=%{_prefix}/etc \
%if "%{flavor}" == "full"
--enable-logind \
%endif
--disable-examples \
--disable-nis \
%if %{with debug}
--enable-debug
%endif
%make_build
%if %{livepatchable}
# Ipa-clones are files generated by gcc which logs changes made across
# functions, and we need to know such changes to build livepatches
# correctly. These files are intended to be used by the livepatch
# developers and may be retrieved by using `osc getbinaries`.
#
# Create list of ipa-clones.
find . -name "*.ipa-clones" ! -empty | sed 's/^\.\///g' | sort > ipa-clones.list
# Create ipa-clones destination folder and move clones there.
mkdir -p ipa-clones/%{clones_dest_dir}
while read f; do
_dest=ipa-clones/%{clones_dest_dir}/$f
mkdir -p ${_dest%/*}
cp $f $_dest
done < ipa-clones.list
# Create tar package with the clone files.
tar cfJ %{tar_package_name} -C ipa-clones %{tar_basename}
# Copy tar package to the OTHERS folder
cp %{tar_package_name} %{_other}
%endif # livepatchable
gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam
%if %{build_main}
%check
%make_build check
%endif
%install
mkdir -p %{buildroot}%{_pam_confdir}
mkdir -p %{buildroot}%{_pam_vendordir}
mkdir -p %{buildroot}%{_includedir}/security
mkdir -p %{buildroot}%{_pam_moduledir}
mkdir -p %{buildroot}/sbin
mkdir -p -m 755 %{buildroot}%{_libdir}
# For compat reasons
mkdir -p %{buildroot}%{_distconfdir}/pam.d
%make_install
/sbin/ldconfig -n %{buildroot}%{_libdir}
# Install documentation
%make_install -C doc
# install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript
install -d %{buildroot}%{_pam_secconfdir}/namespace.d
# install other.pamd and common-*.pamd
install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/other
install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/common-auth
install -m 644 %{SOURCE5} %{buildroot}%{_pam_vendordir}/common-account
install -m 644 %{SOURCE6} %{buildroot}%{_pam_vendordir}/common-password
install -m 644 %{SOURCE7} %{buildroot}%{_pam_vendordir}/common-session
install -m 644 %{SOURCE20} %{buildroot}%{_pam_vendordir}/common-session-nonlogin
install -m 644 %{SOURCE21} %{buildroot}%{_pam_vendordir}/postlogin-auth
install -m 644 %{SOURCE22} %{buildroot}%{_pam_vendordir}/postlogin-account
install -m 644 %{SOURCE23} %{buildroot}%{_pam_vendordir}/postlogin-password
install -m 644 %{SOURCE24} %{buildroot}%{_pam_vendordir}/postlogin-session
mkdir -p %{buildroot}%{_prefix}/lib/motd.d
#
# Remove crap
#
find %{buildroot} -type f -name "*.la" -delete -print
#
# Install READMEs of PAM modules
#
DOC=%{buildroot}%{_defaultdocdir}/pam
mkdir -p $DOC/modules
pushd modules
for i in pam_*/README; do
cp -fpv "$i" "$DOC/modules/README.${i%/*}"
done
popd
# Install unix2_chkpwd
install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}%{_sbindir}
# rpm macros
install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
# /run/motd.d
install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf
mkdir -p %{buildroot}%{_pam_secdistconfdir}/{limits.d,namespace.d}
mv %{buildroot}%{_sysconfdir}/environment %{buildroot}%{_distconfdir}/environment
# Remove manual pages for main package
%if !%{build_doc}
rm -rf %{buildroot}%{_mandir}/man?/*
%else
install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
# bsc#1188724
echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5
%endif
%if !%{build_main}
rm -rf %{buildroot}{%{_sysconfdir},%{_distconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale}
rm -rf %{buildroot}{%{_includedir},%{_libdir}/{libpam*,pkgconfig},%{_pam_vendordir},%{_rpmmacrodir},%{_tmpfilesdir},%{_unitdir}/pam_namespace.service}
rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,l,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}*
%else
# Delete files for extra package
rm -rf %{buildroot}{%{_pam_moduledir}/pam_issue.so,%{_pam_moduledir}/pam_timestamp.so,%{_sbindir}/pam_timestamp_check}
# Create filelist with translations
%find_lang Linux-PAM
%endif
%if %{build_main}
%verifyscript
%verify_permissions -e %{_sbindir}/unix_chkpwd
%verify_permissions -e %{_sbindir}/unix2_chkpwd
%post
/sbin/ldconfig
%set_permissions %{_sbindir}/unix_chkpwd
%set_permissions %{_sbindir}/unix2_chkpwd
%tmpfiles_create %{_tmpfilesdir}/pam.conf
%postun -p /sbin/ldconfig
%pre
for i in securetty %{config_files} ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
done
%posttrans
# Migration to /usr/etc.
for i in securetty %{config_files} ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
done
%files -f Linux-PAM.lang
%doc NEWS
%license COPYING
%exclude %{_defaultdocdir}/pam/html
%exclude %{_defaultdocdir}/pam/modules
%exclude %{_defaultdocdir}/pam/pdf
%exclude %{_defaultdocdir}/pam/*.txt
%dir %{_pam_confdir}
%dir %{_pam_vendordir}
%dir %{_pam_secconfdir}
%dir %{_pam_secdistconfdir}
%dir %{_pam_secdistconfdir}/limits.d
# /usr/etc/pam.d is for compat reasons
%dir %{_distconfdir}/pam.d
%dir %{_prefix}/lib/motd.d
%if %{defined config_noreplace}
%config(noreplace) %{_pam_confdir}/other
%config(noreplace) %{_pam_confdir}/common-*
%else
%{_pam_vendordir}/other
%{_pam_vendordir}/common-*
%{_pam_vendordir}/postlogin-*
%endif
%{_distconfdir}/environment
%{_pam_secdistconfdir}/access.conf
%{_pam_secdistconfdir}/group.conf
%{_pam_secdistconfdir}/faillock.conf
%{_pam_secdistconfdir}/limits.conf
%{_pam_secdistconfdir}/pam_env.conf
%if %{with selinux}
%{_pam_secdistconfdir}/sepermit.conf
%endif
%{_pam_secdistconfdir}/time.conf
%{_pam_secdistconfdir}/namespace.conf
%{_pam_secdistconfdir}/namespace.init
%{_pam_secdistconfdir}/pwhistory.conf
%dir %{_pam_secdistconfdir}/namespace.d
%{_libdir}/libpam.so.0
%{_libdir}/libpam.so.%{libpam_so_version}
%{_libdir}/libpamc.so.0
%{_libdir}/libpamc.so.%{libpamc_so_version}
%{_libdir}/libpam_misc.so.0
%{_libdir}/libpam_misc.so.%{libpam_misc_so_version}
%dir %{_pam_moduledir}
%{_pam_moduledir}/pam_access.so
%{_pam_moduledir}/pam_canonicalize_user.so
%{_pam_moduledir}/pam_debug.so
%{_pam_moduledir}/pam_deny.so
%{_pam_moduledir}/pam_echo.so
%{_pam_moduledir}/pam_env.so
%{_pam_moduledir}/pam_exec.so
%{_pam_moduledir}/pam_faildelay.so
%{_pam_moduledir}/pam_faillock.so
%{_pam_moduledir}/pam_filter.so
%dir %{_pam_moduledir}/pam_filter
%{_pam_moduledir}//pam_filter/upperLOWER
%{_pam_moduledir}/pam_ftp.so
%{_pam_moduledir}/pam_group.so
%{_pam_moduledir}/pam_keyinit.so
%{_pam_moduledir}/pam_limits.so
%{_pam_moduledir}/pam_listfile.so
%{_pam_moduledir}/pam_localuser.so
%{_pam_moduledir}/pam_loginuid.so
%{_pam_moduledir}/pam_mail.so
%{_pam_moduledir}/pam_mkhomedir.so
%{_pam_moduledir}/pam_motd.so
%{_pam_moduledir}/pam_namespace.so
%{_pam_moduledir}/pam_nologin.so
%{_pam_moduledir}/pam_permit.so
%{_pam_moduledir}/pam_pwhistory.so
%{_pam_moduledir}/pam_rhosts.so
%{_pam_moduledir}/pam_rootok.so
%{_pam_moduledir}/pam_securetty.so
%if %{with selinux}
%{_pam_moduledir}/pam_selinux.so
%{_pam_moduledir}/pam_sepermit.so
%endif
%{_pam_moduledir}/pam_setquota.so
%{_pam_moduledir}/pam_shells.so
%{_pam_moduledir}/pam_stress.so
%{_pam_moduledir}/pam_succeed_if.so
%{_pam_moduledir}/pam_time.so
%{_pam_moduledir}/pam_tty_audit.so
%{_pam_moduledir}/pam_umask.so
%{_pam_moduledir}/pam_unix.so
%{_pam_moduledir}/pam_usertype.so
%{_pam_moduledir}/pam_warn.so
%{_pam_moduledir}/pam_wheel.so
%{_pam_moduledir}/pam_xauth.so
%{_sbindir}/faillock
%{_sbindir}/mkhomedir_helper
%{_sbindir}/pam_namespace_helper
%{_sbindir}/pwhistory_helper
%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix_chkpwd
%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix2_chkpwd
%attr(0700,root,root) %{_sbindir}/unix_update
%{_unitdir}/pam_namespace.service
%{_tmpfilesdir}/pam.conf
%files devel
%defattr(644,root,root,755)
%dir %{_includedir}/security
%{_includedir}/security/*.h
%{_libdir}/libpam.so
%{_libdir}/libpamc.so
%{_libdir}/libpam_misc.so
%{_rpmmacrodir}/macros.pam
%{_libdir}/pkgconfig/pam*.pc
%endif
%if %{build_userdb}
%files -n pam-userdb
%defattr(-,root,root,755)
%{_pam_moduledir}/pam_userdb.so
%{_mandir}/man8/pam_userdb.8%{?ext_man}
%endif
%if %{build_extra}
%files -n pam-extra
%defattr(-,root,root,755)
%{_pam_moduledir}/pam_issue.so
%{_pam_moduledir}/pam_timestamp.so
%{_sbindir}/pam_timestamp_check
%endif
%if %{build_doc}
%files -n pam-doc
%defattr(644,root,root,755)
%dir %{_defaultdocdir}/pam
%doc %{_defaultdocdir}/pam/html
%doc %{_defaultdocdir}/pam/modules
%doc %{_defaultdocdir}/pam/pdf
%doc %{_defaultdocdir}/pam/*.txt
%files -n pam-manpages
%{_mandir}/man3/pam*.3%{?ext_man}
%{_mandir}/man3/misc_conv.3%{?ext_man}
%{_mandir}/man5/environment.5%{?ext_man}
%{_mandir}/man5/*.conf.5%{?ext_man}
%{_mandir}/man5/pam.d.5%{?ext_man}
%{_mandir}/man5/motd.5%{?ext_man}
%{_mandir}/man8/PAM.8%{?ext_man}
%{_mandir}/man8/faillock.8%{?ext_man}
%{_mandir}/man8/mkhomedir_helper.8%{?ext_man}
%{_mandir}/man8/pam.8%{?ext_man}
%{_mandir}/man8/pam_access.8%{?ext_man}
%{_mandir}/man8/pam_canonicalize_user.8%{?ext_man}
%{_mandir}/man8/pam_debug.8%{?ext_man}
%{_mandir}/man8/pam_deny.8%{?ext_man}
%{_mandir}/man8/pam_echo.8%{?ext_man}
%{_mandir}/man8/pam_env.8%{?ext_man}
%{_mandir}/man8/pam_exec.8%{?ext_man}
%{_mandir}/man8/pam_faildelay.8%{?ext_man}
%{_mandir}/man8/pam_faillock.8%{?ext_man}
%{_mandir}/man8/pam_filter.8%{?ext_man}
%{_mandir}/man8/pam_ftp.8%{?ext_man}
%{_mandir}/man8/pam_group.8%{?ext_man}
%{_mandir}/man8/pam_issue.8%{?ext_man}
%{_mandir}/man8/pam_keyinit.8%{?ext_man}
%{_mandir}/man8/pam_limits.8%{?ext_man}
%{_mandir}/man8/pam_listfile.8%{?ext_man}
%{_mandir}/man8/pam_localuser.8%{?ext_man}
%{_mandir}/man8/pam_loginuid.8%{?ext_man}
%{_mandir}/man8/pam_mail.8%{?ext_man}
%{_mandir}/man8/pam_mkhomedir.8%{?ext_man}
%{_mandir}/man8/pam_motd.8%{?ext_man}
%{_mandir}/man8/pam_namespace.8%{?ext_man}
%{_mandir}/man8/pam_namespace_helper.8%{?ext_man}
%{_mandir}/man8/pam_nologin.8%{?ext_man}
%{_mandir}/man8/pam_permit.8%{?ext_man}
%{_mandir}/man8/pam_pwhistory.8%{?ext_man}
%{_mandir}/man8/pam_rhosts.8%{?ext_man}
%{_mandir}/man8/pam_rootok.8%{?ext_man}
%{_mandir}/man8/pam_securetty.8%{?ext_man}
%if %{with selinux}
%{_mandir}/man8/pam_selinux.8%{?ext_man}
%{_mandir}/man8/pam_sepermit.8%{?ext_man}
%endif
%{_mandir}/man8/pam_setquota.8%{?ext_man}
%{_mandir}/man8/pam_shells.8%{?ext_man}
%{_mandir}/man8/pam_stress.8%{?ext_man}
%{_mandir}/man8/pam_succeed_if.8%{?ext_man}
%{_mandir}/man8/pam_time.8%{?ext_man}
%{_mandir}/man8/pam_timestamp.8%{?ext_man}
%{_mandir}/man8/pam_timestamp_check.8%{?ext_man}
%{_mandir}/man8/pam_tty_audit.8%{?ext_man}
%{_mandir}/man8/pam_umask.8%{?ext_man}
%{_mandir}/man8/pam_unix.8%{?ext_man}
%{_mandir}/man8/pam_usertype.8%{?ext_man}
%{_mandir}/man8/pam_warn.8%{?ext_man}
%{_mandir}/man8/pam_wheel.8%{?ext_man}
%{_mandir}/man8/pam_xauth.8%{?ext_man}
%{_mandir}/man8/pwhistory_helper.8%{?ext_man}
%{_mandir}/man8/unix2_chkpwd.8%{?ext_man}
%{_mandir}/man8/unix_chkpwd.8%{?ext_man}
%{_mandir}/man8/unix_update.8%{?ext_man}
%endif
%changelog

4
pam.tmpfiles Normal file
View File

@ -0,0 +1,4 @@
#Type Path Mode User Group Age Argument
D /run/faillock 0755 root root - -
D /run/motd.d 0755 root root - -
D /run/pam_timestamp 0755 root root - -

51
pam_env-fix-enable-vendordir-fallback.patch Normal file
View File

@ -0,0 +1,51 @@
From 28894b319488e8302899ee569b6e0911905f374e Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@strace.io>
Date: Thu, 18 Jan 2024 17:00:00 +0000
Subject: [PATCH] pam_env: fix --enable-vendordir fallback logic
* modules/pam_env/pam_env.c (_parse_config_file) [!USE_ECONF &&
VENDOR_DEFAULT_CONF_FILE]: Do not fallback to vendor pam_env.conf file
if the config file is specified via module arguments.
Link: https://github.com/linux-pam/linux-pam/issues/738
Fixes: v1.5.3~69 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
---
modules/pam_env/pam_env.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index a0b812fff..8b40b6a5a 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -850,20 +850,20 @@ _parse_config_file(pam_handle_t *pamh, int ctrl, const char *file)
#ifdef USE_ECONF
/* If "file" is not NULL, only this file will be parsed. */
retval = econf_read_file(pamh, file, " \t", PAM_ENV, ".conf", "security", &conf_list);
-#else
+#else /* !USE_ECONF */
/* Only one file will be parsed. So, file has to be set. */
- if (file == NULL) /* No filename has been set via argv. */
+ if (file == NULL) { /* No filename has been set via argv. */
file = DEFAULT_CONF_FILE;
-#ifdef VENDOR_DEFAULT_CONF_FILE
- /*
- * Check whether file is available.
- * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file.
- */
- struct stat stat_buffer;
- if (stat(file, &stat_buffer) != 0 && errno == ENOENT) {
- file = VENDOR_DEFAULT_CONF_FILE;
+# ifdef VENDOR_DEFAULT_CONF_FILE
+ /*
+ * Check whether DEFAULT_CONF_FILE file is available.
+ * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file.
+ */
+ struct stat stat_buffer;
+ if (stat(file, &stat_buffer) != 0 && errno == ENOENT)
+ file = VENDOR_DEFAULT_CONF_FILE;
+# endif
}
-#endif
retval = read_file(pamh, file, &conf_list);
#endif

51
pam_env-fix_vendordir.patch Normal file
View File

@ -0,0 +1,51 @@
From 0703453bec6ac54ad31d7245be4529796a3ef764 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Thu, 18 Jan 2024 18:08:05 +0100
Subject: [PATCH] pam_env: check VENDORDIR after config.h inclusion
The VENDORDIR define has to be checked after config.h
inclusion, otherwise the ifdef test always yields false.
Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
modules/pam_env/pam_env.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index 59adc942c..a0b812fff 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -6,15 +6,6 @@
* template for this file (via pam_mail)
*/
-#define DEFAULT_ETC_ENVFILE "/etc/environment"
-#ifdef VENDORDIR
-#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment")
-#endif
-#define DEFAULT_READ_ENVFILE 1
-
-#define DEFAULT_USER_ENVFILE ".pam_environment"
-#define DEFAULT_USER_READ_ENVFILE 0
-
#include "config.h"
#include <ctype.h>
@@ -52,6 +43,15 @@ typedef struct var {
char *override;
} VAR;
+#define DEFAULT_ETC_ENVFILE "/etc/environment"
+#ifdef VENDORDIR
+#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment")
+#endif
+#define DEFAULT_READ_ENVFILE 1
+
+#define DEFAULT_USER_ENVFILE ".pam_environment"
+#define DEFAULT_USER_READ_ENVFILE 0
+
#define DEFAULT_CONF_FILE (SCONFIGDIR "/pam_env.conf")
#ifdef VENDOR_SCONFIGDIR
#define VENDOR_DEFAULT_CONF_FILE (VENDOR_SCONFIGDIR "/pam_env.conf")

54
pam_env-remove-escaped-newlines.patch Normal file
View File

@ -0,0 +1,54 @@
From ef51c51523b4c6ce6275b2863a0de1a3a6dff1e5 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Thu, 18 Jan 2024 20:25:20 +0100
Subject: [PATCH] pam_env: remove escaped newlines from econf lines
The libeconf routines do not remove escaped newlines the way we want to
process them later on. Manually remove them from values.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
modules/pam_env/pam_env.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index a0b812fff..5f53fbb10 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -160,6 +160,28 @@ isDirectory(const char *path) {
return S_ISDIR(statbuf.st_mode);
}
+/*
+ * Remove escaped newline from string.
+ *
+ * All occurrences of "\\n" will be removed from string.
+ */
+static void
+econf_unescnl(char *val)
+{
+ char *dest, *p;
+
+ dest = p = val;
+
+ while (*p != '\0') {
+ if (p[0] == '\\' && p[1] == '\n') {
+ p += 2;
+ } else {
+ *dest++ = *p++;
+ }
+ }
+ *dest = '\0';
+}
+
static int
econf_read_file(const pam_handle_t *pamh, const char *filename, const char *delim,
const char *name, const char *suffix, const char *subpath,
@@ -270,6 +292,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli
keys[i],
econf_errString(error));
} else {
+ econf_unescnl(val);
if (asprintf(&(*lines)[i],"%s%c%s", keys[i], delim[0], val) < 0) {
pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
econf_free(keys);

27
pam_unix-fix-password-aging-disabled.patch Normal file
View File

@ -0,0 +1,27 @@
From 9d40f55216b2de60ccb9b617c79b9280b9f29ead Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Fri, 19 Jan 2024 10:09:00 +0100
Subject: [PATCH] pam_unix: do not warn if password aging disabled
Later checks will print a warning if daysleft is 0. If password
aging is disabled, leave daysleft at -1.
Fixes 9ebc14085a3ba253598cfaa0d3f0d76ea5ee8ccb.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
modules/pam_unix/passverify.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 5c4f862e7..1bc98fa25 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -314,7 +314,6 @@ PAMH_ARG_DECL(int check_shadow_expiry,
}
if (spent->sp_lstchg < 0) {
D(("password aging disabled"));
- *daysleft = 0;
return PAM_SUCCESS;
}
if (curdays < spent->sp_lstchg) {

10
postlogin-account.pamd Normal file
View File

@ -0,0 +1,10 @@
#
# /etc/pam.d/postlogin-account - account settings common to login services
#
# This file is included from login service-specific PAM config files,
# and contains the PAM modules which should be called after
# the modules of "common-account".
#
# This file should only be included from services doing real logins,
# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
#

10
postlogin-auth.pamd Normal file
View File

@ -0,0 +1,10 @@
#
# /etc/pam.d/postlogin-auth - authentication settings common to login services
#
# This file is included from login service-specific PAM config files,
# and contains the PAM modules which should be called after
# the modules of "common-auth".
#
# This file should only be included from services doing real logins,
# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
#

10
postlogin-password.pamd Normal file
View File

@ -0,0 +1,10 @@
#
# /etc/pam.d/postlogin-password - password settings common to login services
#
# This file is included from login service-specific PAM config files,
# and contains the PAM modules which should be called after
# the modules of "common-password".
#
# This file should only be included from services doing real logins,
# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
#

10
postlogin-session.pamd Normal file
View File

@ -0,0 +1,10 @@
#
# /etc/pam.d/postlogin-session - session settings common to login services
#
# This file is included from login service-specific PAM config files,
# and contains the PAM modules which should be called after
# the modules of "common-session".
#
# This file should only be included from services doing real logins,
# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
#

79
unix2_chkpwd.8 Normal file
View File

@ -0,0 +1,79 @@
.\" Copyright (C) 2003 International Business Machines Corporation
.\" This file is distributed according to the GNU General Public License.
.\" See the file COPYING in the top level source directory for details.
.\"
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "UNIX2_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual"
.SH NAME
unix2_chkpwd \- helper binary that verifies the password of the current user
.SH "SYNOPSIS"
.ad l
.hy 0
/sbin/unix2_chkpwd \fIservicename\fR \fIusername\fR
.sp
.ad
.hy
.SH "DESCRIPTION"
.PP
\fBunix2_chkpwd\fR is a helper program for applications that verifies
the password of the current user. It is not intended to be run directly from
the command line and logs a security violation if done so.
It is typically installed setuid root or setgid shadow and called by
applications, which only wishes to do an user authentification and
nothing more.
.SH "OPTIONS"
.PP
unix2_chkpwd requires the following arguments:
.TP
\fIpam_service\fR
The name of the service using unix2_chkpwd. This is required to be one of
the services in /etc/pam.d
.TP
\fIusername\fR
The name of the user whose password you want to verify.
.SH "INPUTS"
.PP
unix2_chkpwd expects the password via stdin.
.SH "RETURN CODES"
.PP
\fBunix2_chkpwd\fR has the following return codes:
.TP
1
unix2_chkpwd was inappropriately called from the command line or the password is incorrect.
.TP
0
The password is correct.
.SH "HISTORY"
Written by Olaf Kirch loosely based on unix_chkpwd by Andrew Morgan
.SH "SEE ALSO"
.PP
\fBpam\fR(8)
.SH AUTHOR
Emily Ratliff.

337
unix2_chkpwd.c Normal file
View File

@ -0,0 +1,337 @@
/*
* Set*id helper program for PAM authentication.
*
* It is supposed to be called from pam_unix2's
* pam_sm_authenticate function if the function notices
* that it's unable to get the password from the shadow file
* because it doesn't have sufficient permissions.
*
* Copyright (C) 2002 SuSE Linux AG
*
* Written by okir@suse.de, loosely based on unix_chkpwd
* by Andrew Morgan.
*/
#include <security/pam_appl.h>
#include <security/_pam_macros.h>
#include <sys/types.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <pwd.h>
#include <signal.h>
#include <fcntl.h>
#include <ctype.h>
#include <errno.h>
#define BUFLEN 1024
#ifndef LOGINDEFS
#define LOGINDEFS "/etc/login.defs"
#endif
#define LOGINDEFS_FAIL_DELAY_KEY "FAIL_DELAY"
#define DEFAULT_FAIL_DELAY_S 10
#define PASSWD_CRACKER_DELAY_MS 100
enum {
UNIX_PASSED = 0,
UNIX_FAILED = 1
};
static char * program_name;
static char pass[64];
static int npass = -1;
/*
* Log error messages
*/
static void
_log_err(int err, const char *format,...)
{
va_list args;
va_start(args, format);
openlog(program_name, LOG_CONS | LOG_PID, LOG_AUTH);
vsyslog(err, format, args);
va_end(args);
closelog();
}
static void
su_sighandler(int sig)
{
if (sig > 0) {
_log_err(LOG_NOTICE, "caught signal %d.", sig);
exit(sig);
}
}
/*
* Setup signal handlers
*/
static void
setup_signals(void)
{
struct sigaction action;
memset((void *) &action, 0, sizeof(action));
action.sa_handler = su_sighandler;
action.sa_flags = SA_RESETHAND;
sigaction(SIGILL, &action, NULL);
sigaction(SIGTRAP, &action, NULL);
sigaction(SIGBUS, &action, NULL);
sigaction(SIGSEGV, &action, NULL);
action.sa_handler = SIG_IGN;
action.sa_flags = 0;
sigaction(SIGTERM, &action, NULL);
sigaction(SIGHUP, &action, NULL);
sigaction(SIGINT, &action, NULL);
sigaction(SIGQUIT, &action, NULL);
sigaction(SIGALRM, &action, NULL);
}
static int
_converse(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr)
{
struct pam_response *reply;
int num;
if (!(reply = malloc(sizeof(*reply) * num_msg)))
return PAM_CONV_ERR;
for (num = 0; num < num_msg; num++) {
reply[num].resp_retcode = PAM_SUCCESS;
reply[num].resp = NULL;
switch (msg[num]->msg_style) {
case PAM_PROMPT_ECHO_ON:
return PAM_CONV_ERR;
case PAM_PROMPT_ECHO_OFF:
/* read the password from stdin */
if (npass < 0) {
npass = read(STDIN_FILENO, pass, sizeof(pass)-1);
if (npass < 0) {
_log_err(LOG_DEBUG, "error reading password");
return UNIX_FAILED;
}
pass[npass] = '\0';
}
reply[num].resp = strdup(pass);
break;
case PAM_TEXT_INFO:
case PAM_ERROR_MSG:
/* ignored */
break;
default:
/* Must be an error of some sort... */
return PAM_CONV_ERR;
}
}
*resp = reply;
return PAM_SUCCESS;
}
static int
_authenticate(const char *service, const char *user)
{
struct pam_conv conv = { _converse, NULL };
pam_handle_t *pamh;
int err;
err = pam_start(service, user, &conv, &pamh);
if (err != PAM_SUCCESS) {
_log_err(LOG_ERR, "pam_start(%s, %s) failed (errno %d)",
service, user, err);
return UNIX_FAILED;
}
err = pam_authenticate(pamh, 0);
if (err != PAM_SUCCESS)
_log_err(LOG_ERR, "pam_authenticate(%s, %s): %s",
service, user,
pam_strerror(pamh, err));
if (err == PAM_SUCCESS)
{
err = pam_acct_mgmt(pamh, 0);
if (err == PAM_SUCCESS)
{
int err2 = pam_setcred(pamh, PAM_REFRESH_CRED);
if (err2 != PAM_SUCCESS)
_log_err(LOG_ERR, "pam_setcred(%s, %s): %s",
service, user,
pam_strerror(pamh, err2));
/*
* ignore errors on refresh credentials.
* If this did not work we use the old once.
*/
} else {
_log_err(LOG_ERR, "pam_acct_mgmt(%s, %s): %s",
service, user,
pam_strerror(pamh, err));
}
}
pam_end(pamh, err);
if (err != PAM_SUCCESS)
return UNIX_FAILED;
return UNIX_PASSED;
}
static char *
getuidname(uid_t uid)
{
struct passwd *pw;
static char username[32];
pw = getpwuid(uid);
if (pw == NULL)
return NULL;
strncpy(username, pw->pw_name, sizeof(username));
username[sizeof(username) - 1] = '\0';
endpwent();
return username;
}
static int
sane_pam_service(const char *name)
{
const char *sp;
char path[128];
if (strlen(name) > 32)
return 0;
for (sp = name; *sp; sp++) {
if (!isalnum(*sp) && *sp != '_' && *sp != '-')
return 0;
}
snprintf(path, sizeof(path), "/etc/pam.d/%s", name);
return access(path, R_OK) == 0;
}
static int
get_system_fail_delay (void)
{
FILE *fs;
char buf[BUFLEN];
long int delay = -1;
char *s;
int l;
fs = fopen(LOGINDEFS, "r");
if (NULL == fs) {
goto bail_out;
}
while ((NULL != fgets(buf, BUFLEN, fs)) && (-1 == delay)) {
if (!strstr(buf, LOGINDEFS_FAIL_DELAY_KEY)) {
continue;
}
s = buf + strspn(buf, " \t");
l = strcspn(s, " \t");
if (strncmp(LOGINDEFS_FAIL_DELAY_KEY, s, l)) {
continue;
}
s += l;
s += strspn(s, " \t");
errno = 0;
delay = strtol(s, NULL, 10);
if (errno) {
delay = -1;
}
break;
}
fclose (fs);
bail_out:
delay = (delay < 0) ? DEFAULT_FAIL_DELAY_S : delay;
return (int)delay;
}
int
main(int argc, char *argv[])
{
const char *program_name;
char *service, *user;
int fd;
int result = UNIX_FAILED;
uid_t uid;
uid = getuid();
/*
* Make sure standard file descriptors are connected.
*/
while ((fd = open("/dev/null", O_RDWR)) <= 2)
;
close(fd);
/*
* Get the program name
*/
if (argc == 0)
program_name = "unix2_chkpwd";
else if ((program_name = strrchr(argv[0], '/')) != NULL)
program_name++;
else
program_name = argv[0];
/*
* Catch or ignore as many signal as possible.
*/
setup_signals();
/*
* Check argument list
*/
if (argc < 2 || argc > 3) {
_log_err(LOG_NOTICE, "Bad number of arguments (%d)", argc);
return UNIX_FAILED;
}
/*
* Get the service name and do some sanity checks on it
*/
service = argv[1];
if (!sane_pam_service(service)) {
_log_err(LOG_ERR, "Illegal service name '%s'", service);
return UNIX_FAILED;
}
/*
* Discourage users messing around (fat chance)
*/
if (isatty(STDIN_FILENO) && uid != 0) {
_log_err(LOG_NOTICE,
"Inappropriate use of Unix helper binary [UID=%d]",
uid);
fprintf(stderr,
"This binary is not designed for running in this way\n"
"-- the system administrator has been informed\n");
sleep(10); /* this should discourage/annoy the user */
return UNIX_FAILED;
}
/*
* determine the caller's user name
*/
user = getuidname(uid);
if (argc == 3 && strcmp(user, argv[2])) {
user = argv[2];
}
result = _authenticate(service, user);
/* Discourage use of this program as a
* password cracker */
usleep(PASSWD_CRACKER_DELAY_MS * 1000);
if (result != UNIX_PASSED && uid != 0)
sleep(get_system_fail_delay());
return result;
}