- pam_access: rework resolving of tokens as hostname
- separate resolving of IP addresses from hostnames. Don't resolve TTYs or display variables as hostname. - Add "nodns" option to disallow resolving of tokens as hostname. - [pam_access-rework-resolving-of-tokens-as-hostname.patch, bsc#1233078, CVE-2024-10963] OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=305
This commit is contained in:
commit
a01288951c
23
.gitattributes
vendored
Normal file
23
.gitattributes
vendored
Normal file
@ -0,0 +1,23 @@
|
||||
## Default LFS
|
||||
*.7z filter=lfs diff=lfs merge=lfs -text
|
||||
*.bsp filter=lfs diff=lfs merge=lfs -text
|
||||
*.bz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.gem filter=lfs diff=lfs merge=lfs -text
|
||||
*.gz filter=lfs diff=lfs merge=lfs -text
|
||||
*.jar filter=lfs diff=lfs merge=lfs -text
|
||||
*.lz filter=lfs diff=lfs merge=lfs -text
|
||||
*.lzma filter=lfs diff=lfs merge=lfs -text
|
||||
*.obscpio filter=lfs diff=lfs merge=lfs -text
|
||||
*.oxt filter=lfs diff=lfs merge=lfs -text
|
||||
*.pdf filter=lfs diff=lfs merge=lfs -text
|
||||
*.png filter=lfs diff=lfs merge=lfs -text
|
||||
*.rpm filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.tgz filter=lfs diff=lfs merge=lfs -text
|
||||
*.ttf filter=lfs diff=lfs merge=lfs -text
|
||||
*.txz filter=lfs diff=lfs merge=lfs -text
|
||||
*.whl filter=lfs diff=lfs merge=lfs -text
|
||||
*.xz filter=lfs diff=lfs merge=lfs -text
|
||||
*.zip filter=lfs diff=lfs merge=lfs -text
|
||||
*.zst filter=lfs diff=lfs merge=lfs -text
|
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
.osc
|
BIN
Linux-PAM-1.6.1.tar.xz
(Stored with Git LFS)
Normal file
BIN
Linux-PAM-1.6.1.tar.xz
(Stored with Git LFS)
Normal file
Binary file not shown.
16
Linux-PAM-1.6.1.tar.xz.asc
Normal file
16
Linux-PAM-1.6.1.tar.xz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIcBAABCgAGBQJmFWt/AAoJEKgEH6g54W42NCwP/iWl8igdScTreVF6zV79Dqu1
|
||||
sl+ZjBr/dL+DOTcotsRnoAZUOy4ug3iktMZr1t0BMpWUorNmUofH4SZuhsX0CgRq
|
||||
47t5mVqCakwn4JLq8J9cLOciMno6ips5ZT4RbMgzRYd1WcBurCAxQSNLP3aQGgub
|
||||
RFObkqw5814ksz9Ge6QVhJ4l9P0wUoKfcpkzHj2Vq+cy0EzlBtnBGCHrMDgrz5aT
|
||||
mXqGVvWTPO+lR2S+7wOLUtPoRv0uvN6h97ZszaoGoJ6wa6yYwOYz12/AiIsVQhet
|
||||
cnr29ymuwPDqlrYGD1Hb0+ZUQExjVDQY90hdJ/ZntUlK7CY/2SotpDGB9kR8dTYJ
|
||||
fpIVmR6GEZ+xSjBqa7RaiL8ieZCgT3TIvsMqteiFkqI+2lhlSGHX3g3oNSd3sbqd
|
||||
PLok6W4L+xWDp89aMyYDDs/ISjBt5sSNK4NOOTZIMK4oeScGJJvrDL3S5DOSk1ku
|
||||
o3l9N62WStD7fk0LYnyUGZORg/ccK6Yy2fV22zBMm/76PoyA1yHfFxCW+HwwmcqR
|
||||
0riaFjA8cesZ3Dj79q24U3FRVdW5fTF9gS/5mK/Yj51KMMzTkUmbjksEC/AEBKzB
|
||||
9laXxPdIeKUwNlGs7Heo/NE87u4OZfyihwpzLaTcOzbpN3zDyH6aH5poDs1FSaQ2
|
||||
UoUkHsbCWJU/ksn/9BIQ
|
||||
=Dbz2
|
||||
-----END PGP SIGNATURE-----
|
BIN
Linux-PAM-1.7.0.tar.xz
(Stored with Git LFS)
Normal file
BIN
Linux-PAM-1.7.0.tar.xz
(Stored with Git LFS)
Normal file
Binary file not shown.
16
Linux-PAM-1.7.0.tar.xz.asc
Normal file
16
Linux-PAM-1.7.0.tar.xz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIcBAABCgAGBQJnGiIVAAoJEKgEH6g54W42kSsP/jsmwl1WMrtPlze2jtRZ1ZVD
|
||||
HvJPJMYNCeXKpXxSCL4rt97TeZKp+8WbrmrbG+zG8okIFDKl4rHuU9PpJocIpwDd
|
||||
+zAD1GQOqeUz0AyPPXBmsMshmQ3z+l8W9ykR1WCFrceXRAswSgNEDEavluVP9EHG
|
||||
epFA/+t1BR8G3GV6LH9LhRkTOOsE8O30hTEHZp1vCrR+xKJo41ZTq+VVvU8KFUrC
|
||||
lPGH9pX1ioe5rlLfvKNJthUKVoaNyDXED2la9sJPdTmc5hDBGLIo5hnBpvOn8Zfp
|
||||
cfMoB3lFBy6MHF7tb4ZfDxgG44D/xIwXd7Zddc6HenJl/SUjucXFq1OXHcK+MhqO
|
||||
63zFAci8k7ywwPPoGBpHMYZ2czZx3jo++It80b2CBMYKzi9YMVmaq/toEtMyI+Og
|
||||
W3gh4EfHkN98GQz4XC9yO4fjIno1J/Bwni6HNXBaumbg6xIPRwvxcOCdXZBUjKrx
|
||||
mDljxQetZJGzURidA+2cdJsAu1o0PDtzPguabno4aW2GMV9tUF3Q3aF+NClg18uZ
|
||||
+eXlGd/fsrLOIGfhYOpbFyIEE5h/dZq3vIj/NOVfKCsU0yajs6d3Zj2Y+2sxs7ob
|
||||
z9begFsadFZ6atqA77FL7i4781U2bTtqp8qsj9UXb+gJabqnQZ2k+qBXg4XtAWrn
|
||||
iJaal6uBXWOJG9BG5l8G
|
||||
=CVaC
|
||||
-----END PGP SIGNATURE-----
|
3
_multibuild
Normal file
3
_multibuild
Normal file
@ -0,0 +1,3 @@
|
||||
<multibuild>
|
||||
<flavor>full</flavor>
|
||||
</multibuild>
|
7
baselibs.conf
Normal file
7
baselibs.conf
Normal file
@ -0,0 +1,7 @@
|
||||
pam
|
||||
requires "(systemd-<targettype> if systemd)"
|
||||
obsoletes "pam_unix-<targettype>"
|
||||
obsoletes "pam_unix-nis-<targettype>"
|
||||
pam-extra
|
||||
pam-devel
|
||||
pam-userdb
|
9
common-account.pamd
Normal file
9
common-account.pamd
Normal file
@ -0,0 +1,9 @@
|
||||
#
|
||||
# /etc/pam.d/common-account - account settings common to all services
|
||||
#
|
||||
# This file is included from other service-specific PAM config files,
|
||||
# and should contain a list of the account modules that define
|
||||
# the central access policy for use on the system. The default is to
|
||||
# only deny service to users whose accounts are expired.
|
||||
#
|
||||
account required pam_unix.so try_first_pass
|
11
common-auth.pamd
Normal file
11
common-auth.pamd
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# /etc/pam.d/common-auth - authentication settings common to all services
|
||||
#
|
||||
# This file is included from other service-specific PAM config files,
|
||||
# and should contain a list of the authentication modules that define
|
||||
# the central authentication scheme for use on the system
|
||||
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
|
||||
# traditional Unix authentication mechanisms.
|
||||
#
|
||||
auth required pam_env.so
|
||||
auth required pam_unix.so try_first_pass
|
11
common-password.pamd
Normal file
11
common-password.pamd
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# /etc/pam.d/common-password - password-related modules common to all services
|
||||
#
|
||||
# This file is included from other service-specific PAM config files,
|
||||
# and should contain a list of modules that define the services to be
|
||||
# used to change user passwords.
|
||||
#
|
||||
# The "nullok" option allows users to change an empty password, else
|
||||
# empty passwords are treated as locked accounts.
|
||||
#
|
||||
password required pam_unix.so nullok
|
13
common-session-nonlogin.pamd
Normal file
13
common-session-nonlogin.pamd
Normal file
@ -0,0 +1,13 @@
|
||||
#
|
||||
# /etc/pam.d/common-session-nonlogin - session-related modules common
|
||||
# to services not doing a real login
|
||||
#
|
||||
# This file is included from other service-specific PAM config files,
|
||||
# and should contain a list of modules that define tasks to be performed
|
||||
# at the start and end of sessions of *any* kind (both interactive and
|
||||
# non-interactive), but not if they don't create a new login session
|
||||
# (e.g. like cron, chfn, chsh, ...)
|
||||
#
|
||||
session required pam_unix.so try_first_pass
|
||||
session optional pam_umask.so
|
||||
session optional pam_env.so
|
12
common-session.pamd
Normal file
12
common-session.pamd
Normal file
@ -0,0 +1,12 @@
|
||||
#
|
||||
# /etc/pam.d/common-session - session-related modules common to all services
|
||||
#
|
||||
# This file is included from other service-specific PAM config files,
|
||||
# and should contain a list of modules that define tasks to be performed
|
||||
# at the start and end of sessions of *any* kind (both interactive and
|
||||
# non-interactive).
|
||||
#
|
||||
session optional pam_systemd.so
|
||||
session required pam_unix.so try_first_pass
|
||||
session optional pam_umask.so
|
||||
session optional pam_env.so
|
8
macros.pam
Normal file
8
macros.pam
Normal file
@ -0,0 +1,8 @@
|
||||
%_pam_libdir %{_libdir}
|
||||
%_pam_moduledir %{_libdir}/security
|
||||
%_pam_secconfdir %{_sysconfdir}/security
|
||||
%_pam_secdistconfdir %{_distconfdir}/security
|
||||
%_pam_confdir %{_sysconfdir}/pam.d
|
||||
%_pam_vendordir %{_prefix}/lib/pam.d
|
||||
# legacy, to be retired
|
||||
%_pamdir %{_pam_moduledir}
|
10
other.pamd
Normal file
10
other.pamd
Normal file
@ -0,0 +1,10 @@
|
||||
#%PAM-1.0
|
||||
auth required pam_warn.so
|
||||
auth required pam_deny.so
|
||||
account required pam_warn.so
|
||||
account required pam_deny.so
|
||||
password required pam_warn.so
|
||||
password required pam_deny.so
|
||||
session required pam_warn.so
|
||||
session required pam_deny.so
|
||||
|
36
pam-bsc1194818-cursor-escape.patch
Normal file
36
pam-bsc1194818-cursor-escape.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From 8ae228fa76ff9ef1d8d6b2199582d9206f1830c6 Mon Sep 17 00:00:00 2001
|
||||
From: Stanislav Brabec <sbrabec@suse.cz>
|
||||
Date: Mon, 22 Jul 2024 23:18:16 +0200
|
||||
Subject: [PATCH] libpam_misc: Use ECHOCTL in the terminal input
|
||||
|
||||
Use the canonical terminal mode (line mode) and set ECHOCTL to prevent
|
||||
cursor escape from the login prompt using arrows or escape sequences.
|
||||
|
||||
ICANON is the default in most cases anyway. ECHOCTL is default on tty, but
|
||||
for example not on pty, allowing cursor to escape.
|
||||
|
||||
Stanislav Brabec <sbrabec@suse.com>
|
||||
---
|
||||
libpam_misc/misc_conv.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c
|
||||
index 7410e929..6b839b48 100644
|
||||
--- a/libpam_misc/misc_conv.c
|
||||
+++ b/libpam_misc/misc_conv.c
|
||||
@@ -145,9 +145,10 @@ static int read_string(int echo, const char *prompt, char **retstr)
|
||||
return -1;
|
||||
}
|
||||
memcpy(&term_tmp, &term_before, sizeof(term_tmp));
|
||||
- if (!echo) {
|
||||
+ if (echo)
|
||||
+ term_tmp.c_lflag |= ICANON | ECHOCTL;
|
||||
+ else
|
||||
term_tmp.c_lflag &= ~(ECHO);
|
||||
- }
|
||||
have_term = 1;
|
||||
|
||||
/*
|
||||
--
|
||||
2.45.2
|
||||
|
11
pam-limit-nproc.patch
Normal file
11
pam-limit-nproc.patch
Normal file
@ -0,0 +1,11 @@
|
||||
Index: Linux-PAM-1.3.1/modules/pam_limits/limits.conf
|
||||
===================================================================
|
||||
--- Linux-PAM-1.3.1.orig/modules/pam_limits/limits.conf
|
||||
+++ Linux-PAM-1.3.1/modules/pam_limits/limits.conf
|
||||
@@ -47,4 +47,6 @@
|
||||
#ftp hard nproc 0
|
||||
#@student - maxlogins 4
|
||||
|
||||
+# No limits for nproc, use systemd configuration instead
|
||||
+
|
||||
# End of file
|
46
pam-login_defs-check.sh
Normal file
46
pam-login_defs-check.sh
Normal file
@ -0,0 +1,46 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Extract list of variables supported by su/runuser.
|
||||
#
|
||||
# If you edit this file, you will probably need to edit
|
||||
# shadow-login_defs-check.sh from shadow sources in a similar way.
|
||||
|
||||
set -o errexit
|
||||
|
||||
echo -n "Checking login.defs variables in pam... " >&2
|
||||
grep -rh LOGIN_DEFS . |
|
||||
sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
|
||||
LC_ALL=C sort -u >pam-login_defs-vars.lst
|
||||
|
||||
if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 8521c47f55dff97fac980d52395b763590cd3f07 ; then
|
||||
|
||||
echo "does not match!" >&2
|
||||
echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2
|
||||
|
||||
cat >&2 <<EOF
|
||||
|
||||
You have to perform following steps:
|
||||
|
||||
Check whether the error is false positive (script failed to extract
|
||||
variables) or true positive (variable list changed).
|
||||
|
||||
If it is false positive:
|
||||
- Fix this script.
|
||||
- The same fix is needed in shadow package in shadow-login_defs-check.sh.
|
||||
|
||||
If it is true positive:
|
||||
- Check-out shadow package and call shadow-login_defs-check.sh.
|
||||
- Compare its output shadow-login_defs-check-pam.lst with
|
||||
pam-login_defs-vars.lst in the pam build directory.
|
||||
- Update shadow encryption_method_nis.patch, if needed.
|
||||
- If encryption_method_nis.patch was updated, update
|
||||
login_defs-support-for-pam symbol version in both shadow and
|
||||
pam spec files accordingly.
|
||||
- Update checksum in this script.
|
||||
|
||||
EOF
|
||||
|
||||
exit 1
|
||||
else
|
||||
echo "OK" >&2
|
||||
fi
|
2390
pam.changes
Normal file
2390
pam.changes
Normal file
File diff suppressed because it is too large
Load Diff
535
pam.spec
Normal file
535
pam.spec
Normal file
@ -0,0 +1,535 @@
|
||||
#
|
||||
# spec file for package pam
|
||||
#
|
||||
# Copyright (c) 2020 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
# upon. The license for this file, and modifications and additions to the
|
||||
# file, is the same license as for the pristine package itself (unless the
|
||||
# license for the pristine package is not an Open Source License, in which
|
||||
# case the license is the MIT License). An "Open Source License" is a
|
||||
# license that conforms to the Open Source Definition (Version 1.9)
|
||||
# published by the Open Source Initiative.
|
||||
|
||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
|
||||
# Enable livepatching support for SLE15-SP4 onwards. It requires
|
||||
# compiler support introduced there.
|
||||
%define livepatchable 1
|
||||
|
||||
# Set variables for livepatching.
|
||||
%define _other %{_topdir}/OTHER
|
||||
%define tar_basename pam-livepatch-%{version}-%{release}
|
||||
%define tar_package_name %{tar_basename}.%{_arch}.tar.xz
|
||||
%define clones_dest_dir %{tar_basename}/%{_arch}
|
||||
%else
|
||||
# Unsupported operating system.
|
||||
%define livepatchable 0
|
||||
%endif
|
||||
|
||||
%ifnarch x86_64
|
||||
# Unsupported architectures must have livepatch disabled.
|
||||
%define livepatchable 0
|
||||
%endif
|
||||
|
||||
%bcond_without selinux
|
||||
|
||||
%define flavor @BUILD_FLAVOR@%{nil}
|
||||
|
||||
# List of config files for migration to /usr/etc
|
||||
%define config_files pam.d/other pam.d/common-account pam.d/common-auth pam.d/common-password pam.d/common-session \\\
|
||||
security/faillock.conf security/group.conf security/limits.conf security/pam_env.conf security/access.conf \\\
|
||||
security/namespace.conf security/namespace.init security/sepermit.conf
|
||||
|
||||
%if "%{flavor}" == "full"
|
||||
%define build_main 0
|
||||
%define build_doc 1
|
||||
%define build_extra 1
|
||||
%define build_userdb 1
|
||||
%define name_suffix -%{flavor}-src
|
||||
%else
|
||||
%define build_main 1
|
||||
%define build_doc 0
|
||||
%define build_extra 0
|
||||
%define build_userdb 0
|
||||
%define name_suffix %{nil}
|
||||
%endif
|
||||
|
||||
#
|
||||
%define libpam_so_version 0.85.1
|
||||
%define libpam_misc_so_version 0.82.1
|
||||
%define libpamc_so_version 0.82.1
|
||||
%if ! %{defined _distconfdir}
|
||||
%define _distconfdir %{_sysconfdir}
|
||||
%endif
|
||||
#
|
||||
%{load:%{_sourcedir}/macros.pam}
|
||||
#
|
||||
Name: pam%{name_suffix}
|
||||
#
|
||||
Version: 1.7.0
|
||||
Release: 0
|
||||
Summary: A Security Tool that Provides Authentication for Applications
|
||||
License: GPL-2.0-or-later OR BSD-3-Clause
|
||||
Group: System/Libraries
|
||||
URL: https://github.com/linux-pam/linux-pam
|
||||
Source: Linux-PAM-%{version}.tar.xz
|
||||
Source1: Linux-PAM-%{version}.tar.xz.asc
|
||||
Source2: macros.pam
|
||||
Source3: other.pamd
|
||||
Source4: common-auth.pamd
|
||||
Source5: common-account.pamd
|
||||
Source6: common-password.pamd
|
||||
Source7: common-session.pamd
|
||||
Source9: baselibs.conf
|
||||
Source10: unix2_chkpwd.c
|
||||
Source11: unix2_chkpwd.8
|
||||
Source12: pam-login_defs-check.sh
|
||||
Source13: pam.tmpfiles
|
||||
Source20: common-session-nonlogin.pamd
|
||||
Source21: postlogin-auth.pamd
|
||||
Source22: postlogin-account.pamd
|
||||
Source23: postlogin-password.pamd
|
||||
Source24: postlogin-session.pamd
|
||||
Patch1: pam-limit-nproc.patch
|
||||
# PATCH-FIX-UPSTREAM: CVE-2024-10963
|
||||
Patch2: pam_access-rework-resolving-of-tokens-as-hostname.patch
|
||||
BuildRequires: audit-devel
|
||||
BuildRequires: bison
|
||||
BuildRequires: flex
|
||||
BuildRequires: meson >= 0.62.0
|
||||
BuildRequires: xz
|
||||
Requires(post): permissions
|
||||
# All login.defs variables require support from shadow side.
|
||||
# Upgrade this symbol version only if new variables appear!
|
||||
# Verify by shadow-login_defs-check.sh from shadow source package.
|
||||
Recommends: login_defs-support-for-pam >= 1.5.2
|
||||
BuildRequires: pkgconfig(libeconf)
|
||||
%if %{with selinux}
|
||||
BuildRequires: libselinux-devel
|
||||
%endif
|
||||
Obsoletes: pam_unix
|
||||
Obsoletes: pam_unix-nis
|
||||
Recommends: pam-manpages
|
||||
Requires(pre): group(shadow)
|
||||
Requires(pre): user(root)
|
||||
|
||||
%description
|
||||
PAM (Pluggable Authentication Modules) is a system security tool that
|
||||
allows system administrators to set authentication policies without
|
||||
having to recompile programs that do authentication.
|
||||
|
||||
%if %{build_userdb}
|
||||
%package -n pam-userdb
|
||||
Summary: PAM module to authenticate against a separate database
|
||||
Group: System/Libraries
|
||||
Provides: pam-extra:%{_pam_moduledir}/pam_userdb.so
|
||||
BuildRequires: libdb-4_8-devel
|
||||
BuildRequires: pam-devel
|
||||
|
||||
%description -n pam-userdb
|
||||
PAM (Pluggable Authentication Modules) is a system security tool that
|
||||
allows system administrators to set authentication policies without
|
||||
having to recompile programs that do authentication.
|
||||
|
||||
This package contains pam_userdb which is used to verify a
|
||||
username/password pair against values stored in a Berkeley DB database.
|
||||
%endif
|
||||
|
||||
|
||||
%if %{build_extra}
|
||||
%package -n pam-extra
|
||||
Summary: PAM module with extended dependencies
|
||||
Group: System/Libraries
|
||||
BuildRequires: pkgconfig(libsystemd) >= 254
|
||||
BuildRequires: pam-devel
|
||||
Provides: pam:%{_sbindir}/pam_timestamp_check
|
||||
Provides: pam:%{_pam_moduledir}/pam_limits.so
|
||||
|
||||
%description -n pam-extra
|
||||
PAM (Pluggable Authentication Modules) is a system security tool that
|
||||
allows system administrators to set authentication policies without
|
||||
having to recompile programs that do authentication.
|
||||
|
||||
This package contains extra modules eg pam_issue and pam_timestamp which
|
||||
can have extended dependencies.
|
||||
%endif
|
||||
|
||||
%if %{build_doc}
|
||||
|
||||
%package -n pam-doc
|
||||
Summary: Documentation for Pluggable Authentication Modules
|
||||
Group: Documentation/HTML
|
||||
BuildArch: noarch
|
||||
|
||||
%description -n pam-doc
|
||||
PAM (Pluggable Authentication Modules) is a system security tool that
|
||||
allows system administrators to set authentication policies without
|
||||
having to recompile programs that do authentication.
|
||||
|
||||
This package contains the documentation.
|
||||
|
||||
%package -n pam-manpages
|
||||
Summary: Manualpages for Pluggable Authentication Modules
|
||||
Group: Documentation/HTML
|
||||
Provides: pam:/%{_mandir}/man8/PAM.8.gz
|
||||
BuildArch: noarch
|
||||
BuildRequires: docbook5-xsl-stylesheets
|
||||
BuildRequires: elinks
|
||||
BuildRequires: xmlgraphics-fop
|
||||
|
||||
%description -n pam-manpages
|
||||
PAM (Pluggable Authentication Modules) is a system security tool that
|
||||
allows system administrators to set authentication policies without
|
||||
having to recompile programs that do authentication.
|
||||
|
||||
This package contains the manual pages.
|
||||
|
||||
%endif
|
||||
|
||||
%package devel
|
||||
Summary: Include Files and Libraries for PAM Development
|
||||
Group: Development/Libraries/C and C++
|
||||
Requires: glibc-devel
|
||||
Requires: pam = %{version}
|
||||
|
||||
%description devel
|
||||
PAM (Pluggable Authentication Modules) is a system security tool which
|
||||
allows system administrators to set authentication policy without
|
||||
having to recompile programs which do authentication.
|
||||
|
||||
This package contains header files and static libraries used for
|
||||
building both PAM-aware applications and modules for use with PAM.
|
||||
|
||||
%prep
|
||||
%autosetup -p1 -n Linux-PAM-%{version}
|
||||
cp -a %{SOURCE12} .
|
||||
|
||||
%build
|
||||
bash ./pam-login_defs-check.sh
|
||||
%if %{livepatchable}
|
||||
CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
|
||||
%endif
|
||||
|
||||
%meson -Dvendordir=%{_distconfdir} \
|
||||
-Ddocdir=%{_docdir}/pam \
|
||||
-Dhtmldir=%{_docdir}/pam/html \
|
||||
-Dpdfdir=%{_docdir}/pam/pdf \
|
||||
-Dsecuredir=%{_pam_moduledir} \
|
||||
%if "%{flavor}" != "full"
|
||||
-Dlogind=disabled \
|
||||
-Dpam_userdb=disabled \
|
||||
-Ddocs=disabled \
|
||||
%endif
|
||||
-Dexamples=false \
|
||||
-Dnis=disabled
|
||||
%meson_build
|
||||
|
||||
%if %{livepatchable}
|
||||
|
||||
# Ipa-clones are files generated by gcc which logs changes made across
|
||||
# functions, and we need to know such changes to build livepatches
|
||||
# correctly. These files are intended to be used by the livepatch
|
||||
# developers and may be retrieved by using `osc getbinaries`.
|
||||
#
|
||||
# Create list of ipa-clones.
|
||||
find . -name "*.ipa-clones" ! -empty | sed 's/^\.\///g' | sort > ipa-clones.list
|
||||
|
||||
# Create ipa-clones destination folder and move clones there.
|
||||
mkdir -p ipa-clones/%{clones_dest_dir}
|
||||
while read f; do
|
||||
_dest=ipa-clones/%{clones_dest_dir}/$f
|
||||
mkdir -p ${_dest%/*}
|
||||
cp $f $_dest
|
||||
done < ipa-clones.list
|
||||
|
||||
# Create tar package with the clone files.
|
||||
tar cfJ %{tar_package_name} -C ipa-clones %{tar_basename}
|
||||
|
||||
# Copy tar package to the OTHERS folder
|
||||
cp %{tar_package_name} %{_other}
|
||||
|
||||
%endif # livepatchable
|
||||
|
||||
gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/%{_target_platform}/libpam -lpam
|
||||
|
||||
%if %{build_main}
|
||||
%check
|
||||
%meson_test
|
||||
%endif
|
||||
|
||||
%install
|
||||
%meson_install
|
||||
|
||||
mkdir -p %{buildroot}%{_pam_confdir}
|
||||
mkdir -p %{buildroot}%{_pam_vendordir}
|
||||
|
||||
# install other.pamd and common-*.pamd
|
||||
install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/other
|
||||
install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/common-auth
|
||||
install -m 644 %{SOURCE5} %{buildroot}%{_pam_vendordir}/common-account
|
||||
install -m 644 %{SOURCE6} %{buildroot}%{_pam_vendordir}/common-password
|
||||
install -m 644 %{SOURCE7} %{buildroot}%{_pam_vendordir}/common-session
|
||||
install -m 644 %{SOURCE20} %{buildroot}%{_pam_vendordir}/common-session-nonlogin
|
||||
install -m 644 %{SOURCE21} %{buildroot}%{_pam_vendordir}/postlogin-auth
|
||||
install -m 644 %{SOURCE22} %{buildroot}%{_pam_vendordir}/postlogin-account
|
||||
install -m 644 %{SOURCE23} %{buildroot}%{_pam_vendordir}/postlogin-password
|
||||
install -m 644 %{SOURCE24} %{buildroot}%{_pam_vendordir}/postlogin-session
|
||||
#
|
||||
# Install READMEs of PAM modules
|
||||
#
|
||||
DOC=%{buildroot}%{_defaultdocdir}/pam
|
||||
%if "%{flavor}" == "full"
|
||||
mkdir -p $DOC/modules
|
||||
cp -fpv %{_vpath_builddir}/modules/pam_*/pam_*.txt "$DOC/modules/"
|
||||
%endif
|
||||
# Install unix2_chkpwd
|
||||
install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}%{_sbindir}
|
||||
|
||||
# rpm macros
|
||||
install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
|
||||
# /run/motd.d
|
||||
install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf
|
||||
|
||||
mkdir -p %{buildroot}%{_pam_secdistconfdir}/{limits.d,namespace.d}
|
||||
|
||||
# Remove manual pages for main package
|
||||
%if !%{build_doc}
|
||||
rm -rf %{buildroot}%{_mandir}/man?/*
|
||||
%else
|
||||
install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
|
||||
# bsc#1188724
|
||||
echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5
|
||||
%endif
|
||||
|
||||
%if !%{build_main}
|
||||
rm -rf %{buildroot}{%{_distconfdir}/environment,%{_pam_secdistconfdir}/{a,f,g,n,p,s,t}*}
|
||||
rm -rf %{buildroot}{%{_sysconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale}
|
||||
rm -rf %{buildroot}{%{_includedir},%{_libdir}/{libpam*,pkgconfig},%{_pam_vendordir},%{_rpmmacrodir},%{_tmpfilesdir},%{_unitdir}/pam_namespace.service}
|
||||
rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,la,lis,lo,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}*
|
||||
%else
|
||||
# Delete files for extra package
|
||||
rm -rf %{buildroot}{%{_pam_moduledir}/pam_limits.so,%{_pam_secdistconfdir}/limits.conf,%{_pam_moduledir}/pam_issue.so,%{_pam_moduledir}/pam_timestamp.so,%{_sbindir}/pam_timestamp_check}
|
||||
|
||||
# Create filelist with translations
|
||||
%find_lang Linux-PAM
|
||||
|
||||
%endif
|
||||
|
||||
%if %{build_main}
|
||||
|
||||
%verifyscript
|
||||
%verify_permissions -e %{_sbindir}/unix_chkpwd
|
||||
%verify_permissions -e %{_sbindir}/unix2_chkpwd
|
||||
|
||||
%post
|
||||
/sbin/ldconfig
|
||||
%set_permissions %{_sbindir}/unix_chkpwd
|
||||
%set_permissions %{_sbindir}/unix2_chkpwd
|
||||
%tmpfiles_create %{_tmpfilesdir}/pam.conf
|
||||
|
||||
%postun -p /sbin/ldconfig
|
||||
%pre
|
||||
for i in securetty %{config_files} ; do
|
||||
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
|
||||
done
|
||||
|
||||
%posttrans
|
||||
# Migration to /usr/etc.
|
||||
for i in securetty %{config_files} ; do
|
||||
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
|
||||
done
|
||||
|
||||
%files -f Linux-PAM.lang
|
||||
%doc NEWS
|
||||
%license COPYING
|
||||
%dir %{_pam_confdir}
|
||||
%dir %{_pam_vendordir}
|
||||
%dir %{_pam_secconfdir}
|
||||
%dir %{_pam_secdistconfdir}
|
||||
%{_pam_vendordir}/other
|
||||
%{_pam_vendordir}/common-*
|
||||
%{_pam_vendordir}/postlogin-*
|
||||
%{_distconfdir}/environment
|
||||
%{_pam_secdistconfdir}/access.conf
|
||||
%{_pam_secdistconfdir}/group.conf
|
||||
%{_pam_secdistconfdir}/faillock.conf
|
||||
%{_pam_secdistconfdir}/pam_env.conf
|
||||
%if %{with selinux}
|
||||
%{_pam_secdistconfdir}/sepermit.conf
|
||||
%endif
|
||||
%{_pam_secdistconfdir}/time.conf
|
||||
%{_pam_secdistconfdir}/namespace.conf
|
||||
%{_pam_secdistconfdir}/namespace.init
|
||||
%{_pam_secdistconfdir}/pwhistory.conf
|
||||
%dir %{_pam_secdistconfdir}/namespace.d
|
||||
%{_libdir}/libpam.so.0
|
||||
%{_libdir}/libpam.so.%{libpam_so_version}
|
||||
%{_libdir}/libpamc.so.0
|
||||
%{_libdir}/libpamc.so.%{libpamc_so_version}
|
||||
%{_libdir}/libpam_misc.so.0
|
||||
%{_libdir}/libpam_misc.so.%{libpam_misc_so_version}
|
||||
%dir %{_pam_moduledir}
|
||||
%{_pam_moduledir}/pam_access.so
|
||||
%{_pam_moduledir}/pam_canonicalize_user.so
|
||||
%{_pam_moduledir}/pam_debug.so
|
||||
%{_pam_moduledir}/pam_deny.so
|
||||
%{_pam_moduledir}/pam_echo.so
|
||||
%{_pam_moduledir}/pam_env.so
|
||||
%{_pam_moduledir}/pam_exec.so
|
||||
%{_pam_moduledir}/pam_faildelay.so
|
||||
%{_pam_moduledir}/pam_faillock.so
|
||||
%{_pam_moduledir}/pam_filter.so
|
||||
%dir %{_pam_moduledir}/pam_filter
|
||||
%{_pam_moduledir}//pam_filter/upperLOWER
|
||||
%{_pam_moduledir}/pam_ftp.so
|
||||
%{_pam_moduledir}/pam_group.so
|
||||
%{_pam_moduledir}/pam_keyinit.so
|
||||
%{_pam_moduledir}/pam_listfile.so
|
||||
%{_pam_moduledir}/pam_localuser.so
|
||||
%{_pam_moduledir}/pam_loginuid.so
|
||||
%{_pam_moduledir}/pam_mail.so
|
||||
%{_pam_moduledir}/pam_mkhomedir.so
|
||||
%{_pam_moduledir}/pam_motd.so
|
||||
%{_pam_moduledir}/pam_namespace.so
|
||||
%{_pam_moduledir}/pam_nologin.so
|
||||
%{_pam_moduledir}/pam_permit.so
|
||||
%{_pam_moduledir}/pam_pwhistory.so
|
||||
%{_pam_moduledir}/pam_rhosts.so
|
||||
%{_pam_moduledir}/pam_rootok.so
|
||||
%{_pam_moduledir}/pam_securetty.so
|
||||
%if %{with selinux}
|
||||
%{_pam_moduledir}/pam_selinux.so
|
||||
%{_pam_moduledir}/pam_sepermit.so
|
||||
%endif
|
||||
%{_pam_moduledir}/pam_setquota.so
|
||||
%{_pam_moduledir}/pam_shells.so
|
||||
%{_pam_moduledir}/pam_stress.so
|
||||
%{_pam_moduledir}/pam_succeed_if.so
|
||||
%{_pam_moduledir}/pam_time.so
|
||||
%{_pam_moduledir}/pam_tty_audit.so
|
||||
%{_pam_moduledir}/pam_umask.so
|
||||
%{_pam_moduledir}/pam_unix.so
|
||||
%{_pam_moduledir}/pam_usertype.so
|
||||
%{_pam_moduledir}/pam_warn.so
|
||||
%{_pam_moduledir}/pam_wheel.so
|
||||
%{_pam_moduledir}/pam_xauth.so
|
||||
%{_sbindir}/faillock
|
||||
%{_sbindir}/mkhomedir_helper
|
||||
%{_sbindir}/pam_namespace_helper
|
||||
%{_sbindir}/pwhistory_helper
|
||||
%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix_chkpwd
|
||||
%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix2_chkpwd
|
||||
%attr(0700,root,root) %{_sbindir}/unix_update
|
||||
%{_unitdir}/pam_namespace.service
|
||||
%{_tmpfilesdir}/pam.conf
|
||||
|
||||
%files devel
|
||||
%defattr(644,root,root,755)
|
||||
%dir %{_includedir}/security
|
||||
%{_includedir}/security/*.h
|
||||
%{_libdir}/libpam.so
|
||||
%{_libdir}/libpamc.so
|
||||
%{_libdir}/libpam_misc.so
|
||||
%{_rpmmacrodir}/macros.pam
|
||||
%{_libdir}/pkgconfig/pam*.pc
|
||||
%endif
|
||||
|
||||
%if %{build_userdb}
|
||||
%files -n pam-userdb
|
||||
%defattr(-,root,root,755)
|
||||
%{_pam_moduledir}/pam_userdb.so
|
||||
%{_mandir}/man8/pam_userdb.8%{?ext_man}
|
||||
%endif
|
||||
|
||||
%if %{build_extra}
|
||||
%files -n pam-extra
|
||||
%defattr(-,root,root,755)
|
||||
%dir %{_pam_secdistconfdir}
|
||||
%dir %{_pam_secdistconfdir}/limits.d
|
||||
%{_pam_secdistconfdir}/limits.conf
|
||||
%{_pam_moduledir}/pam_limits.so
|
||||
%{_pam_moduledir}/pam_issue.so
|
||||
%{_pam_moduledir}/pam_timestamp.so
|
||||
%{_sbindir}/pam_timestamp_check
|
||||
%endif
|
||||
|
||||
%if %{build_doc}
|
||||
|
||||
%files -n pam-doc
|
||||
%defattr(644,root,root,755)
|
||||
%dir %{_defaultdocdir}/pam
|
||||
%doc %{_defaultdocdir}/pam/html
|
||||
%doc %{_defaultdocdir}/pam/modules
|
||||
%doc %{_defaultdocdir}/pam/pdf
|
||||
%doc %{_defaultdocdir}/pam/*.txt
|
||||
|
||||
%files -n pam-manpages
|
||||
%{_mandir}/man3/pam*.3%{?ext_man}
|
||||
%{_mandir}/man3/misc_conv.3%{?ext_man}
|
||||
%{_mandir}/man5/environment.5%{?ext_man}
|
||||
%{_mandir}/man5/*.conf.5%{?ext_man}
|
||||
%{_mandir}/man5/pam.d.5%{?ext_man}
|
||||
%{_mandir}/man5/motd.5%{?ext_man}
|
||||
%{_mandir}/man8/PAM.8%{?ext_man}
|
||||
%{_mandir}/man8/faillock.8%{?ext_man}
|
||||
%{_mandir}/man8/mkhomedir_helper.8%{?ext_man}
|
||||
%{_mandir}/man8/pam.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_access.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_canonicalize_user.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_debug.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_deny.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_echo.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_env.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_exec.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_faildelay.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_faillock.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_filter.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_ftp.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_group.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_issue.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_keyinit.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_limits.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_listfile.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_localuser.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_loginuid.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_mail.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_mkhomedir.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_motd.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_namespace.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_namespace_helper.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_nologin.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_permit.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_pwhistory.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_rhosts.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_rootok.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_securetty.8%{?ext_man}
|
||||
%if %{with selinux}
|
||||
%{_mandir}/man8/pam_selinux.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_sepermit.8%{?ext_man}
|
||||
%endif
|
||||
%{_mandir}/man8/pam_setquota.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_shells.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_stress.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_succeed_if.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_time.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_timestamp.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_timestamp_check.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_tty_audit.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_umask.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_unix.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_usertype.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_warn.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_wheel.8%{?ext_man}
|
||||
%{_mandir}/man8/pam_xauth.8%{?ext_man}
|
||||
%{_mandir}/man8/pwhistory_helper.8%{?ext_man}
|
||||
%{_mandir}/man8/unix2_chkpwd.8%{?ext_man}
|
||||
%{_mandir}/man8/unix_chkpwd.8%{?ext_man}
|
||||
%{_mandir}/man8/unix_update.8%{?ext_man}
|
||||
|
||||
%endif
|
||||
|
||||
%changelog
|
4
pam.tmpfiles
Normal file
4
pam.tmpfiles
Normal file
@ -0,0 +1,4 @@
|
||||
#Type Path Mode User Group Age Argument
|
||||
D /run/faillock 0755 root root - -
|
||||
D /run/motd.d 0755 root root - -
|
||||
D /run/pam_timestamp 0755 root root - -
|
225
pam_access-rework-resolving-of-tokens-as-hostname.patch
Normal file
225
pam_access-rework-resolving-of-tokens-as-hostname.patch
Normal file
@ -0,0 +1,225 @@
|
||||
From 940747f88c16e029b69a74e80a2e94f65cb3e628 Mon Sep 17 00:00:00 2001
|
||||
From: Thorsten Kukuk <kukuk@suse.com>
|
||||
Date: Thu, 14 Nov 2024 10:27:28 +0100
|
||||
Subject: [PATCH] pam_access: rework resolving of tokens as hostname
|
||||
|
||||
* modules/pam_access/pam_access.c: separate resolving of IP addresses
|
||||
from hostnames. Don't resolve TTYs or display variables as hostname
|
||||
(#834).
|
||||
Add "nodns" option to disallow resolving of tokens as hostname.
|
||||
* modules/pam_access/pam_access.8.xml: document nodns option
|
||||
* modules/pam_access/access.conf.5.xml: document that hostnames should
|
||||
be written as FQHN.
|
||||
---
|
||||
modules/pam_access/access.conf.5.xml | 4 ++
|
||||
modules/pam_access/pam_access.8.xml | 46 ++++++++++++------
|
||||
modules/pam_access/pam_access.c | 72 +++++++++++++++++++++++++++-
|
||||
3 files changed, 105 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
|
||||
index 0b93db00..10b8ba92 100644
|
||||
--- a/modules/pam_access/access.conf.5.xml
|
||||
+++ b/modules/pam_access/access.conf.5.xml
|
||||
@@ -233,6 +233,10 @@
|
||||
An IPv6 link local host address must contain the interface
|
||||
identifier. IPv6 link local network/netmask is not supported.
|
||||
</para>
|
||||
+ <para>
|
||||
+ Hostnames should be written as Fully-Qualified Host Name (FQHN) to avoid
|
||||
+ confusion with device names or PAM service names.
|
||||
+ </para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1 xml:id="access.conf-see_also">
|
||||
diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml
|
||||
index c991d7a0..71a4f7ee 100644
|
||||
--- a/modules/pam_access/pam_access.8.xml
|
||||
+++ b/modules/pam_access/pam_access.8.xml
|
||||
@@ -22,11 +22,14 @@
|
||||
<arg choice="opt" rep="norepeat">
|
||||
debug
|
||||
</arg>
|
||||
+ <arg choice="opt" rep="norepeat">
|
||||
+ noaudit
|
||||
+ </arg>
|
||||
<arg choice="opt" rep="norepeat">
|
||||
nodefgroup
|
||||
</arg>
|
||||
<arg choice="opt" rep="norepeat">
|
||||
- noaudit
|
||||
+ nodns
|
||||
</arg>
|
||||
<arg choice="opt" rep="norepeat">
|
||||
quiet_log
|
||||
@@ -132,6 +135,33 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ nodefgroup
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ User tokens which are not enclosed in parentheses will not be
|
||||
+ matched against the group database. The backwards compatible default is
|
||||
+ to try the group database match even for tokens not enclosed
|
||||
+ in parentheses.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ nodns
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Do not try to resolve tokens as hostnames, only IPv4 and IPv6
|
||||
+ addresses will be resolved. Which means to allow login from a
|
||||
+ remote host, the IP addresses need to be specified in <filename>access.conf</filename>.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
<varlistentry>
|
||||
<term>
|
||||
quiet_log
|
||||
@@ -185,20 +215,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
- <varlistentry>
|
||||
- <term>
|
||||
- nodefgroup
|
||||
- </term>
|
||||
- <listitem>
|
||||
- <para>
|
||||
- User tokens which are not enclosed in parentheses will not be
|
||||
- matched against the group database. The backwards compatible default is
|
||||
- to try the group database match even for tokens not enclosed
|
||||
- in parentheses.
|
||||
- </para>
|
||||
- </listitem>
|
||||
- </varlistentry>
|
||||
-
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
|
||||
index 48e7c7e9..109115e9 100644
|
||||
--- a/modules/pam_access/pam_access.c
|
||||
+++ b/modules/pam_access/pam_access.c
|
||||
@@ -100,6 +100,7 @@ struct login_info {
|
||||
int only_new_group_syntax; /* Only allow group entries of the form "(xyz)" */
|
||||
int noaudit; /* Do not audit denials */
|
||||
int quiet_log; /* Do not log denials */
|
||||
+ int nodns; /* Do not try to resolve tokens as hostnames */
|
||||
const char *fs; /* field separator */
|
||||
const char *sep; /* list-element separator */
|
||||
int from_remote_host; /* If PAM_RHOST was used for from */
|
||||
@@ -154,6 +155,8 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo,
|
||||
loginfo->noaudit = YES;
|
||||
} else if (strcmp (argv[i], "quiet_log") == 0) {
|
||||
loginfo->quiet_log = YES;
|
||||
+ } else if (strcmp (argv[i], "nodns") == 0) {
|
||||
+ loginfo->nodns = YES;
|
||||
} else {
|
||||
pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]);
|
||||
}
|
||||
@@ -820,7 +823,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
|
||||
if ((str_len = strlen(string)) > tok_len
|
||||
&& strcasecmp(tok, string + str_len - tok_len) == 0)
|
||||
return YES;
|
||||
- } else if (tok[tok_len - 1] == '.') { /* internet network numbers (end with ".") */
|
||||
+ } else if (tok[tok_len - 1] == '.') { /* internet network numbers/subnet (end with ".") */
|
||||
struct addrinfo hint;
|
||||
|
||||
memset (&hint, '\0', sizeof (hint));
|
||||
@@ -895,6 +898,39 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
|
||||
}
|
||||
|
||||
|
||||
+static int
|
||||
+is_device (pam_handle_t *pamh, const char *tok)
|
||||
+{
|
||||
+ struct stat st;
|
||||
+ const char *dev = "/dev/";
|
||||
+ char *devname;
|
||||
+
|
||||
+ devname = malloc (strlen(dev) + strlen (tok) + 1);
|
||||
+ if (devname == NULL) {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory for device name: %m");
|
||||
+ /*
|
||||
+ * We should return an error and abort, but pam_access has no good
|
||||
+ * error handling.
|
||||
+ */
|
||||
+ return NO;
|
||||
+ }
|
||||
+
|
||||
+ char *cp = stpcpy (devname, dev);
|
||||
+ strcpy (cp, tok);
|
||||
+
|
||||
+ if (lstat(devname, &st) != 0)
|
||||
+ {
|
||||
+ free (devname);
|
||||
+ return NO;
|
||||
+ }
|
||||
+ free (devname);
|
||||
+
|
||||
+ if (S_ISCHR(st.st_mode))
|
||||
+ return YES;
|
||||
+
|
||||
+ return NO;
|
||||
+}
|
||||
+
|
||||
/* network_netmask_match - match a string against one token
|
||||
* where string is a hostname or ip (v4,v6) address and tok
|
||||
* represents either a hostname, a single ip (v4,v6) address
|
||||
@@ -956,10 +992,42 @@ network_netmask_match (pam_handle_t *pamh,
|
||||
return NO;
|
||||
}
|
||||
}
|
||||
+ else if (isipaddr(tok, NULL, NULL) == YES)
|
||||
+ {
|
||||
+ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
|
||||
+ {
|
||||
+ if (item->debug)
|
||||
+ pam_syslog(pamh, LOG_DEBUG, "cannot resolve IP address \"%s\"", tok);
|
||||
+
|
||||
+ return NO;
|
||||
+ }
|
||||
+ netmask_ptr = NULL;
|
||||
+ }
|
||||
+ else if (item->nodns)
|
||||
+ {
|
||||
+ /* Only hostnames are left, which we would need to resolve via DNS */
|
||||
+ return NO;
|
||||
+ }
|
||||
else
|
||||
{
|
||||
+ /* Bail out on X11 Display entries and ttys. */
|
||||
+ if (tok[0] == ':')
|
||||
+ {
|
||||
+ if (item->debug)
|
||||
+ pam_syslog (pamh, LOG_DEBUG,
|
||||
+ "network_netmask_match: tok=%s is X11 display", tok);
|
||||
+ return NO;
|
||||
+ }
|
||||
+ if (is_device (pamh, tok))
|
||||
+ {
|
||||
+ if (item->debug)
|
||||
+ pam_syslog (pamh, LOG_DEBUG,
|
||||
+ "network_netmask_match: tok=%s is a TTY", tok);
|
||||
+ return NO;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
- * It is either an IP address or a hostname.
|
||||
+ * It is most likely a hostname.
|
||||
* Let getaddrinfo sort everything out
|
||||
*/
|
||||
if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
|
||||
--
|
||||
2.47.0
|
||||
|
51
pam_issue-systemd.patch
Normal file
51
pam_issue-systemd.patch
Normal file
@ -0,0 +1,51 @@
|
||||
From 8401cef10cd5f62849c5fcfef4c82db92712296c Mon Sep 17 00:00:00 2001
|
||||
From: Thorsten Kukuk <kukuk@suse.com>
|
||||
Date: Wed, 4 Sep 2024 16:07:56 +0200
|
||||
Subject: [PATCH] pam_issue: only count class user
|
||||
|
||||
Since systemd added new types of classes (e.g. manager*), we cannot
|
||||
use the count of all sessions anymore, but have to check which class
|
||||
this is.
|
||||
|
||||
This is backward compatible, systemd v209 or newer is required.
|
||||
---
|
||||
modules/pam_issue/pam_issue.c | 20 +++++++++++++++++++-
|
||||
1 file changed, 19 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules/pam_issue/pam_issue.c b/modules/pam_issue/pam_issue.c
|
||||
index aade642ec5..e2c555c405 100644
|
||||
--- a/modules/pam_issue/pam_issue.c
|
||||
+++ b/modules/pam_issue/pam_issue.c
|
||||
@@ -165,13 +165,31 @@ read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt)
|
||||
{
|
||||
unsigned int users = 0;
|
||||
#ifdef USE_LOGIND
|
||||
- int sessions = sd_get_sessions(NULL);
|
||||
+ char **sessions_list;
|
||||
+ int sessions = sd_get_sessions(&sessions_list);
|
||||
|
||||
if (sessions < 0) {
|
||||
pam_syslog(pamh, LOG_ERR, "logind error: %s",
|
||||
strerror(-sessions));
|
||||
_pam_drop(issue);
|
||||
return PAM_SERVICE_ERR;
|
||||
+ } else if (sessions > 0 && sessions_list != NULL) {
|
||||
+ int i;
|
||||
+
|
||||
+ for (i = 0; i < sessions; i++) {
|
||||
+ char *class;
|
||||
+
|
||||
+ if (sd_session_get_class(sessions_list[i], &class) < 0 || class == NULL)
|
||||
+ continue;
|
||||
+
|
||||
+ if (strncmp(class, "user", 4) == 0) // user, user-early, user-incomplete
|
||||
+ users++;
|
||||
+ free(class);
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < sessions; i++)
|
||||
+ free(sessions_list[i]);
|
||||
+ free(sessions_list);
|
||||
} else {
|
||||
users = sessions;
|
||||
}
|
10
postlogin-account.pamd
Normal file
10
postlogin-account.pamd
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# /etc/pam.d/postlogin-account - account settings common to login services
|
||||
#
|
||||
# This file is included from login service-specific PAM config files,
|
||||
# and contains the PAM modules which should be called after
|
||||
# the modules of "common-account".
|
||||
#
|
||||
# This file should only be included from services doing real logins,
|
||||
# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
|
||||
#
|
10
postlogin-auth.pamd
Normal file
10
postlogin-auth.pamd
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# /etc/pam.d/postlogin-auth - authentication settings common to login services
|
||||
#
|
||||
# This file is included from login service-specific PAM config files,
|
||||
# and contains the PAM modules which should be called after
|
||||
# the modules of "common-auth".
|
||||
#
|
||||
# This file should only be included from services doing real logins,
|
||||
# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
|
||||
#
|
10
postlogin-password.pamd
Normal file
10
postlogin-password.pamd
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# /etc/pam.d/postlogin-password - password settings common to login services
|
||||
#
|
||||
# This file is included from login service-specific PAM config files,
|
||||
# and contains the PAM modules which should be called after
|
||||
# the modules of "common-password".
|
||||
#
|
||||
# This file should only be included from services doing real logins,
|
||||
# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
|
||||
#
|
10
postlogin-session.pamd
Normal file
10
postlogin-session.pamd
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# /etc/pam.d/postlogin-session - session settings common to login services
|
||||
#
|
||||
# This file is included from login service-specific PAM config files,
|
||||
# and contains the PAM modules which should be called after
|
||||
# the modules of "common-session".
|
||||
#
|
||||
# This file should only be included from services doing real logins,
|
||||
# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
|
||||
#
|
79
unix2_chkpwd.8
Normal file
79
unix2_chkpwd.8
Normal file
@ -0,0 +1,79 @@
|
||||
.\" Copyright (C) 2003 International Business Machines Corporation
|
||||
.\" This file is distributed according to the GNU General Public License.
|
||||
.\" See the file COPYING in the top level source directory for details.
|
||||
.\"
|
||||
.de Sh \" Subsection
|
||||
.br
|
||||
.if t .Sp
|
||||
.ne 5
|
||||
.PP
|
||||
\fB\\$1\fR
|
||||
.PP
|
||||
..
|
||||
.de Sp \" Vertical space (when we can't use .PP)
|
||||
.if t .sp .5v
|
||||
.if n .sp
|
||||
..
|
||||
.de Ip \" List item
|
||||
.br
|
||||
.ie \\n(.$>=3 .ne \\$3
|
||||
.el .ne 3
|
||||
.IP "\\$1" \\$2
|
||||
..
|
||||
.TH "UNIX2_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual"
|
||||
.SH NAME
|
||||
unix2_chkpwd \- helper binary that verifies the password of the current user
|
||||
.SH "SYNOPSIS"
|
||||
.ad l
|
||||
.hy 0
|
||||
|
||||
/sbin/unix2_chkpwd \fIservicename\fR \fIusername\fR
|
||||
.sp
|
||||
.ad
|
||||
.hy
|
||||
.SH "DESCRIPTION"
|
||||
.PP
|
||||
\fBunix2_chkpwd\fR is a helper program for applications that verifies
|
||||
the password of the current user. It is not intended to be run directly from
|
||||
the command line and logs a security violation if done so.
|
||||
|
||||
It is typically installed setuid root or setgid shadow and called by
|
||||
applications, which only wishes to do an user authentification and
|
||||
nothing more.
|
||||
|
||||
.SH "OPTIONS"
|
||||
.PP
|
||||
unix2_chkpwd requires the following arguments:
|
||||
.TP
|
||||
\fIpam_service\fR
|
||||
The name of the service using unix2_chkpwd. This is required to be one of
|
||||
the services in /etc/pam.d
|
||||
.TP
|
||||
\fIusername\fR
|
||||
The name of the user whose password you want to verify.
|
||||
|
||||
.SH "INPUTS"
|
||||
.PP
|
||||
unix2_chkpwd expects the password via stdin.
|
||||
|
||||
.SH "RETURN CODES"
|
||||
.PP
|
||||
\fBunix2_chkpwd\fR has the following return codes:
|
||||
.TP
|
||||
1
|
||||
unix2_chkpwd was inappropriately called from the command line or the password is incorrect.
|
||||
|
||||
.TP
|
||||
0
|
||||
The password is correct.
|
||||
|
||||
.SH "HISTORY"
|
||||
Written by Olaf Kirch loosely based on unix_chkpwd by Andrew Morgan
|
||||
|
||||
.SH "SEE ALSO"
|
||||
|
||||
.PP
|
||||
\fBpam\fR(8)
|
||||
|
||||
.SH AUTHOR
|
||||
Emily Ratliff.
|
337
unix2_chkpwd.c
Normal file
337
unix2_chkpwd.c
Normal file
@ -0,0 +1,337 @@
|
||||
/*
|
||||
* Set*id helper program for PAM authentication.
|
||||
*
|
||||
* It is supposed to be called from pam_unix2's
|
||||
* pam_sm_authenticate function if the function notices
|
||||
* that it's unable to get the password from the shadow file
|
||||
* because it doesn't have sufficient permissions.
|
||||
*
|
||||
* Copyright (C) 2002 SuSE Linux AG
|
||||
*
|
||||
* Written by okir@suse.de, loosely based on unix_chkpwd
|
||||
* by Andrew Morgan.
|
||||
*/
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/_pam_macros.h>
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <syslog.h>
|
||||
#include <unistd.h>
|
||||
#include <pwd.h>
|
||||
#include <signal.h>
|
||||
#include <fcntl.h>
|
||||
#include <ctype.h>
|
||||
#include <errno.h>
|
||||
|
||||
#define BUFLEN 1024
|
||||
#ifndef LOGINDEFS
|
||||
#define LOGINDEFS "/etc/login.defs"
|
||||
#endif
|
||||
#define LOGINDEFS_FAIL_DELAY_KEY "FAIL_DELAY"
|
||||
#define DEFAULT_FAIL_DELAY_S 10
|
||||
|
||||
#define PASSWD_CRACKER_DELAY_MS 100
|
||||
|
||||
enum {
|
||||
UNIX_PASSED = 0,
|
||||
UNIX_FAILED = 1
|
||||
};
|
||||
|
||||
static char * program_name;
|
||||
static char pass[64];
|
||||
static int npass = -1;
|
||||
|
||||
/*
|
||||
* Log error messages
|
||||
*/
|
||||
static void
|
||||
_log_err(int err, const char *format,...)
|
||||
{
|
||||
va_list args;
|
||||
|
||||
va_start(args, format);
|
||||
openlog(program_name, LOG_CONS | LOG_PID, LOG_AUTH);
|
||||
vsyslog(err, format, args);
|
||||
va_end(args);
|
||||
closelog();
|
||||
}
|
||||
|
||||
static void
|
||||
su_sighandler(int sig)
|
||||
{
|
||||
if (sig > 0) {
|
||||
_log_err(LOG_NOTICE, "caught signal %d.", sig);
|
||||
exit(sig);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Setup signal handlers
|
||||
*/
|
||||
static void
|
||||
setup_signals(void)
|
||||
{
|
||||
struct sigaction action;
|
||||
|
||||
memset((void *) &action, 0, sizeof(action));
|
||||
action.sa_handler = su_sighandler;
|
||||
action.sa_flags = SA_RESETHAND;
|
||||
sigaction(SIGILL, &action, NULL);
|
||||
sigaction(SIGTRAP, &action, NULL);
|
||||
sigaction(SIGBUS, &action, NULL);
|
||||
sigaction(SIGSEGV, &action, NULL);
|
||||
action.sa_handler = SIG_IGN;
|
||||
action.sa_flags = 0;
|
||||
sigaction(SIGTERM, &action, NULL);
|
||||
sigaction(SIGHUP, &action, NULL);
|
||||
sigaction(SIGINT, &action, NULL);
|
||||
sigaction(SIGQUIT, &action, NULL);
|
||||
sigaction(SIGALRM, &action, NULL);
|
||||
}
|
||||
|
||||
static int
|
||||
_converse(int num_msg, const struct pam_message **msg,
|
||||
struct pam_response **resp, void *appdata_ptr)
|
||||
{
|
||||
struct pam_response *reply;
|
||||
int num;
|
||||
|
||||
if (!(reply = malloc(sizeof(*reply) * num_msg)))
|
||||
return PAM_CONV_ERR;
|
||||
|
||||
for (num = 0; num < num_msg; num++) {
|
||||
reply[num].resp_retcode = PAM_SUCCESS;
|
||||
reply[num].resp = NULL;
|
||||
switch (msg[num]->msg_style) {
|
||||
case PAM_PROMPT_ECHO_ON:
|
||||
return PAM_CONV_ERR;
|
||||
case PAM_PROMPT_ECHO_OFF:
|
||||
/* read the password from stdin */
|
||||
if (npass < 0) {
|
||||
npass = read(STDIN_FILENO, pass, sizeof(pass)-1);
|
||||
if (npass < 0) {
|
||||
_log_err(LOG_DEBUG, "error reading password");
|
||||
return UNIX_FAILED;
|
||||
}
|
||||
pass[npass] = '\0';
|
||||
}
|
||||
reply[num].resp = strdup(pass);
|
||||
break;
|
||||
case PAM_TEXT_INFO:
|
||||
case PAM_ERROR_MSG:
|
||||
/* ignored */
|
||||
break;
|
||||
default:
|
||||
/* Must be an error of some sort... */
|
||||
return PAM_CONV_ERR;
|
||||
}
|
||||
}
|
||||
|
||||
*resp = reply;
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
static int
|
||||
_authenticate(const char *service, const char *user)
|
||||
{
|
||||
struct pam_conv conv = { _converse, NULL };
|
||||
pam_handle_t *pamh;
|
||||
int err;
|
||||
|
||||
err = pam_start(service, user, &conv, &pamh);
|
||||
if (err != PAM_SUCCESS) {
|
||||
_log_err(LOG_ERR, "pam_start(%s, %s) failed (errno %d)",
|
||||
service, user, err);
|
||||
return UNIX_FAILED;
|
||||
}
|
||||
|
||||
err = pam_authenticate(pamh, 0);
|
||||
if (err != PAM_SUCCESS)
|
||||
_log_err(LOG_ERR, "pam_authenticate(%s, %s): %s",
|
||||
service, user,
|
||||
pam_strerror(pamh, err));
|
||||
|
||||
if (err == PAM_SUCCESS)
|
||||
{
|
||||
err = pam_acct_mgmt(pamh, 0);
|
||||
if (err == PAM_SUCCESS)
|
||||
{
|
||||
int err2 = pam_setcred(pamh, PAM_REFRESH_CRED);
|
||||
if (err2 != PAM_SUCCESS)
|
||||
_log_err(LOG_ERR, "pam_setcred(%s, %s): %s",
|
||||
service, user,
|
||||
pam_strerror(pamh, err2));
|
||||
/*
|
||||
* ignore errors on refresh credentials.
|
||||
* If this did not work we use the old once.
|
||||
*/
|
||||
} else {
|
||||
_log_err(LOG_ERR, "pam_acct_mgmt(%s, %s): %s",
|
||||
service, user,
|
||||
pam_strerror(pamh, err));
|
||||
}
|
||||
}
|
||||
|
||||
pam_end(pamh, err);
|
||||
|
||||
if (err != PAM_SUCCESS)
|
||||
return UNIX_FAILED;
|
||||
return UNIX_PASSED;
|
||||
}
|
||||
|
||||
static char *
|
||||
getuidname(uid_t uid)
|
||||
{
|
||||
struct passwd *pw;
|
||||
static char username[32];
|
||||
|
||||
pw = getpwuid(uid);
|
||||
if (pw == NULL)
|
||||
return NULL;
|
||||
|
||||
strncpy(username, pw->pw_name, sizeof(username));
|
||||
username[sizeof(username) - 1] = '\0';
|
||||
|
||||
endpwent();
|
||||
return username;
|
||||
}
|
||||
|
||||
static int
|
||||
sane_pam_service(const char *name)
|
||||
{
|
||||
const char *sp;
|
||||
char path[128];
|
||||
|
||||
if (strlen(name) > 32)
|
||||
return 0;
|
||||
for (sp = name; *sp; sp++) {
|
||||
if (!isalnum(*sp) && *sp != '_' && *sp != '-')
|
||||
return 0;
|
||||
}
|
||||
|
||||
snprintf(path, sizeof(path), "/etc/pam.d/%s", name);
|
||||
return access(path, R_OK) == 0;
|
||||
}
|
||||
|
||||
static int
|
||||
get_system_fail_delay (void)
|
||||
{
|
||||
FILE *fs;
|
||||
char buf[BUFLEN];
|
||||
long int delay = -1;
|
||||
char *s;
|
||||
int l;
|
||||
|
||||
fs = fopen(LOGINDEFS, "r");
|
||||
if (NULL == fs) {
|
||||
goto bail_out;
|
||||
}
|
||||
|
||||
while ((NULL != fgets(buf, BUFLEN, fs)) && (-1 == delay)) {
|
||||
if (!strstr(buf, LOGINDEFS_FAIL_DELAY_KEY)) {
|
||||
continue;
|
||||
}
|
||||
s = buf + strspn(buf, " \t");
|
||||
l = strcspn(s, " \t");
|
||||
if (strncmp(LOGINDEFS_FAIL_DELAY_KEY, s, l)) {
|
||||
continue;
|
||||
}
|
||||
s += l;
|
||||
s += strspn(s, " \t");
|
||||
errno = 0;
|
||||
delay = strtol(s, NULL, 10);
|
||||
if (errno) {
|
||||
delay = -1;
|
||||
}
|
||||
break;
|
||||
}
|
||||
fclose (fs);
|
||||
bail_out:
|
||||
delay = (delay < 0) ? DEFAULT_FAIL_DELAY_S : delay;
|
||||
return (int)delay;
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char *argv[])
|
||||
{
|
||||
const char *program_name;
|
||||
char *service, *user;
|
||||
int fd;
|
||||
int result = UNIX_FAILED;
|
||||
uid_t uid;
|
||||
|
||||
uid = getuid();
|
||||
|
||||
/*
|
||||
* Make sure standard file descriptors are connected.
|
||||
*/
|
||||
while ((fd = open("/dev/null", O_RDWR)) <= 2)
|
||||
;
|
||||
close(fd);
|
||||
|
||||
/*
|
||||
* Get the program name
|
||||
*/
|
||||
if (argc == 0)
|
||||
program_name = "unix2_chkpwd";
|
||||
else if ((program_name = strrchr(argv[0], '/')) != NULL)
|
||||
program_name++;
|
||||
else
|
||||
program_name = argv[0];
|
||||
|
||||
/*
|
||||
* Catch or ignore as many signal as possible.
|
||||
*/
|
||||
setup_signals();
|
||||
|
||||
/*
|
||||
* Check argument list
|
||||
*/
|
||||
if (argc < 2 || argc > 3) {
|
||||
_log_err(LOG_NOTICE, "Bad number of arguments (%d)", argc);
|
||||
return UNIX_FAILED;
|
||||
}
|
||||
|
||||
/*
|
||||
* Get the service name and do some sanity checks on it
|
||||
*/
|
||||
service = argv[1];
|
||||
if (!sane_pam_service(service)) {
|
||||
_log_err(LOG_ERR, "Illegal service name '%s'", service);
|
||||
return UNIX_FAILED;
|
||||
}
|
||||
|
||||
/*
|
||||
* Discourage users messing around (fat chance)
|
||||
*/
|
||||
if (isatty(STDIN_FILENO) && uid != 0) {
|
||||
_log_err(LOG_NOTICE,
|
||||
"Inappropriate use of Unix helper binary [UID=%d]",
|
||||
uid);
|
||||
fprintf(stderr,
|
||||
"This binary is not designed for running in this way\n"
|
||||
"-- the system administrator has been informed\n");
|
||||
sleep(10); /* this should discourage/annoy the user */
|
||||
return UNIX_FAILED;
|
||||
}
|
||||
|
||||
/*
|
||||
* determine the caller's user name
|
||||
*/
|
||||
user = getuidname(uid);
|
||||
if (argc == 3 && strcmp(user, argv[2])) {
|
||||
user = argv[2];
|
||||
}
|
||||
result = _authenticate(service, user);
|
||||
/* Discourage use of this program as a
|
||||
* password cracker */
|
||||
usleep(PASSWD_CRACKER_DELAY_MS * 1000);
|
||||
if (result != UNIX_PASSED && uid != 0)
|
||||
sleep(get_system_fail_delay());
|
||||
return result;
|
||||
}
|
Loading…
Reference in New Issue
Block a user