pool/pam
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1045205 from Linux-PAM

Browse Source 
- Also obsolete pam_unix-32bit to have clean upgrade path.

- Merge pam_unix back into pam, seperate package not needed anymore

- Update pam-git.diff to current upstream
  - pam_env: Use vendor specific pam_env.conf and environment as fallback
  - pam_shells: Use the vendor directory
  obsoletes pam_env_econf.patch
- Refresh docbook5.patch

OBS-URL: https://build.opensuse.org/request/show/1045205
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=126
This commit is contained in:
Dominique Leuenberger 2022-12-25 14:14:17 +00:00 committed by Git OBS Bridge
commit a42fcc6da5
6 changed files with 1114 additions and 734 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
baselibs.conf
View File

@ -1,6 +1,6 @@
pam
requires "(systemd-<targettype> if systemd)"
obsoletes "pam_unix-<targettype>"
obsoletes "pam_unix-nis-<targettype>"
pam-extra
pam-devel
pam_unix
conflicts "pam_unix-nis-<targettype>"

63
docbook5.patch
View File

@ -1,4 +1,4 @@
From 681e88a5428904b478a37e65154d7cf0ba1a9eb5 Mon Sep 17 00:00:00 2001
From 55e4d5c4aac39602518dd5d4ce03a4313775180f Mon Sep 17 00:00:00 2001
From: Stefan Schubert <schubi@suse.de>
Date: Tue, 25 Oct 2022 16:29:41 +0200
Subject: [PATCH] doc: Update PAM documentation from DockBook 4 to DocBook 5
@ -14,7 +14,7 @@ doc/sag/Makefile.am, doc/adg/Makefile.am, doc/mwg/Makefile.am:
- Using RNG file instead of DTD file for checking XML files.
configure.ac:
- Added a new option for selecting RNG check file (-enable-docbook-rng)
- Adding a new option for selecting RNG check file (-enable-docbook-rng)
- Switching stylesheets to docbook 5
- Checking DocBook 5 environment instead of DocBook 4 environment
@ -152,7 +152,6 @@ Update from DockBook 4 to DocBook 5
doc/sag/pam_warn.xml | 42 ++--
doc/sag/pam_wheel.xml | 42 ++--
doc/sag/pam_xauth.xml | 42 ++--
examples/.gitignore | 2 +-
modules/pam_access/README.xml | 32 +--
modules/pam_access/access.conf.5.xml | 20 +-
modules/pam_access/pam_access.8.xml | 63 +++--
@ -163,7 +162,7 @@ Update from DockBook 4 to DocBook 5
modules/pam_echo/README.xml | 29 +--
modules/pam_echo/pam_echo.8.xml | 45 ++--
modules/pam_env/README.xml | 34 +--
modules/pam_env/pam_env.8.xml | 59 +++--
modules/pam_env/pam_env.8.xml | 63 +++--
modules/pam_env/pam_env.conf.5.xml | 19 +-
modules/pam_exec/README.xml | 32 +--
modules/pam_exec/pam_exec.8.xml | 65 +++--
@ -257,7 +256,7 @@ Update from DockBook 4 to DocBook 5
modules/pam_wheel/pam_wheel.8.xml | 59 +++--
modules/pam_xauth/README.xml | 35 +--
modules/pam_xauth/pam_xauth.8.xml | 65 +++--
236 files changed, 3398 insertions(+), 5101 deletions(-)
235 files changed, 3399 insertions(+), 5102 deletions(-)
diff --git a/Make.xml.rules.in b/Make.xml.rules.in
index 27bb510ec..98beb9ed7 100644
@ -292,7 +291,7 @@ index 27bb510ec..98beb9ed7 100644
#CLEANFILES += $(man_MANS) README
diff --git a/configure.ac b/configure.ac
index 2f74d1b49..84cda219d 100644
index 538195e55..afa749cf6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -243,26 +243,35 @@ if test x"$enable_debug" = x"yes" ; then
@ -339,7 +338,7 @@ index 2f74d1b49..84cda219d 100644
AC_SUBST(MAN_STYLESHEET)
sed "s+MAN_STYLESHEET+$MAN_STYLESHEET+g" <doc/custom-man.xsl.in >doc/custom-man.xsl
@@ -605,10 +614,10 @@ if test -z "$XSLTPROC"; then
@@ -608,10 +617,10 @@ if test -z "$XSLTPROC"; then
enable_docu=no
fi
AC_PATH_PROG([XMLLINT], [xmllint],[/bin/true])
@ -9561,7 +9560,7 @@ index 21a9b8555..8becf8700 100644
+</article>
\ No newline at end of file
diff --git a/modules/pam_env/pam_env.8.xml b/modules/pam_env/pam_env.8.xml
index 75ff862be..bcb16036f 100644
index d7687d6c9..fb172e17b 100644
--- a/modules/pam_env/pam_env.8.xml
+++ b/modules/pam_env/pam_env.8.xml
@@ -1,16 +1,13 @@
@ -9625,7 +9624,7 @@ index 75ff862be..bcb16036f 100644
<title>DESCRIPTION</title>
<para>
The pam_env PAM module allows the (un)setting of environment
@@ -77,13 +74,13 @@
@@ -119,13 +116,13 @@
</para>
</refsect1>
@ -9641,7 +9640,7 @@ index 75ff862be..bcb16036f 100644
</term>
<listitem>
<para>
@@ -96,7 +93,7 @@
@@ -138,7 +135,7 @@
<varlistentry>
<term>
@ -9650,7 +9649,7 @@ index 75ff862be..bcb16036f 100644
</term>
<listitem>
<para>
@@ -108,7 +105,7 @@
@@ -150,7 +147,7 @@
<varlistentry>
<term>
@ -9659,7 +9658,7 @@ index 75ff862be..bcb16036f 100644
</term>
<listitem>
<para>
@@ -124,7 +121,7 @@
@@ -166,7 +163,7 @@
<varlistentry>
<term>
@ -9668,7 +9667,7 @@ index 75ff862be..bcb16036f 100644
</term>
<listitem>
<para>
@@ -137,7 +134,7 @@
@@ -179,7 +176,7 @@
<varlistentry>
<term>
@ -9677,7 +9676,7 @@ index 75ff862be..bcb16036f 100644
</term>
<listitem>
<para>
@@ -153,7 +150,7 @@
@@ -195,7 +192,7 @@
<varlistentry>
<term>
@ -9686,7 +9685,7 @@ index 75ff862be..bcb16036f 100644
</term>
<listitem>
<para>
@@ -174,7 +171,7 @@
@@ -216,7 +213,7 @@
</variablelist>
</refsect1>
@ -9695,7 +9694,7 @@ index 75ff862be..bcb16036f 100644
<title>MODULE TYPES PROVIDED</title>
<para>
The <option>auth</option> and <option>session</option> module
@@ -182,7 +179,7 @@
@@ -224,7 +221,7 @@
</para>
</refsect1>
@ -9704,7 +9703,7 @@ index 75ff862be..bcb16036f 100644
<title>RETURN VALUES</title>
<variablelist>
<varlistentry>
@@ -220,23 +217,23 @@
@@ -262,25 +259,25 @@
</variablelist>
</refsect1>
@ -9713,14 +9712,18 @@ index 75ff862be..bcb16036f 100644
<title>FILES</title>
<variablelist>
<varlistentry>
- <term condition="with_vendordir"><filename>/usr/etc/security/pam_env.conf</filename></term>
- <term><filename>/etc/security/pam_env.conf</filename></term>
+ <term condition="with_vendordir">%vendordir%/security/pam_env.conf</term>
+ <term>/etc/security/pam_env.conf</term>
<listitem>
<para>Default configuration file</para>
</listitem>
</varlistentry>
<varlistentry>
- <term condition="with_vendordir"><filename>/usr/etc/environment</filename></term>
- <term><filename>/etc/environment</filename></term>
+ <term condition="with_vendordir">%vendordir%/environment</term>
+ <term>/etc/environment</term>
<listitem>
<para>Default environment file</para>
@ -9732,7 +9735,7 @@ index 75ff862be..bcb16036f 100644
<listitem>
<para>User specific environment file</para>
</listitem>
@@ -244,7 +241,7 @@
@@ -288,7 +285,7 @@
</variablelist>
</refsect1>
@ -9741,7 +9744,7 @@ index 75ff862be..bcb16036f 100644
<title>SEE ALSO</title>
<para>
<citerefentry>
@@ -262,10 +259,10 @@
@@ -306,10 +303,10 @@
</para>
</refsect1>
@ -9756,7 +9759,7 @@ index 75ff862be..bcb16036f 100644
+</refentry>
\ No newline at end of file
diff --git a/modules/pam_env/pam_env.conf.5.xml b/modules/pam_env/pam_env.conf.5.xml
index fca046fe3..f88791676 100644
index 5c0dbcb8c..662ff0a00 100644
--- a/modules/pam_env/pam_env.conf.5.xml
+++ b/modules/pam_env/pam_env.conf.5.xml
@@ -1,13 +1,10 @@
@ -9784,8 +9787,8 @@ index fca046fe3..f88791676 100644
+ <refsect1 xml:id="pam_env.conf-description">
<title>DESCRIPTION</title>
<para>
@@ -71,7 +68,7 @@
<para condition="with_vendordir">
@@ -87,7 +84,7 @@
</para>
</refsect1>
@ -9794,7 +9797,7 @@ index fca046fe3..f88791676 100644
<title>EXAMPLES</title>
<para>
These are some example lines which might be specified in
@@ -117,7 +114,7 @@
@@ -133,7 +130,7 @@
</programlisting>
</refsect1>
@ -9803,7 +9806,7 @@ index fca046fe3..f88791676 100644
<title>SEE ALSO</title>
<para>
<citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
@@ -127,10 +124,10 @@
@@ -143,10 +140,10 @@
</para>
</refsect1>
@ -16961,7 +16964,7 @@ index 154b97b51..c4da1a060 100644
+</article>
\ No newline at end of file
diff --git a/modules/pam_shells/pam_shells.8.xml b/modules/pam_shells/pam_shells.8.xml
index 15f476717..67d8ecf16 100644
index 73b4855a3..b9f90e94a 100644
--- a/modules/pam_shells/pam_shells.8.xml
+++ b/modules/pam_shells/pam_shells.8.xml
@@ -1,27 +1,24 @@
@ -16998,7 +17001,7 @@ index 15f476717..67d8ecf16 100644
<title>DESCRIPTION</title>
@@ -35,13 +32,13 @@
@@ -43,13 +40,13 @@
</para>
</refsect1>
@ -17014,7 +17017,7 @@ index 15f476717..67d8ecf16 100644
<title>MODULE TYPES PROVIDED</title>
<para>
The <option>auth</option> and <option>account</option>
@@ -49,7 +46,7 @@
@@ -57,7 +54,7 @@
</para>
</refsect1>
@ -17023,7 +17026,7 @@ index 15f476717..67d8ecf16 100644
<title>RETURN VALUES</title>
<variablelist>
<varlistentry>
@@ -80,7 +77,7 @@
@@ -88,7 +85,7 @@
</variablelist>
</refsect1>
@ -17032,7 +17035,7 @@ index 15f476717..67d8ecf16 100644
<title>EXAMPLES</title>
<para>
<programlisting>
@@ -89,7 +86,7 @@ auth required pam_shells.so
@@ -97,7 +94,7 @@ auth required pam_shells.so
</para>
</refsect1>
@ -17041,7 +17044,7 @@ index 15f476717..67d8ecf16 100644
<title>SEE ALSO</title>
<para>
<citerefentry>
@@ -107,11 +104,11 @@ auth required pam_shells.so
@@ -115,11 +112,11 @@ auth required pam_shells.so
</para>
</refsect1>

1151
pam-git.diff
View File

File diff suppressed because it is too large Load Diff

19
pam.changes
View File

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Sat Dec 24 13:31:33 UTC 2022 - Dominique Leuenberger <dleuenberger@suse.com>
- Also obsolete pam_unix-32bit to have clean upgrade path.
-------------------------------------------------------------------
Fri Dec 16 09:37:15 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
- Merge pam_unix back into pam, seperate package not needed anymore
-------------------------------------------------------------------
Thu Dec 15 12:47:53 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
- Update pam-git.diff to current upstream
- pam_env: Use vendor specific pam_env.conf and environment as fallback
- pam_shells: Use the vendor directory
obsoletes pam_env_econf.patch
- Refresh docbook5.patch
-------------------------------------------------------------------
Tue Dec 6 16:43:49 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>

35
pam.spec
View File

@ -67,9 +67,8 @@ Source15: Linux-PAM-%{version}.tar.xz.asc
Patch1: pam-limit-nproc.patch
Patch3: pam-xauth_ownership.patch
Patch4: pam-bsc1177858-dont-free-environment-string.patch
Patch10: pam_xauth_data.3.xml.patch
Patch5: pam_xauth_data.3.xml.patch
Patch11: pam-git.diff
Patch12: pam_env_econf.patch
Patch13: pam_pwhistory-docu.patch
Patch14: docbook5.patch
BuildRequires: audit-devel
@ -88,8 +87,8 @@ BuildRequires: pkgconfig(libeconf)
%if %{enable_selinux}
BuildRequires: libselinux-devel
%endif
Requires: pam_unix.so
Suggests: pam_unix
Obsoletes: pam_unix
Obsoletes: pam_unix-nis
Recommends: pam-manpages
%if 0%{?suse_version} >= 1330
Requires(pre): group(shadow)
@ -101,18 +100,6 @@ PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.
%package -n pam_unix
Summary: PAM module for standard UNIX authentication
Group: System/Libraries
Provides: pam:/%{_lib}/security/pam_unix.so
Provides: pam_unix.so
Conflicts: pam_unix-nis
%description -n pam_unix
This package contains the pam_unix module, which does the standard
UNIX authentication against the passwd and shadow database. This
module does not contain NIS support.
%package extra
Summary: PAM module to authenticate against a separate database
Group: System/Libraries
@ -181,8 +168,7 @@ cp -a %{SOURCE12} .
%patch1 -p1
%patch3 -p1
%patch4 -p1
%patch10 -p1
%patch12 -p1
%patch5 -p1
%if %{build_doc}
%patch13 -p1
%patch14 -p1
@ -396,6 +382,11 @@ done
%{_pam_moduledir}/pam_timestamp.so
%{_pam_moduledir}/pam_tty_audit.so
%{_pam_moduledir}/pam_umask.so
%{_pam_moduledir}/pam_unix.so
%{_pam_moduledir}/pam_unix_acct.so
%{_pam_moduledir}/pam_unix_auth.so
%{_pam_moduledir}/pam_unix_passwd.so
%{_pam_moduledir}/pam_unix_session.so
%{_pam_moduledir}/pam_usertype.so
%{_pam_moduledir}/pam_warn.so
%{_pam_moduledir}/pam_wheel.so
@ -411,14 +402,6 @@ done
%{_unitdir}/pam_namespace.service
%{_tmpfilesdir}/pam.conf
%files -n pam_unix
%defattr(-,root,root,755)
%{_pam_moduledir}/pam_unix.so
%{_pam_moduledir}/pam_unix_acct.so
%{_pam_moduledir}/pam_unix_auth.so
%{_pam_moduledir}/pam_unix_passwd.so
%{_pam_moduledir}/pam_unix_session.so
%files extra
%defattr(-,root,root,755)
%{_pam_moduledir}/pam_userdb.so

576
pam_env_econf.patch
View File

@ -1,576 +0,0 @@
From 4b427724082fa2b77cccfa572881c5d2940c754e Mon Sep 17 00:00:00 2001
From: Stefan Schubert <schubi@suse.de>
Date: Fri, 3 Dec 2021 14:33:20 +0100
Subject: [PATCH] pam_env: Use vendor specific pam_env.conf and environment as
fallback
Use the vendor directory as fallback for a distribution provided default
config if there is no one in /etc.
* Makefile.am: Add libeconf setting.
* pam_env.c: Take care about the fallback configuration in the vendor directory.
* tst-pam_env-retval.c: Added tests for libeconf.
* configure.ac: Added ECONF settings for building man pages.
---
configure.ac | 7 +-
modules/pam_env/.gitignore | 1 +
modules/pam_env/Makefile.am | 4 +-
modules/pam_env/pam_env.c | 298 +++++++++++++++++++++++----
modules/pam_env/tst-pam_env-retval.c | 60 ++++++
7 files changed, 394 insertions(+), 44 deletions(-)
create mode 100644 modules/pam_env/.gitignore
diff --git a/configure.ac b/configure.ac
index 2f74d1b49..51ca0ad25 100644
--- a/configure.ac
+++ b/configure.ac
@@ -523,6 +523,7 @@ if test "$WITH_ECONF" = "yes" ; then
PKG_CHECK_MODULES([ECONF], [libeconf], [],
[AC_CHECK_LIB([econf],[econf_readDirs],[ECONF_LIBS="-leconf"],[ECONF_LIBS=""])])
if test -n "$ECONF_LIBS" ; then
+ AC_CHECK_LIB([econf],[econf_errLocation], [], [AC_MSG_ERROR([Please update libeconf])])
ECONF_CFLAGS="-DUSE_ECONF=1 $ECONF_CFLAGS"
fi
fi
@@ -535,7 +536,11 @@ if test -n "$enable_vendordir"; then
[Directory for distribution provided configuration files])
AC_DEFINE_UNQUOTED([VENDOR_SCONFIGDIR], ["$enable_vendordir/security"],
[Directory for PAM modules distribution provided configuration files])
- STRINGPARAM_VENDORDIR="--stringparam vendordir '$enable_vendordir' --stringparam profile.condition 'with_vendordir'"
+ if test "$WITH_ECONF" = "yes" ; then
+ STRINGPARAM_VENDORDIR="--stringparam vendordir '$enable_vendordir' --stringparam profile.condition 'with_vendordir;with_vendordir_and_with_econf'"
+ else
+ STRINGPARAM_VENDORDIR="--stringparam vendordir '$enable_vendordir' --stringparam profile.condition 'with_vendordir;with_vendordir_and_without_econf"
+ fi
else
STRINGPARAM_VENDORDIR="--stringparam profile.condition 'without_vendordir'"
fi
diff --git a/modules/pam_env/.gitignore b/modules/pam_env/.gitignore
new file mode 100644
index 000000000..4c5b234b1
--- /dev/null
+++ b/modules/pam_env/.gitignore
@@ -0,0 +1 @@
+tst-pam_env-retval
diff --git a/modules/pam_env/Makefile.am b/modules/pam_env/Makefile.am
index 02cd9d375..b99a83ecb 100644
--- a/modules/pam_env/Makefile.am
+++ b/modules/pam_env/Makefile.am
@@ -18,14 +18,14 @@ securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
- $(WARN_CFLAGS)
+ $(WARN_CFLAGS) -DSYSCONFDIR=\"$(sysconfdir)\" $(ECONF_CFLAGS)
AM_LDFLAGS = -no-undefined -avoid-version -module
if HAVE_VERSIONING
AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
endif
securelib_LTLIBRARIES = pam_env.la
-pam_env_la_LIBADD = $(top_builddir)/libpam/libpam.la
+pam_env_la_LIBADD = $(top_builddir)/libpam/libpam.la $(ECONF_LIBS)
check_PROGRAMS = tst-pam_env-retval
tst_pam_env_retval_LDADD = $(top_builddir)/libpam/libpam.la
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index 64a586454..aabab7992 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -7,6 +7,9 @@
*/
#define DEFAULT_ETC_ENVFILE "/etc/environment"
+#ifdef VENDORDIR
+#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/etc/environment")
+#endif
#define DEFAULT_READ_ENVFILE 1
#define DEFAULT_USER_ENVFILE ".pam_environment"
@@ -25,6 +28,9 @@
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
+#ifdef USE_ECONF
+#include <libeconf.h>
+#endif
#include <security/pam_modules.h>
#include <security/pam_modutil.h>
@@ -42,6 +48,9 @@ typedef struct var {
} VAR;
#define DEFAULT_CONF_FILE (SCONFIGDIR "/pam_env.conf")
+#ifdef VENDOR_SCONFIGDIR
+#define VENDOR_DEFAULT_CONF_FILE (VENDOR_SCONFIGDIR "/pam_env.conf")
+#endif
#define BUF_SIZE 8192
#define MAX_ENV 8192
@@ -56,6 +65,16 @@ typedef struct var {
/* This is a special value used to designate an empty string */
static char quote='\0';
+static void free_string_array(char **array)
+{
+ if (array == NULL)
+ return;
+ for (char **entry = array; *entry != NULL; ++entry) {
+ free(*entry);
+ }
+ free(array);
+}
+
/* argument parsing */
#define PAM_DEBUG_ARG 0x01
@@ -68,10 +87,10 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv,
int ctrl=0;
*user_envfile = DEFAULT_USER_ENVFILE;
- *envfile = DEFAULT_ETC_ENVFILE;
+ *envfile = NULL;
*readenv = DEFAULT_READ_ENVFILE;
*user_readenv = DEFAULT_USER_READ_ENVFILE;
- *conffile = DEFAULT_CONF_FILE;
+ *conffile = NULL;
/* step through arguments */
for (; argc-- > 0; ++argv) {
@@ -119,6 +138,148 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv,
return ctrl;
}
+#ifdef USE_ECONF
+
+#define ENVIRONMENT "environment"
+#define PAM_ENV "pam_env"
+
+static int
+isDirectory(const char *path) {
+ struct stat statbuf;
+ if (stat(path, &statbuf) != 0)
+ return 0;
+ return S_ISDIR(statbuf.st_mode);
+}
+
+static int
+econf_read_file(const pam_handle_t *pamh, const char *filename, const char *delim,
+ const char *name, const char *suffix, const char *subpath,
+ char ***lines)
+{
+ econf_file *key_file = NULL;
+ econf_err error;
+ size_t key_number = 0;
+ char **keys = NULL;
+ const char *base_dir = "";
+
+ if (filename != NULL) {
+ if (isDirectory(filename)) {
+ /* Set base directory which can be different from root */
+ D(("filename argument is a directory: %s", filename));
+ base_dir = filename;
+ } else {
+ /* Read only one file */
+ error = econf_readFile (&key_file, filename, delim, "#");
+ D(("File name is: %s", filename));
+ if (error != ECONF_SUCCESS) {
+ pam_syslog(pamh, LOG_ERR, "Unable to open env file: %s: %s", filename,
+ econf_errString(error));
+ if (error == ECONF_NOFILE)
+ return PAM_IGNORE;
+ else
+ return PAM_ABORT;
+ }
+ }
+ }
+ if (filename == NULL || base_dir[0] != '\0') {
+ /* Read and merge all setting in e.g. /usr/etc and /etc */
+ char *vendor_dir = NULL, *sysconf_dir;
+ if (subpath != NULL && subpath[0] != '\0') {
+#ifdef VENDORDIR
+ if (asprintf(&vendor_dir, "%s%s/%s/", base_dir, VENDORDIR, subpath) < 0) {
+ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
+ return PAM_BUF_ERR;
+ }
+#endif
+ if (asprintf(&sysconf_dir, "%s%s/%s/", base_dir, SYSCONFDIR, subpath) < 0) {
+ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
+ free(vendor_dir);
+ return PAM_BUF_ERR;
+ }
+ } else {
+#ifdef VENDORDIR
+ if (asprintf(&vendor_dir, "%s%s/", base_dir, VENDORDIR) < 0) {
+ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
+ return PAM_BUF_ERR;
+ }
+#endif
+ if (asprintf(&sysconf_dir, "%s%s/", base_dir, SYSCONFDIR) < 0) {
+ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
+ free(vendor_dir);
+ return PAM_BUF_ERR;
+ }
+ }
+
+ D(("Read configuration from directory %s and %s", vendor_dir, sysconf_dir));
+ error = econf_readDirs (&key_file, vendor_dir, sysconf_dir, name, suffix,
+ delim, "#");
+ free(vendor_dir);
+ free(sysconf_dir);
+ if (error != ECONF_SUCCESS) {
+ if (error == ECONF_NOFILE) {
+ pam_syslog(pamh, LOG_ERR, "Configuration file not found: %s%s", name, suffix);
+ return PAM_IGNORE;
+ } else {
+ char *error_filename = NULL;
+ uint64_t error_line = 0;
+
+ econf_errLocation(&error_filename, &error_line);
+ pam_syslog(pamh, LOG_ERR, "Unable to read configuration file %s line %ld: %s",
+ error_filename,
+ error_line,
+ econf_errString(error));
+ free(error_filename);
+ return PAM_ABORT;
+ }
+ }
+ }
+
+ error = econf_getKeys(key_file, NULL, &key_number, &keys);
+ if (error != ECONF_SUCCESS && error != ECONF_NOKEY) {
+ pam_syslog(pamh, LOG_ERR, "Unable to read keys: %s",
+ econf_errString(error));
+ econf_freeFile(key_file);
+ return PAM_ABORT;
+ }
+
+ *lines = malloc((key_number +1)* sizeof(char**));
+ if (*lines == NULL) {
+ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
+ econf_free(keys);
+ econf_freeFile(key_file);
+ return PAM_BUF_ERR;
+ }
+
+ (*lines)[key_number] = 0;
+
+ for (size_t i = 0; i < key_number; i++) {
+ char *val;
+
+ error = econf_getStringValue (key_file, NULL, keys[i], &val);
+ if (error != ECONF_SUCCESS) {
+ pam_syslog(pamh, LOG_ERR, "Unable to get string from key %s: %s",
+ keys[i],
+ econf_errString(error));
+ } else {
+ if (asprintf(&(*lines)[i],"%s%c%s", keys[i], delim[0], val) < 0) {
+ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
+ econf_free(keys);
+ econf_freeFile(key_file);
+ free_string_array(*lines);
+ free (val);
+ return PAM_BUF_ERR;
+ }
+ free (val);
+ }
+ }
+
+ econf_free(keys);
+ econf_free(key_file);
+ return PAM_SUCCESS;
+}
+
+#else
+
/*
* This is where we read a line of the PAM config file. The line may be
* preceded by lines of comments and also extended with "\\\n"
@@ -212,6 +373,52 @@ _assemble_line(FILE *f, char *buffer, int buf_len)
return used;
}
+static int read_file(const pam_handle_t *pamh, const char*filename, char ***lines)
+{
+ FILE *conf;
+ char buffer[BUF_SIZE];
+
+ D(("Parsed file name is: %s", filename));
+
+ if ((conf = fopen(filename,"r")) == NULL) {
+ pam_syslog(pamh, LOG_ERR, "Unable to open env file: %s", filename);
+ return PAM_IGNORE;
+ }
+
+ size_t i = 0;
+ *lines = malloc((i + 1)* sizeof(char**));
+ if (*lines == NULL) {
+ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
+ (void) fclose(conf);
+ return PAM_BUF_ERR;
+ }
+ (*lines)[i] = 0;
+ while (_assemble_line(conf, buffer, BUF_SIZE) > 0) {
+ char **tmp = NULL;
+ D(("Read line: %s", buffer));
+ tmp = realloc(*lines, (++i + 1) * sizeof(char**));
+ if (tmp == NULL) {
+ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
+ (void) fclose(conf);
+ free_string_array(*lines);
+ return PAM_BUF_ERR;
+ }
+ *lines = tmp;
+ (*lines)[i-1] = strdup(buffer);
+ if ((*lines)[i-1] == NULL) {
+ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
+ (void) fclose(conf);
+ free_string_array(*lines);
+ return PAM_BUF_ERR;
+ }
+ (*lines)[i] = 0;
+ }
+
+ (void) fclose(conf);
+ return PAM_SUCCESS;
+}
+#endif
+
static int
_parse_line(const pam_handle_t *pamh, const char *buffer, VAR *var)
{
@@ -626,34 +833,38 @@ static int
_parse_config_file(pam_handle_t *pamh, int ctrl, const char *file)
{
int retval;
- char buffer[BUF_SIZE];
- FILE *conf;
VAR Var, *var=&Var;
-
- D(("Called."));
+ char **conf_list = NULL;
var->name=NULL; var->defval=NULL; var->override=NULL;
- D(("Config file name is: %s", file));
+ D(("Called."));
+#ifdef USE_ECONF
+ /* If "file" is not NULL, only this file will be parsed. */
+ retval = econf_read_file(pamh, file, " \t", PAM_ENV, ".conf", "security", &conf_list);
+#else
+ /* Only one file will be parsed. So, file has to be set. */
+ if (file == NULL) /* No filename has been set via argv. */
+ file = DEFAULT_CONF_FILE;
+#ifdef VENDOR_DEFAULT_CONF_FILE
/*
- * Lets try to open the config file, parse it and process
- * any variables found.
- */
-
- if ((conf = fopen(file,"r")) == NULL) {
- pam_syslog(pamh, LOG_ERR, "Unable to open config file: %s: %m", file);
- return PAM_IGNORE;
+ * Check whether file is available.
+ * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file.
+ */
+ struct stat stat_buffer;
+ if (stat(file, &stat_buffer) != 0 && errno == ENOENT) {
+ file = VENDOR_DEFAULT_CONF_FILE;
}
+#endif
+ retval = read_file(pamh, file, &conf_list);
+#endif
- /* _pam_assemble_line will provide a complete line from the config file,
- * with all comments removed and any escaped newlines fixed up
- */
-
- while (( retval = _assemble_line(conf, buffer, BUF_SIZE)) > 0) {
- D(("Read line: %s", buffer));
+ if (retval != PAM_SUCCESS)
+ return retval;
- if ((retval = _parse_line(pamh, buffer, var)) == GOOD_LINE) {
+ for (char **conf = conf_list; *conf != NULL; ++conf) {
+ if ((retval = _parse_line(pamh, *conf, var)) == GOOD_LINE) {
retval = _check_var(pamh, var);
if (DEFINE_VAR == retval) {
@@ -668,11 +879,10 @@ _parse_config_file(pam_handle_t *pamh, int ctrl, const char *file)
_clean_var(var);
- } /* while */
-
- (void) fclose(conf);
+ } /* for */
/* tidy up */
+ free_string_array(conf_list);
_clean_var(var); /* We could have got here prematurely,
* this is safe though */
D(("Exit."));
@@ -683,19 +893,33 @@ static int
_parse_env_file(pam_handle_t *pamh, int ctrl, const char *file)
{
int retval=PAM_SUCCESS, i, t;
- char buffer[BUF_SIZE], *key, *mark;
- FILE *conf;
-
- D(("Env file name is: %s", file));
-
- if ((conf = fopen(file,"r")) == NULL) {
- pam_syslog(pamh, LOG_ERR, "Unable to open env file: %s: %m", file);
- return PAM_IGNORE;
+ char *key, *mark;
+ char **env_list = NULL;
+
+#ifdef USE_ECONF
+ retval = econf_read_file(pamh, file, "=", ENVIRONMENT, "", "", &env_list);
+#else
+ /* Only one file will be parsed. So, file has to be set. */
+ if (file == NULL) /* No filename has been set via argv. */
+ file = DEFAULT_ETC_ENVFILE;
+#ifdef VENDOR_DEFAULT_ETC_ENVFILE
+ /*
+ * Check whether file is available.
+ * If it does not exist, fall back to VENDOR_DEFAULT_ETC_ENVFILE; file.
+ */
+ struct stat stat_buffer;
+ if (stat(file, &stat_buffer) != 0 && errno == ENOENT) {
+ file = VENDOR_DEFAULT_ETC_ENVFILE;
}
+#endif
+ retval = read_file(pamh, file, &env_list);
+#endif
- while (_assemble_line(conf, buffer, BUF_SIZE) > 0) {
- D(("Read line: %s", buffer));
- key = buffer;
+ if (retval != PAM_SUCCESS)
+ return retval == PAM_IGNORE ? PAM_SUCCESS : retval;
+
+ for (char **env = env_list; *env != NULL; ++env) {
+ key = *env;
/* skip leading white space */
key += strspn(key, " \n\t");
@@ -767,11 +991,11 @@ _parse_env_file(pam_handle_t *pamh, int ctrl, const char *file)
pam_syslog(pamh, LOG_DEBUG,
"pam_putenv(\"%s\")", key);
}
+ free(*env);
}
- (void) fclose(conf);
-
/* tidy up */
+ free(env_list);
D(("Exit."));
return retval;
}
diff --git a/modules/pam_env/tst-pam_env-retval.c b/modules/pam_env/tst-pam_env-retval.c
index 6b9b3065a..99e2e2a54 100644
--- a/modules/pam_env/tst-pam_env-retval.c
+++ b/modules/pam_env/tst-pam_env-retval.c
@@ -17,11 +17,18 @@
#define MODULE_NAME "pam_env"
#define TEST_NAME "tst-" MODULE_NAME "-retval"
+#define TEST_NAME_DIR TEST_NAME ".dir"
static const char service_file[] = TEST_NAME ".service";
static const char missing_file[] = TEST_NAME ".missing";
+static const char dir[] = TEST_NAME_DIR;
+static const char dir_usr[] = TEST_NAME_DIR "/usr";
+static const char dir_usr_etc[] = TEST_NAME_DIR "/usr/etc";
+static const char dir_usr_etc_security[] = TEST_NAME_DIR "/usr/etc/security";
static const char my_conf[] = TEST_NAME ".conf";
static const char my_env[] = TEST_NAME ".env";
+static const char usr_env[] = TEST_NAME_DIR "/usr/etc/environment";
+static const char usr_conf[] = TEST_NAME_DIR "/usr/etc/security/pam_env.conf";
static struct pam_conv conv;
@@ -30,6 +37,11 @@ setup(void)
{
FILE *fp;
+ ASSERT_EQ(0, mkdir(dir, 0755));
+ ASSERT_EQ(0, mkdir(dir_usr, 0755));
+ ASSERT_EQ(0, mkdir(dir_usr_etc, 0755));
+ ASSERT_EQ(0, mkdir(dir_usr_etc_security, 0755));
+
ASSERT_NE(NULL, fp = fopen(my_conf, "w"));
ASSERT_LT(0, fprintf(fp,
"EDITOR\tDEFAULT=vim\n"
@@ -41,6 +53,18 @@ setup(void)
"test_value=foo\n"
"test2_value=bar\n"));
ASSERT_EQ(0, fclose(fp));
+
+ ASSERT_NE(NULL, fp = fopen(usr_env, "w"));
+ ASSERT_LT(0, fprintf(fp,
+ "usr_etc_test=foo\n"
+ "usr_etc_test2=bar\n"));
+ ASSERT_EQ(0, fclose(fp));
+
+ ASSERT_NE(NULL, fp = fopen(usr_conf, "w"));
+ ASSERT_LT(0, fprintf(fp,
+ "PAGER DEFAULT=emacs\n"
+ "MANPAGER DEFAULT=less\n"));
+ ASSERT_EQ(0, fclose(fp));
}
static void
@@ -48,6 +72,12 @@ cleanup(void)
{
ASSERT_EQ(0, unlink(my_conf));
ASSERT_EQ(0, unlink(my_env));
+ ASSERT_EQ(0, unlink(usr_env));
+ ASSERT_EQ(0, unlink(usr_conf));
+ ASSERT_EQ(0, rmdir(dir_usr_etc_security));
+ ASSERT_EQ(0, rmdir(dir_usr_etc));
+ ASSERT_EQ(0, rmdir(dir_usr));
+ ASSERT_EQ(0, rmdir(dir));
}
static void
@@ -191,6 +221,36 @@ main(void)
const char *env2[] = { "test_value=foo", "test2_value=bar", NULL };
check_env(env2);
+#if defined (USE_ECONF) && defined (VENDORDIR)
+
+ /* envfile is a directory. So values will be read from {TEST_NAME_DIR}/usr/etc and {TEST_NAME_DIR}/etc */
+ ASSERT_NE(NULL, fp = fopen(service_file, "w"));
+ ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n"
+ "session required %s/.libs/%s.so"
+ " conffile=%s envfile=%s/%s/\n",
+ cwd, MODULE_NAME,
+ "/dev/null",
+ cwd, dir));
+ ASSERT_EQ(0, fclose(fp));
+
+ const char *env3[] = {"usr_etc_test=foo", "usr_etc_test2=bar", NULL};
+ check_env(env3);
+
+ /* conffile is a directory. So values will be read from {TEST_NAME_DIR}/usr/etc and {TEST_NAME_DIR}/etc */
+ ASSERT_NE(NULL, fp = fopen(service_file, "w"));
+ ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n"
+ "session required %s/.libs/%s.so"
+ " conffile=%s/%s/ envfile=%s\n",
+ cwd, MODULE_NAME,
+ cwd, dir,
+ "/dev/null"));
+ ASSERT_EQ(0, fclose(fp));
+
+ const char *env4[] = {"PAGER=emacs", "MANPAGER=less", NULL};
+ check_env(env4);
+
+#endif
+
/* cleanup */
cleanup();
ASSERT_EQ(0, unlink(service_file));