testing/pam
SHA256
7
0
Fork 0
forked from pool/pam
Code Pull Requests Activity

Factory #1

Merged
dgarcia merged 324 commits from factory into main 2025-10-08 12:57:08 +02:00
Conversation 0 Commits 324 Files Changed 13 +1713 -760
13 changed files with 1713 additions and 760 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
Linux-PAM-1.6.1.tar.xz LFS
View File

Binary file not shown.

16
Linux-PAM-1.6.1.tar.xz.asc
View File

@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJmFWt/AAoJEKgEH6g54W42NCwP/iWl8igdScTreVF6zV79Dqu1
sl+ZjBr/dL+DOTcotsRnoAZUOy4ug3iktMZr1t0BMpWUorNmUofH4SZuhsX0CgRq
47t5mVqCakwn4JLq8J9cLOciMno6ips5ZT4RbMgzRYd1WcBurCAxQSNLP3aQGgub
RFObkqw5814ksz9Ge6QVhJ4l9P0wUoKfcpkzHj2Vq+cy0EzlBtnBGCHrMDgrz5aT
mXqGVvWTPO+lR2S+7wOLUtPoRv0uvN6h97ZszaoGoJ6wa6yYwOYz12/AiIsVQhet
cnr29ymuwPDqlrYGD1Hb0+ZUQExjVDQY90hdJ/ZntUlK7CY/2SotpDGB9kR8dTYJ
fpIVmR6GEZ+xSjBqa7RaiL8ieZCgT3TIvsMqteiFkqI+2lhlSGHX3g3oNSd3sbqd
PLok6W4L+xWDp89aMyYDDs/ISjBt5sSNK4NOOTZIMK4oeScGJJvrDL3S5DOSk1ku
o3l9N62WStD7fk0LYnyUGZORg/ccK6Yy2fV22zBMm/76PoyA1yHfFxCW+HwwmcqR
0riaFjA8cesZ3Dj79q24U3FRVdW5fTF9gS/5mK/Yj51KMMzTkUmbjksEC/AEBKzB
9laXxPdIeKUwNlGs7Heo/NE87u4OZfyihwpzLaTcOzbpN3zDyH6aH5poDs1FSaQ2
UoUkHsbCWJU/ksn/9BIQ
=Dbz2
-----END PGP SIGNATURE-----

BIN
Linux-PAM-1.7.1.tar.xz LFS Normal file
View File

Binary file not shown.

16
Linux-PAM-1.7.1.tar.xz.asc Normal file
View File

@@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJoUTDGAAoJEKgEH6g54W42RDQQAIKq+ltEn0g/lB0g+xU9SArO
ItMiZDp6RaLDIRgOxbl1hnQyXvXcW5LYBT36u+e5PLKrtMzc8/S3kDtn2FRsS5KW
aZaKmZI6UlEQVErMfX2F8/uPvcMRNmqHL7h3+BW8aIWp+WTBO3TIOZxVqNoDFbxj
L/9G3KYTgcuKjb6XoDlicS68ImcLJC2BPjcaisaoqKRyK504jgYK6Wl6AFo7Fu8r
PS134LM6gUUxMzdYCpISmO5tZh+uOqtCfbdeOY3bwBeupe2J4D6v7uASF7RqEXPX
/imsmUkmqLmOOolvLflGDsiz1HaY05LW7CcJngXOV6WKU+HqBg9E5Xclnr0RyvBD
tmFPeWlgPw+zg+BVUhGAUeLoFCknbtY/7TEB4Jh0Z/Tm+pOUVoQbhrUCI0rAgapN
dA9i5DCUuEBXRul2YvG7EZGuYs77fzpf/J++b9XKB9kH1Bc3vaaZoaO+lbN8g6Ei
CbZCmD0ct0UhUTX+FEUG9SkMTomyd9ihz6kuHcuo4eCVbVuDJpF+vEUjVb7no9Aw
KlZ6/I45GRRjIYYk/vxpgNX05D8xeMxDkXEMcKAHsI/q4oOe7Hsuess47WioiVXL
xNl6AHjJ4VMcz1xLPR8COA8L3uaZNtxuIGhazZFeJbrfJct5gsf9iv04pdAA73/B
NtgHrE6GjGSmw+/xX22z
=RQhR
-----END PGP SIGNATURE-----

36
pam-bsc1194818-cursor-escape.patch
View File

@@ -1,36 +0,0 @@
From 8ae228fa76ff9ef1d8d6b2199582d9206f1830c6 Mon Sep 17 00:00:00 2001
From: Stanislav Brabec <sbrabec@suse.cz>
Date: Mon, 22 Jul 2024 23:18:16 +0200
Subject: [PATCH] libpam_misc: Use ECHOCTL in the terminal input
Use the canonical terminal mode (line mode) and set ECHOCTL to prevent
cursor escape from the login prompt using arrows or escape sequences.
ICANON is the default in most cases anyway. ECHOCTL is default on tty, but
for example not on pty, allowing cursor to escape.
Stanislav Brabec <sbrabec@suse.com>
---
libpam_misc/misc_conv.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c
index 7410e929..6b839b48 100644
--- a/libpam_misc/misc_conv.c
+++ b/libpam_misc/misc_conv.c
@@ -145,9 +145,10 @@ static int read_string(int echo, const char *prompt, char **retstr)
return -1;
}
memcpy(&term_tmp, &term_before, sizeof(term_tmp));
- if (!echo) {
+ if (echo)
+ term_tmp.c_lflag |= ICANON | ECHOCTL;
+ else
term_tmp.c_lflag &= ~(ECHO);
- }
have_term = 1;
/*
--
2.45.2

75
pam.changes
View File

@@ -1,3 +1,77 @@
-------------------------------------------------------------------
Mon Sep 15 07:53:29 UTC 2025 - Valentin Lefebvre <valentin.lefebvre@suse.com>
- pam_mkhomedir: building with vendordir option allows fetching skeleton
directory from the vendor directory when creating the user home directory.
[+ pam_mkhomedir-Use-vendordir-when-defined.patch, bsc#1245524]
-------------------------------------------------------------------
Wed Aug 27 14:20:14 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
- Update to 1.7.1+git (post-v1.7.1.patch)
- disable unix_chkpwd by default, only used as fallback again
- pam_modutil_get-overwrite-password-at-free.patch is included
-------------------------------------------------------------------
Tue Aug 19 10:12:13 UTC 2025 - Valentin Lefebvre <valentin.lefebvre@suse.com>
- Make sure that the buffer containing encrypted passwords get's erased,
before free.
[pam_modutil_get-overwrite-password-at-free.patch, bsc#1232234,
CVE-2024-10041]
-------------------------------------------------------------------
Wed Jun 18 12:01:57 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
- hardcode disabling elogind, meson detection is unreliable in OBS
-------------------------------------------------------------------
Wed Jun 18 05:38:35 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
- Update to version 1.7.1
- pam_access: do not resolve ttys or display variables as hostnames.
- pam_access: added "nodns" option to disallow resolving of tokens
as hostnames (CVE-2024-10963).
- pam_limits: added support for rttime (RLIMIT_RTTIME).
- pam_namespace: fixed potential privilege escalation (CVE-2025-6020).
- meson: added support of elogind as a logind provider.
- Multiple minor bug fixes, build fixes, portability fixes,
documentation improvements, and translation updates.
- pam_access-rework-resolving-of-tokens-as-hostname.patch got obsoleted
-------------------------------------------------------------------
Mon Mar 24 17:41:34 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
- Remove unix2_chkpwd, no consumer left
-------------------------------------------------------------------
Thu Dec 5 12:44:33 UTC 2024 - Valentin Lefebvre <valentin.lefebvre@suse.com>
- pam_access: rework resolving of tokens as hostname
- separate resolving of IP addresses from hostnames. Don't resolve TTYs or
display variables as hostname.
- Add "nodns" option to disallow resolving of tokens as hostname.
- [pam_access-rework-resolving-of-tokens-as-hostname.patch, bsc#1233078,
CVE-2024-10963]
-------------------------------------------------------------------
Thu Oct 24 11:57:20 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
- Update to version 1.7.0
- build: changed build system from autotools to meson.
- libpam_misc: use ECHOCTL in the terminal input
- pam_access: support UID and GID in access.conf
- pam_env: install environment file in vendordir if vendordir is enabled
- pam_issue: only count class user if logind support is enabled
- pam_limits: use systemd-logind instead of utmp if logind support is enabled
- pam_unix: compare password hashes in constant time
- Multiple minor bug fixes, build fixes, portability fixes,
documentation improvements, and translation updates.
- Drop upstream patches:
- pam-bsc1194818-cursor-escape.patch
- pam_limits-systemd.patch
- pam_issue-systemd.patch
-------------------------------------------------------------------
Thu Sep 12 07:50:55 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
@@ -1208,7 +1282,6 @@ Wed Feb 23 12:45:03 UTC 2011 - vcizek@novell.com
* correct parsing of "quiet" option
-------------------------------------------------------------------
Wed Feb 23 10:00:22 UTC 2011 - vcizek@novell.com
- fix for bnc#673826 (pam_listfile)

112
pam.spec
View File

@@ -36,10 +36,10 @@
%endif
%bcond_without selinux
%bcond_with debug
%define flavor @BUILD_FLAVOR@%{nil}
# List of config files for migration to /usr/etc
%define config_files pam.d/other pam.d/common-account pam.d/common-auth pam.d/common-password pam.d/common-session \\\
security/faillock.conf security/group.conf security/limits.conf security/pam_env.conf security/access.conf \\\
security/namespace.conf security/namespace.init security/sepermit.conf
@@ -64,14 +64,13 @@
%define libpamc_so_version 0.82.1
%if ! %{defined _distconfdir}
%define _distconfdir %{_sysconfdir}
%define config_noreplace 1
%endif
#
%{load:%{_sourcedir}/macros.pam}
#
Name: pam%{name_suffix}
#
Version: 1.6.1
Version: 1.7.1
Release: 0
Summary: A Security Tool that Provides Authentication for Applications
License: GPL-2.0-or-later OR BSD-3-Clause
@@ -86,8 +85,6 @@ Source5: common-account.pamd
Source6: common-password.pamd
Source7: common-session.pamd
Source9: baselibs.conf
Source10: unix2_chkpwd.c
Source11: unix2_chkpwd.8
Source12: pam-login_defs-check.sh
Source13: pam.tmpfiles
Source20: common-session-nonlogin.pamd
@@ -96,16 +93,14 @@ Source22: postlogin-account.pamd
Source23: postlogin-password.pamd
Source24: postlogin-session.pamd
Patch1: pam-limit-nproc.patch
# https://github.com/linux-pam/linux-pam/pull/816
Patch2: pam-bsc1194818-cursor-escape.patch
# https://github.com/linux-pam/linux-pam/pull/826
Patch3: pam_limits-systemd.patch
# https://github.com/linux-pam/linux-pam/pull/825
Patch4: pam_issue-systemd.patch
# PATCH-FIX-UPSTREAM
Patch2: post-v1.7.1.patch
# PATCH-FIX-UPSTREAM
Patch3: pam_mkhomedir-Use-vendordir-when-defined.patch
BuildRequires: audit-devel
BuildRequires: bison
BuildRequires: flex
BuildRequires: libtool
BuildRequires: meson >= 0.62.0
BuildRequires: xz
Requires(post): permissions
# All login.defs variables require support from shadow side.
@@ -149,9 +144,7 @@ username/password pair against values stored in a Berkeley DB database.
%package -n pam-extra
Summary: PAM module with extended dependencies
Group: System/Libraries
#BuildRequires: pkgconfig(systemd)
# The systemd-mini package does not pass configure checks
BuildRequires: systemd-devel >= 254
BuildRequires: pkgconfig(libsystemd) >= 254
BuildRequires: pam-devel
Provides: pam:%{_sbindir}/pam_timestamp_check
Provides: pam:%{_pam_moduledir}/pam_limits.so
@@ -217,32 +210,28 @@ cp -a %{SOURCE12} .
%build
bash ./pam-login_defs-check.sh
export CFLAGS="%{optflags}"
%if !%{with debug}
CFLAGS="$CFLAGS -DNDEBUG"
%endif
%if %{livepatchable}
CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
%endif
autoreconf
%configure \
--includedir=%{_includedir}/security \
--docdir=%{_docdir}/pam \
--htmldir=%{_docdir}/pam/html \
--pdfdir=%{_docdir}/pam/pdf \
--enable-isadir=../..%{_pam_moduledir} \
--enable-securedir=%{_pam_moduledir} \
--enable-vendordir=%{_prefix}/etc \
%if "%{flavor}" == "full"
--enable-logind \
%endif
--disable-examples \
--disable-nis \
%if %{with debug}
--enable-debug
%endif
%make_build
%meson -Dvendordir=%{_distconfdir} \
-Ddocdir=%{_docdir}/pam \
-Dhtmldir=%{_docdir}/pam/html \
-Dpdfdir=%{_docdir}/pam/pdf \
-Dsecuredir=%{_pam_moduledir} \
-Dpam_unix-try-getspnam=true \
%if "%{flavor}" != "full"
-Dlogind=disabled \
-Dpam_userdb=disabled \
-Ddocs=disabled \
%else
-Dlogind=enabled \
%endif
-Dpwaccess=disabled \
-Delogind=disabled \
-Dexamples=false \
-Dnis=disabled
%meson_build
%if %{livepatchable}
@@ -270,29 +259,17 @@ cp %{tar_package_name} %{_other}
%endif # livepatchable
gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam
%if %{build_main}
%check
%make_build check
%meson_test
%endif
%install
%meson_install
mkdir -p %{buildroot}%{_pam_confdir}
mkdir -p %{buildroot}%{_pam_vendordir}
mkdir -p %{buildroot}%{_includedir}/security
mkdir -p %{buildroot}%{_pam_moduledir}
mkdir -p %{buildroot}/sbin
mkdir -p -m 755 %{buildroot}%{_libdir}
# For compat reasons
mkdir -p %{buildroot}%{_distconfdir}/pam.d
%make_install
/sbin/ldconfig -n %{buildroot}%{_libdir}
# Install documentation
%make_install -C doc
# install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript
install -d %{buildroot}%{_pam_secconfdir}/namespace.d
# install other.pamd and common-*.pamd
install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/other
install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/common-auth
@@ -304,23 +281,14 @@ install -m 644 %{SOURCE21} %{buildroot}%{_pam_vendordir}/postlogin-auth
install -m 644 %{SOURCE22} %{buildroot}%{_pam_vendordir}/postlogin-account
install -m 644 %{SOURCE23} %{buildroot}%{_pam_vendordir}/postlogin-password
install -m 644 %{SOURCE24} %{buildroot}%{_pam_vendordir}/postlogin-session
mkdir -p %{buildroot}%{_prefix}/lib/motd.d
#
# Remove crap
#
find %{buildroot} -type f -name "*.la" -delete -print
#
# Install READMEs of PAM modules
#
DOC=%{buildroot}%{_defaultdocdir}/pam
%if "%{flavor}" == "full"
mkdir -p $DOC/modules
pushd modules
for i in pam_*/README; do
cp -fpv "$i" "$DOC/modules/README.${i%/*}"
done
popd
# Install unix2_chkpwd
install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}%{_sbindir}
cp -fpv %{_vpath_builddir}/modules/pam_*/pam_*.txt "$DOC/modules/"
%endif
# rpm macros
install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
@@ -328,13 +296,11 @@ install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf
mkdir -p %{buildroot}%{_pam_secdistconfdir}/{limits.d,namespace.d}
mv %{buildroot}%{_sysconfdir}/environment %{buildroot}%{_distconfdir}/environment
# Remove manual pages for main package
%if !%{build_doc}
rm -rf %{buildroot}%{_mandir}/man?/*
%else
install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
# bsc#1188724
echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5
%endif
@@ -357,12 +323,10 @@ rm -rf %{buildroot}{%{_pam_moduledir}/pam_limits.so,%{_pam_secdistconfdir}/limi
%verifyscript
%verify_permissions -e %{_sbindir}/unix_chkpwd
%verify_permissions -e %{_sbindir}/unix2_chkpwd
%post
/sbin/ldconfig
%set_permissions %{_sbindir}/unix_chkpwd
%set_permissions %{_sbindir}/unix2_chkpwd
%tmpfiles_create %{_tmpfilesdir}/pam.conf
%postun -p /sbin/ldconfig
@@ -380,23 +344,13 @@ done
%files -f Linux-PAM.lang
%doc NEWS
%license COPYING
%exclude %{_defaultdocdir}/pam/html
%exclude %{_defaultdocdir}/pam/modules
%exclude %{_defaultdocdir}/pam/pdf
%exclude %{_defaultdocdir}/pam/*.txt
%dir %{_pam_confdir}
%dir %{_pam_vendordir}
%dir %{_pam_secconfdir}
%dir %{_pam_secdistconfdir}
%dir %{_prefix}/lib/motd.d
%if %{defined config_noreplace}
%config(noreplace) %{_pam_confdir}/other
%config(noreplace) %{_pam_confdir}/common-*
%else
%{_pam_vendordir}/other
%{_pam_vendordir}/common-*
%{_pam_vendordir}/postlogin-*
%endif
%{_distconfdir}/environment
%{_pam_secdistconfdir}/access.conf
%{_pam_secdistconfdir}/group.conf
@@ -466,7 +420,6 @@ done
%{_sbindir}/pam_namespace_helper
%{_sbindir}/pwhistory_helper
%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix_chkpwd
%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix2_chkpwd
%attr(0700,root,root) %{_sbindir}/unix_update
%{_unitdir}/pam_namespace.service
%{_tmpfilesdir}/pam.conf
@@ -570,7 +523,6 @@ done
%{_mandir}/man8/pam_wheel.8%{?ext_man}
%{_mandir}/man8/pam_xauth.8%{?ext_man}
%{_mandir}/man8/pwhistory_helper.8%{?ext_man}
%{_mandir}/man8/unix2_chkpwd.8%{?ext_man}
%{_mandir}/man8/unix_chkpwd.8%{?ext_man}
%{_mandir}/man8/unix_update.8%{?ext_man}

51
pam_issue-systemd.patch
View File

@@ -1,51 +0,0 @@
From 8401cef10cd5f62849c5fcfef4c82db92712296c Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@suse.com>
Date: Wed, 4 Sep 2024 16:07:56 +0200
Subject: [PATCH] pam_issue: only count class user
Since systemd added new types of classes (e.g. manager*), we cannot
use the count of all sessions anymore, but have to check which class
this is.
This is backward compatible, systemd v209 or newer is required.
---
modules/pam_issue/pam_issue.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/modules/pam_issue/pam_issue.c b/modules/pam_issue/pam_issue.c
index aade642ec5..e2c555c405 100644
--- a/modules/pam_issue/pam_issue.c
+++ b/modules/pam_issue/pam_issue.c
@@ -165,13 +165,31 @@ read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt)
{
unsigned int users = 0;
#ifdef USE_LOGIND
- int sessions = sd_get_sessions(NULL);
+ char **sessions_list;
+ int sessions = sd_get_sessions(&sessions_list);
if (sessions < 0) {
pam_syslog(pamh, LOG_ERR, "logind error: %s",
strerror(-sessions));
_pam_drop(issue);
return PAM_SERVICE_ERR;
+ } else if (sessions > 0 && sessions_list != NULL) {
+ int i;
+
+ for (i = 0; i < sessions; i++) {
+ char *class;
+
+ if (sd_session_get_class(sessions_list[i], &class) < 0 || class == NULL)
+ continue;
+
+ if (strncmp(class, "user", 4) == 0) // user, user-early, user-incomplete
+ users++;
+ free(class);
+ }
+
+ for (i = 0; i < sessions; i++)
+ free(sessions_list[i]);
+ free(sessions_list);
} else {
users = sessions;
}

157
pam_limits-systemd.patch
View File

@@ -1,157 +0,0 @@
From 12bb33b56dee6d6b05200d4b776c7e6de3d0df91 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@suse.com>
Date: Fri, 6 Sep 2024 11:55:46 +0200
Subject: [PATCH] pam_limits: use systemd-logind instead of utmp (#822)
The utmp database is unreliable for counting logged in users, since
there is no standard which defines who should create an entry at which
time for which reason. And it has a Y2038 problem with glibc/x86-64.
Query systemd-logind for the number of user sessions instead.
---
modules/pam_limits/Makefile.am | 4 +-
modules/pam_limits/pam_limits.c | 81 +++++++++++++++++++++++++++++++--
2 files changed, 80 insertions(+), 5 deletions(-)
diff --git a/modules/pam_limits/Makefile.am b/modules/pam_limits/Makefile.am
index ab3cf33ed..3f64d79bb 100644
--- a/modules/pam_limits/Makefile.am
+++ b/modules/pam_limits/Makefile.am
@@ -24,7 +24,7 @@ limits_conf_dir = $(SCONFIGDIR)/limits.d
AM_CFLAGS = -I$(top_srcdir)/libpam/include \
-DLIMITS_FILE_DIR=\"$(limits_conf_dir)\" \
- $(WARN_CFLAGS)
+ $(LOGIND_CFLAGS) $(WARN_CFLAGS)
AM_LDFLAGS = -no-undefined -avoid-version -module
if HAVE_VERSIONING
AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
@@ -32,7 +32,7 @@ endif
securelib_LTLIBRARIES = pam_limits.la
pam_limits_la_LIBADD = $(top_builddir)/libpam_internal/libpam_internal.la \
- $(top_builddir)/libpam/libpam.la
+ $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS)
dist_secureconf_DATA = limits.conf
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index 75c584fca..1e4dfa3d0 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -36,7 +36,12 @@
#include <sys/resource.h>
#include <limits.h>
#include <glob.h>
+#ifdef USE_LOGIND
+#include <systemd/sd-login.h>
+#else
#include <utmp.h>
+#endif
+
#ifndef UT_USER /* some systems have ut_name instead of ut_user */
#define UT_USER ut_user
#endif
@@ -240,7 +245,6 @@ static int
check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
struct pam_limit_s *pl)
{
- struct utmp *ut;
int count;
if (ctrl & PAM_DEBUG_ARG) {
@@ -255,8 +259,6 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
return LOGIN_ERR;
}
- setutent();
-
/* Because there is no definition about when an application
actually adds a utmp entry, some applications bizarrely do the
utmp call before the have PAM authenticate them to the system:
@@ -273,6 +275,78 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
count = 1;
}
+#ifdef USE_LOGIND
+ char **sessions_list;
+ int sessions = sd_get_sessions(&sessions_list);
+
+ /* maxlogins needs to be 2 with systemd-logind because
+ of the systemd --user process started with first login by
+ pam_systemd.
+ Which is also calling pam_limits, but in this very first special
+ case the session does already exist and is counted twice.
+ With start of the second session, session manager is already running
+ and no longer counted. */
+ if (limit == 1) {
+ pam_syslog(pamh, LOG_WARNING, "Maxlogin limit needs to be 2 or higher with systemd-logind");
+ return LIMIT_ERR;
+ }
+
+ if (sessions < 0) {
+ pam_syslog(pamh, LOG_ERR, "logind error getting session list: %s",
+ strerror(-sessions));
+ return LIMIT_ERR;
+ } else if (sessions > 0 && sessions_list != NULL && !pl->flag_numsyslogins) {
+ int i;
+
+ for (i = 0; i < sessions; i++) {
+ char *user = NULL;
+ char *class = NULL;
+
+ if (sd_session_get_class(sessions_list[i], &class) < 0 || class == NULL)
+ continue;
+
+ if (strncmp(class, "user", 4) != 0) { /* user, user-early, user-incomplete */
+ free (class);
+ continue;
+ }
+ free (class);
+
+ if (sd_session_get_username(sessions_list[i], &user) < 0 || user == NULL) {
+ pam_syslog(pamh, LOG_ERR, "logind error getting username: %s",
+ strerror(-sessions));
+ return LIMIT_ERR;
+ }
+
+ if (((pl->login_limit_def == LIMITS_DEF_USER)
+ || (pl->login_limit_def == LIMITS_DEF_GROUP)
+ || (pl->login_limit_def == LIMITS_DEF_DEFAULT))
+ && strcmp(name, user) != 0) {
+ free(user);
+ continue;
+ }
+ if ((pl->login_limit_def == LIMITS_DEF_ALLGROUP)
+ && pl->login_group != NULL
+ && !pam_modutil_user_in_group_nam_nam(pamh, user, pl->login_group)) {
+ free(user);
+ continue;
+ }
+ free(user);
+
+ if (++count > limit) {
+ break;
+ }
+ }
+ for (i = 0; i < sessions; i++)
+ free(sessions_list[i]);
+ free(sessions_list);
+ } else {
+ count = sessions;
+ }
+#else
+ struct utmp *ut;
+
+ setutent();
+
while((ut = getutent())) {
#ifdef USER_PROCESS
if (ut->ut_type != USER_PROCESS) {
@@ -311,6 +385,7 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
}
}
endutent();
+#endif
if (count > limit) {
if (name) {
pam_syslog(pamh, LOG_NOTICE,

315
pam_mkhomedir-Use-vendordir-when-defined.patch Normal file
View File

@@ -0,0 +1,315 @@
From c4a53492e1b7aebcf7a65a778d9e3a78f196d117 Mon Sep 17 00:00:00 2001
From: vlefebvre <valentin.lefebvre@suse.com>
Date: Tue, 15 Jul 2025 15:42:50 +0200
Subject: [PATCH] pam_mkhomedir: Use vendordir when defined
* When the configuration is split between /etc and vendordir,
pam_mkhomedir now takes care of the distribution-provided
skeleton directory.
* mkhomedir_helper gets a new optional argument: vendordir.
If specified, the home directory will be populated by contents of
the directory specified by skeldir argument, followed by contents
of the directory specified by vendordir argument.
Signed-off-by: vlefebvre <valentin.lefebvre@suse.com>
---
modules/pam_mkhomedir/mkhomedir_helper.8.xml | 12 ++-
modules/pam_mkhomedir/mkhomedir_helper.c | 91 +++++++++++++-------
modules/pam_mkhomedir/pam_mkhomedir.8.xml | 8 +-
modules/pam_mkhomedir/pam_mkhomedir.c | 14 ++-
4 files changed, 88 insertions(+), 37 deletions(-)
diff --git a/modules/pam_mkhomedir/mkhomedir_helper.8.xml b/modules/pam_mkhomedir/mkhomedir_helper.8.xml
index 0f4c4b40..87b83a40 100644
--- a/modules/pam_mkhomedir/mkhomedir_helper.8.xml
+++ b/modules/pam_mkhomedir/mkhomedir_helper.8.xml
@@ -24,6 +24,9 @@
<replaceable>path-to-skel</replaceable>
<arg choice="opt" rep="norepeat">
<replaceable>home_mode</replaceable>
+ <arg choice="opt" rep="norepeat">
+ <replaceable>path-to-vendor-skel</replaceable>
+ </arg>
</arg>
</arg>
</arg>
@@ -48,6 +51,13 @@
<replaceable>umask</replaceable>.
</para>
+ <para>
+ <replaceable>path-to-vendor-skel</replaceable> doesn't have default
+ value. When set to a <emphasis>path</emphasis>, home directory will be
+ populated by contents of <replaceable>path-to-skel</replaceable> first,
+ and then by contents of <emphasis>path</emphasis>.
+ </para>
+
<para>
The helper is separated from the module to not require direct access from
login SELinux domains to the contents of user home directories. The
@@ -77,4 +87,4 @@
</para>
</refsect1>
-</refentry>
\ No newline at end of file
+</refentry>
diff --git a/modules/pam_mkhomedir/mkhomedir_helper.c b/modules/pam_mkhomedir/mkhomedir_helper.c
index 0c05ee9c..1d741c5d 100644
--- a/modules/pam_mkhomedir/mkhomedir_helper.c
+++ b/modules/pam_mkhomedir/mkhomedir_helper.c
@@ -36,7 +36,7 @@ static unsigned long u_mask = 0022;
static const char *skeldir = "/etc/skel";
static int create_homedir(struct dir_spec *, const struct passwd *, mode_t,
- const char *, const char *);
+ const char *, const char *, const char *);
static int
dir_spec_open(struct dir_spec *spec, const char *path)
@@ -88,7 +88,7 @@ dir_spec_close(struct dir_spec *spec)
static int
copy_entry(struct dir_spec *parent, const struct passwd *pwd, mode_t dir_mode,
- const char *source, struct dirent *dent)
+ const char *source, struct dirent *dent, const char *vendordir)
{
char remark[BUFSIZ];
int srcfd = -1, destfd = -1;
@@ -96,6 +96,7 @@ copy_entry(struct dir_spec *parent, const struct passwd *pwd, mode_t dir_mode,
int retval = PAM_SESSION_ERR;
struct stat st;
char *newsource;
+ char *newvendordir = NULL;
/* Determine what kind of file it is. */
if ((newsource = pam_asprintf("%s/%s", source, dent->d_name)) == NULL)
@@ -114,8 +115,23 @@ copy_entry(struct dir_spec *parent, const struct passwd *pwd, mode_t dir_mode,
/* If it's a directory, recurse. */
if (S_ISDIR(st.st_mode))
{
+ if (vendordir != NULL)
+ {
+ if ((newvendordir = pam_asprintf("%s/%s", vendordir, dent->d_name)) == NULL)
+ {
+ pam_syslog(NULL, LOG_CRIT, "asprintf failed for 'newvendordir'");
+ retval = PAM_BUF_ERR;
+ goto go_out;
+ }
+ if (lstat(newvendordir, &st) != 0)
+ {
+ free(newvendordir);
+ newvendordir = NULL;
+ }
+ }
+
retval = create_homedir(parent, pwd, dir_mode & (~u_mask), newsource,
- dent->d_name);
+ dent->d_name, newvendordir);
goto go_out;
}
@@ -259,19 +275,22 @@ copy_entry(struct dir_spec *parent, const struct passwd *pwd, mode_t dir_mode,
close(destfd);
free(newsource);
-
+ free(newvendordir);
return retval;
}
/* Do the actual work of creating a home dir */
static int
create_homedir(struct dir_spec *parent, const struct passwd *pwd,
- mode_t dir_mode, const char *source, const char *dest)
+ mode_t dir_mode, const char *source, const char *dest,
+ const char *vendordir)
{
DIR *d = NULL;
struct dirent *dent;
struct dir_spec base;
int retval = PAM_SESSION_ERR;
+ const char *sourcedirs[] = {source, vendordir};
+ unsigned int idx = 0;
/* Create the new directory */
if (mkdirat(parent->fd, dest, 0700))
@@ -289,32 +308,35 @@ create_homedir(struct dir_spec *parent, const struct passwd *pwd,
goto go_out;
}
- /* See if we need to copy the skel dir over. */
- if ((source == NULL) || (strlen(source) == 0))
- {
- retval = PAM_SUCCESS;
- goto go_out;
- }
-
- /* Scan the directory */
- d = opendir(source);
- if (d == NULL)
- {
- pam_syslog(NULL, LOG_DEBUG, "unable to read directory %s: %m", source);
- retval = PAM_PERM_DENIED;
- goto go_out;
- }
-
- for (dent = readdir(d); dent != NULL; dent = readdir(d))
+ /* Scan source directories */
+ for (idx = 0; idx < PAM_ARRAY_SIZE(sourcedirs); idx++)
{
- /* Skip some files.. */
- if (strcmp(dent->d_name,".") == 0 ||
- strcmp(dent->d_name,"..") == 0)
- continue;
+ /* See if we need to copy the source skel dir over. */
+ if ((sourcedirs[idx] == NULL) || strlen(sourcedirs[idx]) == 0)
+ continue;
+ d = opendir(sourcedirs[idx]);
+ if (d == NULL)
+ {
+ pam_syslog(NULL, LOG_DEBUG, "unable to read directory %s: %m",
+ sourcedirs[idx]);
+ retval = PAM_PERM_DENIED;
+ goto go_out;
+ }
- retval = copy_entry(&base, pwd, dir_mode, source, dent);
- if (retval != PAM_SUCCESS)
- goto go_out;
+ for (dent = readdir(d); dent != NULL; dent = readdir(d))
+ {
+ /* Skip some files.. */
+ if (strcmp(dent->d_name,".") == 0 ||
+ strcmp(dent->d_name,"..") == 0)
+ continue;
+
+ retval = copy_entry(&base, pwd, dir_mode, sourcedirs[idx], dent,
+ sourcedirs[idx] == vendordir ? NULL : vendordir);
+ if (retval != PAM_SUCCESS)
+ goto go_out;
+ }
+ closedir(d);
+ d = NULL;
}
retval = PAM_SUCCESS;
@@ -340,7 +362,8 @@ create_homedir(struct dir_spec *parent, const struct passwd *pwd,
static int
create_homedir_helper(const struct passwd *_pwd, mode_t home_mode,
- const char *_skeldir, const char *_homedir)
+ const char *_skeldir, const char *_homedir,
+ const char *_vendordir)
{
int retval = PAM_SESSION_ERR;
struct dir_spec base;
@@ -357,7 +380,7 @@ create_homedir_helper(const struct passwd *_pwd, mode_t home_mode,
}
*cp = '/';
- retval = create_homedir(&base, _pwd, home_mode, _skeldir, cp + 1);
+ retval = create_homedir(&base, _pwd, home_mode, _skeldir, cp + 1, _vendordir);
go_out:
dir_spec_close(&base);
@@ -399,6 +422,7 @@ main(int argc, char *argv[])
struct stat st;
char *eptr;
unsigned long home_mode = 0;
+ const char *vendordir = NULL;
if (argc < 2) {
fprintf(stderr, "Usage: %s <username> [<umask> [<skeldir> [<home_mode>]]]\n", argv[0]);
@@ -433,6 +457,9 @@ main(int argc, char *argv[])
}
}
+ if (argc >= 6)
+ vendordir = argv[5];
+
if (home_mode == 0)
home_mode = 0777 & ~u_mask;
@@ -449,5 +476,5 @@ main(int argc, char *argv[])
if (make_parent_dirs(pwd->pw_dir, 0) != PAM_SUCCESS)
return PAM_PERM_DENIED;
- return create_homedir_helper(pwd, home_mode, skeldir, pwd->pw_dir);
+ return create_homedir_helper(pwd, home_mode, skeldir, pwd->pw_dir, vendordir);
}
diff --git a/modules/pam_mkhomedir/pam_mkhomedir.8.xml b/modules/pam_mkhomedir/pam_mkhomedir.8.xml
index ad957248..42f42c58 100644
--- a/modules/pam_mkhomedir/pam_mkhomedir.8.xml
+++ b/modules/pam_mkhomedir/pam_mkhomedir.8.xml
@@ -46,6 +46,12 @@
<filename>/etc/skel/</filename>) is used to copy default files
and also sets a umask for the creation.
</para>
+
+ <para condition="with_vendordir">
+ <emphasis>%vendordir%/skel</emphasis> will also be used unless
+ <replaceable>skel</replaceable> option is specified.
+ </para>
+
<para>
The new users home directory will not be removed after logout
of the user.
@@ -213,4 +219,4 @@
pam_mkhomedir was written by Jason Gunthorpe &lt;jgg@debian.org&gt;.
</para>
</refsect1>
-</refentry>
\ No newline at end of file
+</refentry>
diff --git a/modules/pam_mkhomedir/pam_mkhomedir.c b/modules/pam_mkhomedir/pam_mkhomedir.c
index f090deee..5b08b6fd 100644
--- a/modules/pam_mkhomedir/pam_mkhomedir.c
+++ b/modules/pam_mkhomedir/pam_mkhomedir.c
@@ -60,6 +60,11 @@
#define LOGIN_DEFS "/etc/login.defs"
#define UMASK_DEFAULT "0022"
+#define SKELDIR "/etc/skel"
+#ifdef VENDORDIR
+#define VENDOR_SKELDIR (VENDORDIR "/skel")
+#endif
+
struct options_t {
int ctrl;
const char *umask;
@@ -73,7 +78,7 @@ _pam_parse (const pam_handle_t *pamh, int flags, int argc, const char **argv,
{
opt->ctrl = 0;
opt->umask = NULL;
- opt->skeldir = "/etc/skel";
+ opt->skeldir = NULL;
/* does the application require quiet? */
if ((flags & PAM_SILENT) == PAM_SILENT)
@@ -154,7 +159,7 @@ create_homedir (pam_handle_t *pamh, options_t *opt,
child = fork();
if (child == 0) {
static char *envp[] = { NULL };
- const char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
+ const char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL };
if (pam_modutil_sanitize_helper_fds(pamh, PAM_MODUTIL_PIPE_FD,
PAM_MODUTIL_PIPE_FD,
@@ -165,8 +170,11 @@ create_homedir (pam_handle_t *pamh, options_t *opt,
args[0] = MKHOMEDIR_HELPER;
args[1] = user;
args[2] = opt->umask ? opt->umask : UMASK_DEFAULT;
- args[3] = opt->skeldir;
+ args[3] = opt->skeldir ? opt->skeldir : SKELDIR;
args[4] = login_homemode;
+#ifdef VENDORDIR
+ args[5] = opt->skeldir ? NULL : VENDOR_SKELDIR;
+#endif
DIAG_PUSH_IGNORE_CAST_QUAL;
execve(MKHOMEDIR_HELPER, (char **)args, envp);
--
2.51.0

1273
post-v1.7.1.patch Normal file
View File

File diff suppressed because it is too large Load Diff

79
unix2_chkpwd.8
View File

@@ -1,79 +0,0 @@
.\" Copyright (C) 2003 International Business Machines Corporation
.\" This file is distributed according to the GNU General Public License.
.\" See the file COPYING in the top level source directory for details.
.\"
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "UNIX2_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual"
.SH NAME
unix2_chkpwd \- helper binary that verifies the password of the current user
.SH "SYNOPSIS"
.ad l
.hy 0
/sbin/unix2_chkpwd \fIservicename\fR \fIusername\fR
.sp
.ad
.hy
.SH "DESCRIPTION"
.PP
\fBunix2_chkpwd\fR is a helper program for applications that verifies
the password of the current user. It is not intended to be run directly from
the command line and logs a security violation if done so.
It is typically installed setuid root or setgid shadow and called by
applications, which only wishes to do an user authentification and
nothing more.
.SH "OPTIONS"
.PP
unix2_chkpwd requires the following arguments:
.TP
\fIpam_service\fR
The name of the service using unix2_chkpwd. This is required to be one of
the services in /etc/pam.d
.TP
\fIusername\fR
The name of the user whose password you want to verify.
.SH "INPUTS"
.PP
unix2_chkpwd expects the password via stdin.
.SH "RETURN CODES"
.PP
\fBunix2_chkpwd\fR has the following return codes:
.TP
1
unix2_chkpwd was inappropriately called from the command line or the password is incorrect.
.TP
0
The password is correct.
.SH "HISTORY"
Written by Olaf Kirch loosely based on unix_chkpwd by Andrew Morgan
.SH "SEE ALSO"
.PP
\fBpam\fR(8)
.SH AUTHOR
Emily Ratliff.

337
unix2_chkpwd.c
View File

@@ -1,337 +0,0 @@
/*
* Set*id helper program for PAM authentication.
*
* It is supposed to be called from pam_unix2's
* pam_sm_authenticate function if the function notices
* that it's unable to get the password from the shadow file
* because it doesn't have sufficient permissions.
*
* Copyright (C) 2002 SuSE Linux AG
*
* Written by okir@suse.de, loosely based on unix_chkpwd
* by Andrew Morgan.
*/
#include <security/pam_appl.h>
#include <security/_pam_macros.h>
#include <sys/types.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <pwd.h>
#include <signal.h>
#include <fcntl.h>
#include <ctype.h>
#include <errno.h>
#define BUFLEN 1024
#ifndef LOGINDEFS
#define LOGINDEFS "/etc/login.defs"
#endif
#define LOGINDEFS_FAIL_DELAY_KEY "FAIL_DELAY"
#define DEFAULT_FAIL_DELAY_S 10
#define PASSWD_CRACKER_DELAY_MS 100
enum {
UNIX_PASSED = 0,
UNIX_FAILED = 1
};
static char * program_name;
static char pass[64];
static int npass = -1;
/*
* Log error messages
*/
static void
_log_err(int err, const char *format,...)
{
va_list args;
va_start(args, format);
openlog(program_name, LOG_CONS | LOG_PID, LOG_AUTH);
vsyslog(err, format, args);
va_end(args);
closelog();
}
static void
su_sighandler(int sig)
{
if (sig > 0) {
_log_err(LOG_NOTICE, "caught signal %d.", sig);
exit(sig);
}
}
/*
* Setup signal handlers
*/
static void
setup_signals(void)
{
struct sigaction action;
memset((void *) &action, 0, sizeof(action));
action.sa_handler = su_sighandler;
action.sa_flags = SA_RESETHAND;
sigaction(SIGILL, &action, NULL);
sigaction(SIGTRAP, &action, NULL);
sigaction(SIGBUS, &action, NULL);
sigaction(SIGSEGV, &action, NULL);
action.sa_handler = SIG_IGN;
action.sa_flags = 0;
sigaction(SIGTERM, &action, NULL);
sigaction(SIGHUP, &action, NULL);
sigaction(SIGINT, &action, NULL);
sigaction(SIGQUIT, &action, NULL);
sigaction(SIGALRM, &action, NULL);
}
static int
_converse(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr)
{
struct pam_response *reply;
int num;
if (!(reply = malloc(sizeof(*reply) * num_msg)))
return PAM_CONV_ERR;
for (num = 0; num < num_msg; num++) {
reply[num].resp_retcode = PAM_SUCCESS;
reply[num].resp = NULL;
switch (msg[num]->msg_style) {
case PAM_PROMPT_ECHO_ON:
return PAM_CONV_ERR;
case PAM_PROMPT_ECHO_OFF:
/* read the password from stdin */
if (npass < 0) {
npass = read(STDIN_FILENO, pass, sizeof(pass)-1);
if (npass < 0) {
_log_err(LOG_DEBUG, "error reading password");
return UNIX_FAILED;
}
pass[npass] = '\0';
}
reply[num].resp = strdup(pass);
break;
case PAM_TEXT_INFO:
case PAM_ERROR_MSG:
/* ignored */
break;
default:
/* Must be an error of some sort... */
return PAM_CONV_ERR;
}
}
*resp = reply;
return PAM_SUCCESS;
}
static int
_authenticate(const char *service, const char *user)
{
struct pam_conv conv = { _converse, NULL };
pam_handle_t *pamh;
int err;
err = pam_start(service, user, &conv, &pamh);
if (err != PAM_SUCCESS) {
_log_err(LOG_ERR, "pam_start(%s, %s) failed (errno %d)",
service, user, err);
return UNIX_FAILED;
}
err = pam_authenticate(pamh, 0);
if (err != PAM_SUCCESS)
_log_err(LOG_ERR, "pam_authenticate(%s, %s): %s",
service, user,
pam_strerror(pamh, err));
if (err == PAM_SUCCESS)
{
err = pam_acct_mgmt(pamh, 0);
if (err == PAM_SUCCESS)
{
int err2 = pam_setcred(pamh, PAM_REFRESH_CRED);
if (err2 != PAM_SUCCESS)
_log_err(LOG_ERR, "pam_setcred(%s, %s): %s",
service, user,
pam_strerror(pamh, err2));
/*
* ignore errors on refresh credentials.
* If this did not work we use the old once.
*/
} else {
_log_err(LOG_ERR, "pam_acct_mgmt(%s, %s): %s",
service, user,
pam_strerror(pamh, err));
}
}
pam_end(pamh, err);
if (err != PAM_SUCCESS)
return UNIX_FAILED;
return UNIX_PASSED;
}
static char *
getuidname(uid_t uid)
{
struct passwd *pw;
static char username[32];
pw = getpwuid(uid);
if (pw == NULL)
return NULL;
strncpy(username, pw->pw_name, sizeof(username));
username[sizeof(username) - 1] = '\0';
endpwent();
return username;
}
static int
sane_pam_service(const char *name)
{
const char *sp;
char path[128];
if (strlen(name) > 32)
return 0;
for (sp = name; *sp; sp++) {
if (!isalnum(*sp) && *sp != '_' && *sp != '-')
return 0;
}
snprintf(path, sizeof(path), "/etc/pam.d/%s", name);
return access(path, R_OK) == 0;
}
static int
get_system_fail_delay (void)
{
FILE *fs;
char buf[BUFLEN];
long int delay = -1;
char *s;
int l;
fs = fopen(LOGINDEFS, "r");
if (NULL == fs) {
goto bail_out;
}
while ((NULL != fgets(buf, BUFLEN, fs)) && (-1 == delay)) {
if (!strstr(buf, LOGINDEFS_FAIL_DELAY_KEY)) {
continue;
}
s = buf + strspn(buf, " \t");
l = strcspn(s, " \t");
if (strncmp(LOGINDEFS_FAIL_DELAY_KEY, s, l)) {
continue;
}
s += l;
s += strspn(s, " \t");
errno = 0;
delay = strtol(s, NULL, 10);
if (errno) {
delay = -1;
}
break;
}
fclose (fs);
bail_out:
delay = (delay < 0) ? DEFAULT_FAIL_DELAY_S : delay;
return (int)delay;
}
int
main(int argc, char *argv[])
{
const char *program_name;
char *service, *user;
int fd;
int result = UNIX_FAILED;
uid_t uid;
uid = getuid();
/*
* Make sure standard file descriptors are connected.
*/
while ((fd = open("/dev/null", O_RDWR)) <= 2)
;
close(fd);
/*
* Get the program name
*/
if (argc == 0)
program_name = "unix2_chkpwd";
else if ((program_name = strrchr(argv[0], '/')) != NULL)
program_name++;
else
program_name = argv[0];
/*
* Catch or ignore as many signal as possible.
*/
setup_signals();
/*
* Check argument list
*/
if (argc < 2 || argc > 3) {
_log_err(LOG_NOTICE, "Bad number of arguments (%d)", argc);
return UNIX_FAILED;
}
/*
* Get the service name and do some sanity checks on it
*/
service = argv[1];
if (!sane_pam_service(service)) {
_log_err(LOG_ERR, "Illegal service name '%s'", service);
return UNIX_FAILED;
}
/*
* Discourage users messing around (fat chance)
*/
if (isatty(STDIN_FILENO) && uid != 0) {
_log_err(LOG_NOTICE,
"Inappropriate use of Unix helper binary [UID=%d]",
uid);
fprintf(stderr,
"This binary is not designed for running in this way\n"
"-- the system administrator has been informed\n");
sleep(10); /* this should discourage/annoy the user */
return UNIX_FAILED;
}
/*
* determine the caller's user name
*/
user = getuidname(uid);
if (argc == 3 && strcmp(user, argv[2])) {
user = argv[2];
}
result = _authenticate(service, user);
/* Discourage use of this program as a
* password cracker */
usleep(PASSWD_CRACKER_DELAY_MS * 1000);
if (result != UNIX_PASSED && uid != 0)
sleep(get_system_fail_delay());
return result;
}