[linux-pam] #23: pam_loginuid fails even when changing loginuid unnecessary
by fedora-badges
#23: pam_loginuid fails even when changing loginuid unnecessary
----------------------+------------------------------
Reporter: dtucker | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: modules
Version: | Keywords:
Blocked By: | Blocking:
----------------------+------------------------------
OpenSSH's regression tests fail when PAM is enabled on Fedora 18 (and
presumably newer). This is because pam_loginuid fails when writing to
/proc/self/loginuid as per
https://bugzilla.redhat.com/show_bug.cgi?id=959418.
The irritating thing is in this case, the uid it's trying to write is the
one already there, so leaving aside RH bug #959418 it's relatively simple
for pam_loginuid to skip the write and succeed in this case.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/23>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
10 years, 4 months
[PATCH 1/2] Fix autoconf warnings
by Dmitry V. Levin
Before this change, autoconf complained that AC_COMPILE_IFELSE
and AC_RUN_IFELSE were called before AC_USE_SYSTEM_EXTENSIONS.
* configure.in: Call AC_USE_SYSTEM_EXTENSIONS before LT_INIT.
---
configure.in | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/configure.in b/configure.in
index 424a634..f16020b 100644
--- a/configure.in
+++ b/configure.in
@@ -3,7 +3,6 @@ AC_INIT
AC_CONFIG_SRCDIR([conf/pam_conv1/pam_conv_y.y])
AC_CONFIG_AUX_DIR([build-aux])
AM_INIT_AUTOMAKE("Linux-PAM", 1.1.8)
-LT_INIT([disable-static])
AC_PREREQ([2.61])
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])
@@ -58,6 +57,11 @@ dnl Add /var directory
fi
+dnl This should be called before any macros that run the C compiler.
+AC_USE_SYSTEM_EXTENSIONS
+
+LT_INIT([disable-static])
+
dnl
dnl check if we should link everything static into libpam
dnl
@@ -76,7 +80,6 @@ fi
AM_CONDITIONAL([STATIC_MODULES], [test "$STATIC_MODULES" != "no"])
dnl Checks for programs.
-AC_USE_SYSTEM_EXTENSIONS
AC_PROG_CC
AC_PROG_YACC
AM_PROG_LEX
--
ldv
10 years, 4 months
[PATCH] pam_securetty: check return value of fgets
by Dmitry V. Levin
Checking the return value of fgets not only silences the warning from glibc
but also leads to cleaner code.
* modules/pam_securetty/pam_securetty.c (securetty_perform_check):
Check return value of fgets.
---
modules/pam_securetty/pam_securetty.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
index 5f2d1be..0474130 100644
--- a/modules/pam_securetty/pam_securetty.c
+++ b/modules/pam_securetty/pam_securetty.c
@@ -159,11 +159,10 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
if (cmdlinefile != NULL) {
char line[LINE_MAX], *p;
- line[0] = 0;
- fgets(line, sizeof(line), cmdlinefile);
+ p = fgets(line, sizeof(line), cmdlinefile);
fclose(cmdlinefile);
- for (p = line; p; p = strstr(p+1, "console=")) {
+ for (; p; p = strstr(p+1, "console=")) {
char *e;
/* Test whether this is a beginning of a word? */
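Review bot: With `p = fgets(...)` a failed or empty read of the command-line file now looks exactly like a command line with no `console=` entry, because `p` is NULL and the loop is skipped without any log line. This scan appears to feed the decision on whether a console device is accepted, so a debug message on the NULL case would help when diagnosing unexpected denials, e.g. `if (p == NULL) pam_syslog(pamh, LOG_DEBUG, "cannot read kernel command line");`. Separately, a single `fgets` into `line[LINE_MAX]` sees at most LINE_MAX-1 bytes, so a `console=` token beyond that point is not examined and one cut at the boundary is seen only partially; a short comment stating that limit would be worth adding. The loop body and the rest of securetty_perform_check continue outside the hunk.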
--
ldv
10 years, 4 months
[PATCH] pam_lastlog: fix format string
by Dmitry V. Levin
gcc -Wformat justly complains:
format '%d' expects argument of type 'int', but argument 5 has type 'time_t'
* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Fix format
string.
---
modules/pam_lastlog/pam_lastlog.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
index bd454ff..c0e3b94 100644
--- a/modules/pam_lastlog/pam_lastlog.c
+++ b/modules/pam_lastlog/pam_lastlog.c
@@ -628,7 +628,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
lltime = (time(NULL) - lltime) / (24*60*60);
if (lltime > inactive_days) {
- pam_syslog(pamh, LOG_INFO, "user %s inactive for %d days - denied", user, lltime);
+ pam_syslog(pamh, LOG_INFO, "user %s inactive for %ld days - denied",
+ user, lltime);
return PAM_AUTH_ERR;
}
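Review bot: `%ld` still assumes that `time_t` is `long`, which the C standard does not guarantee; on an ABI where `time_t` is wider than `long` (a 64-bit `time_t` on a 32-bit target, for instance) the same -Wformat complaint returns and the variadic read is mismatched. An explicit cast makes the call independent of the typedef: `"user %s inactive for %ld days - denied", user, (long) lltime);`. At this point the value is a day count, so the cast loses nothing for realistic inputs. The declaration of `lltime` is outside the hunk; its type is taken from the gcc message quoted in the description.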
--
ldv
10 years, 4 months
[PATCH] pam_warn: log flags passed to the module (ticket #25)
by Dmitry V. Levin
* modules/pam_warn/pam_warn.c (log_items): Take "flags" argument and
log it using pam_syslog.
(pam_sm_authenticate, pam_sm_setcred, pam_sm_chauthtok,
pam_sm_acct_mgmt, pam_sm_open_session, pam_sm_close_session): Pass
"flags" argument to log_items.
---
modules/pam_warn/pam_warn.c | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/modules/pam_warn/pam_warn.c b/modules/pam_warn/pam_warn.c
index 268e228..a26c48d 100644
--- a/modules/pam_warn/pam_warn.c
+++ b/modules/pam_warn/pam_warn.c
@@ -33,7 +33,7 @@
value = value ? value : default_value ; \
} while (0)
-static void log_items(pam_handle_t *pamh, const char *function)
+static void log_items(pam_handle_t *pamh, const char *function, int flags)
{
const void *service=NULL, *user=NULL, *terminal=NULL,
*rhost=NULL, *ruser=NULL;
@@ -45,8 +45,8 @@ static void log_items(pam_handle_t *pamh, const char *function)
OBTAIN(PAM_RHOST, rhost, "<unknown>");
pam_syslog(pamh, LOG_NOTICE,
- "function=[%s] service=[%s] terminal=[%s] user=[%s]"
- " ruser=[%s] rhost=[%s]\n", function,
+ "function=[%s] flags=%#x service=[%s] terminal=[%s] user=[%s]"
+ " ruser=[%s] rhost=[%s]\n", function, flags,
(const char *) service, (const char *) terminal,
(const char *) user, (const char *) ruser,
(const char *) rhost);
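Review bot: `%#x` is given an `int` in the new pam_syslog call, but the conversion expects `unsigned int`, so pass `(unsigned int) flags` to keep the call clean under stricter format checking. `%#x` also prints a bare `0` when no flag is set and `0x…` otherwise, so anything that parses these log lines has to accept both forms; `flags=[%#x]` would additionally match the bracketed style of the other fields. A one-line comment above log_items, such as `/* flags: the value the module entry point was called with, logged as hex */`, would document the new parameter. The six pam_sm_* entry points in the following hunk pass the value through unchanged.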
@@ -55,52 +55,52 @@ static void log_items(pam_handle_t *pamh, const char *function)
/* --- authentication management functions (only) --- */
PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
+int pam_sm_authenticate(pam_handle_t *pamh, int flags,
int argc UNUSED, const char **argv UNUSED)
{
- log_items(pamh, __FUNCTION__);
+ log_items(pamh, __FUNCTION__, flags);
return PAM_IGNORE;
}
PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED,
+int pam_sm_setcred(pam_handle_t *pamh, int flags,
int argc UNUSED, const char **argv UNUSED)
{
- log_items(pamh, __FUNCTION__);
+ log_items(pamh, __FUNCTION__, flags);
return PAM_IGNORE;
}
/* password updating functions */
PAM_EXTERN
-int pam_sm_chauthtok(pam_handle_t *pamh, int flags UNUSED,
+int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
int argc UNUSED, const char **argv UNUSED)
{
- log_items(pamh, __FUNCTION__);
+ log_items(pamh, __FUNCTION__, flags);
return PAM_IGNORE;
}
PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
int argc UNUSED, const char **argv UNUSED)
{
- log_items(pamh, __FUNCTION__);
+ log_items(pamh, __FUNCTION__, flags);
return PAM_IGNORE;
}
PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
+pam_sm_open_session(pam_handle_t *pamh, int flags,
int argc UNUSED, const char **argv UNUSED)
{
- log_items(pamh, __FUNCTION__);
+ log_items(pamh, __FUNCTION__, flags);
return PAM_IGNORE;
}
PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
+pam_sm_close_session(pam_handle_t *pamh, int flags,
int argc UNUSED, const char **argv UNUSED)
{
- log_items(pamh, __FUNCTION__);
+ log_items(pamh, __FUNCTION__, flags);
return PAM_IGNORE;
}
--
ldv
10 years, 4 months
pam_unix.so and DES option
by Thorsten Kukuk
Hi,
pam_unix.so can now read /etc/login.defs. A valid option for
ENCRYPT_METHOD is "DES", but since this is the default, pam_unix.so
reports an error.
I would like to add the following patch to avoid this error.
Ok to commit?
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index 6575938..6f5b2eb 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -97,8 +97,9 @@ typedef struct {
password hash algorithms */
#define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
#define UNIX_MIN_PASS_LEN 27 /* min length for password */
+#define UNIX_DES 28 /* DES, default */
/* -------------- */
-#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */
+#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */
#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
@@ -135,6 +136,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1},
/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
+/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
};
#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
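Review bot: The new `des` entry has flag `0`, so it can never be observed as set; its only effect is the mask, the same `_ALL_ON_^(0260420000)` used by the `blowfish` entry above it, which clears whatever hash-algorithm bit an earlier argument had set. A `des` that appears after a stronger hash option would therefore quietly select traditional DES crypt for new password hashes, assuming arguments are applied in order as the table layout suggests. Since that is the weakest scheme in this table, the entry deserves a comment, e.g. `/* flag is 0 on purpose: "des" only clears the other hash bits, see UNIX_DES_CRYPT */`, and ideally a log notice where the option is parsed, which is outside this hunk. The comment on `#define UNIX_DES 28` in the previous hunk could likewise read "traditional DES crypt, used when no other hash is selected".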
--
Thorsten Kukuk, Senior Architect SLES & Common Code Base
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
10 years, 4 months