Re: [Pam-developers] [linux-pam] pam_tty_audit: add an option to control logging of passwords: log_passwd
by Dmitry V. Levin
On Fri, Jun 21, 2013 at 09:04:03PM +0000, Tomáš Mráz wrote:
> commit 947b31e9494c198cffc6b4917ecf8723a5ad4486
> Author: Richard Guy Briggs <rgb(a)redhat.com>
> Date: Fri Jun 21 08:29:00 2013 -0400
>
> pam_tty_audit: add an option to control logging of passwords: log_passwd
>
> On Fri, Jun 21, 2013 at 04:38:16AM +0400, Dmitry V. Levin wrote:
> > On Tue, Jun 11, 2013 at 11:30:43AM -0400, Richard Guy Briggs wrote:
> > > On Mon, Jun 10, 2013 at 04:59:37PM -0400, Richard Guy Briggs wrote:
> > > > On Wed, Jun 05, 2013 at 02:54:09AM +0400, Dmitry V. Levin wrote:
> > > > > On Thu, May 23, 2013 at 10:29:59AM -0400, Richard Guy Briggs wrote:
> > > > > > Most commands are entered one line at a time and processed as complete lines
> > > > > > in non-canonical mode. Commands that interactively require a password, enter
> > > > > > canonical mode with echo set to off to do this. This feature (icanon and
> > > > > > !echo) can be used to avoid logging passwords by audit while still logging the
> > > > > > rest of the command.
> > > > > >
> > > > > > Adding a member to the struct audit_tty_status passed in by pam_tty_audit
> > > > > > allows control of logging passwords per task.
> > > > >
> > > > > Sorry for the long delay with review. Please see my comments below.
> > > >
> > > > Ditto...
> > >
> > > Please find a new patch at the end...
> >
> > The patch looks OK. If commit message contained a ChangeLog-style entry
> > for the change (see README-hacking file), it would be ready for commit.
>
> Here you go:
Tomáš, I think this part of the commit message was not supposed to get into the commit.
Could you amend the commit, please, while it isn't too late?
--
ldv
10 years, 10 months
Re: [Pam-developers] [linux-pam] Use hash from /etc/login.defs as default if no other one is specified as argument.
by Thorsten Kukuk
On Tue, Jun 18, kukuk wrote:
> commit a36df58aa78531a4629f90f732be475e9296a842
> Author: Thorsten Kukuk <kukuk(a)orinoco.thkukuk.de>
> Date: Tue Jun 18 16:27:15 2013 +0200
>
> Use hash from /etc/login.defs as default if no
> other one is specified as argument.
Sorry for the very late commit, I got ill and was in hospital
and I'm only slowly catching up with all the missing stuff ...
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
10 years, 10 months
[linux-pam] #13: pam_env: Unterminated expandable variable raises a critical error
by fedora-badges
#13: pam_env: Unterminated expandable variable raises a critical error
------------------------+------------------------------
Reporter: moritasho | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: modules
Version: | Keywords:
Blocked By: | Blocking:
------------------------+------------------------------
This originated from Bug#699805 in Debian BTS http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699805, and I was forwarded here.
Hi,
When pam_env finds an unterminated expandable variable while parsing a
conffile, it raises a critical error. This results in any login being rejected.
To reproduce the problem, put the following line into
/etc/security/pam_env.conf
{{{
FOO DEFAULT="${VAR"
}}}
Any login will fail and the following error message will be logged to
syslog:
{{{
pam_env(login:session): Unterminated expandable variable: <${VAR>
Critical error - immediate abort
}}}
The error message comes from modules/pam_env/pam_env.c:
{{{
static int _expand_arg(pam_handle_t *pamh, char **value)
{
[...]
        D(("Unterminated expandable variable: <%s>", orig-2));
        pam_syslog(pamh, LOG_ERR,
                   "Unterminated expandable variable: <%s>", orig-2);
        return PAM_ABORT;
}}}
When this function finds an unterminated expandable variable, it returns
PAM_ABORT, and it will raise a critical error. I think an unterminated
expandable variable is a small error, not so critical.
I suggest changing the function to return BAD_LINE instead of PAM_ABORT.
Regards,
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/13>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
10 years, 10 months
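An added example, not part of the ticket above or of Linux-PAM: a small C lint that flags `${` / `@{` expansions with no closing brace, the condition the report says makes pam_env abort, so a configuration file can be checked before it is installed. The function names and the sample text are constructed, and the scanning rules (backslash escapes the next character, `#` at line start is a comment) are a simplified approximation of pam_env's parser.

```c
/* Added example (not Linux-PAM code): simplified pam_env.conf expansion lint. */
#include <stdio.h>
#include <string.h>

/* Offset of the first "${" or "@{" with no closing '}' on this line, or -1.
 * Backslash escapes the next character; a leading '#' marks a comment. */
static int find_unterminated(const char *line)
{
    if (line[0] == '#')
        return -1;
    for (size_t i = 0; line[i] != '\0' && line[i] != '\n'; i++) {
        if (line[i] == '\\' && line[i + 1] != '\0' && line[i + 1] != '\n') {
            i++;                          /* skip the escaped character */
            continue;
        }
        if ((line[i] == '$' || line[i] == '@') && line[i + 1] == '{') {
            size_t j = i + 2;
            while (line[j] != '\0' && line[j] != '\n' && line[j] != '}')
                j++;
            if (line[j] != '}')
                return (int)i;            /* the case from the report */
            i = j;                        /* resume after the '}' */
        }
    }
    return -1;
}

/* Scan a whole buffer; print and count the offending lines. */
static int lint_conf(const char *text)
{
    int bad = 0, lineno = 1;
    for (const char *p = text; *p != '\0'; lineno++) {
        int off = find_unterminated(p);
        if (off >= 0) {
            printf("line %d, column %d: unterminated expansion\n", lineno, off + 1);
            bad++;
        }
        p += strcspn(p, "\n");            /* move to end of this line */
        p += (*p == '\n');                /* step over the newline, if any */
    }
    return bad;
}

/* Constructed sample; the second line is the reproducer from the report. */
static const char SAMPLE[] =
    "PATH DEFAULT=${HOME}/bin\n"
    "FOO DEFAULT=\"${VAR\"\n"
    "BAR DEFAULT=\\${literal\n";
int main(void) { return lint_conf(SAMPLE) > 0; }
```

The program exits with status 1 when any line would hit the unterminated-variable path, so it can gate a configuration rollout.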
Re: [Pam-developers] Linux-PAM-1.1.6 : Undocumented dependency on flex when cross-compiling
by Diego Elio Pettenò
Yes it is a known issue. It can also happen if you're not cross-compiling
and you don't have the whole flex package installed (forgot which
distributions separate the command from the library).
As I said you can find a thread on the topic on the mailing list if you
check the archives.
Diego Elio Pettenò — Flameeyes
flameeyes(a)flameeyes.eu — http://blog.flameeyes.eu/
On Mon, Jun 10, 2013 at 1:17 PM, James Allwright <jamesallwright(a)yahoo.co.uk> wrote:
> Hi,
>
> Just to clarify this a bit, I only get a problem when cross-compiling. If I
> build natively then there is no problem. I did a comparison between the
> native Makefile and the Makefile for cross-compilation and spotted that the
> flag for the flex library was missing from the cross-compilation Makefile.
>
> Regards,
>
> James Allwright
>
> ------------------------------
> *From:* Diego Elio Pettenò <flameeyes(a)flameeyes.eu>
> *To:* James Allwright <jamesallwright(a)yahoo.co.uk>;
> pam-developers(a)lists.fedorahosted.org
> *Sent:* Monday, 10 June 2013, 10:51
> *Subject:* Re: [Pam-developers] Linux-PAM-1.1.6 : Undocumented dependency
> on flex when cross-compiling
>
> It issues a warning that is hard to notice. I'm pretty sure we had a
> thread on this topic recently.
>
>
> Diego Elio Pettenò — Flameeyes
> flameeyes(a)flameeyes.eu — http://blog.flameeyes.eu/
>
>
> On Mon, Jun 10, 2013 at 9:59 AM, Dmitry V. Levin <ldv(a)altlinux.org> wrote:
>
> Hi,
>
> On Mon, Jun 10, 2013 at 09:39:30AM +0100, James Allwright wrote:
> > Hi,
> >
> > I hope that at least one of you maintains Linux-PAM and that I am sending this
> > to the right place.
>
> The right place is the mailing list, but, unfortunately, there are no hints
> in the source code about that.
>
> > I have discovered a problem with Linux-PAM-1.1.6 that does not seem to be
> > documented and which I presume is not generally known. I am trying to
> > cross-compile PAM-Linux (for powerpc in my case). The software configures
> > OK, but then when I try to compile it, I get the compilation error below.
> > On investigating this, the problem seems to be that I need a flex library
> > compiled for powerpc. I was able to solve the problem by getting suitable
> > flex libraries compiled for powerpc and setting LDFLAGS to point to them.
> >
> > It took me some time to work this out. I suggest it would be helpful if
> > configure checked for the presence of a suitable library and issued a
> > warning message.
> > Regards,
>
> configure.in uses AM_PROG_LEX macro, I suppose it issues a warning
> on systems that have no lex.
>
>
> --
> ldv
10 years, 10 months
Re: [Pam-developers] Linux-PAM-1.1.6 : Undocumented dependency on flex when cross-compiling
by Dmitry V. Levin
Hi,
On Mon, Jun 10, 2013 at 09:39:30AM +0100, James Allwright wrote:
> Hi,
>
> I hope that at least one of you maintains Linux-PAM and that I am sending this
> to the right place.
The right place is the mailing list, but, unfortunately, there are no hints
in the source code about that.
> I have discovered a problem with Linux-PAM-1.1.6 that does not seem to be
> documented and which I presume is not generally known. I am trying to
> cross-compile PAM-Linux (for powerpc in my case). The software configures
> OK, but then when I try to compile it, I get the compilation error below.
> On investigating this, the problem seems to be that I need a flex library
> compiled for powerpc. I was able to solve the problem by getting suitable
> flex libraries compiled for powerpc and setting LDFLAGS to point to them.
>
> It took me some time to work this out. I suggest it would be helpful if
> configure checked for the presence of a suitable library and issued a
> warning message.
> Regards,
configure.in uses AM_PROG_LEX macro, I suppose it issues a warning
on systems that have no lex.
--
ldv
10 years, 10 months