[linux-pam] #35: 'logic list' format unexplained in group.conf manpage
by fedora-badges
#35: 'logic list' format unexplained in group.conf manpage
--------------------------+-----------------------------------
Reporter: robinmiller | Owner: pam-developers@…
Type: defect | Status: new
Priority: minor | Component: documentation
Version: | Keywords: group.conf logic list
Blocked By: | Blocking:
--------------------------+-----------------------------------
The group.conf manpage refers to a 'logic list' several times as the way
to specify multiple ttys, users, etc, but does not give a clear example or
describe the syntax required.
After some fruitless searching and then trial and error, I discovered that
the format is:
{{{
item1 | item2 | item3
}}}
I think it would be a big help to users to make this clear in the man
page, either by describing the syntax or by giving a clear example in the
examples section (there is a convoluted example using &, but I don't think
this is obvious at first). For example, the example:
{{{
Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given
access to games (through membership of the floppy group) after work hours.
xsh; tty* ;sword;!Wk0900-1800;games, sound
}}}
Could be made into:
{{{
Running 'xsh' on tty* (any ttyXXX device), the users 'sword' and 'pike'
are given access to games (through membership of the floppy group) after
work hours.
xsh; tty* ; sword | pike ;!Wk0900-1800;games, sound
}}}
That small change alone would have saved me an hour. Perhaps the term
'logic list' is a well known format to some, but I don't think to many.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/35>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
9 years
[linux-pam] #33: pam_timestamp: timestampdir option not documented properly
by fedora-badges
#33: pam_timestamp: timestampdir option not documented properly
---------------------+------------------------------
Reporter: thoger | Owner: pam-developers@…
Type: defect | Status: new
Priority: minor | Component: modules
Version: | Keywords:
Blocked By: | Blocking:
---------------------+------------------------------
pam_timestamp module supports `timestampdir` option, which is not properly
mentioned in the documentation / man page for the module. The only
mention is:
When an application opens a session using
<emphasis>pam_timestamp</emphasis>,
a timestamp file is created in the <emphasis>timestampdir</emphasis>
directory
for the user.
but it is not listed in SYNOPSIS or OPTIONS sections.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/33>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
9 years
[linux-pam] #36: pam_fail_delay() inconsistent delay distribution
by fedora-badges
#36: pam_fail_delay() inconsistent delay distribution
---------------------+------------------------------
Reporter: szidek | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: library
Version: 1.1.x | Keywords:
Blocked By: | Blocking:
---------------------+------------------------------
Man page says: Should pam_authenticate(3) fail, the failing return to the
application is delayed by an amount of time randomly distributed (by up to
25%) about this longest value.
However, code uses distribution 50%.
(Comments also say 25%.)
I think these values should be consistent.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/36>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
9 years
[PATCH v2 1/3] build-sys: rename configure.in to configure.ac
by Ronny Chevalier
aclocal: warning: autoconf input should be named 'configure.ac', not 'configure.in'
* configure.in: Renamed to configure.ac
---
configure.in => configure.ac | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename configure.in => configure.ac (100%)
diff --git a/configure.in b/configure.ac
similarity index 100%
rename from configure.in
rename to configure.ac
--
2.1.3
9 years, 2 months
[PATCH] libpam: Only print "Password change aborted" when it's true.
by Luke Shumaker
pam_get_authtok() may be used any time that a password needs to be entered,
unlike pam_get_authtok_{no,}verify(), which may only be used when
changing a password; yet when the user aborts, it prints "Password change
aborted." whether or not that was the operation being performed.
This bug was non-obvious because none of the modules distributed with
Linux-PAM use it for anything but changing passwords; pam_unix has its
own utility function that it uses instead. As an example, the
nss-pam-ldapd package uses it in pam_sm_authenticate().
libpam/pam_get_authtok.c (pam_get_authtok_internal): check that the
password is trying to be changed before printing a message about the
password change being aborted.
---
libpam/pam_get_authtok.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c
index 31bb162..663f1f3 100644
--- a/libpam/pam_get_authtok.c
+++ b/libpam/pam_get_authtok.c
@@ -151,8 +151,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
if (retval != PAM_SUCCESS || resp[0] == NULL ||
(chpass > 1 && resp[1] == NULL))
{
- /* We want to abort the password change */
- pam_error (pamh, _("Password change aborted."));
+ /* We want to abort */
+ if (chpass)
+ pam_error (pamh, _("Password change aborted."));
return PAM_AUTHTOK_ERR;
}
--
2.2.0
9 years, 2 months
[PATCH 1/6] build-sys: rename configure.in to configure.ac
by Ronny Chevalier
aclocal: warning: autoconf input should be named 'configure.ac', not 'configure.in'
* configure.in: Renamed to configure.ac
---
configure.ac | 638 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
configure.in | 638 -----------------------------------------------------------
2 files changed, 638 insertions(+), 638 deletions(-)
create mode 100644 configure.ac
delete mode 100644 configure.in
diff --git a/configure.ac b/configure.ac
new file mode 100644
index 0000000..2597802
--- /dev/null
+++ b/configure.ac
@@ -0,0 +1,638 @@
+dnl Process this file with autoconf to produce a configure script.
+AC_INIT([Linux-PAM], [1.1.8], , [Linux-PAM])
+AC_CONFIG_SRCDIR([conf/pam_conv1/pam_conv_y.y])
+AC_CONFIG_AUX_DIR([build-aux])
+AM_INIT_AUTOMAKE
+AC_PREREQ([2.61])
+AC_CONFIG_HEADERS([config.h])
+AC_CONFIG_MACRO_DIR([m4])
+AC_CANONICAL_HOST
+
+AC_SUBST(PACKAGE)
+AC_SUBST(VERSION)
+
+dnl
+dnl By default, everything under PAM is installed below /usr.
+dnl
+AC_PREFIX_DEFAULT(/usr)
+
+dnl and some hacks to use /etc and /lib
+test "${prefix}" = "NONE" && prefix="/usr"
+if test ${prefix} = '/usr'
+then
+dnl If we use /usr as prefix, use /etc for config files
+ if test ${sysconfdir} = '${prefix}/etc'
+ then
+ sysconfdir="/etc"
+ fi
+ if test ${libdir} = '${exec_prefix}/lib'
+ then
+ case "`uname -m`" in
+ x86_64|ppc64|s390x|sparc64)
+ libdir="/lib64" ;;
+ *)
+ libdir="/lib" ;;
+ esac
+ fi
+ if test ${sbindir} = '${exec_prefix}/sbin'
+ then
+ sbindir="/sbin"
+ fi
+dnl If we use /usr as prefix, use /usr/share/man for manual pages
+ if test ${mandir} = '${prefix}/man'
+ then
+ mandir='${prefix}/share/man'
+ fi
+dnl Add security to include directory
+ if test ${includedir} = '${prefix}/include'
+ then
+ includedir="${prefix}/include/security"
+ fi
+
+dnl Add /var directory
+ if test ${localstatedir} = '${prefix}/var'
+ then
+ localstatedir="/var"
+ fi
+
+fi
+
+dnl This should be called before any macros that run the C compiler.
+AC_USE_SYSTEM_EXTENSIONS
+
+LT_INIT([disable-static])
+
+dnl
+dnl check if we should link everything static into libpam
+dnl
+AC_ARG_ENABLE(static-modules,AS_HELP_STRING([--enable-static-modules],
+ [do not make the modules dynamically loadable]),
+ STATIC_MODULES=$enableval,STATIC_MODULES=no)
+if test "$STATIC_MODULES" != "no" ; then
+ CFLAGS="$CFLAGS -DPAM_STATIC"
+ AC_ENABLE_STATIC([yes])
+ AC_ENABLE_SHARED([no])
+else
+# per default don't build static libraries
+ AC_ENABLE_STATIC([no])
+ AC_ENABLE_SHARED([yes])
+fi
+AM_CONDITIONAL([STATIC_MODULES], [test "$STATIC_MODULES" != "no"])
+
+dnl Checks for programs.
+AC_PROG_CC
+AC_PROG_YACC
+AM_PROG_LEX
+AC_PROG_INSTALL
+AC_PROG_LN_S
+AC_PROG_MAKE_SET
+AM_PROG_CC_C_O
+PAM_LD_AS_NEEDED
+PAM_LD_NO_UNDEFINED
+PAM_LD_O1
+
+dnl Largefile support
+AC_SYS_LARGEFILE
+
+dnl icc claims to be GCC compatible, but use other flags for warnings
+if eval "test x$GCC = xyes -a $CC != icc"; then
+ for flag in \
+ -W \
+ -Wall \
+ -Wbad-function-cast \
+ -Wcast-align \
+ -Wcast-qual \
+ -Wmissing-declarations \
+ -Wmissing-prototypes \
+ -Wpointer-arith \
+ -Wreturn-type \
+ -Wstrict-prototypes \
+ -Wwrite-strings \
+ -Winline \
+ -Wshadow
+ do
+ JAPHAR_GREP_CFLAGS($flag, [ CFLAGS="$CFLAGS $flag" ])
+ done
+fi
+dnl icc has special warning flags
+if eval "test x$CC = xicc"; then
+ for flag in \
+ -Wall \
+ -Wmissing-prototypes \
+ -Wpointer-arith \
+ -Wreturn-type \
+ -Wstrict-prototypes \
+ -Wwrite-strings \
+ -Wshadow \
+ -Wp64 \
+ -Wdeprecated \
+ -Wuninitialized \
+ -Wmain
+ do
+ JAPHAR_GREP_CFLAGS($flag, [ CFLAGS="$CFLAGS $flag" ])
+ done
+fi
+
+if test "x${CC_FOR_BUILD+set}" != "xset" ; then
+ if test "x$cross_compiling" = "xyes" ; then
+ AC_CHECK_PROGS(CC_FOR_BUILD, gcc cc)
+ else
+ CC_FOR_BUILD=${CC}
+ fi
+fi
+AC_MSG_CHECKING([for CC_FOR_BUILD])
+AC_MSG_RESULT([$CC_FOR_BUILD])
+AC_SUBST(CC_FOR_BUILD)
+
+if test "x${BUILD_CFLAGS+set}" != "xset" ; then
+ if test "x$cross_compiling" = "xyes" ; then
+ BUILD_CFLAGS=
+ else
+ BUILD_CFLAGS=${CFLAGS}
+ fi
+fi
+AC_SUBST(BUILD_CFLAGS)
+
+if test "x${BUILD_LDFLAGS+set}" != "xset" ; then
+ if test "x$cross_compiling" = "xyes" ; then
+ BUILD_LDFLAGS=
+ else
+ BUILD_LDFLAGS=${LDFLAGS}
+ fi
+fi
+AC_SUBST(BUILD_LDFLAGS)
+
+AC_C___ATTRIBUTE__
+
+dnl
+dnl Check if --version-script is supported by ld
+dnl
+AC_CACHE_CHECK(for .symver assembler directive, libc_cv_asm_symver_directive,
+[cat > conftest.s <<EOF
+${libc_cv_dot_text}
+_sym:
+.symver _sym,sym@VERS
+EOF
+if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
+ libc_cv_asm_symver_directive=yes
+else
+ libc_cv_asm_symver_directive=no
+fi
+rm -f conftest*])
+AC_CACHE_CHECK(for ld --version-script, libc_cv_ld_version_script_option, [dnl
+if test $libc_cv_asm_symver_directive = yes; then
+ cat > conftest.s <<EOF
+${libc_cv_dot_text}
+_sym:
+.symver _sym,sym@VERS
+EOF
+ cat > conftest.map <<EOF
+VERS_1 {
+ global: sym;
+};
+
+VERS_2 {
+ global: sym;
+} VERS_1;
+EOF
+ if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD;
+then
+ if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared
+ -o conftest.so conftest.o
+ -nostartfiles -nostdlib
+ -Wl,--version-script,conftest.map
+ 1>&AS_MESSAGE_LOG_FD]);
+ then
+ libc_cv_ld_version_script_option=yes
+ else
+ libc_cv_ld_version_script_option=no
+ fi
+ else
+ libc_cv_ld_version_script_option=no
+ fi
+else
+ libc_cv_ld_version_script_option=no
+fi
+rm -f conftest*])
+AM_CONDITIONAL([HAVE_VERSIONING],
+ [test "$libc_cv_ld_version_script_option" = "yes"])
+
+dnl
+dnl check for -fPIE/-pie support
+dnl
+dnl icc handles -fpie as -fp without error, so blacklist icc
+dnl
+AC_ARG_ENABLE(pie,AS_HELP_STRING([--disable-pie],
+ [disable position-independent executeables (PIE)]),
+ USE_PIE=$enableval, USE_PIE=yes)
+
+AC_CACHE_CHECK(for -fpie, libc_cv_fpie, [dnl
+ cat > conftest.c <<EOF
+int foo;
+main () { return 0;}
+EOF
+ if test "$USE_PIE" = "yes" -a "$CC" != "icc" &&
+ AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS -pie -fpie
+ -o conftest conftest.c 1>&AS_MESSAGE_LOG_FD])
+ then
+ libc_cv_fpie=yes
+ PIE_CFLAGS="-fpie"
+ PIE_LDFLAGS="-pie"
+ else
+ libc_cv_fpie=no
+ PIE_CFLAGS=""
+ PIE_LDFLAGS=""
+ fi
+ rm -f conftest*])
+AC_SUBST(libc_cv_fpie)
+AC_SUBST(PIE_CFLAGS)
+AC_SUBST(PIE_LDFLAGS)
+
+
+dnl
+dnl options and defaults
+dnl
+
+AC_ARG_ENABLE([prelude],
+ AS_HELP_STRING([--disable-prelude],[do not use prelude]),
+ WITH_PRELUDE=$enableval, WITH_PRELUDE=yes)
+if test "$WITH_PRELUDE" == "yes" ; then
+ AM_PATH_LIBPRELUDE([0.9.0])
+ if test "$LIBPRELUDE_CONFIG" != "no" ; then
+ LIBPRELUDE_CFLAGS="$LIBPRELUDE_CFLAGS -DPRELUDE=1"
+ fi
+fi
+
+dnl lots of debugging information goes to /var/run/pam-debug.log
+AC_ARG_ENABLE([debug],
+ AS_HELP_STRING([--enable-debug],[specify you are building with debugging on]))
+
+if test x"$enable_debug" = x"yes" ; then
+ AC_DEFINE([PAM_DEBUG],,
+ [lots of stuff gets written to /var/run/pam-debug.log])
+fi
+
+AC_ARG_ENABLE(securedir,
+ AS_HELP_STRING([--enable-securedir=DIR],[path to location of PAMs @<:@default=$libdir/security@:>@]),
+ SECUREDIR=$enableval, SECUREDIR=$libdir/security)
+AC_SUBST(SECUREDIR)
+
+AC_ARG_ENABLE([isadir],
+ AS_HELP_STRING([--enable-isadir=DIR],[path to arch-specific module files @<:@default=../../(basename of $libdir)/security@:>@]),
+ISA=$enableval,
+ISA=../../`basename $libdir`/security)
+unset mylibdirbase
+AC_DEFINE_UNQUOTED(_PAM_ISA,"$ISA",[Define to the path, relative to SECUREDIR, where PAMs specific to this architecture can be found.])
+AC_MSG_RESULT([Defining \$ISA to "$ISA"])
+
+AC_ARG_ENABLE(sconfigdir,
+ AS_HELP_STRING([--enable-sconfigdir=DIR],[path to module conf files @<:@default=$sysconfdir/security@:>@]),
+ SCONFIGDIR=$enableval, SCONFIGDIR=$sysconfdir/security)
+AC_SUBST(SCONFIGDIR)
+
+AC_ARG_ENABLE(pamlocking,
+ AS_HELP_STRING([--enable-pamlocking],[configure libpam to observe a global authentication lock]))
+
+if test x"$enable_pamlocking" = "xyes"; then
+ AC_DEFINE([PAM_LOCKING],,
+ [libpam should observe a global authentication lock])
+fi
+
+AC_ARG_ENABLE(read-both-confs,
+ AS_HELP_STRING([--enable-read-both-confs],[read both /etc/pam.d and /etc/pam.conf files]))
+
+if test x"$enable_read_both_confs" = "xyes"; then
+ AC_DEFINE([PAM_READ_BOTH_CONFS],,
+ [read both /etc/pam.d and /etc/pam.conf files])
+fi
+
+AC_ARG_ENABLE([lckpwdf],
+ AS_HELP_STRING([--disable-lckpwdf],[do not use the lckpwdf function]),
+ WITH_LCKPWDF=$enableval, WITH_LCKPWDF=yes)
+if test "$WITH_LCKPWDF" == "yes" ; then
+ AC_DEFINE([USE_LCKPWDF], 1,
+ [Define to 1 if the lckpwdf function should be used])
+fi
+
+AC_CHECK_HEADERS(paths.h)
+AC_ARG_WITH(mailspool,
+[ --with-mailspool path to mail spool directory
+ [default _PATH_MAILDIR if defined in paths.h, otherwise /var/spool/mail]],
+with_mailspool=${withval})
+if test x$with_mailspool != x ; then
+ pam_mail_spool="\"$with_mailspool\""
+else
+ AC_RUN_IFELSE([AC_LANG_SOURCE([[
+#include <paths.h>
+int main() {
+#ifdef _PATH_MAILDIR
+exit(0);
+#else
+exit(1);
+#endif
+}]])],[pam_mail_spool="_PATH_MAILDIR"],[pam_mail_spool="\"/var/spool/mail\""],[pam_mail_spool="\"/var/spool/mail\""])
+fi
+AC_DEFINE_UNQUOTED(PAM_PATH_MAILDIR, $pam_mail_spool,
+ [Path where mails are stored])
+
+AC_ARG_WITH(xauth,
+[ --with-xauth additional path to check for xauth when it is called from pam_xauth
+ [added to the default of /usr/X11R6/bin/xauth, /usr/bin/xauth, /usr/bin/X11/xauth]],
+pam_xauth_path=${withval})
+if test x$with_xauth == x ; then
+ AC_PATH_PROG(pam_xauth_path, xauth)
+dnl There is no sense in adding the first default path
+ if test x$pam_xauth_path == x/usr/X11R6/bin/xauth ; then
+ unset pam_xauth_path
+ fi
+fi
+
+if test x$pam_xauth_path != x ; then
+ AC_DEFINE_UNQUOTED(PAM_PATH_XAUTH, "$pam_xauth_path",
+ [Additional path of xauth executable])
+fi
+
+dnl Checks for the existence of libdl - on BSD and Tru64 its part of libc
+AC_CHECK_LIB([dl], [dlopen], LIBDL="-ldl", LIBDL="")
+AC_SUBST(LIBDL)
+
+# Check for cracklib
+AC_ARG_ENABLE([cracklib],
+ AS_HELP_STRING([--disable-cracklib],[do not use cracklib]),
+ WITH_CRACKLIB=$enableval, WITH_CRACKLIB=yes)
+if test x"$WITH_CRACKLIB" != xno ; then
+ AC_CHECK_HEADERS([crack.h],
+ AC_CHECK_LIB([crack], [FascistCheck], LIBCRACK="-lcrack", LIBCRACK=""))
+else
+ LIBCRACK=""
+fi
+if test -n "$LIBCRACK"; then
+ AC_DEFINE([HAVE_LIBCRACK], [1], [Define to 1 if you have cracklib.])
+fi
+AC_SUBST(LIBCRACK)
+AM_CONDITIONAL([HAVE_LIBCRACK], [test -n "$LIBCRACK"])
+
+dnl Look for Linux Auditing library - see documentation
+AC_ARG_ENABLE([audit],
+ AS_HELP_STRING([--disable-audit],[do not enable audit support]),
+ WITH_LIBAUDIT=$enableval, WITH_LIBAUDIT=yes)
+if test x"$WITH_LIBAUDIT" != xno ; then
+ AC_CHECK_HEADER([libaudit.h],
+ [AC_CHECK_LIB(audit, audit_log_acct_message, LIBAUDIT=-laudit, LIBAUDIT="")
+ AC_CHECK_TYPE([struct audit_tty_status],
+ [HAVE_AUDIT_TTY_STATUS=yes],
+ [HAVE_AUDIT_TTY_STATUS=""],
+ [#include <libaudit.h>])]
+ )
+ if test ! -z "$LIBAUDIT" -a "$ac_cv_header_libaudit_h" != "no" ; then
+ AC_DEFINE([HAVE_LIBAUDIT], 1, [Define to 1 if audit support should be compiled in.])
+ fi
+ if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then
+ AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.])
+
+ AC_CHECK_MEMBERS([struct audit_tty_status.log_passwd], [],
+ AC_MSG_WARN([audit_tty_status.log_passwd is not available. The log_passwd option is disabled.]),
+ [[#include <libaudit.h>]])
+ fi
+else
+ LIBAUDIT=""
+fi
+AC_SUBST(LIBAUDIT)
+AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS],
+ [test "x$HAVE_AUDIT_TTY_STATUS" = xyes])
+
+AC_CHECK_HEADERS(xcrypt.h crypt.h)
+AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
+ [crypt_libs="xcrypt crypt"],
+ [crypt_libs="crypt"])
+
+BACKUP_LIBS=$LIBS
+AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="-l$ac_lib", LIBCRYPT="")
+AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
+LIBS=$BACKUP_LIBS
+AC_SUBST(LIBCRYPT)
+if test "$LIBCRYPT" = "-lxcrypt" -a "$ac_cv_header_xcrypt_h" = "yes" ; then
+ AC_DEFINE([HAVE_LIBXCRYPT], 1, [Define to 1 if xcrypt support should be compiled in.])
+fi
+
+AC_ARG_WITH([randomdev], AS_HELP_STRING([--with-randomdev=(<path>|yes|no)],[use specified random device instead of /dev/urandom or 'no' to disable]), opt_randomdev=$withval)
+if test "$opt_randomdev" = yes -o -z "$opt_randomdev"; then
+ opt_randomdev="/dev/urandom"
+elif test "$opt_randomdev" = no; then
+ opt_randomdev=
+fi
+if test -n "$opt_randomdev"; then
+ AC_DEFINE_UNQUOTED(PAM_PATH_RANDOMDEV, "$opt_randomdev", [Random device path.])
+fi
+
+dnl check for libdb or libndbm as fallback. Some libndbm compat
+dnl libraries are unuseable, so try libdb first.
+AC_ARG_ENABLE([db],
+ AS_HELP_STRING([--enable-db=(db|ndbm|yes|no)],[Default behavior 'yes', which is to check for libdb first, followed by ndbm. Use 'no' to disable db support.]),
+ WITH_DB=$enableval, WITH_DB=yes)
+AC_ARG_WITH([db-uniquename],
+ AS_HELP_STRING([--with-db-uniquename=extension],[Unique name for db libraries and functions.]))
+if test x"$WITH_DB" != xno ; then
+ if test x"$WITH_DB" = xyes -o x"$WITH_DB" = xdb ; then
+ old_libs=$LIBS
+ LIBS="$LIBS -ldb$with_db_uniquename"
+ AC_CHECK_FUNCS([db_create$with_db_uniquename db_create dbm_store$with_db_uniquename dbm_store],
+ [LIBDB="-ldb$with_db_uniquename"; break])
+ LIBS=$old_libs
+ fi
+ if test -z "$LIBDB" ; then
+ AC_CHECK_LIB([ndbm],[dbm_store], LIBDB="-lndbm", LIBDB="")
+ if test ! -z "$LIBDB" ; then
+ AC_CHECK_HEADERS(ndbm.h)
+ fi
+ else
+ AC_CHECK_HEADERS(db.h)
+ fi
+fi
+AC_SUBST(LIBDB)
+AM_CONDITIONAL([HAVE_LIBDB], [test ! -z "$LIBDB"])
+
+AC_ARG_ENABLE([nis],
+ AS_HELP_STRING([--disable-nis], [Disable building NIS/YP support in pam_unix and pam_access]))
+
+AS_IF([test "x$enable_nis" != "xno"], [
+ CFLAGS=$old_CFLAGS
+ LIBS=$old_LIBS
+
+ dnl if there's libtirpc available, prefer that over the system
+ dnl implementation.
+ PKG_CHECK_MODULES([libtirpc], [libtirpc], [
+ CFLAGS="$CFLAGS $libtirpc_CFLAGS"
+ LIBS="$LIBS $libtirpc_LIBS"
+ ], [:;])
+
+ AC_SEARCH_LIBS([yp_get_default_domain], [nsl])
+
+ AC_CHECK_FUNCS([yp_get_default_domain yperr_string yp_master yp_bind yp_match yp_unbind])
+ AC_CHECK_HEADERS([rpc/rpc.h rpcsvc/ypclnt.h rpcsvc/yp_prot.h])
+ AC_CHECK_DECLS([getrpcport], , , [
+ #if HAVE_RPC_RPC_H
+ # include <rpc/rpc.h>
+ #endif
+ ])
+
+ NIS_CFLAGS="${CFLAGS%${old_CFLAGS}}"
+ NIS_LIBS="${LIBS%${old_LIBS}}"
+
+ CFLAGS="$old_CFLAGS"
+ LIBS="$old_LIBS"
+])
+
+AC_SUBST([NIS_CFLAGS])
+AC_SUBST([NIS_LIBS])
+
+AC_ARG_ENABLE([selinux],
+ AS_HELP_STRING([--disable-selinux],[do not use SELinux]),
+ WITH_SELINUX=$enableval, WITH_SELINUX=yes)
+if test "$WITH_SELINUX" == "yes" ; then
+ AC_CHECK_LIB([selinux],[getfilecon], LIBSELINUX="-lselinux", LIBSELINUX="")
+else
+ LIBSELINUX=""
+fi
+AC_SUBST(LIBSELINUX)
+AM_CONDITIONAL([HAVE_LIBSELINUX], [test ! -z "$LIBSELINUX"])
+if test ! -z "$LIBSELINUX" ; then
+ AC_DEFINE([WITH_SELINUX], 1, [Defined if SE Linux support is compiled in])
+ BACKUP_LIBS=$LIBS
+ LIBS="$LIBS $LIBSELINUX"
+ AC_CHECK_FUNCS(setkeycreatecon)
+ AC_CHECK_FUNCS(getseuser)
+ LIBS=$BACKUP_LIBS
+fi
+
+dnl Checks for header files.
+AC_HEADER_DIRENT
+AC_HEADER_STDC
+AC_HEADER_SYS_WAIT
+AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h net/if.h termio.h unistd.h sys/fsuid.h inittypes.h)
+
+dnl For module/pam_lastlog
+AC_CHECK_HEADERS(lastlog.h utmp.h utmpx.h)
+
+dnl Checks for typedefs, structures, and compiler characteristics.
+AC_C_BIGENDIAN
+AC_C_CONST
+AC_TYPE_UID_T
+AC_TYPE_OFF_T
+AC_TYPE_PID_T
+AC_TYPE_SIZE_T
+AC_HEADER_TIME
+AC_STRUCT_TM
+
+dnl Checks for library functions.
+AC_TYPE_GETGROUPS
+AC_PROG_GCC_TRADITIONAL
+AC_FUNC_MEMCMP
+AC_FUNC_VPRINTF
+AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir select)
+AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
+AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
+AC_CHECK_FUNCS(getgrouplist getline getdelim)
+AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
+
+AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
+AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
+
+AC_ARG_ENABLE([regenerate-docu],
+ AS_HELP_STRING([--disable-regenerate-docu],[Don't re-build documentation from XML sources]),
+ [enable_docu=$enableval], [enable_docu=yes])
+dnl
+dnl Check for xsltproc
+dnl
+AC_PATH_PROG([XSLTPROC], [xsltproc])
+if test -z "$XSLTPROC"; then
+ enable_docu=no
+fi
+AC_PATH_PROG([XMLLINT], [xmllint],[/bin/true])
+dnl check for DocBook DTD and stylesheets in the local catalog.
+JH_CHECK_XML_CATALOG([-//OASIS//DTD DocBook XML V4.4//EN],
+ [DocBook XML DTD V4.4], [], enable_docu=no)
+JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl],
+ [DocBook XSL Stylesheets], [], enable_docu=no)
+
+AC_PATH_PROG([BROWSER], [w3m])
+if test ! -z "$BROWSER"; then
+ BROWSER="$BROWSER -T text/html -dump"
+else
+ enable_docu=no
+fi
+
+AC_PATH_PROG([FO2PDF], [fop])
+
+AM_CONDITIONAL(ENABLE_REGENERATE_MAN, test x$enable_docu != xno)
+AM_CONDITIONAL(ENABLE_GENERATE_PDF, test ! -z "$FO2PDF")
+
+
+AM_GNU_GETTEXT_VERSION([0.15])
+AM_GNU_GETTEXT([external])
+AC_CHECK_FUNCS(dngettext)
+
+AH_BOTTOM([#ifdef ENABLE_NLS
+#include <libintl.h>
+#define _(msgid) dgettext(PACKAGE, msgid)
+#define N_(msgid) msgid
+#else
+#define _(msgid) (msgid)
+#define N_(msgid) msgid
+#endif /* ENABLE_NLS */])
+
+dnl
+dnl Check for the availability of the kernel key management facility
+dnl - The pam_keyinit module only requires the syscalls, not the error codes
+dnl
+AC_CHECK_DECL(__NR_keyctl, [have_key_syscalls=1],[have_key_syscalls=0],[#include <sys/syscall.h>])
+AC_CHECK_DECL(ENOKEY, [have_key_errors=1],[have_key_errors=0],[#include <errno.h>])
+
+HAVE_KEY_MANAGEMENT=0
+if test $have_key_syscalls$have_key_errors = 11
+then
+ HAVE_KEY_MANAGEMENT=1
+fi
+
+if test $HAVE_KEY_MANAGEMENT = 1; then
+ AC_DEFINE([HAVE_KEY_MANAGEMENT], 1,
+ [Defined if the kernel key management facility is available])
+fi
+AC_SUBST([HAVE_KEY_MANAGEMENT], $HAVE_KEY_MANAGEMENT)
+
+AM_CONDITIONAL([HAVE_KEY_MANAGEMENT], [test "$have_key_syscalls" = 1])
+
+dnl Files to be created from when we run configure
+AC_CONFIG_FILES([Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile \
+ libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
+ po/Makefile.in \
+ modules/Makefile \
+ modules/pam_access/Makefile modules/pam_cracklib/Makefile \
+ modules/pam_debug/Makefile modules/pam_deny/Makefile \
+ modules/pam_echo/Makefile modules/pam_env/Makefile \
+ modules/pam_faildelay/Makefile \
+ modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \
+ modules/pam_ftp/Makefile modules/pam_group/Makefile \
+ modules/pam_issue/Makefile modules/pam_keyinit/Makefile \
+ modules/pam_lastlog/Makefile modules/pam_limits/Makefile \
+ modules/pam_listfile/Makefile modules/pam_localuser/Makefile \
+ modules/pam_loginuid/Makefile modules/pam_mail/Makefile \
+ modules/pam_mkhomedir/Makefile modules/pam_motd/Makefile \
+ modules/pam_namespace/Makefile \
+ modules/pam_nologin/Makefile modules/pam_permit/Makefile \
+ modules/pam_pwhistory/Makefile modules/pam_rhosts/Makefile \
+ modules/pam_rootok/Makefile modules/pam_exec/Makefile \
+ modules/pam_securetty/Makefile modules/pam_selinux/Makefile \
+ modules/pam_sepermit/Makefile \
+ modules/pam_shells/Makefile modules/pam_stress/Makefile \
+ modules/pam_succeed_if/Makefile modules/pam_tally/Makefile \
+ modules/pam_tally2/Makefile modules/pam_time/Makefile \
+ modules/pam_timestamp/Makefile modules/pam_tty_audit/Makefile \
+ modules/pam_umask/Makefile \
+ modules/pam_unix/Makefile modules/pam_userdb/Makefile \
+ modules/pam_warn/Makefile modules/pam_wheel/Makefile \
+ modules/pam_xauth/Makefile doc/Makefile doc/specs/Makefile \
+ doc/man/Makefile doc/sag/Makefile doc/adg/Makefile \
+ doc/mwg/Makefile examples/Makefile tests/Makefile \
+ xtests/Makefile])
+AC_OUTPUT
diff --git a/configure.in b/configure.in
deleted file mode 100644
index 2597802..0000000
--- a/configure.in
+++ /dev/null
@@ -1,638 +0,0 @@
-dnl Process this file with autoconf to produce a configure script.
-AC_INIT([Linux-PAM], [1.1.8], , [Linux-PAM])
-AC_CONFIG_SRCDIR([conf/pam_conv1/pam_conv_y.y])
-AC_CONFIG_AUX_DIR([build-aux])
-AM_INIT_AUTOMAKE
-AC_PREREQ([2.61])
-AC_CONFIG_HEADERS([config.h])
-AC_CONFIG_MACRO_DIR([m4])
-AC_CANONICAL_HOST
-
-AC_SUBST(PACKAGE)
-AC_SUBST(VERSION)
-
-dnl
-dnl By default, everything under PAM is installed below /usr.
-dnl
-AC_PREFIX_DEFAULT(/usr)
-
-dnl and some hacks to use /etc and /lib
-test "${prefix}" = "NONE" && prefix="/usr"
-if test ${prefix} = '/usr'
-then
-dnl If we use /usr as prefix, use /etc for config files
- if test ${sysconfdir} = '${prefix}/etc'
- then
- sysconfdir="/etc"
- fi
- if test ${libdir} = '${exec_prefix}/lib'
- then
- case "`uname -m`" in
- x86_64|ppc64|s390x|sparc64)
- libdir="/lib64" ;;
- *)
- libdir="/lib" ;;
- esac
- fi
- if test ${sbindir} = '${exec_prefix}/sbin'
- then
- sbindir="/sbin"
- fi
-dnl If we use /usr as prefix, use /usr/share/man for manual pages
- if test ${mandir} = '${prefix}/man'
- then
- mandir='${prefix}/share/man'
- fi
-dnl Add security to include directory
- if test ${includedir} = '${prefix}/include'
- then
- includedir="${prefix}/include/security"
- fi
-
-dnl Add /var directory
- if test ${localstatedir} = '${prefix}/var'
- then
- localstatedir="/var"
- fi
-
-fi
-
-dnl This should be called before any macros that run the C compiler.
-AC_USE_SYSTEM_EXTENSIONS
-
-LT_INIT([disable-static])
-
-dnl
-dnl check if we should link everything static into libpam
-dnl
-AC_ARG_ENABLE(static-modules,AS_HELP_STRING([--enable-static-modules],
- [do not make the modules dynamically loadable]),
- STATIC_MODULES=$enableval,STATIC_MODULES=no)
-if test "$STATIC_MODULES" != "no" ; then
- CFLAGS="$CFLAGS -DPAM_STATIC"
- AC_ENABLE_STATIC([yes])
- AC_ENABLE_SHARED([no])
-else
-# per default don't build static libraries
- AC_ENABLE_STATIC([no])
- AC_ENABLE_SHARED([yes])
-fi
-AM_CONDITIONAL([STATIC_MODULES], [test "$STATIC_MODULES" != "no"])
-
-dnl Checks for programs.
-AC_PROG_CC
-AC_PROG_YACC
-AM_PROG_LEX
-AC_PROG_INSTALL
-AC_PROG_LN_S
-AC_PROG_MAKE_SET
-AM_PROG_CC_C_O
-PAM_LD_AS_NEEDED
-PAM_LD_NO_UNDEFINED
-PAM_LD_O1
-
-dnl Largefile support
-AC_SYS_LARGEFILE
-
-dnl icc claims to be GCC compatible, but use other flags for warnings
-if eval "test x$GCC = xyes -a $CC != icc"; then
- for flag in \
- -W \
- -Wall \
- -Wbad-function-cast \
- -Wcast-align \
- -Wcast-qual \
- -Wmissing-declarations \
- -Wmissing-prototypes \
- -Wpointer-arith \
- -Wreturn-type \
- -Wstrict-prototypes \
- -Wwrite-strings \
- -Winline \
- -Wshadow
- do
- JAPHAR_GREP_CFLAGS($flag, [ CFLAGS="$CFLAGS $flag" ])
- done
-fi
-dnl icc has special warning flags
-if eval "test x$CC = xicc"; then
- for flag in \
- -Wall \
- -Wmissing-prototypes \
- -Wpointer-arith \
- -Wreturn-type \
- -Wstrict-prototypes \
- -Wwrite-strings \
- -Wshadow \
- -Wp64 \
- -Wdeprecated \
- -Wuninitialized \
- -Wmain
- do
- JAPHAR_GREP_CFLAGS($flag, [ CFLAGS="$CFLAGS $flag" ])
- done
-fi
-
-if test "x${CC_FOR_BUILD+set}" != "xset" ; then
- if test "x$cross_compiling" = "xyes" ; then
- AC_CHECK_PROGS(CC_FOR_BUILD, gcc cc)
- else
- CC_FOR_BUILD=${CC}
- fi
-fi
-AC_MSG_CHECKING([for CC_FOR_BUILD])
-AC_MSG_RESULT([$CC_FOR_BUILD])
-AC_SUBST(CC_FOR_BUILD)
-
-if test "x${BUILD_CFLAGS+set}" != "xset" ; then
- if test "x$cross_compiling" = "xyes" ; then
- BUILD_CFLAGS=
- else
- BUILD_CFLAGS=${CFLAGS}
- fi
-fi
-AC_SUBST(BUILD_CFLAGS)
-
-if test "x${BUILD_LDFLAGS+set}" != "xset" ; then
- if test "x$cross_compiling" = "xyes" ; then
- BUILD_LDFLAGS=
- else
- BUILD_LDFLAGS=${LDFLAGS}
- fi
-fi
-AC_SUBST(BUILD_LDFLAGS)
-
-AC_C___ATTRIBUTE__
-
-dnl
-dnl Check if --version-script is supported by ld
-dnl
-AC_CACHE_CHECK(for .symver assembler directive, libc_cv_asm_symver_directive,
-[cat > conftest.s <<EOF
-${libc_cv_dot_text}
-_sym:
-.symver _sym,sym@VERS
-EOF
-if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
- libc_cv_asm_symver_directive=yes
-else
- libc_cv_asm_symver_directive=no
-fi
-rm -f conftest*])
-AC_CACHE_CHECK(for ld --version-script, libc_cv_ld_version_script_option, [dnl
-if test $libc_cv_asm_symver_directive = yes; then
- cat > conftest.s <<EOF
-${libc_cv_dot_text}
-_sym:
-.symver _sym,sym@VERS
-EOF
- cat > conftest.map <<EOF
-VERS_1 {
- global: sym;
-};
-
-VERS_2 {
- global: sym;
-} VERS_1;
-EOF
- if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD;
-then
- if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared
- -o conftest.so conftest.o
- -nostartfiles -nostdlib
- -Wl,--version-script,conftest.map
- 1>&AS_MESSAGE_LOG_FD]);
- then
- libc_cv_ld_version_script_option=yes
- else
- libc_cv_ld_version_script_option=no
- fi
- else
- libc_cv_ld_version_script_option=no
- fi
-else
- libc_cv_ld_version_script_option=no
-fi
-rm -f conftest*])
-AM_CONDITIONAL([HAVE_VERSIONING],
- [test "$libc_cv_ld_version_script_option" = "yes"])
-
-dnl
-dnl check for -fPIE/-pie support
-dnl
-dnl icc handles -fpie as -fp without error, so blacklist icc
-dnl
-AC_ARG_ENABLE(pie,AS_HELP_STRING([--disable-pie],
- [disable position-independent executeables (PIE)]),
- USE_PIE=$enableval, USE_PIE=yes)
-
-AC_CACHE_CHECK(for -fpie, libc_cv_fpie, [dnl
- cat > conftest.c <<EOF
-int foo;
-main () { return 0;}
-EOF
- if test "$USE_PIE" = "yes" -a "$CC" != "icc" &&
- AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS -pie -fpie
- -o conftest conftest.c 1>&AS_MESSAGE_LOG_FD])
- then
- libc_cv_fpie=yes
- PIE_CFLAGS="-fpie"
- PIE_LDFLAGS="-pie"
- else
- libc_cv_fpie=no
- PIE_CFLAGS=""
- PIE_LDFLAGS=""
- fi
- rm -f conftest*])
-AC_SUBST(libc_cv_fpie)
-AC_SUBST(PIE_CFLAGS)
-AC_SUBST(PIE_LDFLAGS)
-
-
-dnl
-dnl options and defaults
-dnl
-
-AC_ARG_ENABLE([prelude],
- AS_HELP_STRING([--disable-prelude],[do not use prelude]),
- WITH_PRELUDE=$enableval, WITH_PRELUDE=yes)
-if test "$WITH_PRELUDE" == "yes" ; then
- AM_PATH_LIBPRELUDE([0.9.0])
- if test "$LIBPRELUDE_CONFIG" != "no" ; then
- LIBPRELUDE_CFLAGS="$LIBPRELUDE_CFLAGS -DPRELUDE=1"
- fi
-fi
-
-dnl lots of debugging information goes to /var/run/pam-debug.log
-AC_ARG_ENABLE([debug],
- AS_HELP_STRING([--enable-debug],[specify you are building with debugging on]))
-
-if test x"$enable_debug" = x"yes" ; then
- AC_DEFINE([PAM_DEBUG],,
- [lots of stuff gets written to /var/run/pam-debug.log])
-fi
-
-AC_ARG_ENABLE(securedir,
- AS_HELP_STRING([--enable-securedir=DIR],[path to location of PAMs @<:@default=$libdir/security@:>@]),
- SECUREDIR=$enableval, SECUREDIR=$libdir/security)
-AC_SUBST(SECUREDIR)
-
-AC_ARG_ENABLE([isadir],
- AS_HELP_STRING([--enable-isadir=DIR],[path to arch-specific module files @<:@default=../../(basename of $libdir)/security@:>@]),
-ISA=$enableval,
-ISA=../../`basename $libdir`/security)
-unset mylibdirbase
-AC_DEFINE_UNQUOTED(_PAM_ISA,"$ISA",[Define to the path, relative to SECUREDIR, where PAMs specific to this architecture can be found.])
-AC_MSG_RESULT([Defining \$ISA to "$ISA"])
-
-AC_ARG_ENABLE(sconfigdir,
- AS_HELP_STRING([--enable-sconfigdir=DIR],[path to module conf files @<:@default=$sysconfdir/security@:>@]),
- SCONFIGDIR=$enableval, SCONFIGDIR=$sysconfdir/security)
-AC_SUBST(SCONFIGDIR)
-
-AC_ARG_ENABLE(pamlocking,
- AS_HELP_STRING([--enable-pamlocking],[configure libpam to observe a global authentication lock]))
-
-if test x"$enable_pamlocking" = "xyes"; then
- AC_DEFINE([PAM_LOCKING],,
- [libpam should observe a global authentication lock])
-fi
-
-AC_ARG_ENABLE(read-both-confs,
- AS_HELP_STRING([--enable-read-both-confs],[read both /etc/pam.d and /etc/pam.conf files]))
-
-if test x"$enable_read_both_confs" = "xyes"; then
- AC_DEFINE([PAM_READ_BOTH_CONFS],,
- [read both /etc/pam.d and /etc/pam.conf files])
-fi
-
-AC_ARG_ENABLE([lckpwdf],
- AS_HELP_STRING([--disable-lckpwdf],[do not use the lckpwdf function]),
- WITH_LCKPWDF=$enableval, WITH_LCKPWDF=yes)
-if test "$WITH_LCKPWDF" == "yes" ; then
- AC_DEFINE([USE_LCKPWDF], 1,
- [Define to 1 if the lckpwdf function should be used])
-fi
-
-AC_CHECK_HEADERS(paths.h)
-AC_ARG_WITH(mailspool,
-[ --with-mailspool path to mail spool directory
- [default _PATH_MAILDIR if defined in paths.h, otherwise /var/spool/mail]],
-with_mailspool=${withval})
-if test x$with_mailspool != x ; then
- pam_mail_spool="\"$with_mailspool\""
-else
- AC_RUN_IFELSE([AC_LANG_SOURCE([[
-#include <paths.h>
-int main() {
-#ifdef _PATH_MAILDIR
-exit(0);
-#else
-exit(1);
-#endif
-}]])],[pam_mail_spool="_PATH_MAILDIR"],[pam_mail_spool="\"/var/spool/mail\""],[pam_mail_spool="\"/var/spool/mail\""])
-fi
-AC_DEFINE_UNQUOTED(PAM_PATH_MAILDIR, $pam_mail_spool,
- [Path where mails are stored])
-
-AC_ARG_WITH(xauth,
-[ --with-xauth additional path to check for xauth when it is called from pam_xauth
- [added to the default of /usr/X11R6/bin/xauth, /usr/bin/xauth, /usr/bin/X11/xauth]],
-pam_xauth_path=${withval})
-if test x$with_xauth == x ; then
- AC_PATH_PROG(pam_xauth_path, xauth)
-dnl There is no sense in adding the first default path
- if test x$pam_xauth_path == x/usr/X11R6/bin/xauth ; then
- unset pam_xauth_path
- fi
-fi
-
-if test x$pam_xauth_path != x ; then
- AC_DEFINE_UNQUOTED(PAM_PATH_XAUTH, "$pam_xauth_path",
- [Additional path of xauth executable])
-fi
-
-dnl Checks for the existence of libdl - on BSD and Tru64 its part of libc
-AC_CHECK_LIB([dl], [dlopen], LIBDL="-ldl", LIBDL="")
-AC_SUBST(LIBDL)
-
-# Check for cracklib
-AC_ARG_ENABLE([cracklib],
- AS_HELP_STRING([--disable-cracklib],[do not use cracklib]),
- WITH_CRACKLIB=$enableval, WITH_CRACKLIB=yes)
-if test x"$WITH_CRACKLIB" != xno ; then
- AC_CHECK_HEADERS([crack.h],
- AC_CHECK_LIB([crack], [FascistCheck], LIBCRACK="-lcrack", LIBCRACK=""))
-else
- LIBCRACK=""
-fi
-if test -n "$LIBCRACK"; then
- AC_DEFINE([HAVE_LIBCRACK], [1], [Define to 1 if you have cracklib.])
-fi
-AC_SUBST(LIBCRACK)
-AM_CONDITIONAL([HAVE_LIBCRACK], [test -n "$LIBCRACK"])
-
-dnl Look for Linux Auditing library - see documentation
-AC_ARG_ENABLE([audit],
- AS_HELP_STRING([--disable-audit],[do not enable audit support]),
- WITH_LIBAUDIT=$enableval, WITH_LIBAUDIT=yes)
-if test x"$WITH_LIBAUDIT" != xno ; then
- AC_CHECK_HEADER([libaudit.h],
- [AC_CHECK_LIB(audit, audit_log_acct_message, LIBAUDIT=-laudit, LIBAUDIT="")
- AC_CHECK_TYPE([struct audit_tty_status],
- [HAVE_AUDIT_TTY_STATUS=yes],
- [HAVE_AUDIT_TTY_STATUS=""],
- [#include <libaudit.h>])]
- )
- if test ! -z "$LIBAUDIT" -a "$ac_cv_header_libaudit_h" != "no" ; then
- AC_DEFINE([HAVE_LIBAUDIT], 1, [Define to 1 if audit support should be compiled in.])
- fi
- if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then
- AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.])
-
- AC_CHECK_MEMBERS([struct audit_tty_status.log_passwd], [],
- AC_MSG_WARN([audit_tty_status.log_passwd is not available. The log_passwd option is disabled.]),
- [[#include <libaudit.h>]])
- fi
-else
- LIBAUDIT=""
-fi
-AC_SUBST(LIBAUDIT)
-AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS],
- [test "x$HAVE_AUDIT_TTY_STATUS" = xyes])
-
-AC_CHECK_HEADERS(xcrypt.h crypt.h)
-AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
- [crypt_libs="xcrypt crypt"],
- [crypt_libs="crypt"])
-
-BACKUP_LIBS=$LIBS
-AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="-l$ac_lib", LIBCRYPT="")
-AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
-LIBS=$BACKUP_LIBS
-AC_SUBST(LIBCRYPT)
-if test "$LIBCRYPT" = "-lxcrypt" -a "$ac_cv_header_xcrypt_h" = "yes" ; then
- AC_DEFINE([HAVE_LIBXCRYPT], 1, [Define to 1 if xcrypt support should be compiled in.])
-fi
-
-AC_ARG_WITH([randomdev], AS_HELP_STRING([--with-randomdev=(<path>|yes|no)],[use specified random device instead of /dev/urandom or 'no' to disable]), opt_randomdev=$withval)
-if test "$opt_randomdev" = yes -o -z "$opt_randomdev"; then
- opt_randomdev="/dev/urandom"
-elif test "$opt_randomdev" = no; then
- opt_randomdev=
-fi
-if test -n "$opt_randomdev"; then
- AC_DEFINE_UNQUOTED(PAM_PATH_RANDOMDEV, "$opt_randomdev", [Random device path.])
-fi
-
-dnl check for libdb or libndbm as fallback. Some libndbm compat
-dnl libraries are unuseable, so try libdb first.
-AC_ARG_ENABLE([db],
- AS_HELP_STRING([--enable-db=(db|ndbm|yes|no)],[Default behavior 'yes', which is to check for libdb first, followed by ndbm. Use 'no' to disable db support.]),
- WITH_DB=$enableval, WITH_DB=yes)
-AC_ARG_WITH([db-uniquename],
- AS_HELP_STRING([--with-db-uniquename=extension],[Unique name for db libraries and functions.]))
-if test x"$WITH_DB" != xno ; then
- if test x"$WITH_DB" = xyes -o x"$WITH_DB" = xdb ; then
- old_libs=$LIBS
- LIBS="$LIBS -ldb$with_db_uniquename"
- AC_CHECK_FUNCS([db_create$with_db_uniquename db_create dbm_store$with_db_uniquename dbm_store],
- [LIBDB="-ldb$with_db_uniquename"; break])
- LIBS=$old_libs
- fi
- if test -z "$LIBDB" ; then
- AC_CHECK_LIB([ndbm],[dbm_store], LIBDB="-lndbm", LIBDB="")
- if test ! -z "$LIBDB" ; then
- AC_CHECK_HEADERS(ndbm.h)
- fi
- else
- AC_CHECK_HEADERS(db.h)
- fi
-fi
-AC_SUBST(LIBDB)
-AM_CONDITIONAL([HAVE_LIBDB], [test ! -z "$LIBDB"])
-
-AC_ARG_ENABLE([nis],
- AS_HELP_STRING([--disable-nis], [Disable building NIS/YP support in pam_unix and pam_access]))
-
-AS_IF([test "x$enable_nis" != "xno"], [
- CFLAGS=$old_CFLAGS
- LIBS=$old_LIBS
-
- dnl if there's libtirpc available, prefer that over the system
- dnl implementation.
- PKG_CHECK_MODULES([libtirpc], [libtirpc], [
- CFLAGS="$CFLAGS $libtirpc_CFLAGS"
- LIBS="$LIBS $libtirpc_LIBS"
- ], [:;])
-
- AC_SEARCH_LIBS([yp_get_default_domain], [nsl])
-
- AC_CHECK_FUNCS([yp_get_default_domain yperr_string yp_master yp_bind yp_match yp_unbind])
- AC_CHECK_HEADERS([rpc/rpc.h rpcsvc/ypclnt.h rpcsvc/yp_prot.h])
- AC_CHECK_DECLS([getrpcport], , , [
- #if HAVE_RPC_RPC_H
- # include <rpc/rpc.h>
- #endif
- ])
-
- NIS_CFLAGS="${CFLAGS%${old_CFLAGS}}"
- NIS_LIBS="${LIBS%${old_LIBS}}"
-
- CFLAGS="$old_CFLAGS"
- LIBS="$old_LIBS"
-])
-
-AC_SUBST([NIS_CFLAGS])
-AC_SUBST([NIS_LIBS])
-
-AC_ARG_ENABLE([selinux],
- AS_HELP_STRING([--disable-selinux],[do not use SELinux]),
- WITH_SELINUX=$enableval, WITH_SELINUX=yes)
-if test "$WITH_SELINUX" == "yes" ; then
- AC_CHECK_LIB([selinux],[getfilecon], LIBSELINUX="-lselinux", LIBSELINUX="")
-else
- LIBSELINUX=""
-fi
-AC_SUBST(LIBSELINUX)
-AM_CONDITIONAL([HAVE_LIBSELINUX], [test ! -z "$LIBSELINUX"])
-if test ! -z "$LIBSELINUX" ; then
- AC_DEFINE([WITH_SELINUX], 1, [Defined if SE Linux support is compiled in])
- BACKUP_LIBS=$LIBS
- LIBS="$LIBS $LIBSELINUX"
- AC_CHECK_FUNCS(setkeycreatecon)
- AC_CHECK_FUNCS(getseuser)
- LIBS=$BACKUP_LIBS
-fi
-
-dnl Checks for header files.
-AC_HEADER_DIRENT
-AC_HEADER_STDC
-AC_HEADER_SYS_WAIT
-AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h net/if.h termio.h unistd.h sys/fsuid.h inittypes.h)
-
-dnl For module/pam_lastlog
-AC_CHECK_HEADERS(lastlog.h utmp.h utmpx.h)
-
-dnl Checks for typedefs, structures, and compiler characteristics.
-AC_C_BIGENDIAN
-AC_C_CONST
-AC_TYPE_UID_T
-AC_TYPE_OFF_T
-AC_TYPE_PID_T
-AC_TYPE_SIZE_T
-AC_HEADER_TIME
-AC_STRUCT_TM
-
-dnl Checks for library functions.
-AC_TYPE_GETGROUPS
-AC_PROG_GCC_TRADITIONAL
-AC_FUNC_MEMCMP
-AC_FUNC_VPRINTF
-AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir select)
-AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
-AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
-AC_CHECK_FUNCS(getgrouplist getline getdelim)
-AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
-
-AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
-AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
-
-AC_ARG_ENABLE([regenerate-docu],
- AS_HELP_STRING([--disable-regenerate-docu],[Don't re-build documentation from XML sources]),
- [enable_docu=$enableval], [enable_docu=yes])
-dnl
-dnl Check for xsltproc
-dnl
-AC_PATH_PROG([XSLTPROC], [xsltproc])
-if test -z "$XSLTPROC"; then
- enable_docu=no
-fi
-AC_PATH_PROG([XMLLINT], [xmllint],[/bin/true])
-dnl check for DocBook DTD and stylesheets in the local catalog.
-JH_CHECK_XML_CATALOG([-//OASIS//DTD DocBook XML V4.4//EN],
- [DocBook XML DTD V4.4], [], enable_docu=no)
-JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl],
- [DocBook XSL Stylesheets], [], enable_docu=no)
-
-AC_PATH_PROG([BROWSER], [w3m])
-if test ! -z "$BROWSER"; then
- BROWSER="$BROWSER -T text/html -dump"
-else
- enable_docu=no
-fi
-
-AC_PATH_PROG([FO2PDF], [fop])
-
-AM_CONDITIONAL(ENABLE_REGENERATE_MAN, test x$enable_docu != xno)
-AM_CONDITIONAL(ENABLE_GENERATE_PDF, test ! -z "$FO2PDF")
-
-
-AM_GNU_GETTEXT_VERSION([0.15])
-AM_GNU_GETTEXT([external])
-AC_CHECK_FUNCS(dngettext)
-
-AH_BOTTOM([#ifdef ENABLE_NLS
-#include <libintl.h>
-#define _(msgid) dgettext(PACKAGE, msgid)
-#define N_(msgid) msgid
-#else
-#define _(msgid) (msgid)
-#define N_(msgid) msgid
-#endif /* ENABLE_NLS */])
-
-dnl
-dnl Check for the availability of the kernel key management facility
-dnl - The pam_keyinit module only requires the syscalls, not the error codes
-dnl
-AC_CHECK_DECL(__NR_keyctl, [have_key_syscalls=1],[have_key_syscalls=0],[#include <sys/syscall.h>])
-AC_CHECK_DECL(ENOKEY, [have_key_errors=1],[have_key_errors=0],[#include <errno.h>])
-
-HAVE_KEY_MANAGEMENT=0
-if test $have_key_syscalls$have_key_errors = 11
-then
- HAVE_KEY_MANAGEMENT=1
-fi
-
-if test $HAVE_KEY_MANAGEMENT = 1; then
- AC_DEFINE([HAVE_KEY_MANAGEMENT], 1,
- [Defined if the kernel key management facility is available])
-fi
-AC_SUBST([HAVE_KEY_MANAGEMENT], $HAVE_KEY_MANAGEMENT)
-
-AM_CONDITIONAL([HAVE_KEY_MANAGEMENT], [test "$have_key_syscalls" = 1])
-
-dnl Files to be created from when we run configure
-AC_CONFIG_FILES([Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile \
- libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
- po/Makefile.in \
- modules/Makefile \
- modules/pam_access/Makefile modules/pam_cracklib/Makefile \
- modules/pam_debug/Makefile modules/pam_deny/Makefile \
- modules/pam_echo/Makefile modules/pam_env/Makefile \
- modules/pam_faildelay/Makefile \
- modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \
- modules/pam_ftp/Makefile modules/pam_group/Makefile \
- modules/pam_issue/Makefile modules/pam_keyinit/Makefile \
- modules/pam_lastlog/Makefile modules/pam_limits/Makefile \
- modules/pam_listfile/Makefile modules/pam_localuser/Makefile \
- modules/pam_loginuid/Makefile modules/pam_mail/Makefile \
- modules/pam_mkhomedir/Makefile modules/pam_motd/Makefile \
- modules/pam_namespace/Makefile \
- modules/pam_nologin/Makefile modules/pam_permit/Makefile \
- modules/pam_pwhistory/Makefile modules/pam_rhosts/Makefile \
- modules/pam_rootok/Makefile modules/pam_exec/Makefile \
- modules/pam_securetty/Makefile modules/pam_selinux/Makefile \
- modules/pam_sepermit/Makefile \
- modules/pam_shells/Makefile modules/pam_stress/Makefile \
- modules/pam_succeed_if/Makefile modules/pam_tally/Makefile \
- modules/pam_tally2/Makefile modules/pam_time/Makefile \
- modules/pam_timestamp/Makefile modules/pam_tty_audit/Makefile \
- modules/pam_umask/Makefile \
- modules/pam_unix/Makefile modules/pam_userdb/Makefile \
- modules/pam_warn/Makefile modules/pam_wheel/Makefile \
- modules/pam_xauth/Makefile doc/Makefile doc/specs/Makefile \
- doc/man/Makefile doc/sag/Makefile doc/adg/Makefile \
- doc/mwg/Makefile examples/Makefile tests/Makefile \
- xtests/Makefile])
-AC_OUTPUT
--
2.0.4
9 years, 3 months
[PATCH] build: extend cross compiling check to cover CPPFLAGS (ticket #21)
by Dmitry V. Levin
Use BUILD_CPPFLAGS variable to override CPPFLAGS where necessary in
case of cross compiling, in addition to CC_FOR_BUILD, BUILD_CFLAGS,
and BUILD_LDFLAGS variables introduced earlier to override CC,
CFLAGS, and LDFLAGS, respectively.
* configure.in (BUILD_CPPFLAGS): Define.
* doc/specs/Makefile.am (CPPFLAGS): Define to @BUILD_CPPFLAGS@.
---
configure.in | 9 +++++++++
doc/specs/Makefile.am | 1 +
2 files changed, 10 insertions(+)
diff --git a/configure.in b/configure.in
index 2597802..6797e2f 100644
--- a/configure.in
+++ b/configure.in
@@ -144,6 +144,15 @@ AC_MSG_CHECKING([for CC_FOR_BUILD])
AC_MSG_RESULT([$CC_FOR_BUILD])
AC_SUBST(CC_FOR_BUILD)
+if test "x${BUILD_CPPFLAGS+set}" != "xset" ; then
+ if test "x$cross_compiling" = "xyes" ; then
+ BUILD_CPPFLAGS=
+ else
+ BUILD_CPPFLAGS=${CPPFLAGS}
+ fi
+fi
+AC_SUBST(BUILD_CPPFLAGS)
+
if test "x${BUILD_CFLAGS+set}" != "xset" ; then
if test "x$cross_compiling" = "xyes" ; then
BUILD_CFLAGS=
diff --git a/doc/specs/Makefile.am b/doc/specs/Makefile.am
index 36d53ba..99ecc70 100644
--- a/doc/specs/Makefile.am
+++ b/doc/specs/Makefile.am
@@ -12,6 +12,7 @@ draft-morgan-pam-current.txt: padout draft-morgan-pam.raw
AM_YFLAGS = -d
CC = @CC_FOR_BUILD@
+CPPFLAGS = @BUILD_CPPFLAGS@
CFLAGS = @BUILD_CFLAGS@
LDFLAGS = @BUILD_LDFLAGS@
--
ldv
9 years, 3 months
[linux-pam] #27: pam_timestamp path traversal issue
by fedora-badges
#27: pam_timestamp path traversal issue
-----------------------+------------------------------
Reporter: tmraz | Owner: pam-developers@…
Type: security | Status: new
Priority: major | Component: modules
Version: | Keywords:
Blocked By: | Blocking:
-----------------------+------------------------------
pam_timestamp uses PAM_RUSER and PAM_TTY directly without any checks. If
the user can mainpulate PAM_RUSER and PAM_TTY contents (which is mostly
not possible, but there might be scenarios where it is) he would be able
to get access to a service without proper checking.
See http://seclists.org/oss-sec/2014/q1/645 for the original report by
Sebastian Krahmer.
I suppose sufficient mitigation would be to look for ".." in both
PAM_RUSER and PAM_TTY and reject authentication attempt if they contain
this string.
I would also document that the module should never be used with services
where the authenticating user can manipulate the PAM_RUSER variable
contents.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/27>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
9 years, 3 months
[linux-pam] #31: typos in doc install rules
by fedora-badges
#31: typos in doc install rules
---------------------+------------------------------
Reporter: vapier | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: documentation
Version: | Keywords:
Blocked By: | Blocking:
---------------------+------------------------------
the current Makefile.am doc install-data-local & releasedocs rules try to
test for files existing in the builddir to see whether it should install
from there or the srcdir. it used to largely work before this commit:
https://git.fedorahosted.org/cgit/linux-
pam.git/commit/doc/adg/Makefile.am?id=65b0aeaecd75e081993c48db2837958073185165
but now when you do out of tree builds, it ends up never installing any of
the doc files even though they exist in $srcdir.
there's also a typo in the adg and mwg files where they try to install
"sag" files.
reported here:
[https://bugs.gentoo.org/473650]
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/31>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
9 years, 3 months