[linux-pam] #36: pam_fail_delay() inconsistent delay distribution
by fedora-badges
#36: pam_fail_delay() inconsistent delay distribution
---------------------+------------------------------
Reporter: szidek | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: library
Version: 1.1.x | Keywords:
Blocked By: | Blocking:
---------------------+------------------------------
Man page says: Should pam_authenticate(3) fail, the failing return to the
application is delayed by an amount of time randomly distributed (by up to
25%) about this longest value.
However, code uses distribution 50%.
(Comments also say 25%.)
I think these values should be consistent.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/36>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
9 years
[PATCH 1/6] build-sys: rename configure.in to configure.ac
by Ronny Chevalier
aclocal: warning: autoconf input should be named 'configure.ac', not 'configure.in'
* configure.in: Renamed to configure.ac
---
configure.ac | 638 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
configure.in | 638 -----------------------------------------------------------
2 files changed, 638 insertions(+), 638 deletions(-)
create mode 100644 configure.ac
delete mode 100644 configure.in
diff --git a/configure.ac b/configure.ac
new file mode 100644
index 0000000..2597802
--- /dev/null
+++ b/configure.ac
@@ -0,0 +1,638 @@
+dnl Process this file with autoconf to produce a configure script.
+AC_INIT([Linux-PAM], [1.1.8], , [Linux-PAM])
+AC_CONFIG_SRCDIR([conf/pam_conv1/pam_conv_y.y])
+AC_CONFIG_AUX_DIR([build-aux])
+AM_INIT_AUTOMAKE
+AC_PREREQ([2.61])
+AC_CONFIG_HEADERS([config.h])
+AC_CONFIG_MACRO_DIR([m4])
+AC_CANONICAL_HOST
+
+AC_SUBST(PACKAGE)
+AC_SUBST(VERSION)
+
+dnl
+dnl By default, everything under PAM is installed below /usr.
+dnl
+AC_PREFIX_DEFAULT(/usr)
+
+dnl and some hacks to use /etc and /lib
+test "${prefix}" = "NONE" && prefix="/usr"
+if test ${prefix} = '/usr'
+then
+dnl If we use /usr as prefix, use /etc for config files
+ if test ${sysconfdir} = '${prefix}/etc'
+ then
+ sysconfdir="/etc"
+ fi
+ if test ${libdir} = '${exec_prefix}/lib'
+ then
+ case "`uname -m`" in
+ x86_64|ppc64|s390x|sparc64)
+ libdir="/lib64" ;;
+ *)
+ libdir="/lib" ;;
+ esac
+ fi
+ if test ${sbindir} = '${exec_prefix}/sbin'
+ then
+ sbindir="/sbin"
+ fi
+dnl If we use /usr as prefix, use /usr/share/man for manual pages
+ if test ${mandir} = '${prefix}/man'
+ then
+ mandir='${prefix}/share/man'
+ fi
+dnl Add security to include directory
+ if test ${includedir} = '${prefix}/include'
+ then
+ includedir="${prefix}/include/security"
+ fi
+
+dnl Add /var directory
+ if test ${localstatedir} = '${prefix}/var'
+ then
+ localstatedir="/var"
+ fi
+
+fi
+
+dnl This should be called before any macros that run the C compiler.
+AC_USE_SYSTEM_EXTENSIONS
+
+LT_INIT([disable-static])
+
+dnl
+dnl check if we should link everything static into libpam
+dnl
+AC_ARG_ENABLE(static-modules,AS_HELP_STRING([--enable-static-modules],
+ [do not make the modules dynamically loadable]),
+ STATIC_MODULES=$enableval,STATIC_MODULES=no)
+if test "$STATIC_MODULES" != "no" ; then
+ CFLAGS="$CFLAGS -DPAM_STATIC"
+ AC_ENABLE_STATIC([yes])
+ AC_ENABLE_SHARED([no])
+else
+# per default don't build static libraries
+ AC_ENABLE_STATIC([no])
+ AC_ENABLE_SHARED([yes])
+fi
+AM_CONDITIONAL([STATIC_MODULES], [test "$STATIC_MODULES" != "no"])
+
+dnl Checks for programs.
+AC_PROG_CC
+AC_PROG_YACC
+AM_PROG_LEX
+AC_PROG_INSTALL
+AC_PROG_LN_S
+AC_PROG_MAKE_SET
+AM_PROG_CC_C_O
+PAM_LD_AS_NEEDED
+PAM_LD_NO_UNDEFINED
+PAM_LD_O1
+
+dnl Largefile support
+AC_SYS_LARGEFILE
+
+dnl icc claims to be GCC compatible, but use other flags for warnings
+if eval "test x$GCC = xyes -a $CC != icc"; then
+ for flag in \
+ -W \
+ -Wall \
+ -Wbad-function-cast \
+ -Wcast-align \
+ -Wcast-qual \
+ -Wmissing-declarations \
+ -Wmissing-prototypes \
+ -Wpointer-arith \
+ -Wreturn-type \
+ -Wstrict-prototypes \
+ -Wwrite-strings \
+ -Winline \
+ -Wshadow
+ do
+ JAPHAR_GREP_CFLAGS($flag, [ CFLAGS="$CFLAGS $flag" ])
+ done
+fi
+dnl icc has special warning flags
+if eval "test x$CC = xicc"; then
+ for flag in \
+ -Wall \
+ -Wmissing-prototypes \
+ -Wpointer-arith \
+ -Wreturn-type \
+ -Wstrict-prototypes \
+ -Wwrite-strings \
+ -Wshadow \
+ -Wp64 \
+ -Wdeprecated \
+ -Wuninitialized \
+ -Wmain
+ do
+ JAPHAR_GREP_CFLAGS($flag, [ CFLAGS="$CFLAGS $flag" ])
+ done
+fi
+
+if test "x${CC_FOR_BUILD+set}" != "xset" ; then
+ if test "x$cross_compiling" = "xyes" ; then
+ AC_CHECK_PROGS(CC_FOR_BUILD, gcc cc)
+ else
+ CC_FOR_BUILD=${CC}
+ fi
+fi
+AC_MSG_CHECKING([for CC_FOR_BUILD])
+AC_MSG_RESULT([$CC_FOR_BUILD])
+AC_SUBST(CC_FOR_BUILD)
+
+if test "x${BUILD_CFLAGS+set}" != "xset" ; then
+ if test "x$cross_compiling" = "xyes" ; then
+ BUILD_CFLAGS=
+ else
+ BUILD_CFLAGS=${CFLAGS}
+ fi
+fi
+AC_SUBST(BUILD_CFLAGS)
+
+if test "x${BUILD_LDFLAGS+set}" != "xset" ; then
+ if test "x$cross_compiling" = "xyes" ; then
+ BUILD_LDFLAGS=
+ else
+ BUILD_LDFLAGS=${LDFLAGS}
+ fi
+fi
+AC_SUBST(BUILD_LDFLAGS)
+
+AC_C___ATTRIBUTE__
+
+dnl
+dnl Check if --version-script is supported by ld
+dnl
+AC_CACHE_CHECK(for .symver assembler directive, libc_cv_asm_symver_directive,
+[cat > conftest.s <<EOF
+${libc_cv_dot_text}
+_sym:
+.symver _sym,sym@VERS
+EOF
+if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
+ libc_cv_asm_symver_directive=yes
+else
+ libc_cv_asm_symver_directive=no
+fi
+rm -f conftest*])
+AC_CACHE_CHECK(for ld --version-script, libc_cv_ld_version_script_option, [dnl
+if test $libc_cv_asm_symver_directive = yes; then
+ cat > conftest.s <<EOF
+${libc_cv_dot_text}
+_sym:
+.symver _sym,sym@VERS
+EOF
+ cat > conftest.map <<EOF
+VERS_1 {
+ global: sym;
+};
+
+VERS_2 {
+ global: sym;
+} VERS_1;
+EOF
+ if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD;
+then
+ if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared
+ -o conftest.so conftest.o
+ -nostartfiles -nostdlib
+ -Wl,--version-script,conftest.map
+ 1>&AS_MESSAGE_LOG_FD]);
+ then
+ libc_cv_ld_version_script_option=yes
+ else
+ libc_cv_ld_version_script_option=no
+ fi
+ else
+ libc_cv_ld_version_script_option=no
+ fi
+else
+ libc_cv_ld_version_script_option=no
+fi
+rm -f conftest*])
+AM_CONDITIONAL([HAVE_VERSIONING],
+ [test "$libc_cv_ld_version_script_option" = "yes"])
+
+dnl
+dnl check for -fPIE/-pie support
+dnl
+dnl icc handles -fpie as -fp without error, so blacklist icc
+dnl
+AC_ARG_ENABLE(pie,AS_HELP_STRING([--disable-pie],
+ [disable position-independent executeables (PIE)]),
+ USE_PIE=$enableval, USE_PIE=yes)
+
+AC_CACHE_CHECK(for -fpie, libc_cv_fpie, [dnl
+ cat > conftest.c <<EOF
+int foo;
+main () { return 0;}
+EOF
+ if test "$USE_PIE" = "yes" -a "$CC" != "icc" &&
+ AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS -pie -fpie
+ -o conftest conftest.c 1>&AS_MESSAGE_LOG_FD])
+ then
+ libc_cv_fpie=yes
+ PIE_CFLAGS="-fpie"
+ PIE_LDFLAGS="-pie"
+ else
+ libc_cv_fpie=no
+ PIE_CFLAGS=""
+ PIE_LDFLAGS=""
+ fi
+ rm -f conftest*])
+AC_SUBST(libc_cv_fpie)
+AC_SUBST(PIE_CFLAGS)
+AC_SUBST(PIE_LDFLAGS)
+
+
+dnl
+dnl options and defaults
+dnl
+
+AC_ARG_ENABLE([prelude],
+ AS_HELP_STRING([--disable-prelude],[do not use prelude]),
+ WITH_PRELUDE=$enableval, WITH_PRELUDE=yes)
+if test "$WITH_PRELUDE" == "yes" ; then
+ AM_PATH_LIBPRELUDE([0.9.0])
+ if test "$LIBPRELUDE_CONFIG" != "no" ; then
+ LIBPRELUDE_CFLAGS="$LIBPRELUDE_CFLAGS -DPRELUDE=1"
+ fi
+fi
+
+dnl lots of debugging information goes to /var/run/pam-debug.log
+AC_ARG_ENABLE([debug],
+ AS_HELP_STRING([--enable-debug],[specify you are building with debugging on]))
+
+if test x"$enable_debug" = x"yes" ; then
+ AC_DEFINE([PAM_DEBUG],,
+ [lots of stuff gets written to /var/run/pam-debug.log])
+fi
+
+AC_ARG_ENABLE(securedir,
+ AS_HELP_STRING([--enable-securedir=DIR],[path to location of PAMs @<:@default=$libdir/security@:>@]),
+ SECUREDIR=$enableval, SECUREDIR=$libdir/security)
+AC_SUBST(SECUREDIR)
+
+AC_ARG_ENABLE([isadir],
+ AS_HELP_STRING([--enable-isadir=DIR],[path to arch-specific module files @<:@default=../../(basename of $libdir)/security@:>@]),
+ISA=$enableval,
+ISA=../../`basename $libdir`/security)
+unset mylibdirbase
+AC_DEFINE_UNQUOTED(_PAM_ISA,"$ISA",[Define to the path, relative to SECUREDIR, where PAMs specific to this architecture can be found.])
+AC_MSG_RESULT([Defining \$ISA to "$ISA"])
+
+AC_ARG_ENABLE(sconfigdir,
+ AS_HELP_STRING([--enable-sconfigdir=DIR],[path to module conf files @<:@default=$sysconfdir/security@:>@]),
+ SCONFIGDIR=$enableval, SCONFIGDIR=$sysconfdir/security)
+AC_SUBST(SCONFIGDIR)
+
+AC_ARG_ENABLE(pamlocking,
+ AS_HELP_STRING([--enable-pamlocking],[configure libpam to observe a global authentication lock]))
+
+if test x"$enable_pamlocking" = "xyes"; then
+ AC_DEFINE([PAM_LOCKING],,
+ [libpam should observe a global authentication lock])
+fi
+
+AC_ARG_ENABLE(read-both-confs,
+ AS_HELP_STRING([--enable-read-both-confs],[read both /etc/pam.d and /etc/pam.conf files]))
+
+if test x"$enable_read_both_confs" = "xyes"; then
+ AC_DEFINE([PAM_READ_BOTH_CONFS],,
+ [read both /etc/pam.d and /etc/pam.conf files])
+fi
+
+AC_ARG_ENABLE([lckpwdf],
+ AS_HELP_STRING([--disable-lckpwdf],[do not use the lckpwdf function]),
+ WITH_LCKPWDF=$enableval, WITH_LCKPWDF=yes)
+if test "$WITH_LCKPWDF" == "yes" ; then
+ AC_DEFINE([USE_LCKPWDF], 1,
+ [Define to 1 if the lckpwdf function should be used])
+fi
+
+AC_CHECK_HEADERS(paths.h)
+AC_ARG_WITH(mailspool,
+[ --with-mailspool path to mail spool directory
+ [default _PATH_MAILDIR if defined in paths.h, otherwise /var/spool/mail]],
+with_mailspool=${withval})
+if test x$with_mailspool != x ; then
+ pam_mail_spool="\"$with_mailspool\""
+else
+ AC_RUN_IFELSE([AC_LANG_SOURCE([[
+#include <paths.h>
+int main() {
+#ifdef _PATH_MAILDIR
+exit(0);
+#else
+exit(1);
+#endif
+}]])],[pam_mail_spool="_PATH_MAILDIR"],[pam_mail_spool="\"/var/spool/mail\""],[pam_mail_spool="\"/var/spool/mail\""])
+fi
+AC_DEFINE_UNQUOTED(PAM_PATH_MAILDIR, $pam_mail_spool,
+ [Path where mails are stored])
+
+AC_ARG_WITH(xauth,
+[ --with-xauth additional path to check for xauth when it is called from pam_xauth
+ [added to the default of /usr/X11R6/bin/xauth, /usr/bin/xauth, /usr/bin/X11/xauth]],
+pam_xauth_path=${withval})
+if test x$with_xauth == x ; then
+ AC_PATH_PROG(pam_xauth_path, xauth)
+dnl There is no sense in adding the first default path
+ if test x$pam_xauth_path == x/usr/X11R6/bin/xauth ; then
+ unset pam_xauth_path
+ fi
+fi
+
+if test x$pam_xauth_path != x ; then
+ AC_DEFINE_UNQUOTED(PAM_PATH_XAUTH, "$pam_xauth_path",
+ [Additional path of xauth executable])
+fi
+
+dnl Checks for the existence of libdl - on BSD and Tru64 its part of libc
+AC_CHECK_LIB([dl], [dlopen], LIBDL="-ldl", LIBDL="")
+AC_SUBST(LIBDL)
+
+# Check for cracklib
+AC_ARG_ENABLE([cracklib],
+ AS_HELP_STRING([--disable-cracklib],[do not use cracklib]),
+ WITH_CRACKLIB=$enableval, WITH_CRACKLIB=yes)
+if test x"$WITH_CRACKLIB" != xno ; then
+ AC_CHECK_HEADERS([crack.h],
+ AC_CHECK_LIB([crack], [FascistCheck], LIBCRACK="-lcrack", LIBCRACK=""))
+else
+ LIBCRACK=""
+fi
+if test -n "$LIBCRACK"; then
+ AC_DEFINE([HAVE_LIBCRACK], [1], [Define to 1 if you have cracklib.])
+fi
+AC_SUBST(LIBCRACK)
+AM_CONDITIONAL([HAVE_LIBCRACK], [test -n "$LIBCRACK"])
+
+dnl Look for Linux Auditing library - see documentation
+AC_ARG_ENABLE([audit],
+ AS_HELP_STRING([--disable-audit],[do not enable audit support]),
+ WITH_LIBAUDIT=$enableval, WITH_LIBAUDIT=yes)
+if test x"$WITH_LIBAUDIT" != xno ; then
+ AC_CHECK_HEADER([libaudit.h],
+ [AC_CHECK_LIB(audit, audit_log_acct_message, LIBAUDIT=-laudit, LIBAUDIT="")
+ AC_CHECK_TYPE([struct audit_tty_status],
+ [HAVE_AUDIT_TTY_STATUS=yes],
+ [HAVE_AUDIT_TTY_STATUS=""],
+ [#include <libaudit.h>])]
+ )
+ if test ! -z "$LIBAUDIT" -a "$ac_cv_header_libaudit_h" != "no" ; then
+ AC_DEFINE([HAVE_LIBAUDIT], 1, [Define to 1 if audit support should be compiled in.])
+ fi
+ if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then
+ AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.])
+
+ AC_CHECK_MEMBERS([struct audit_tty_status.log_passwd], [],
+ AC_MSG_WARN([audit_tty_status.log_passwd is not available. The log_passwd option is disabled.]),
+ [[#include <libaudit.h>]])
+ fi
+else
+ LIBAUDIT=""
+fi
+AC_SUBST(LIBAUDIT)
+AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS],
+ [test "x$HAVE_AUDIT_TTY_STATUS" = xyes])
+
+AC_CHECK_HEADERS(xcrypt.h crypt.h)
+AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
+ [crypt_libs="xcrypt crypt"],
+ [crypt_libs="crypt"])
+
+BACKUP_LIBS=$LIBS
+AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="-l$ac_lib", LIBCRYPT="")
+AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
+LIBS=$BACKUP_LIBS
+AC_SUBST(LIBCRYPT)
+if test "$LIBCRYPT" = "-lxcrypt" -a "$ac_cv_header_xcrypt_h" = "yes" ; then
+ AC_DEFINE([HAVE_LIBXCRYPT], 1, [Define to 1 if xcrypt support should be compiled in.])
+fi
+
+AC_ARG_WITH([randomdev], AS_HELP_STRING([--with-randomdev=(<path>|yes|no)],[use specified random device instead of /dev/urandom or 'no' to disable]), opt_randomdev=$withval)
+if test "$opt_randomdev" = yes -o -z "$opt_randomdev"; then
+ opt_randomdev="/dev/urandom"
+elif test "$opt_randomdev" = no; then
+ opt_randomdev=
+fi
+if test -n "$opt_randomdev"; then
+ AC_DEFINE_UNQUOTED(PAM_PATH_RANDOMDEV, "$opt_randomdev", [Random device path.])
+fi
+
+dnl check for libdb or libndbm as fallback. Some libndbm compat
+dnl libraries are unuseable, so try libdb first.
+AC_ARG_ENABLE([db],
+ AS_HELP_STRING([--enable-db=(db|ndbm|yes|no)],[Default behavior 'yes', which is to check for libdb first, followed by ndbm. Use 'no' to disable db support.]),
+ WITH_DB=$enableval, WITH_DB=yes)
+AC_ARG_WITH([db-uniquename],
+ AS_HELP_STRING([--with-db-uniquename=extension],[Unique name for db libraries and functions.]))
+if test x"$WITH_DB" != xno ; then
+ if test x"$WITH_DB" = xyes -o x"$WITH_DB" = xdb ; then
+ old_libs=$LIBS
+ LIBS="$LIBS -ldb$with_db_uniquename"
+ AC_CHECK_FUNCS([db_create$with_db_uniquename db_create dbm_store$with_db_uniquename dbm_store],
+ [LIBDB="-ldb$with_db_uniquename"; break])
+ LIBS=$old_libs
+ fi
+ if test -z "$LIBDB" ; then
+ AC_CHECK_LIB([ndbm],[dbm_store], LIBDB="-lndbm", LIBDB="")
+ if test ! -z "$LIBDB" ; then
+ AC_CHECK_HEADERS(ndbm.h)
+ fi
+ else
+ AC_CHECK_HEADERS(db.h)
+ fi
+fi
+AC_SUBST(LIBDB)
+AM_CONDITIONAL([HAVE_LIBDB], [test ! -z "$LIBDB"])
+
+AC_ARG_ENABLE([nis],
+ AS_HELP_STRING([--disable-nis], [Disable building NIS/YP support in pam_unix and pam_access]))
+
+AS_IF([test "x$enable_nis" != "xno"], [
+ CFLAGS=$old_CFLAGS
+ LIBS=$old_LIBS
+
+ dnl if there's libtirpc available, prefer that over the system
+ dnl implementation.
+ PKG_CHECK_MODULES([libtirpc], [libtirpc], [
+ CFLAGS="$CFLAGS $libtirpc_CFLAGS"
+ LIBS="$LIBS $libtirpc_LIBS"
+ ], [:;])
+
+ AC_SEARCH_LIBS([yp_get_default_domain], [nsl])
+
+ AC_CHECK_FUNCS([yp_get_default_domain yperr_string yp_master yp_bind yp_match yp_unbind])
+ AC_CHECK_HEADERS([rpc/rpc.h rpcsvc/ypclnt.h rpcsvc/yp_prot.h])
+ AC_CHECK_DECLS([getrpcport], , , [
+ #if HAVE_RPC_RPC_H
+ # include <rpc/rpc.h>
+ #endif
+ ])
+
+ NIS_CFLAGS="${CFLAGS%${old_CFLAGS}}"
+ NIS_LIBS="${LIBS%${old_LIBS}}"
+
+ CFLAGS="$old_CFLAGS"
+ LIBS="$old_LIBS"
+])
+
+AC_SUBST([NIS_CFLAGS])
+AC_SUBST([NIS_LIBS])
+
+AC_ARG_ENABLE([selinux],
+ AS_HELP_STRING([--disable-selinux],[do not use SELinux]),
+ WITH_SELINUX=$enableval, WITH_SELINUX=yes)
+if test "$WITH_SELINUX" == "yes" ; then
+ AC_CHECK_LIB([selinux],[getfilecon], LIBSELINUX="-lselinux", LIBSELINUX="")
+else
+ LIBSELINUX=""
+fi
+AC_SUBST(LIBSELINUX)
+AM_CONDITIONAL([HAVE_LIBSELINUX], [test ! -z "$LIBSELINUX"])
+if test ! -z "$LIBSELINUX" ; then
+ AC_DEFINE([WITH_SELINUX], 1, [Defined if SE Linux support is compiled in])
+ BACKUP_LIBS=$LIBS
+ LIBS="$LIBS $LIBSELINUX"
+ AC_CHECK_FUNCS(setkeycreatecon)
+ AC_CHECK_FUNCS(getseuser)
+ LIBS=$BACKUP_LIBS
+fi
+
+dnl Checks for header files.
+AC_HEADER_DIRENT
+AC_HEADER_STDC
+AC_HEADER_SYS_WAIT
+AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h net/if.h termio.h unistd.h sys/fsuid.h inittypes.h)
+
+dnl For module/pam_lastlog
+AC_CHECK_HEADERS(lastlog.h utmp.h utmpx.h)
+
+dnl Checks for typedefs, structures, and compiler characteristics.
+AC_C_BIGENDIAN
+AC_C_CONST
+AC_TYPE_UID_T
+AC_TYPE_OFF_T
+AC_TYPE_PID_T
+AC_TYPE_SIZE_T
+AC_HEADER_TIME
+AC_STRUCT_TM
+
+dnl Checks for library functions.
+AC_TYPE_GETGROUPS
+AC_PROG_GCC_TRADITIONAL
+AC_FUNC_MEMCMP
+AC_FUNC_VPRINTF
+AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir select)
+AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
+AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
+AC_CHECK_FUNCS(getgrouplist getline getdelim)
+AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
+
+AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
+AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
+
+AC_ARG_ENABLE([regenerate-docu],
+ AS_HELP_STRING([--disable-regenerate-docu],[Don't re-build documentation from XML sources]),
+ [enable_docu=$enableval], [enable_docu=yes])
+dnl
+dnl Check for xsltproc
+dnl
+AC_PATH_PROG([XSLTPROC], [xsltproc])
+if test -z "$XSLTPROC"; then
+ enable_docu=no
+fi
+AC_PATH_PROG([XMLLINT], [xmllint],[/bin/true])
+dnl check for DocBook DTD and stylesheets in the local catalog.
+JH_CHECK_XML_CATALOG([-//OASIS//DTD DocBook XML V4.4//EN],
+ [DocBook XML DTD V4.4], [], enable_docu=no)
+JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl],
+ [DocBook XSL Stylesheets], [], enable_docu=no)
+
+AC_PATH_PROG([BROWSER], [w3m])
+if test ! -z "$BROWSER"; then
+ BROWSER="$BROWSER -T text/html -dump"
+else
+ enable_docu=no
+fi
+
+AC_PATH_PROG([FO2PDF], [fop])
+
+AM_CONDITIONAL(ENABLE_REGENERATE_MAN, test x$enable_docu != xno)
+AM_CONDITIONAL(ENABLE_GENERATE_PDF, test ! -z "$FO2PDF")
+
+
+AM_GNU_GETTEXT_VERSION([0.15])
+AM_GNU_GETTEXT([external])
+AC_CHECK_FUNCS(dngettext)
+
+AH_BOTTOM([#ifdef ENABLE_NLS
+#include <libintl.h>
+#define _(msgid) dgettext(PACKAGE, msgid)
+#define N_(msgid) msgid
+#else
+#define _(msgid) (msgid)
+#define N_(msgid) msgid
+#endif /* ENABLE_NLS */])
+
+dnl
+dnl Check for the availability of the kernel key management facility
+dnl - The pam_keyinit module only requires the syscalls, not the error codes
+dnl
+AC_CHECK_DECL(__NR_keyctl, [have_key_syscalls=1],[have_key_syscalls=0],[#include <sys/syscall.h>])
+AC_CHECK_DECL(ENOKEY, [have_key_errors=1],[have_key_errors=0],[#include <errno.h>])
+
+HAVE_KEY_MANAGEMENT=0
+if test $have_key_syscalls$have_key_errors = 11
+then
+ HAVE_KEY_MANAGEMENT=1
+fi
+
+if test $HAVE_KEY_MANAGEMENT = 1; then
+ AC_DEFINE([HAVE_KEY_MANAGEMENT], 1,
+ [Defined if the kernel key management facility is available])
+fi
+AC_SUBST([HAVE_KEY_MANAGEMENT], $HAVE_KEY_MANAGEMENT)
+
+AM_CONDITIONAL([HAVE_KEY_MANAGEMENT], [test "$have_key_syscalls" = 1])
+
+dnl Files to be created from when we run configure
+AC_CONFIG_FILES([Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile \
+ libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
+ po/Makefile.in \
+ modules/Makefile \
+ modules/pam_access/Makefile modules/pam_cracklib/Makefile \
+ modules/pam_debug/Makefile modules/pam_deny/Makefile \
+ modules/pam_echo/Makefile modules/pam_env/Makefile \
+ modules/pam_faildelay/Makefile \
+ modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \
+ modules/pam_ftp/Makefile modules/pam_group/Makefile \
+ modules/pam_issue/Makefile modules/pam_keyinit/Makefile \
+ modules/pam_lastlog/Makefile modules/pam_limits/Makefile \
+ modules/pam_listfile/Makefile modules/pam_localuser/Makefile \
+ modules/pam_loginuid/Makefile modules/pam_mail/Makefile \
+ modules/pam_mkhomedir/Makefile modules/pam_motd/Makefile \
+ modules/pam_namespace/Makefile \
+ modules/pam_nologin/Makefile modules/pam_permit/Makefile \
+ modules/pam_pwhistory/Makefile modules/pam_rhosts/Makefile \
+ modules/pam_rootok/Makefile modules/pam_exec/Makefile \
+ modules/pam_securetty/Makefile modules/pam_selinux/Makefile \
+ modules/pam_sepermit/Makefile \
+ modules/pam_shells/Makefile modules/pam_stress/Makefile \
+ modules/pam_succeed_if/Makefile modules/pam_tally/Makefile \
+ modules/pam_tally2/Makefile modules/pam_time/Makefile \
+ modules/pam_timestamp/Makefile modules/pam_tty_audit/Makefile \
+ modules/pam_umask/Makefile \
+ modules/pam_unix/Makefile modules/pam_userdb/Makefile \
+ modules/pam_warn/Makefile modules/pam_wheel/Makefile \
+ modules/pam_xauth/Makefile doc/Makefile doc/specs/Makefile \
+ doc/man/Makefile doc/sag/Makefile doc/adg/Makefile \
+ doc/mwg/Makefile examples/Makefile tests/Makefile \
+ xtests/Makefile])
+AC_OUTPUT
diff --git a/configure.in b/configure.in
deleted file mode 100644
index 2597802..0000000
--- a/configure.in
+++ /dev/null
@@ -1,638 +0,0 @@
-dnl Process this file with autoconf to produce a configure script.
-AC_INIT([Linux-PAM], [1.1.8], , [Linux-PAM])
-AC_CONFIG_SRCDIR([conf/pam_conv1/pam_conv_y.y])
-AC_CONFIG_AUX_DIR([build-aux])
-AM_INIT_AUTOMAKE
-AC_PREREQ([2.61])
-AC_CONFIG_HEADERS([config.h])
-AC_CONFIG_MACRO_DIR([m4])
-AC_CANONICAL_HOST
-
-AC_SUBST(PACKAGE)
-AC_SUBST(VERSION)
-
-dnl
-dnl By default, everything under PAM is installed below /usr.
-dnl
-AC_PREFIX_DEFAULT(/usr)
-
-dnl and some hacks to use /etc and /lib
-test "${prefix}" = "NONE" && prefix="/usr"
-if test ${prefix} = '/usr'
-then
-dnl If we use /usr as prefix, use /etc for config files
- if test ${sysconfdir} = '${prefix}/etc'
- then
- sysconfdir="/etc"
- fi
- if test ${libdir} = '${exec_prefix}/lib'
- then
- case "`uname -m`" in
- x86_64|ppc64|s390x|sparc64)
- libdir="/lib64" ;;
- *)
- libdir="/lib" ;;
- esac
- fi
- if test ${sbindir} = '${exec_prefix}/sbin'
- then
- sbindir="/sbin"
- fi
-dnl If we use /usr as prefix, use /usr/share/man for manual pages
- if test ${mandir} = '${prefix}/man'
- then
- mandir='${prefix}/share/man'
- fi
-dnl Add security to include directory
- if test ${includedir} = '${prefix}/include'
- then
- includedir="${prefix}/include/security"
- fi
-
-dnl Add /var directory
- if test ${localstatedir} = '${prefix}/var'
- then
- localstatedir="/var"
- fi
-
-fi
-
-dnl This should be called before any macros that run the C compiler.
-AC_USE_SYSTEM_EXTENSIONS
-
-LT_INIT([disable-static])
-
-dnl
-dnl check if we should link everything static into libpam
-dnl
-AC_ARG_ENABLE(static-modules,AS_HELP_STRING([--enable-static-modules],
- [do not make the modules dynamically loadable]),
- STATIC_MODULES=$enableval,STATIC_MODULES=no)
-if test "$STATIC_MODULES" != "no" ; then
- CFLAGS="$CFLAGS -DPAM_STATIC"
- AC_ENABLE_STATIC([yes])
- AC_ENABLE_SHARED([no])
-else
-# per default don't build static libraries
- AC_ENABLE_STATIC([no])
- AC_ENABLE_SHARED([yes])
-fi
-AM_CONDITIONAL([STATIC_MODULES], [test "$STATIC_MODULES" != "no"])
-
-dnl Checks for programs.
-AC_PROG_CC
-AC_PROG_YACC
-AM_PROG_LEX
-AC_PROG_INSTALL
-AC_PROG_LN_S
-AC_PROG_MAKE_SET
-AM_PROG_CC_C_O
-PAM_LD_AS_NEEDED
-PAM_LD_NO_UNDEFINED
-PAM_LD_O1
-
-dnl Largefile support
-AC_SYS_LARGEFILE
-
-dnl icc claims to be GCC compatible, but use other flags for warnings
-if eval "test x$GCC = xyes -a $CC != icc"; then
- for flag in \
- -W \
- -Wall \
- -Wbad-function-cast \
- -Wcast-align \
- -Wcast-qual \
- -Wmissing-declarations \
- -Wmissing-prototypes \
- -Wpointer-arith \
- -Wreturn-type \
- -Wstrict-prototypes \
- -Wwrite-strings \
- -Winline \
- -Wshadow
- do
- JAPHAR_GREP_CFLAGS($flag, [ CFLAGS="$CFLAGS $flag" ])
- done
-fi
-dnl icc has special warning flags
-if eval "test x$CC = xicc"; then
- for flag in \
- -Wall \
- -Wmissing-prototypes \
- -Wpointer-arith \
- -Wreturn-type \
- -Wstrict-prototypes \
- -Wwrite-strings \
- -Wshadow \
- -Wp64 \
- -Wdeprecated \
- -Wuninitialized \
- -Wmain
- do
- JAPHAR_GREP_CFLAGS($flag, [ CFLAGS="$CFLAGS $flag" ])
- done
-fi
-
-if test "x${CC_FOR_BUILD+set}" != "xset" ; then
- if test "x$cross_compiling" = "xyes" ; then
- AC_CHECK_PROGS(CC_FOR_BUILD, gcc cc)
- else
- CC_FOR_BUILD=${CC}
- fi
-fi
-AC_MSG_CHECKING([for CC_FOR_BUILD])
-AC_MSG_RESULT([$CC_FOR_BUILD])
-AC_SUBST(CC_FOR_BUILD)
-
-if test "x${BUILD_CFLAGS+set}" != "xset" ; then
- if test "x$cross_compiling" = "xyes" ; then
- BUILD_CFLAGS=
- else
- BUILD_CFLAGS=${CFLAGS}
- fi
-fi
-AC_SUBST(BUILD_CFLAGS)
-
-if test "x${BUILD_LDFLAGS+set}" != "xset" ; then
- if test "x$cross_compiling" = "xyes" ; then
- BUILD_LDFLAGS=
- else
- BUILD_LDFLAGS=${LDFLAGS}
- fi
-fi
-AC_SUBST(BUILD_LDFLAGS)
-
-AC_C___ATTRIBUTE__
-
-dnl
-dnl Check if --version-script is supported by ld
-dnl
-AC_CACHE_CHECK(for .symver assembler directive, libc_cv_asm_symver_directive,
-[cat > conftest.s <<EOF
-${libc_cv_dot_text}
-_sym:
-.symver _sym,sym@VERS
-EOF
-if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
- libc_cv_asm_symver_directive=yes
-else
- libc_cv_asm_symver_directive=no
-fi
-rm -f conftest*])
-AC_CACHE_CHECK(for ld --version-script, libc_cv_ld_version_script_option, [dnl
-if test $libc_cv_asm_symver_directive = yes; then
- cat > conftest.s <<EOF
-${libc_cv_dot_text}
-_sym:
-.symver _sym,sym@VERS
-EOF
- cat > conftest.map <<EOF
-VERS_1 {
- global: sym;
-};
-
-VERS_2 {
- global: sym;
-} VERS_1;
-EOF
- if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD;
-then
- if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared
- -o conftest.so conftest.o
- -nostartfiles -nostdlib
- -Wl,--version-script,conftest.map
- 1>&AS_MESSAGE_LOG_FD]);
- then
- libc_cv_ld_version_script_option=yes
- else
- libc_cv_ld_version_script_option=no
- fi
- else
- libc_cv_ld_version_script_option=no
- fi
-else
- libc_cv_ld_version_script_option=no
-fi
-rm -f conftest*])
-AM_CONDITIONAL([HAVE_VERSIONING],
- [test "$libc_cv_ld_version_script_option" = "yes"])
-
-dnl
-dnl check for -fPIE/-pie support
-dnl
-dnl icc handles -fpie as -fp without error, so blacklist icc
-dnl
-AC_ARG_ENABLE(pie,AS_HELP_STRING([--disable-pie],
- [disable position-independent executeables (PIE)]),
- USE_PIE=$enableval, USE_PIE=yes)
-
-AC_CACHE_CHECK(for -fpie, libc_cv_fpie, [dnl
- cat > conftest.c <<EOF
-int foo;
-main () { return 0;}
-EOF
- if test "$USE_PIE" = "yes" -a "$CC" != "icc" &&
- AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS -pie -fpie
- -o conftest conftest.c 1>&AS_MESSAGE_LOG_FD])
- then
- libc_cv_fpie=yes
- PIE_CFLAGS="-fpie"
- PIE_LDFLAGS="-pie"
- else
- libc_cv_fpie=no
- PIE_CFLAGS=""
- PIE_LDFLAGS=""
- fi
- rm -f conftest*])
-AC_SUBST(libc_cv_fpie)
-AC_SUBST(PIE_CFLAGS)
-AC_SUBST(PIE_LDFLAGS)
-
-
-dnl
-dnl options and defaults
-dnl
-
-AC_ARG_ENABLE([prelude],
- AS_HELP_STRING([--disable-prelude],[do not use prelude]),
- WITH_PRELUDE=$enableval, WITH_PRELUDE=yes)
-if test "$WITH_PRELUDE" == "yes" ; then
- AM_PATH_LIBPRELUDE([0.9.0])
- if test "$LIBPRELUDE_CONFIG" != "no" ; then
- LIBPRELUDE_CFLAGS="$LIBPRELUDE_CFLAGS -DPRELUDE=1"
- fi
-fi
-
-dnl lots of debugging information goes to /var/run/pam-debug.log
-AC_ARG_ENABLE([debug],
- AS_HELP_STRING([--enable-debug],[specify you are building with debugging on]))
-
-if test x"$enable_debug" = x"yes" ; then
- AC_DEFINE([PAM_DEBUG],,
- [lots of stuff gets written to /var/run/pam-debug.log])
-fi
-
-AC_ARG_ENABLE(securedir,
- AS_HELP_STRING([--enable-securedir=DIR],[path to location of PAMs @<:@default=$libdir/security@:>@]),
- SECUREDIR=$enableval, SECUREDIR=$libdir/security)
-AC_SUBST(SECUREDIR)
-
-AC_ARG_ENABLE([isadir],
- AS_HELP_STRING([--enable-isadir=DIR],[path to arch-specific module files @<:@default=../../(basename of $libdir)/security@:>@]),
-ISA=$enableval,
-ISA=../../`basename $libdir`/security)
-unset mylibdirbase
-AC_DEFINE_UNQUOTED(_PAM_ISA,"$ISA",[Define to the path, relative to SECUREDIR, where PAMs specific to this architecture can be found.])
-AC_MSG_RESULT([Defining \$ISA to "$ISA"])
-
-AC_ARG_ENABLE(sconfigdir,
- AS_HELP_STRING([--enable-sconfigdir=DIR],[path to module conf files @<:@default=$sysconfdir/security@:>@]),
- SCONFIGDIR=$enableval, SCONFIGDIR=$sysconfdir/security)
-AC_SUBST(SCONFIGDIR)
-
-AC_ARG_ENABLE(pamlocking,
- AS_HELP_STRING([--enable-pamlocking],[configure libpam to observe a global authentication lock]))
-
-if test x"$enable_pamlocking" = "xyes"; then
- AC_DEFINE([PAM_LOCKING],,
- [libpam should observe a global authentication lock])
-fi
-
-AC_ARG_ENABLE(read-both-confs,
- AS_HELP_STRING([--enable-read-both-confs],[read both /etc/pam.d and /etc/pam.conf files]))
-
-if test x"$enable_read_both_confs" = "xyes"; then
- AC_DEFINE([PAM_READ_BOTH_CONFS],,
- [read both /etc/pam.d and /etc/pam.conf files])
-fi
-
-AC_ARG_ENABLE([lckpwdf],
- AS_HELP_STRING([--disable-lckpwdf],[do not use the lckpwdf function]),
- WITH_LCKPWDF=$enableval, WITH_LCKPWDF=yes)
-if test "$WITH_LCKPWDF" == "yes" ; then
- AC_DEFINE([USE_LCKPWDF], 1,
- [Define to 1 if the lckpwdf function should be used])
-fi
-
-AC_CHECK_HEADERS(paths.h)
-AC_ARG_WITH(mailspool,
-[ --with-mailspool path to mail spool directory
- [default _PATH_MAILDIR if defined in paths.h, otherwise /var/spool/mail]],
-with_mailspool=${withval})
-if test x$with_mailspool != x ; then
- pam_mail_spool="\"$with_mailspool\""
-else
- AC_RUN_IFELSE([AC_LANG_SOURCE([[
-#include <paths.h>
-int main() {
-#ifdef _PATH_MAILDIR
-exit(0);
-#else
-exit(1);
-#endif
-}]])],[pam_mail_spool="_PATH_MAILDIR"],[pam_mail_spool="\"/var/spool/mail\""],[pam_mail_spool="\"/var/spool/mail\""])
-fi
-AC_DEFINE_UNQUOTED(PAM_PATH_MAILDIR, $pam_mail_spool,
- [Path where mails are stored])
-
-AC_ARG_WITH(xauth,
-[ --with-xauth additional path to check for xauth when it is called from pam_xauth
- [added to the default of /usr/X11R6/bin/xauth, /usr/bin/xauth, /usr/bin/X11/xauth]],
-pam_xauth_path=${withval})
-if test x$with_xauth == x ; then
- AC_PATH_PROG(pam_xauth_path, xauth)
-dnl There is no sense in adding the first default path
- if test x$pam_xauth_path == x/usr/X11R6/bin/xauth ; then
- unset pam_xauth_path
- fi
-fi
-
-if test x$pam_xauth_path != x ; then
- AC_DEFINE_UNQUOTED(PAM_PATH_XAUTH, "$pam_xauth_path",
- [Additional path of xauth executable])
-fi
-
-dnl Checks for the existence of libdl - on BSD and Tru64 its part of libc
-AC_CHECK_LIB([dl], [dlopen], LIBDL="-ldl", LIBDL="")
-AC_SUBST(LIBDL)
-
-# Check for cracklib
-AC_ARG_ENABLE([cracklib],
- AS_HELP_STRING([--disable-cracklib],[do not use cracklib]),
- WITH_CRACKLIB=$enableval, WITH_CRACKLIB=yes)
-if test x"$WITH_CRACKLIB" != xno ; then
- AC_CHECK_HEADERS([crack.h],
- AC_CHECK_LIB([crack], [FascistCheck], LIBCRACK="-lcrack", LIBCRACK=""))
-else
- LIBCRACK=""
-fi
-if test -n "$LIBCRACK"; then
- AC_DEFINE([HAVE_LIBCRACK], [1], [Define to 1 if you have cracklib.])
-fi
-AC_SUBST(LIBCRACK)
-AM_CONDITIONAL([HAVE_LIBCRACK], [test -n "$LIBCRACK"])
-
-dnl Look for Linux Auditing library - see documentation
-AC_ARG_ENABLE([audit],
- AS_HELP_STRING([--disable-audit],[do not enable audit support]),
- WITH_LIBAUDIT=$enableval, WITH_LIBAUDIT=yes)
-if test x"$WITH_LIBAUDIT" != xno ; then
- AC_CHECK_HEADER([libaudit.h],
- [AC_CHECK_LIB(audit, audit_log_acct_message, LIBAUDIT=-laudit, LIBAUDIT="")
- AC_CHECK_TYPE([struct audit_tty_status],
- [HAVE_AUDIT_TTY_STATUS=yes],
- [HAVE_AUDIT_TTY_STATUS=""],
- [#include <libaudit.h>])]
- )
- if test ! -z "$LIBAUDIT" -a "$ac_cv_header_libaudit_h" != "no" ; then
- AC_DEFINE([HAVE_LIBAUDIT], 1, [Define to 1 if audit support should be compiled in.])
- fi
- if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then
- AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.])
-
- AC_CHECK_MEMBERS([struct audit_tty_status.log_passwd], [],
- AC_MSG_WARN([audit_tty_status.log_passwd is not available. The log_passwd option is disabled.]),
- [[#include <libaudit.h>]])
- fi
-else
- LIBAUDIT=""
-fi
-AC_SUBST(LIBAUDIT)
-AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS],
- [test "x$HAVE_AUDIT_TTY_STATUS" = xyes])
-
-AC_CHECK_HEADERS(xcrypt.h crypt.h)
-AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
- [crypt_libs="xcrypt crypt"],
- [crypt_libs="crypt"])
-
-BACKUP_LIBS=$LIBS
-AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="-l$ac_lib", LIBCRYPT="")
-AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
-LIBS=$BACKUP_LIBS
-AC_SUBST(LIBCRYPT)
-if test "$LIBCRYPT" = "-lxcrypt" -a "$ac_cv_header_xcrypt_h" = "yes" ; then
- AC_DEFINE([HAVE_LIBXCRYPT], 1, [Define to 1 if xcrypt support should be compiled in.])
-fi
-
-AC_ARG_WITH([randomdev], AS_HELP_STRING([--with-randomdev=(<path>|yes|no)],[use specified random device instead of /dev/urandom or 'no' to disable]), opt_randomdev=$withval)
-if test "$opt_randomdev" = yes -o -z "$opt_randomdev"; then
- opt_randomdev="/dev/urandom"
-elif test "$opt_randomdev" = no; then
- opt_randomdev=
-fi
-if test -n "$opt_randomdev"; then
- AC_DEFINE_UNQUOTED(PAM_PATH_RANDOMDEV, "$opt_randomdev", [Random device path.])
-fi
-
-dnl check for libdb or libndbm as fallback. Some libndbm compat
-dnl libraries are unuseable, so try libdb first.
-AC_ARG_ENABLE([db],
- AS_HELP_STRING([--enable-db=(db|ndbm|yes|no)],[Default behavior 'yes', which is to check for libdb first, followed by ndbm. Use 'no' to disable db support.]),
- WITH_DB=$enableval, WITH_DB=yes)
-AC_ARG_WITH([db-uniquename],
- AS_HELP_STRING([--with-db-uniquename=extension],[Unique name for db libraries and functions.]))
-if test x"$WITH_DB" != xno ; then
- if test x"$WITH_DB" = xyes -o x"$WITH_DB" = xdb ; then
- old_libs=$LIBS
- LIBS="$LIBS -ldb$with_db_uniquename"
- AC_CHECK_FUNCS([db_create$with_db_uniquename db_create dbm_store$with_db_uniquename dbm_store],
- [LIBDB="-ldb$with_db_uniquename"; break])
- LIBS=$old_libs
- fi
- if test -z "$LIBDB" ; then
- AC_CHECK_LIB([ndbm],[dbm_store], LIBDB="-lndbm", LIBDB="")
- if test ! -z "$LIBDB" ; then
- AC_CHECK_HEADERS(ndbm.h)
- fi
- else
- AC_CHECK_HEADERS(db.h)
- fi
-fi
-AC_SUBST(LIBDB)
-AM_CONDITIONAL([HAVE_LIBDB], [test ! -z "$LIBDB"])
-
-AC_ARG_ENABLE([nis],
- AS_HELP_STRING([--disable-nis], [Disable building NIS/YP support in pam_unix and pam_access]))
-
-AS_IF([test "x$enable_nis" != "xno"], [
- CFLAGS=$old_CFLAGS
- LIBS=$old_LIBS
-
- dnl if there's libtirpc available, prefer that over the system
- dnl implementation.
- PKG_CHECK_MODULES([libtirpc], [libtirpc], [
- CFLAGS="$CFLAGS $libtirpc_CFLAGS"
- LIBS="$LIBS $libtirpc_LIBS"
- ], [:;])
-
- AC_SEARCH_LIBS([yp_get_default_domain], [nsl])
-
- AC_CHECK_FUNCS([yp_get_default_domain yperr_string yp_master yp_bind yp_match yp_unbind])
- AC_CHECK_HEADERS([rpc/rpc.h rpcsvc/ypclnt.h rpcsvc/yp_prot.h])
- AC_CHECK_DECLS([getrpcport], , , [
- #if HAVE_RPC_RPC_H
- # include <rpc/rpc.h>
- #endif
- ])
-
- NIS_CFLAGS="${CFLAGS%${old_CFLAGS}}"
- NIS_LIBS="${LIBS%${old_LIBS}}"
-
- CFLAGS="$old_CFLAGS"
- LIBS="$old_LIBS"
-])
-
-AC_SUBST([NIS_CFLAGS])
-AC_SUBST([NIS_LIBS])
-
-AC_ARG_ENABLE([selinux],
- AS_HELP_STRING([--disable-selinux],[do not use SELinux]),
- WITH_SELINUX=$enableval, WITH_SELINUX=yes)
-if test "$WITH_SELINUX" == "yes" ; then
- AC_CHECK_LIB([selinux],[getfilecon], LIBSELINUX="-lselinux", LIBSELINUX="")
-else
- LIBSELINUX=""
-fi
-AC_SUBST(LIBSELINUX)
-AM_CONDITIONAL([HAVE_LIBSELINUX], [test ! -z "$LIBSELINUX"])
-if test ! -z "$LIBSELINUX" ; then
- AC_DEFINE([WITH_SELINUX], 1, [Defined if SE Linux support is compiled in])
- BACKUP_LIBS=$LIBS
- LIBS="$LIBS $LIBSELINUX"
- AC_CHECK_FUNCS(setkeycreatecon)
- AC_CHECK_FUNCS(getseuser)
- LIBS=$BACKUP_LIBS
-fi
-
-dnl Checks for header files.
-AC_HEADER_DIRENT
-AC_HEADER_STDC
-AC_HEADER_SYS_WAIT
-AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h net/if.h termio.h unistd.h sys/fsuid.h inittypes.h)
-
-dnl For module/pam_lastlog
-AC_CHECK_HEADERS(lastlog.h utmp.h utmpx.h)
-
-dnl Checks for typedefs, structures, and compiler characteristics.
-AC_C_BIGENDIAN
-AC_C_CONST
-AC_TYPE_UID_T
-AC_TYPE_OFF_T
-AC_TYPE_PID_T
-AC_TYPE_SIZE_T
-AC_HEADER_TIME
-AC_STRUCT_TM
-
-dnl Checks for library functions.
-AC_TYPE_GETGROUPS
-AC_PROG_GCC_TRADITIONAL
-AC_FUNC_MEMCMP
-AC_FUNC_VPRINTF
-AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir select)
-AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
-AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
-AC_CHECK_FUNCS(getgrouplist getline getdelim)
-AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
-
-AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
-AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
-
-AC_ARG_ENABLE([regenerate-docu],
- AS_HELP_STRING([--disable-regenerate-docu],[Don't re-build documentation from XML sources]),
- [enable_docu=$enableval], [enable_docu=yes])
-dnl
-dnl Check for xsltproc
-dnl
-AC_PATH_PROG([XSLTPROC], [xsltproc])
-if test -z "$XSLTPROC"; then
- enable_docu=no
-fi
-AC_PATH_PROG([XMLLINT], [xmllint],[/bin/true])
-dnl check for DocBook DTD and stylesheets in the local catalog.
-JH_CHECK_XML_CATALOG([-//OASIS//DTD DocBook XML V4.4//EN],
- [DocBook XML DTD V4.4], [], enable_docu=no)
-JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl],
- [DocBook XSL Stylesheets], [], enable_docu=no)
-
-AC_PATH_PROG([BROWSER], [w3m])
-if test ! -z "$BROWSER"; then
- BROWSER="$BROWSER -T text/html -dump"
-else
- enable_docu=no
-fi
-
-AC_PATH_PROG([FO2PDF], [fop])
-
-AM_CONDITIONAL(ENABLE_REGENERATE_MAN, test x$enable_docu != xno)
-AM_CONDITIONAL(ENABLE_GENERATE_PDF, test ! -z "$FO2PDF")
-
-
-AM_GNU_GETTEXT_VERSION([0.15])
-AM_GNU_GETTEXT([external])
-AC_CHECK_FUNCS(dngettext)
-
-AH_BOTTOM([#ifdef ENABLE_NLS
-#include <libintl.h>
-#define _(msgid) dgettext(PACKAGE, msgid)
-#define N_(msgid) msgid
-#else
-#define _(msgid) (msgid)
-#define N_(msgid) msgid
-#endif /* ENABLE_NLS */])
-
-dnl
-dnl Check for the availability of the kernel key management facility
-dnl - The pam_keyinit module only requires the syscalls, not the error codes
-dnl
-AC_CHECK_DECL(__NR_keyctl, [have_key_syscalls=1],[have_key_syscalls=0],[#include <sys/syscall.h>])
-AC_CHECK_DECL(ENOKEY, [have_key_errors=1],[have_key_errors=0],[#include <errno.h>])
-
-HAVE_KEY_MANAGEMENT=0
-if test $have_key_syscalls$have_key_errors = 11
-then
- HAVE_KEY_MANAGEMENT=1
-fi
-
-if test $HAVE_KEY_MANAGEMENT = 1; then
- AC_DEFINE([HAVE_KEY_MANAGEMENT], 1,
- [Defined if the kernel key management facility is available])
-fi
-AC_SUBST([HAVE_KEY_MANAGEMENT], $HAVE_KEY_MANAGEMENT)
-
-AM_CONDITIONAL([HAVE_KEY_MANAGEMENT], [test "$have_key_syscalls" = 1])
-
-dnl Files to be created from when we run configure
-AC_CONFIG_FILES([Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile \
- libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
- po/Makefile.in \
- modules/Makefile \
- modules/pam_access/Makefile modules/pam_cracklib/Makefile \
- modules/pam_debug/Makefile modules/pam_deny/Makefile \
- modules/pam_echo/Makefile modules/pam_env/Makefile \
- modules/pam_faildelay/Makefile \
- modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \
- modules/pam_ftp/Makefile modules/pam_group/Makefile \
- modules/pam_issue/Makefile modules/pam_keyinit/Makefile \
- modules/pam_lastlog/Makefile modules/pam_limits/Makefile \
- modules/pam_listfile/Makefile modules/pam_localuser/Makefile \
- modules/pam_loginuid/Makefile modules/pam_mail/Makefile \
- modules/pam_mkhomedir/Makefile modules/pam_motd/Makefile \
- modules/pam_namespace/Makefile \
- modules/pam_nologin/Makefile modules/pam_permit/Makefile \
- modules/pam_pwhistory/Makefile modules/pam_rhosts/Makefile \
- modules/pam_rootok/Makefile modules/pam_exec/Makefile \
- modules/pam_securetty/Makefile modules/pam_selinux/Makefile \
- modules/pam_sepermit/Makefile \
- modules/pam_shells/Makefile modules/pam_stress/Makefile \
- modules/pam_succeed_if/Makefile modules/pam_tally/Makefile \
- modules/pam_tally2/Makefile modules/pam_time/Makefile \
- modules/pam_timestamp/Makefile modules/pam_tty_audit/Makefile \
- modules/pam_umask/Makefile \
- modules/pam_unix/Makefile modules/pam_userdb/Makefile \
- modules/pam_warn/Makefile modules/pam_wheel/Makefile \
- modules/pam_xauth/Makefile doc/Makefile doc/specs/Makefile \
- doc/man/Makefile doc/sag/Makefile doc/adg/Makefile \
- doc/mwg/Makefile examples/Makefile tests/Makefile \
- xtests/Makefile])
-AC_OUTPUT
--
2.0.4
9 years, 3 months
[linux-pam] #27: pam_timestamp path traversal issue
by fedora-badges
#27: pam_timestamp path traversal issue
-----------------------+------------------------------
Reporter: tmraz | Owner: pam-developers@…
Type: security | Status: new
Priority: major | Component: modules
Version: | Keywords:
Blocked By: | Blocking:
-----------------------+------------------------------
pam_timestamp uses PAM_RUSER and PAM_TTY directly without any checks. If
the user can mainpulate PAM_RUSER and PAM_TTY contents (which is mostly
not possible, but there might be scenarios where it is) he would be able
to get access to a service without proper checking.
See http://seclists.org/oss-sec/2014/q1/645 for the original report by
Sebastian Krahmer.
I suppose sufficient mitigation would be to look for ".." in both
PAM_RUSER and PAM_TTY and reject authentication attempt if they contain
this string.
I would also document that the module should never be used with services
where the authenticating user can manipulate the PAM_RUSER variable
contents.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/27>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
9 years, 3 months
[linux-pam] #31: typos in doc install rules
by fedora-badges
#31: typos in doc install rules
---------------------+------------------------------
Reporter: vapier | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: documentation
Version: | Keywords:
Blocked By: | Blocking:
---------------------+------------------------------
the current Makefile.am doc install-data-local & releasedocs rules try to
test for files existing in the builddir to see whether it should install
from there or the srcdir. it used to largely work before this commit:
https://git.fedorahosted.org/cgit/linux-
pam.git/commit/doc/adg/Makefile.am?id=65b0aeaecd75e081993c48db2837958073185165
but now when you do out of tree builds, it ends up never installing any of
the doc files even though they exist in $srcdir.
there's also a typo in the adg and mwg files where they try to install
"sag" files.
reported here:
[https://bugs.gentoo.org/473650]
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/31>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
9 years, 3 months
[PATCH] doc: fix typo in pam_authenticate.3.xml
by Ronny Chevalier
* doc/man/pam_authenticate.3.xml: fix typo
---
doc/man/pam_authenticate.3.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/man/pam_authenticate.3.xml b/doc/man/pam_authenticate.3.xml
index 8ddc38c..8549ccd 100644
--- a/doc/man/pam_authenticate.3.xml
+++ b/doc/man/pam_authenticate.3.xml
@@ -37,7 +37,7 @@
</para>
<para>
The PAM service module may request that the user enter their
- username vio the the conversation mechanism (see
+ username via the conversation mechanism (see
<citerefentry>
<refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
</citerefentry> and
--
2.0.4
9 years, 3 months
Add grantor field to audit records
by Tomas Mraz
Hi,
this patch modifies the audit records of libpam to add a grantor field.
This field records in case of the successful authentication (or any
other successful pam module call) that the module granted the access.
The PAM_SUCCESS return is recorded only for cases where the module
really contributed to the access being granted. That means that if the
action for success is different from ok and done, the module is not
recorded.
Please review, thanks,
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
9 years, 6 months
[PATCH 2/2] pam_exec: Make coverity happy by closing descriptors.
by Robin Hack
Hi all.
I know that kernel will close opened file handlers on the end of process
life... This will make coverity more happy and also it's good habit to
cleanup your mess :).
---
modules/pam_exec/pam_exec.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
index 12c4444..87b542d 100644
--- a/modules/pam_exec/pam_exec.c
+++ b/modules/pam_exec/pam_exec.c
@@ -371,13 +371,17 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
dup2 (STDOUT_FILENO, STDERR_FILENO) == -1)
{
int err = errno;
+ if (logfile) close(i);
pam_syslog (pamh, LOG_ERR, "dup2 failed: %m");
_exit (err);
}
if (pam_modutil_sanitize_helper_fds(pamh, redirect_stdin,
redirect_stdout, redirect_stdout) < 0)
+ {
+ if (logfile) close(i);
_exit(1);
+ }
if (call_setuid)
if (setuid (geteuid ()) == -1)
@@ -385,6 +389,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
int err = errno;
pam_syslog (pamh, LOG_ERR, "setuid(%lu) failed: %m",
(unsigned long) geteuid ());
+ if (logfile) close(i);
_exit (err);
}
@@ -392,12 +397,15 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
{
int err = errno;
pam_syslog (pamh, LOG_ERR, "setsid failed: %m");
+ if (logfile) close(i);
_exit (err);
}
arggv = calloc (argc + 4, sizeof (char *));
- if (arggv == NULL)
+ if (arggv == NULL) {
+ if (logfile) close(i);
_exit (ENOMEM);
+ }
for (i = 0; i < (argc - optargc); i++)
arggv[i] = strdup(argv[i+optargc]);
@@ -417,6 +425,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
{
free(envlist);
pam_syslog (pamh, LOG_ERR, "realloc environment failed: %m");
+ if (logfile) close(i);
_exit (ENOMEM);
}
envlist = tmp;
@@ -430,6 +439,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
{
free(envlist);
pam_syslog (pamh, LOG_ERR, "prepare environment failed: %m");
+ if (logfile) close(i);
_exit (ENOMEM);
}
envlist[envlen++] = envstr;
@@ -440,6 +450,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
{
free(envlist);
pam_syslog (pamh, LOG_ERR, "prepare environment failed: %m");
+ if (logfile) close(i);
_exit (ENOMEM);
}
envlist[envlen++] = envstr;
@@ -452,6 +463,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
i = errno;
pam_syslog (pamh, LOG_ERR, "execve(%s,...) failed: %m", arggv[0]);
free(envlist);
+ if (logfile) close(i);
_exit (i);
}
return PAM_SYSTEM_ERR; /* will never be reached. */
--
1.9.3
9 years, 7 months
(no subject)
by Robin Hack
>From 675435f5786538db99de4facca3987a2e60ae7b7 Mon Sep 17 00:00:00 2001
From: Robin Hack <rhack(a)redhat.com>
Date: Fri, 15 Aug 2014 17:47:37 +0200
Subject: [PATCH 2/3] pam_keyinit: Check return value of setregid.
Add check for return value in error branch. Just log if setregid fails.
---
modules/pam_keyinit/pam_keyinit.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/pam_keyinit/pam_keyinit.c b/modules/pam_keyinit/pam_keyinit.c
index 8d0501e..f82eead 100644
--- a/modules/pam_keyinit/pam_keyinit.c
+++ b/modules/pam_keyinit/pam_keyinit.c
@@ -218,7 +218,8 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
if (uid != old_uid && setreuid(uid, -1) < 0) {
error(pamh, "Unable to change UID to %d temporarily\n", uid);
- setregid(old_gid, -1);
+ if (setregid(old_gid, -1) < 0)
+ error(pamh, "Unable to change GID back to %d\n", old_gid);
return PAM_SESSION_ERR;
}
--
1.9.3
9 years, 7 months
(no subject)
by Robin Hack
>From 4c4d71073a8db35f7ea3762e508f6376c77596f5 Mon Sep 17 00:00:00 2001
From: Robin Hack <rhack(a)redhat.com>
Date: Fri, 15 Aug 2014 15:16:21 +0200
Subject: [PATCH 1/3] pam_filter: Avoid leaking descriptors when fork() call
fails.
---
modules/pam_filter/pam_filter.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/modules/pam_filter/pam_filter.c b/modules/pam_filter/pam_filter.c
index da98148..9935d99 100644
--- a/modules/pam_filter/pam_filter.c
+++ b/modules/pam_filter/pam_filter.c
@@ -341,6 +341,11 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl,
pam_syslog(pamh, LOG_WARNING, "first fork failed: %m");
if (aterminal) {
(void) tcsetattr(STDIN_FILENO, TCSAFLUSH, &stored_mode);
+ close(fd[0]);
+ } else {
+ /* Socket pair */
+ close(fd[0]);
+ close(fd[1]);
}
return PAM_AUTH_ERR;
--
1.9.3
9 years, 7 months