[linux-pam] #9: Allow pam_lastlog to write to utmp as an option
by fedora-badges
#9: Allow pam_lastlog to write to utmp as an option
-------------------------+-------------------------------------------------
Reporter: shadowkyogre | Owner: pam-developers@…
Type: enhancement | Status: new
Priority: major | Component: modules
Version: 1.1.x | Keywords: pam_lastlog utmp update patch prototype
Blocked By: | Blocking:
-------------------------+-------------------------------------------------
The following patch for pam_lastlog allows it to write to utmp as well as
wtmp. Part of the code is from xorg-sessreg to help make a utmp entry. I
only tested this on my desktop, which is running Arch Linux, so some
modifications may need to be made in order to make it more portable.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/9>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
9 years
[linux-pam] #32: pam_timestamp: default TIMESTAMPDIR no longer matches sudo time stamp directory
by fedora-badges
#32: pam_timestamp: default TIMESTAMPDIR no longer matches sudo time stamp
directory
---------------------+------------------------------
Reporter: thoger | Owner: pam-developers@…
Type: defect | Status: new
Priority: minor | Component: modules
Version: | Keywords:
Blocked By: | Blocking:
---------------------+------------------------------
pam_timestamp defaults to using `/var/run/sudo` as its default time stamp
directory. This seems to be for compatibility with sudo. However, that
directory is no longer used by sudo as of version 1.7.4:
http://www.sudo.ws/repos/sudo/rev/8c9440423d98
  Starting with sudo 1.7.4, the time stamp files have moved from
  /var/run/sudo to either /var/db/sudo, /var/lib/sudo or /var/adm/sudo.
  The directories are checked for existence in that order. This
  prevents users from receiving the sudo lecture every time the
  system reboots. Time stamp files older than the boot time are
  ignored on systems where it is possible to determine this.
In Fedora, sudo now uses `/var/db/sudo` directory:
http://pkgs.fedoraproject.org/cgit/sudo.git/commit/?id=e273750
On a quick look, it seems sudo and pam_timestamp now use different time
stamp file content and mode. It seems pam_timestamp assumes sudo time
stamp files are empty, but current sudo versions no longer create empty
files:
https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_timestamp/pam_timestamp.c?id=9dcead8#n451
pam_timestamp writes full time stamp file path to the time stamp file,
which does not seem to be done by sudo. I haven't investigated what data
is written by sudo. Also ownership of sudo time stamp file is root:user,
and pam_timestamp expects root:root.
These incompatibilities exist with sudo 1.7.2, which still uses
`/var/run/sudo`. It seems this requires more changes and not only change
of `TIMESTAMPDIR` to `/var/db/sudo`.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/32>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
9 years
pam_timestamp/Ticket#32
by Thorsten Kukuk
Hi,
About Ticket#32: we should not use the sudo directory, if the
timestamp format is not identical.
My proposal would be that pam_timestamp manages its own directory.
Ok to commit?
diff --git a/modules/pam_timestamp/pam_timestamp.8.xml b/modules/pam_timestamp/pam_timestamp.8.xml
index 07a5cf1..e781812 100644
--- a/modules/pam_timestamp/pam_timestamp.8.xml
+++ b/modules/pam_timestamp/pam_timestamp.8.xml
@@ -152,7 +152,7 @@ session optional pam_timestamp.so
<title>FILES</title>
<variablelist>
<varlistentry>
- <term><filename>/var/run/sudo/...</filename></term>
+ <term><filename>/var/run/pam_timestamp/...</filename></term>
<listitem>
<para>timestamp files and directories</para>
</listitem>
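Review bot: The new <filename> entry hard-codes /var/run/pam_timestamp/... while the C change in this patch builds the directory from _PATH_VARRUN, so the man page will be wrong on any system whose <paths.h> points _PATH_VARRUN somewhere else. Consider wording the FILES entry so it does not promise a literal /var/run prefix, and since this section is being touched anyway, list the timestampdir option under OPTIONS (Ticket#33) so an administrator who needs a different location can see how to set it.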
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
index b3f08b1..1bf0e84 100644
--- a/modules/pam_timestamp/pam_timestamp.c
+++ b/modules/pam_timestamp/pam_timestamp.c
@@ -58,6 +58,7 @@
#include <unistd.h>
#include <utmp.h>
#include <syslog.h>
+#include <paths.h>
#include "hmacsha1.h"
#include <security/pam_modules.h>
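Review bot: The added #include <paths.h> is unconditional, but that header is not part of POSIX and _PATH_VARRUN is not guaranteed to be defined by it. Guard the include with a configure check, or add an "#ifndef _PATH_VARRUN" fallback definition right after it, so the module still builds where the macro is missing.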
@@ -69,7 +70,7 @@
* for the timestamp_timeout parameter. */
#define DEFAULT_TIMESTAMP_TIMEOUT (5 * 60)
#define MODULE "pam_timestamp"
-#define TIMESTAMPDIR "/var/run/sudo"
+#define TIMESTAMPDIR _PATH_VARRUN "/" MODULE
#define TIMESTAMPKEY TIMESTAMPDIR "/_pam_timestamp_key"
/* Various buffers we use need to be at least as large as either PATH_MAX or
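Review bot: In the new TIMESTAMPDIR define, _PATH_VARRUN "/" MODULE produces a doubled slash on glibc, where _PATH_VARRUN is "/var/run/" with a trailing slash, so the directory becomes /var/run//pam_timestamp and TIMESTAMPKEY inherits the same prefix. Drop the "/" literal (and keep any fallback definition of _PATH_VARRUN in the same trailing-slash form) so the path the module writes and logs is the one the man page shows. Because TIMESTAMPKEY is derived from TIMESTAMPDIR, the key file moves too; the commit message should say that timestamps and the key left under /var/run/sudo are no longer consulted.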
--
Thorsten Kukuk, Senior Architect SLES & Common Code Base
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
9 years
[linux-pam] #35: 'logic list' format unexplained in group.conf manpage
by fedora-badges
#35: 'logic list' format unexplained in group.conf manpage
--------------------------+-----------------------------------
Reporter: robinmiller | Owner: pam-developers@…
Type: defect | Status: new
Priority: minor | Component: documentation
Version: | Keywords: group.conf logic list
Blocked By: | Blocking:
--------------------------+-----------------------------------
The group.conf manpage refers to a 'logic list' several times as the way
to specify multiple ttys, users, etc, but does not give a clear example or
describe the syntax required.
After some fruitless searching and then trial and error, I discovered that
the format is:
{{{
item1 | item2 | item3
}}}
I think it would be a big help to users to make this clear in the man
page, either by describing the syntax or by giving a clear example in the
examples section (there is a convoluted example using &, but I don't think
this is obvious at first). For example, the example:
{{{
Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given
access to games (through membership of the floppy group) after work hours.
xsh; tty* ;sword;!Wk0900-1800;games, sound
}}}
Could be made into:
{{{
Running 'xsh' on tty* (any ttyXXX device), the users 'sword' and 'pike'
are given access to games (through membership of the floppy group) after
work hours.
xsh; tty* ; sword | pike ;!Wk0900-1800;games, sound
}}}
That small change alone would have saved me an hour. Perhaps the term
'logic list' is a well known format to some, but I don't think to many.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/35>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
9 years
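The `|` / `&` list syntax described in ticket #35, as an added example that is not pam_group's own code. It is a simplified evaluator whose semantics are assumptions: tokens are evaluated left to right with no operator precedence, `!` negates the next token, and only a trailing `*` wildcard is handled. The function names are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* One token vs. value; a trailing '*' matches any suffix (simplified). */
static bool token_matches(const char *tok, size_t len, const char *value)
{
    if (len > 0 && tok[len - 1] == '*')
        return strncmp(tok, value, len - 1) == 0;
    return strlen(value) == len && strncmp(tok, value, len) == 0;
}

/* Returns 1 on match, 0 on no match, -1 if the list is malformed.
 * Assumed semantics: left to right, no precedence, '!' negates one token. */
int logic_list_match(const char *list, const char *value)
{
    bool result = false, negate = false, expect_token = true;
    char op = '|';                 /* false | first == first */
    const char *p = list;

    for (;;) {
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0') break;
        if (*p == '!') {
            if (!expect_token) return -1;
            negate = !negate;
            p++;
        } else if (*p == '|' || *p == '&') {
            if (expect_token) return -1;   /* operator without left operand */
            op = *p++;
            expect_token = true;
        } else {
            if (!expect_token) return -1;  /* two tokens, no operator */
            size_t len = strcspn(p, " \t\n|&!");
            bool hit = token_matches(p, len, value) != negate;
            result = (op == '&') ? (result && hit) : (result || hit);
            negate = false;
            expect_token = false;
            p += len;
        }
    }
    return expect_token ? -1 : result;     /* empty list or dangling operator */
}

int main(void)
{
    printf("%d\n", logic_list_match("sword | pike", "pike"));
    return 0;
}
```

Under these assumed semantics, a list such as `sword | pike & root` does not match `sword`, because the `&` applies to the result of everything to its left; that is a reason to keep group.conf user lists to plain `|` alternatives.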
[linux-pam] #33: pam_timestamp: timestampdir option not documented properly
by fedora-badges
#33: pam_timestamp: timestampdir option not documented properly
---------------------+------------------------------
Reporter: thoger | Owner: pam-developers@…
Type: defect | Status: new
Priority: minor | Component: modules
Version: | Keywords:
Blocked By: | Blocking:
---------------------+------------------------------
pam_timestamp module supports `timestampdir` option, which is not properly
mentioned in the documentation / man page for the module. The only
mention is:
  When an application opens a session using
  <emphasis>pam_timestamp</emphasis>, a timestamp file is created in the
  <emphasis>timestampdir</emphasis> directory for the user.
but it is not listed in SYNOPSIS or OPTIONS sections.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/33>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
9 years
[linux-pam] #36: pam_fail_delay() inconsistent delay distribution
by fedora-badges
#36: pam_fail_delay() inconsistent delay distribution
---------------------+------------------------------
Reporter: szidek | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: library
Version: 1.1.x | Keywords:
Blocked By: | Blocking:
---------------------+------------------------------
Man page says: Should pam_authenticate(3) fail, the failing return to the
application is delayed by an amount of time randomly distributed (by up to
25%) about this longest value.
However, code uses distribution 50%.
(Comments also say 25%.)
I think these values should be consistent.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/36>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
9 years
Translation server
by Tomas Mraz
Hi fellow Linux-PAM developers,
to obtain the translations I maintain the Linux-PAM project on the
Transifex server. It is currently kept in the group with Fedora projects
so I do not have to maintain a list of translators myself. Recently the
Fedora translators are being moved to use the Zanata, namely the
fedora.zanata.org instance.
Do we want to establish Linux-PAM as one of the projects on the
fedora.zanata.org server? I can do the migration. Or do we want to stay
on Transifex?
Regards,
Tomas Mraz
9 years, 1 month