March 2015 - Pam-developers - Fedora Mailing-Lists

[linux-pam] #9: Allow pam_lastlog to write to utmp as an option

by fedora-badges

#9: Allow pam_lastlog to write to utmp as an option -------------------------+------------------------------------------------- Reporter: | Owner: pam-developers@… shadowkyogre | Status: new Type: | Component: modules enhancement | Keywords: pam_lastlog utmp update patch Priority: major | prototype Version: 1.1.x | Blocking: Blocked By: | -------------------------+------------------------------------------------- The following patch for pam_lastlog allows it to write to utmp as well as wtmp. Part of the code is from xorg-sessreg to help make a utmp entry. I only tested this on my desktop, which is running Arch Linux, so some modifications may need to be made in order to make it more portable. -- Ticket URL: <https://fedorahosted.org/linux-pam/ticket/9> linux-pam <http://fedorahosted.org/linux-pam> The Linux-PAM (Pluggable Authentication Modules) project

9 years

1
4
0 / 0

[linux-pam] #11: sign the released tarballs

by fedora-badges

#11: sign the released tarballs ---------------------+------------------------------ Reporter: vbatts | Owner: pam-developers@… Type: defect | Status: new Priority: major | Component: library Version: | Keywords: Blocked By: | Blocking: ---------------------+------------------------------ Previously the tarballs that landed on kernel.org were signed by the trusted key 0x517D0F0E, but now the tarballs on https://fedorahosted.org/releases/l/i/linux-pam/ have no signature at all. We not be using Linux-PAM source that does not have a trusted signature. -- Ticket URL: <https://fedorahosted.org/linux-pam/ticket/11> linux-pam <http://fedorahosted.org/linux-pam> The Linux-PAM (Pluggable Authentication Modules) project

9 years

3
4
0 / 0

[linux-pam] #32: pam_timestamp: default TIMESTAMPDIR no longer matches sudo time stamp directory

by fedora-badges

#32: pam_timestamp: default TIMESTAMPDIR no longer matches sudo time stamp directory ---------------------+------------------------------ Reporter: thoger | Owner: pam-developers@… Type: defect | Status: new Priority: minor | Component: modules Version: | Keywords: Blocked By: | Blocking: ---------------------+------------------------------ pam_timestamp defaults to using `/var/run/sudo` as its default time stamp directory. This seems to be for compatibility with sudo. However, that directory is no longer used by sudo as of version 1.7.4: http://www.sudo.ws/repos/sudo/rev/8c9440423d98 Starting with sudo 1.7.4, the time stamp files have moved from /var/run/sudo to either /var/db/sudo, /var/lib/sudo or /var/adm/sudo. The directories are checked for existence in that order. This prevents users from receiving the sudo lecture every time the system reboots. Time stamp files older than the boot time are ignored on systems where it is possible to determine this. In Fedora, sudo now uses `/var/db/sudo` directory: http://pkgs.fedoraproject.org/cgit/sudo.git/commit/?id=e273750 On a quick look, it seems sudo and pam_timestamp now use different time stamp file content and mode. It seems pam_timestamp assumes sudo times tamp files are empty, but current sudo versions no longer create empty files: https://git.fedorahosted.org/cgit/linux- pam.git/tree/modules/pam_timestamp/pam_timestamp.c?id=9dcead8#n451 pam_timestamp writes full time stamp file path to the time stamp file, which does not seem to be done by sudo. I haven't investigated what data is written by sudo. Also ownership of sudo time stamp file is root:user, and pam_timestamp expects root:root. These incompatibility exists with sudo 1.7.2, which still uses `/var/run/sudo`. It seems this requires more changes and not only change of `TIMESTAMPDIR` to `/var/db/sudo`. -- Ticket URL: <https://fedorahosted.org/linux-pam/ticket/32> linux-pam <http://fedorahosted.org/linux-pam> The Linux-PAM (Pluggable Authentication Modules) project

9 years

1
2
0 / 0

pam_timestamp/Ticket#32

by Thorsten Kukuk

Hi, About Ticket#32: we should not use the sudo directory, if the timestamp format is not identical. My proposal would be, that pam_timestamp manages his own directory. Ok to commit? diff --git a/modules/pam_timestamp/pam_timestamp.8.xml b/modules/pam_timestamp/pam_timestamp.8.xml index 07a5cf1..e781812 100644 --- a/modules/pam_timestamp/pam_timestamp.8.xml +++ b/modules/pam_timestamp/pam_timestamp.8.xml @@ -152,7 +152,7 @@ session optional pam_timestamp.so <title>FILES</title> <variablelist> <varlistentry> - <term><filename>/var/run/sudo/...</filename></term> + <term><filename>/var/run/pam_timestamp/...</filename></term> <listitem> <para>timestamp files and directories</para> </listitem> diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c index b3f08b1..1bf0e84 100644 --- a/modules/pam_timestamp/pam_timestamp.c +++ b/modules/pam_timestamp/pam_timestamp.c @@ -58,6 +58,7 @@ #include <unistd.h> #include <utmp.h> #include <syslog.h> +#include <paths.h> #include "hmacsha1.h" #include <security/pam_modules.h> @@ -69,7 +70,7 @@ * for the timestamp_timeout parameter. */ #define DEFAULT_TIMESTAMP_TIMEOUT (5 * 60) #define MODULE "pam_timestamp" -#define TIMESTAMPDIR "/var/run/sudo" +#define TIMESTAMPDIR _PATH_VARRUN "/" MODULE #define TIMESTAMPKEY TIMESTAMPDIR "/_pam_timestamp_key" /* Various buffers we use need to be at least as large as either PATH_MAX or -- Thorsten Kukuk, Senior Architect SLES & Common Code Base SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)

9 years

3
2
0 / 0

[linux-pam] #35: 'logic list' format unexplained in group.conf manpage

by fedora-badges

#35: 'logic list' format unexplained in group.conf manpage --------------------------+----------------------------------- Reporter: robinmiller | Owner: pam-developers@… Type: defect | Status: new Priority: minor | Component: documentation Version: | Keywords: group.conf logic list Blocked By: | Blocking: --------------------------+----------------------------------- The group.conf manpage refers to a 'logic list' several times as the way to specify multiple ttys, users, etc, but does not give a clear example or describe the syntax required. After some fruitless searching and then trial and error, I discovered that the format is: {{{ item1 | item2 | item3 }}} I think it would be a big help to users to make this clear in the man page, either by describing the syntax or by giving a clear example in the examples section (there is a convoluted example using &, but I don't think this is obvious at first). For example, the example: {{{ Running 'xsh' on tty* (any ttyXXX device), the user 'sword' is given access to games (through membership of the floppy group) after work hours. xsh; tty* ;sword;!Wk0900-1800;games, sound }}} Could be made into: {{{ Running 'xsh' on tty* (any ttyXXX device), the users 'sword' and 'pike' are given access to games (through membership of the floppy group) after work hours. xsh; tty* ; sword | pike ;!Wk0900-1800;games, sound }}} That small change alone would have saved me an hour. Perhaps the term 'logic list' is a well known format to some, but I don't think to many. -- Ticket URL: <https://fedorahosted.org/linux-pam/ticket/35> linux-pam <http://fedorahosted.org/linux-pam> The Linux-PAM (Pluggable Authentication Modules) project

9 years

1
1
0 / 0

[linux-pam] #33: pam_timestamp: timestampdir option not documented properly

by fedora-badges

#33: pam_timestamp: timestampdir option not documented properly ---------------------+------------------------------ Reporter: thoger | Owner: pam-developers@… Type: defect | Status: new Priority: minor | Component: modules Version: | Keywords: Blocked By: | Blocking: ---------------------+------------------------------ pam_timestamp module supports `timestampdir` option, which is not properly mentioned in the documentation / man page for the module. The only mention is: When an application opens a session using <emphasis>pam_timestamp</emphasis>, a timestamp file is created in the <emphasis>timestampdir</emphasis> directory for the user. but it is not listed in SYNOPSIS or OPTIONS sections. -- Ticket URL: <https://fedorahosted.org/linux-pam/ticket/33> linux-pam <http://fedorahosted.org/linux-pam> The Linux-PAM (Pluggable Authentication Modules) project

9 years

1
2
0 / 0

[linux-pam] #36: pam_fail_delay() inconsistent delay distribution

by fedora-badges

#36: pam_fail_delay() inconsistent delay distribution ---------------------+------------------------------ Reporter: szidek | Owner: pam-developers@… Type: defect | Status: new Priority: major | Component: library Version: 1.1.x | Keywords: Blocked By: | Blocking: ---------------------+------------------------------ Man page says: Should pam_authenticate(3) fail, the failing return to the application is delayed by an amount of time randomly distributed (by up to 25%) about this longest value. However, code uses distribution 50%. (Comments also say 25%.) I think these values should be consistent. -- Ticket URL: <https://fedorahosted.org/linux-pam/ticket/36> linux-pam <http://fedorahosted.org/linux-pam> The Linux-PAM (Pluggable Authentication Modules) project

9 years

1
1
0 / 0

Translation server

by Tomas Mraz

Hi fellow Linux-PAM developers, to obtain the translations I maintain the Linux-PAM project on the Transifex server. It is currently kept in the group with Fedora projects so I do not have to maintain a list of translators myself. Recently the Fedora translators are being moved to use the Zanata, namely the fedora.zanata.org instance. Do we want to establish Linux-PAM as one of the projects on the fedora.zanata.org server? I can do the migration. Or do we want to stay on Transifex? Regards, Tomas Mraz

9 years, 1 month

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Pam-developers March 2015