--- Make.Rules.in +++ Make.Rules.in 2002/08/24 12:33:46 @@ -20,6 +20,7 @@ libdir = @libdir@ infodir = @infodir@ includedir = @includedir@ +mandir = @mandir@ absolute_srcdir = @LOCALSRCDIR@ absolute_objdir = @LOCALOBJDIR@ @@ -40,6 +41,7 @@ # Mode to install shared libraries with SHLIBMODE=@SHLIBMODE@ +MANMODE=@MANMODE@ NEED_LINK_LIB_C=@PAM_NEEDS_LIBC@ HAVE_LCKPWDF=@HAVE_LCKPWDF@ @@ -67,7 +69,7 @@ HAVE_PS2PDF=@HAVE_PS2PDF@ PSER=@PSER@ DOCDIR=@DOCDIR@ -MANDIR=@MANDIR@ +MANDIR=@mandir@ # configuration settings WITH_DEBUG=@WITH_DEBUG@ @@ -91,7 +93,7 @@ # generic build setup OS=@OS@ CC=@CC@ -CFLAGS=$(WARNINGS) -D$(OS) $(OS_CFLAGS) $(HEADER_DIRS) @CONF_CFLAGS@ +CFLAGS=@CFLAGS@ $(WARNINGS) -D$(OS) $(OS_CFLAGS) $(HEADER_DIRS) @CONF_CFLAGS@ LD=@LD@ LD_D=@LD_D@ LD_L=@LD_L@ --- configure.in +++ configure.in 2002/08/24 12:33:46 @@ -39,10 +39,11 @@ MKDIR="mkdir -p" ; AC_SUBST(MKDIR) SHLIBMODE=755 ; AC_SUBST(SHLIBMODE) +MANMODE=644 ; AC_SUBST(MANMODE) dnl These are most likely platform specific - I think HPUX differs USESONAME=yes ; AC_SUBST(USESONAME) -SOSWITCH=-soname ; AC_SUBST(SOSWITCH) +SOSWITCH="-Wl,-soname -Wl," ; AC_SUBST(SOSWITCH) NEEDSONAME=no ; AC_SUBST(NEEDSONAME) LDCONFIG=/sbin/ldconfig ; AC_SUBST(LDCONFIG) @@ -116,11 +117,6 @@ DOCDIR=$enableval, DOCDIR=/usr/share/doc/pam) AC_SUBST(DOCDIR) -AC_ARG_ENABLE(mandir, -[ --enable-mandir=], - MANDIR=$enableval, MANDIR=/usr/share/man) -AC_SUBST(MANDIR) - AC_ARG_ENABLE(pamlocking, [ --enable-pamlocking configure libpam to observe a global authentication lock], WITH_PAMLOCKING=yes ; AC_DEFINE(PAM_LOCKING) , WITH_PAMLOCKING=no) @@ -310,8 +306,8 @@ PIC="-fPIC" DYNTYPE=so LD=ld - LD_L="$LD -x -shared" - RANLIB=ranlib + LD_L="gcc -shared" + RANLIB=: STRIP=strip CC_STATIC="-Xlinker -export-dynamic" ;; --- doc/Makefile +++ doc/Makefile 2002/08/24 12:39:06 
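Review bot: `@CFLAGS@` is placed first in the new `CFLAGS=` line, so options a packager passes at configure time (`-O2`, `-fstack-protector`, `-D_FORTIFY_SOURCE=2`, an extra `-I`) lose to the later `@CONF_CFLAGS@` and `$(HEADER_DIRS)` entries wherever they conflict, since the compiler generally honours the last occurrence of an option and searches `-I` directories in order. Append it instead: `CFLAGS=$(WARNINGS) -D$(OS) $(OS_CFLAGS) $(HEADER_DIRS) @CONF_CFLAGS@ @CFLAGS@`. The mandatory `-D$(OS)` and header-dir flags also still live inside the user-tunable `CFLAGS`, so a `make CFLAGS=...` on the command line silently drops them; that predates this hunk but deserves a one-line comment above the assignment.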
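Review bot: `SOSWITCH="-Wl,-soname -Wl,"` is a compiler-driver spelling, set in the platform-independent part of configure.in, while the matching switch of LD_L to a gcc driver is made only in the single case branch at the end of this file; any other branch that still links with `$LD` directly (those are outside the hunk) would now hand `-Wl,` to ld, which does not accept it. Either move SOSWITCH into the per-platform cases, as the comment above it already anticipates, or keep the raw `-soname ` form for branches that link with ld. The value deliberately ends in a comma because the Makefiles in this patch write `$(SOSWITCH)$(NAME)` with no space; say so here, `dnl trailing "-Wl," is intentional: Makefiles append the soname directly`, so nobody "cleans" it up.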
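Review bot: `LD_L="gcc -shared"` hard-codes the compiler name although configure already determines `$CC` (Make.Rules.in substitutes `CC=@CC@`), so a cross or non-gcc build links with the wrong driver; use `LD_L="$CC -shared"`. `RANLIB=:` works with the new `ifdef RANLIB` guards only because `:` is a non-empty value, which is subtle enough to document: `dnl ":" keeps the Makefile guards true while making ranlib a no-op on this platform`. The reason ranlib is not needed on this platform is not stated anywhere in the patch.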
@@ -25,12 +25,11 @@ # can type make pdf in this directory and see what happens in the pdf # subdirectory. -all: htmls texts postscript +all: htmls texts htmls: $(HTMLS) $(HTMLS) : $(FSRCS) -ifeq ($(HAVE_SGML2HTML),yes) @for i in $(FILES) ; do \ if [ ! -f "html/$$i.html" ] || [ "$$i.sgml" -nt "html/$$i.html" ]; \ then \ @@ -39,49 +38,34 @@ cd .. ; \ fi ; \ done -else - @echo XXX - you do not have the sgml2html binary installed -endif texts: $(TEXTS) $(TEXTS) : $(FSRCS) -ifeq ($(HAVE_SGML2TXT),yes) @for i in $(FILES) ; do \ if [ ! -f "txts/$$i.txt" ] \ || [ "$$i.sgml" -nt "txts/$$i.txt" ]; then \ cd txts ; sgml2txt ../$$i ; cd .. ; \ fi ; \ done -else - @echo XXX - you do not have the sgml2txt binary installed -endif postscript: $(PSFILES) $(PSFILES): $(FSRCS) -ifneq ($(PSER),) @for i in $(FILES) ; do \ if [ ! -f "ps/$$i.ps" ] || [ "$$i.sgml" -nt "ps/$$i.ps" ]; then \ cd ps ; $(PSER) ../$$i ; cd .. ; \ fi ; \ done -else - @echo XXX - neither sgml2ps nor sgml2latex binaries are installed -endif pdf: $(PDFFILES) $(PDFFILES) : $(PSFILES) -ifeq ($(HAVE_PS2PDF),yes) @for i in $(FILES) ; do \ if [ ! -f "pdf/$$i.pdf" ] || [ "ps/$$i.ps" -nt "ps/$$i.pdf" ]; then \ ps2pdf ps/$$i.ps pdf/$$i.pdf ; \ fi ; \ done -else - @echo XXX - ps2pdf is not installed -endif pam.sgml: pam_source.sgml MODULES-SGML CREDITS @sed -e '/^/r MODULES-SGML' pam_source.sgml | sed -e '/^/r CREDITS' > pam.sgml 
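Review bot: Dropping the `ifeq ($(HAVE_SGML2HTML),yes)` guard makes the `$(HTMLS)` recipe run sgml2html unconditionally while `all` still depends on `htmls`, so a host without the sgml tools now fails `make all` (and any target with `install: all`) instead of printing the old XXX message; the sgml2txt guard removed in the next hunk has the same effect. If configure is now expected to hard-fail when the tools are missing, state that in the comment block above `all:`; otherwise keep the `ifeq` around the loop body. The `-nt` test inside the loop is a bash/ksh extension rather than POSIX sh, which predates this hunk but matters more now that the loop always runs.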
@@ -114,30 +98,14 @@ done install: all -ifeq ($(HAVE_SGML2TXT),yes) mkdir -p $(FAKEROOT)$(DOCDIR)/text for file in txts/*.txt; do \ install -m 644 $$file $(FAKEROOT)$(DOCDIR)/text ; \ done -endif -ifneq ($(PSER),) - mkdir -p $(FAKEROOT)$(DOCDIR)/ps - for file in ps/*.ps; do \ - install -m 644 $$file $(FAKEROOT)$(DOCDIR)/ps ; \ - done - ifeq ($(HAVE_PS2PDF),yes) - mkdir -p $(FAKEROOT)$(DOCDIR)/pdf - for file in pdf/*.pdf; do \ - install -m 644 $$file $(FAKEROOT)$(DOCDIR)/pdf ; \ - done - endif -endif -ifeq ($(HAVE_SGML2HTML),yes) mkdir -p $(FAKEROOT)$(DOCDIR)/html for file in html/*.html; do \ install -m 644 $$file $(FAKEROOT)$(DOCDIR)/html ; \ done -endif mkdir -p $(FAKEROOT)$(MANDIR)/man3 mkdir -p $(FAKEROOT)$(MANDIR)/man8 for file in man/*.3 ; do \ @@ -157,7 +125,7 @@ clean: rm -f *~ *.bak rm -f html/pam*.html - rm -f man/*~ + rm -f man/*~ modules/*~ rm -f $(TEXTS) rm -f $(PSFILES) ps/missfont.log rm -f pdf/*.pdf --- doc/man/pam.conf.8 +++ doc/man/pam.conf.8 2002/08/24 12:33:46 @@ -1 +1 @@ -.so pam.8 +.so man8/pam.8 --- doc/man/pam.d.8 +++ doc/man/pam.d.8 2002/08/24 12:33:46 @@ -1 +1 @@ -.so pam.8 +.so man8/pam.8 --- doc/man/pam_close_session.3 +++ doc/man/pam_close_session.3 2002/08/24 12:33:46 @@ -1 +1 @@ -.so pam_open_session.3 +.so man3/pam_open_session.3 --- doc/man/pam_end.3 +++ doc/man/pam_end.3 2002/08/24 12:33:46 @@ -1 +1 @@ -.so pam_start.3 +.so man3/pam_start.3 --- doc/man/pam_get_item.3 +++ doc/man/pam_get_item.3 2002/08/24 12:33:46 @@ -1 +1 @@ -.so pam_set_item.3 +.so man3/pam_set_item.3 --- dynamic/Makefile +++ dynamic/Makefile 2002/08/24 12:33:46 @@ -47,7 +47,7 @@ $(PAMSHOBJ): $(DLIBOBJECTS) ifeq ($(USESONAME),yes) - $(LD_L) $(SOSWITCH) $(PAMSHOBJMAJ) -o $@ $+ $(LINKLIBS) + $(LD_L) $(SOSWITCH)$(PAMSHOBJMAJ) -o $@ $+ $(LINKLIBS) else $(LD_L) -o $@ $(DLIBOBJECTS) $(LINKLIBS) endif --- libpam/Makefile +++ libpam/Makefile 2002/08/24 12:33:46 
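Review bot: With the `HAVE_SGML2TXT` / `HAVE_SGML2HTML` guards removed, the `for file in txts/*.txt` and `html/*.html` loops run unconditionally, and a shell glob with no match is passed literally to `install`, which then fails the entire install on a tree where the docs were never generated. Either restore the guards or make the loop tolerant: `for file in txts/*.txt; do if [ -f "$$file" ]; then install -m 644 $$file $(FAKEROOT)$(DOCDIR)/text ; fi ; done`. Because `install: all` now also forces the html/text builds, a host without the sgml tools cannot even install the man pages this same hunk handles.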
@@ -92,7 +92,7 @@ $(LIBPAM): $(DLIBOBJECTS) ifeq ($(DYNAMIC_LIBPAM),yes) ifeq ($(USESONAME),yes) - $(LD_L) $(SOSWITCH) $(LIBPAMNAME) -o $@ $(DLIBOBJECTS) \ + $(LD_L) $(SOSWITCH)$(LIBPAMNAME) -o $@ $(DLIBOBJECTS) \ $(MODULES) $(LINKLIBS) else $(LD_L) -o $@ $(DLIBOBJECTS) $(MODULES) $(LINKLIBS) @@ -107,9 +107,11 @@ $(LIBPAMSTATIC): $(SLIBOBJECTS) ifeq ($(STATIC_LIBPAM),yes) - ar cr $@ $(SLIBOBJECTS) $(MODULES) + $(AR) cru $@ $(SLIBOBJECTS) $(MODULES) +ifdef RANLIB $(RANLIB) $@ endif +endif install: all $(MKDIR) $(FAKEROOT)$(INCLUDED) $(FAKEROOT)$(libdir) @@ -123,7 +125,9 @@ endif ifeq ($(DYNAMIC_LIBPAM),yes) $(INSTALL) -m $(SHLIBMODE) $(LIBPAM) $(FAKEROOT)$(libdir)/$(LIBPAMFULL) +ifndef FAKEROOT $(LDCONFIG) +endif ifneq ($(DYNTYPE),"sl") ( cd $(FAKEROOT)$(libdir) ; rm -f $(LIBPAM) ; \ ln -sf $(LIBPAMNAME) $(LIBPAM) ) --- libpam/pam_private.h +++ libpam/pam_private.h 2002/08/24 12:33:46 @@ -21,6 +21,7 @@ /* this is not used at the moment --- AGM */ #define LIBPAM_VERSION (LIBPAM_VERSION_MAJOR*0x100 + LIBPAM_VERSION_MINOR) +#include #include #include @@ -266,7 +267,7 @@ /* Definition for the default username prompt used by pam_get_user() */ -#define PAM_DEFAULT_PROMPT "Please enter username: " +#define PAM_DEFAULT_PROMPT "login: " /* * include some helpful macros --- libpam/pam_start.c +++ libpam/pam_start.c 2002/08/24 12:33:46 @@ -29,6 +29,9 @@ return (PAM_BUF_ERR); } + if (strrchr(service_name, '/') != NULL) + service_name = strrchr(service_name, '/') + 1; + /* Mark the caller as the application - permission to do certain things is limited to a module or an application */ --- libpam_misc/Makefile +++ libpam_misc/Makefile 2002/08/24 12:33:46 @@ -60,7 +60,7 @@ $(LIBNAMED): $(DLIBOBJECTS) ifeq ($(DYNAMIC_LIBPAM),yes) ifeq ($(USESONAME),yes) - $(LD_L) $(SOSWITCH) $(LIBNAMEDNAME) -o $@ $(DLIBOBJECTS) $(MODULES) $(LINKLIBS) + $(LD_L) $(SOSWITCH)$(LIBNAMEDNAME) -o $@ $(DLIBOBJECTS) $(MODULES) $(LINKLIBS) else $(LD_L) -o $@ $(DLIBOBJECTS) $(MODULES) endif 
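Review bot: Reducing `service_name` to the text after its last `/` leaves an empty string when the name ends in a slash, and nothing below checks for that; since the stored name presumably selects the /etc/pam.d configuration file, reject the empty case right after the strip, e.g. `if (*service_name == '\0') return PAM_SYSTEM_ERR;` — releasing whatever the lines above allocated first, which is outside the hunk. A comment on the strip itself would also help readers: `/* some applications pass argv[0]; keep only the basename */`. The removed directory components could otherwise have been interpreted as a path, so the intent looks security-motivated and deserves to be stated. pam_start's body begins above this hunk.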
@@ -74,9 +74,12 @@ $(LIBNAMEDSTATIC): $(SLIBOBJECTS) ifeq ($(STATIC_LIBPAM),yes) + $(AR) rcu $@ $(SLIBOBJECTS) $(MODULES) +ifdef RANLIB $(AR) rc $@ $(SLIBOBJECTS) $(MODULES) $(RANLIB) $@ endif +endif install: all $(MKDIR) $(FAKEROOT)$(INCLUDED) --- libpam_misc/misc_conv.c +++ libpam_misc/misc_conv.c 2002/08/24 12:33:46 @@ -127,24 +127,23 @@ } /* read a line of input string, giving prompt when appropriate */ -static char *read_string(int echo, const char *prompt) +static int read_string(int echo, const char *prompt, char **retstr) { struct termios term_before, term_tmp; - char line[INPUTSIZE], *input; + char line[INPUTSIZE]; struct sigaction old_sig; - int delay, nc, have_term=0; + int delay, nc = -1, have_term = 0; sigset_t oset, nset; - - D(("called with echo='%s', prompt='%s'.", echo ? "ON":"OFF" , prompt)); - input = line; + D(("called with echo='%s', prompt='%s'.", echo ? "ON":"OFF" , prompt)); if (isatty(STDIN_FILENO)) { /* terminal state */ /* is a terminal so record settings and flush it */ if ( tcgetattr(STDIN_FILENO, &term_before) != 0 ) { D(("")); - return NULL; + *retstr = NULL; + return -1; } memcpy(&term_tmp, &term_before, sizeof(term_tmp)); if (!echo) { @@ -157,9 +156,9 @@ * the conversation without giving PAM a chance to clean up. */ - sigemptyset(&nset); - sigaddset(&nset, SIGINT); - sigaddset(&nset, SIGTSTP); + sigemptyset(&nset); + sigaddset(&nset, SIGINT); + sigaddset(&nset, SIGTSTP); (void) sigprocmask(SIG_BLOCK, &nset, &oset); } else if (!echo) { @@ -195,7 +194,7 @@ } else if (nc > 0) { /* we got some user input */ D(("we got some user input")); - if (nc > 0 && line[nc-1] == '\n') { /* terminate */ + if (line[nc-1] == '\n') { /* terminate */ line[--nc] = '\0'; } else { if (echo) { @@ -203,7 +202,7 @@ } line[nc] = '\0'; } - input = x_strdup(line); + *retstr = x_strdup(line); _pam_overwrite(line); goto cleanexit; /* return malloc()ed string */ 
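Review bot: The new `$(AR) rcu` line was inserted above the `ifdef RANLIB` guard but the old `$(AR) rc $@ $(SLIBOBJECTS) $(MODULES)` line was left inside it, so whenever RANLIB is set the archive is assembled twice; libpam/Makefile and libpamc/Makefile in this same patch replace the line rather than duplicate it. Delete the second `$(AR) rc ...` line so only `$(RANLIB) $@` remains under the guard.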
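Review bot: In the `nc > 0` path `*retstr = x_strdup(line)` is never checked; if `x_strdup` returns NULL on allocation failure (its definition is outside the hunk, but the sibling macro in pam_userdb.h in this patch does exactly that), `read_string` returns a positive count with a NULL string, which the caller cannot tell apart from the Ctrl-D case. Add `if (*retstr == NULL) nc = -1;` before `_pam_overwrite(line)` so the failure propagates as a conversation error. The signature change this relies on is in the earlier hunk of this file.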
@@ -211,7 +210,7 @@ } else if (nc == 0) { /* Ctrl-D */ D(("user did not want to type anything")); - input = x_strdup(""); + *retstr = NULL; if (echo) { fprintf(stderr, "\n"); } @@ -224,7 +223,7 @@ D(("the timer appears to have expired")); - input = NULL; + *retstr = NULL; _pam_overwrite(line); cleanexit: @@ -234,9 +233,7 @@ (void) tcsetattr(STDIN_FILENO, TCSADRAIN, &term_before); } - D(("returning [%s]", input)); - - return input; + return nc; } /* end of read_string functions */ @@ -276,17 +273,18 @@ for (count=0; count < num_msg; ++count) { char *string=NULL; + int nc; switch (msgm[count]->msg_style) { case PAM_PROMPT_ECHO_OFF: - string = read_string(CONV_ECHO_OFF,msgm[count]->msg); - if (string == NULL) { + nc = read_string(CONV_ECHO_OFF,msgm[count]->msg, &string); + if (nc < 0) { goto failed_conversation; } break; case PAM_PROMPT_ECHO_ON: - string = read_string(CONV_ECHO_ON,msgm[count]->msg); - if (string == NULL) { + nc = read_string(CONV_ECHO_ON,msgm[count]->msg, &string); + if (nc < 0) { goto failed_conversation; } break; @@ -367,7 +365,7 @@ case PAM_TEXT_INFO: /* should not actually be able to get here... */ free(reply[count].resp); - } + } reply[count].resp = NULL; } /* forget reply too */ @@ -377,4 +375,3 @@ return PAM_CONV_ERR; } - --- libpamc/Makefile +++ libpamc/Makefile 2002/08/24 12:33:46 @@ -59,7 +59,7 @@ $(LIBNAMED): $(DLIBOBJECTS) ifeq ($(DYNAMIC_LIBPAM),yes) ifeq ($(USESONAME),yes) - $(LD_L) $(SOSWITCH) $(LIBNAMEDNAME) -o $@ $(DLIBOBJECTS) $(MODULES) $(LINKLIBS) + $(LD_L) $(SOSWITCH)$(LIBNAMEDNAME) -o $@ $(DLIBOBJECTS) $(MODULES) $(LINKLIBS) else $(LD_L) -o $@ $(DLIBOBJECTS) $(MODULES) endif @@ -73,9 +73,11 @@ $(LIBNAMEDSTATIC): $(SLIBOBJECTS) ifeq ($(STATIC_LIBPAM),yes) - $(AR) rc $@ $(SLIBOBJECTS) $(MODULES) + $(AR) rcu $@ $(SLIBOBJECTS) $(MODULES) +ifdef RANLIB $(RANLIB) $@ endif +endif install: all $(MKDIR) $(FAKEROOT)$(INCLUDED) --- libpamc/test/modules/pam_secret.c +++ libpamc/test/modules/pam_secret.c 2002/08/24 12:33:46 
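Review bot: On Ctrl-D the code now returns `nc == 0` with `*retstr = NULL` where it previously handed back `x_strdup("")`, and the caller (the `-276` hunk in this file) only treats `nc < 0` as failure, so a NULL response is stored for that prompt. Whether that is safe depends on every module reading `resp[n].resp` checking for NULL before passing it to strcmp/strdup, which this patch does not audit; modules written against the old empty-string behaviour may dereference it. Either keep `x_strdup("")` here, or state the new contract at the `case`: `/* Ctrl-D: no response; modules must accept a NULL resp */`.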
@@ -206,6 +206,7 @@ pwd = getpwnam(user); if ((pwd == NULL) || (pwd->pw_dir == NULL)) { D(("user [%s] is not known", user)); + return NULL; } length_id = strlen(pwd->pw_dir) + sizeof(SECRET_FILE_FORMAT); --- modules/Makefile +++ modules/Makefile 2002/08/24 12:33:47 @@ -8,7 +8,7 @@ include ../Make.Rules -MODDIRS=$(shell /bin/ls -d pam_*) +MODDIRS=$(shell /bin/ls -d pam_*/Makefile | cut -f1 -d/) all: @echo building the static modutil library --- modules/Simple.Rules +++ modules/Simple.Rules 2002/08/24 12:33:47 @@ -77,6 +77,18 @@ ifdef DYNAMIC $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) endif +ifdef MAN3 + test -d $(FAKEROOT)$(mandir)/man3 || $(MKDIR) $(FAKEROOT)$(mandir)/man3 + $(INSTALL) -m $(MANMODE) $(MAN3) $(FAKEROOT)$(mandir)/man3/ +endif +ifdef MAN5 + test -d $(FAKEROOT)$(mandir)/man5 || $(MKDIR) $(FAKEROOT)$(mandir)/man5 + $(INSTALL) -m $(MANMODE) $(MAN5) $(FAKEROOT)$(mandir)/man5/ +endif +ifdef MAN8 + test -d $(FAKEROOT)$(mandir)/man8 || $(MKDIR) $(FAKEROOT)$(mandir)/man8 + $(INSTALL) -m $(MANMODE) $(MAN8) $(FAKEROOT)$(mandir)/man8/ +endif $(MODULE_SIMPLE_INSTALL) remove: --- modules/pam_access/Makefile +++ modules/pam_access/Makefile 2002/08/24 12:33:47 @@ -17,5 +17,6 @@ MODULE_SIMPLE_INSTALL=bash -f ../install_conf "$(FAKEROOT)" "$(SCONFIGD)" "$(INSTALLED_CONFILE)" "$(TITLE)" "$(LOCAL_CONFILE)" MODULE_SIMPLE_REMOVE=rm -f $(FAKEROOT)$(INSTALLED_CONFILE) MODULE_SIMPLE_CLEAN=rm -f ./.ignore_age +MODULE_SIMPLE_EXTRALIBS=-lnsl include ../Simple.Rules --- modules/pam_access/pam_access.c +++ modules/pam_access/pam_access.c 2002/08/24 12:33:47 @@ -41,6 +41,7 @@ #include #include #include +#include #ifndef BROKEN_NETWORK_MATCH # include 
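Review bot: `MODDIRS=$(shell /bin/ls -d pam_*/Makefile | cut -f1 -d/)` uses the recursive `=` flavour, so the `ls | cut` pipeline is forked on every expansion of `$(MODDIRS)`, and it depends on `/bin/ls` and `cut` being available. Make's built-ins produce the same list of module directories at parse time with no subprocess: `MODDIRS := $(patsubst %/Makefile,%,$(wildcard pam_*/Makefile))`.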
@@ -262,16 +263,11 @@ static int netgroup_match(char *group, char *machine, char *user) { -#ifdef NIS static char *mydomain = 0; if (mydomain == 0) yp_get_default_domain(&mydomain); return (innetgr(group, machine, user, mydomain)); -#else - _log_err("NIS netgroup support not configured"); - return (NO); -#endif } /* user_match - match a username against one token */ --- modules/pam_group/pam_group.c +++ modules/pam_group/pam_group.c 2002/08/24 12:33:47 @@ -18,6 +18,7 @@ #include #include #include +#include #include #include #include @@ -153,8 +154,9 @@ } } switch ((*buf)[i]) { - int j,c; + int j, c; case '#': + j = c = 0; for (j=i; j < *to && (c = (*buf)[j]) != '\n'; ++j); if (j >= *to) { (*buf)[*to = ++i] = '\0'; @@ -179,6 +181,7 @@ case '!': case ' ': case '\t': + j = c = 0; if ((*buf)[i] != '!') (*buf)[i] = ','; /* delete any trailing spaces */ --- modules/pam_lastlog/Makefile +++ modules/pam_lastlog/Makefile 2002/08/24 12:33:47 @@ -15,5 +15,6 @@ endif TITLE=pam_lastlog +MODULE_SIMPLE_EXTRALIBS=-lutil include ../Simple.Rules --- modules/pam_lastlog/pam_lastlog.c +++ modules/pam_lastlog/pam_lastlog.c 2002/08/24 12:33:47 @@ -27,10 +27,7 @@ #include #include #include - -#ifdef WANT_PWDB -#include /* use POSIX front end */ -#endif +#include #if defined(hpux) || defined(sunos) || defined(solaris) # ifndef _PATH_LASTLOG @@ -202,12 +199,15 @@ * Values for the announce flags.. */ -static int last_login_date(pam_handle_t *pamh, int announce, uid_t uid) +static int last_login_date(pam_handle_t *pamh, int announce, uid_t uid, + const char *user) { struct flock last_lock; struct lastlog last_login; int retval = PAM_SESSION_ERR; int last_fd; + const char *remote_host = NULL; + const char *terminal_line = DEFAULT_TERM; /* obtain the last login date and all the relevant info */ last_fd = open(_PATH_LASTLOG, O_RDWR); 
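Review bot: The return value of `yp_get_default_domain()` is discarded, so on a host with no NIS domain `mydomain` stays NULL and `innetgr()` is called with a NULL domain, which innetgr(3) documents as a wildcard; the netgroup test therefore silently becomes domain-agnostic, whereas the removed `#ifdef NIS` fallback at least logged "not configured". If the wildcard is intended for file-based netgroups, document it on the call: `/* NULL domain: innetgr() ignores the domain field */`; otherwise log the failure and `return (NO)`. The static cache also never records the failure, so the lookup is retried on every call.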
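Review bot: These two pam_group.c hunks mirror the pam_time.c hunks in this same patch line for line, yet pam_time.c additionally gains a `not = FALSE;` reset after `next = VAL;` in its logic parser and pam_group.c gets no counterpart; if pam_group.c's `logic_field` has the same loop (its body is outside the hunks), the negation fix belongs here too, since a `!` that leaks into the next operand changes which group rules match. The `j = c = 0;` resets silence the uninitialized-variable warning for the `int j, c;` declared inside the `switch` body; hoisting that declaration above the `switch` would remove the need for both.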
@@ -319,9 +319,6 @@ /* write latest value */ { - const char *remote_host=NULL - , *terminal_line=DEFAULT_TERM; - /* set this login date */ D(("set the most recent login time")); @@ -379,8 +376,13 @@ D(("unlocked")); close(last_fd); /* all done */ + D(("all done with last login")); + + /* write wtmp entry for user */ + logwtmp(last_login.ll_line, user, remote_host); + terminal_line = NULL; + remote_host = NULL; } - D(("all done with last login")); } /* reset the last login structure */ @@ -426,8 +428,7 @@ pwd = NULL; /* tidy up */ /* process the current login attempt (indicate last) */ - - retval = last_login_date(pamh, ctrl, uid); + retval = last_login_date(pamh, ctrl, uid, user); /* indicate success or failure */ @@ -440,7 +441,22 @@ int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc ,const char **argv) { - return PAM_SUCCESS; + const char *terminal_line; + + pam_get_item(pamh, PAM_TTY, (const void **)&terminal_line); + + D(("terminal = %s", terminal_line)); + + if (terminal_line == NULL) { + terminal_line = DEFAULT_TERM; + } else if ( !strncmp("/dev/", terminal_line, 5) ) { + /* strip leading "/dev/" from tty.. */ + terminal_line += 5; + } + /* Wipe out utmp logout entry */ + logwtmp(terminal_line, "", ""); + + return PAM_SUCCESS; } #ifdef PAM_STATIC --- modules/pam_limits/pam_limits.c +++ modules/pam_limits/pam_limits.c 2002/08/24 12:33:47 @@ -22,7 +22,9 @@ #include #include #include +#include #include +#include #include #include #include @@ -295,6 +297,11 @@ } } +#ifdef RLIMIT_LOCKS + pl->limits[RLIMIT_LOCKS].src_soft = LIMITS_DEF_NONE; + pl->limits[RLIMIT_LOCKS].src_hard = LIMITS_DEF_NONE; +#endif + pl->priority = 0; pl->login_limit = -2; pl->login_limit_def = LIMITS_DEF_NONE; @@ -450,7 +457,7 @@ struct pam_limit_s *pl) { FILE *fil; - char buf[LINE_LENGTH]; + char buf[LINE_MAX]; #define CONF_FILE (pl->conf_file[0])?pl->conf_file:LIMITS_FILE /* check for the LIMITS_FILE */ 
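Review bot: `logwtmp(last_login.ll_line, user, remote_host)` passes the `ll_line` member of `struct lastlog`, a fixed-size array presumably filled by strncpy earlier in this block (outside the hunk) and so not guaranteed NUL-terminated when a tty name fills it, while `logwtmp()` treats it as a C string. Pass the `terminal_line` pointer the function now carries instead, and make sure `remote_host` cannot be NULL here, since glibc's logwtmp copies the host with an unchecked strncpy: `logwtmp(terminal_line, user, remote_host ? remote_host : "");`. The `terminal_line = NULL; remote_host = NULL;` resets that follow do nothing useful, as both are borrowed pointers to PAM items.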
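Review bot: In `pam_sm_close_session` `terminal_line` is declared without an initializer and the return value of `pam_get_item()` is discarded, so if the item lookup fails the `NULL` test reads an indeterminate pointer; declare it `const char *terminal_line = NULL;` and check the call, `if (pam_get_item(pamh, PAM_TTY, (const void **)&terminal_line) != PAM_SUCCESS) terminal_line = NULL;`. Separately, this writes a logout record on every session close, while the matching login record is only written inside the lastlog-update block in `last_login_date` (hunk above), so a session whose open path skipped that block leaves an unmatched DEAD_PROCESS entry in wtmp; a comment accepting that, or the same condition applied here, would make the pairing explicit.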
@@ -466,11 +473,11 @@ /* init things */ memset(buf, 0, sizeof(buf)); /* start the show */ - while (fgets(buf, LINE_LENGTH, fil) != NULL) { - char domain[LINE_LENGTH]; - char ltype[LINE_LENGTH]; - char item[LINE_LENGTH]; - char value[LINE_LENGTH]; + while (fgets(buf, LINE_MAX, fil) != NULL) { + char domain[LINE_MAX]; + char ltype[LINE_MAX]; + char item[LINE_MAX]; + char value[LINE_MAX]; int i,j; char *tptr; --- modules/pam_rhosts/pam_rhosts_auth.c +++ modules/pam_rhosts/pam_rhosts_auth.c 2002/08/24 12:33:47 @@ -76,10 +76,7 @@ #include #ifdef linux # include -# ifndef __USE_MISC -# define __USE_MISC -# include -# endif /* __USE_MISC */ +# include #endif #include --- modules/pam_securetty/pam_securetty.c +++ modules/pam_securetty/pam_securetty.c 2002/08/24 12:33:47 @@ -16,14 +16,13 @@ #include #include #include +#include #include #include #include #include #include -#define PAM_SM_AUTH - /* * here, we make a definition for the externally accessible function * in this file (this definition is required for static a module @@ -105,6 +104,11 @@ } return PAM_SERVICE_ERR; } + else + if (ctrl & PAM_DEBUG_ARG) { + _pam_log(LOG_WARNING, "user's tty: %s", uttyname); + } + /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) --- modules/pam_shells/pam_shells.c +++ modules/pam_shells/pam_shells.c 2002/08/24 12:33:47 @@ -10,10 +10,12 @@ #define _BSD_SOURCE +#include #include #include #include #include +#include #include #include #include @@ -113,6 +115,12 @@ return PAM_SUCCESS; } +PAM_EXTERN +int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc + ,const char **argv) +{ + return pam_sm_authenticate(pamh, 0, argc, argv); +} #ifdef PAM_STATIC @@ -122,7 +130,7 @@ "pam_shells", pam_sm_authenticate, pam_sm_setcred, - NULL, + pam_sm_acct_mgmt, NULL, NULL, NULL, --- modules/pam_stress/pam_stress.c +++ modules/pam_stress/pam_stress.c 2002/08/24 12:33:47 
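Review bot: The new debug branch in pam_securetty logs at `LOG_WARNING` for a message only emitted under the `debug` option, which will trip setups that alert on warning-level auth messages; use `_pam_log(LOG_DEBUG, "user's tty: %s", uttyname);`. The `} else` / `if (...)` split across two lines reads like a dangling `if`; join it as `} else if (ctrl & PAM_DEBUG_ARG) {`. Removing `#define PAM_SM_AUTH` is only safe if the build now defines it elsewhere, which this patch does not show — if I recall correctly pam_modules.h gates the `pam_sm_authenticate` prototypes on that macro.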
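Review bot: The new `pam_sm_acct_mgmt` in pam_shells forwards to `pam_sm_authenticate` with a hard-coded `0`, so `PAM_SILENT` and any other flag the application passed is dropped on the account path; pass it through: `return pam_sm_authenticate(pamh, flags, argc, argv);`. A one-line comment saying why the account check is identical to the auth check (presumably both only test the user's login shell) would spare readers who expect account management to do something else.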
@@ -10,7 +10,6 @@ #include #include -#define __USE_BSD #include #include --- modules/pam_time/pam_time.c +++ modules/pam_time/pam_time.c 2002/08/24 12:33:47 @@ -156,6 +156,7 @@ switch ((*buf)[i]) { int j,c; case '#': + j = c = 0; for (j=i; j < *to && (c = (*buf)[j]) != '\n'; ++j); if (j >= *to) { (*buf)[*to = ++i] = '\0'; @@ -180,6 +181,7 @@ case '!': case ' ': case '\t': + j = c = 0; if ((*buf)[i] != '!') (*buf)[i] = ','; /* delete any trailing spaces */ @@ -313,6 +315,7 @@ return FALSE; } next = VAL; + not = FALSE; } at += l; } --- modules/pam_unix/Makefile +++ modules/pam_unix/Makefile 2002/08/24 12:33:47 @@ -146,7 +146,8 @@ ifdef DYNAMIC install -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session;\ - do ln -sf $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)/$$x.so ; done + do ln -f $(FAKEROOT)$(SECUREDIR)/$(LIBSHARED) $(FAKEROOT)$(SECUREDIR)/$$x.so ; done + rm $(FAKEROOT)$(SECUREDIR)/pam_unix.so endif $(MKDIR) $(FAKEROOT)$(SUPLEMENTED) install -m 4555 $(CHKPWD) $(FAKEROOT)$(SUPLEMENTED) --- modules/pam_unix/unix_chkpwd.c +++ modules/pam_unix/unix_chkpwd.c 2002/08/24 12:33:47 @@ -94,20 +94,17 @@ char *salt = NULL; char *pp = NULL; int retval = UNIX_FAILED; + int passlen = 0; /* UNIX passwords area */ - setpwent(); pwd = getpwnam(name); /* Get password file entry... */ - endpwent(); if (pwd != NULL) { if (strcmp(pwd->pw_passwd, "x") == 0) { /* * ...and shadow password file entry for this user, * if shadowing is enabled */ - setspent(); spwdent = getspnam(name); - endspent(); if (spwdent != NULL) salt = x_strdup(spwdent->sp_pwdp); else --- modules/pam_userdb/README +++ modules/pam_userdb/README 2002/08/24 12:33:47 
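Review bot: The install loop now hard-links pam_unix_auth.so and friends to `$(FAKEROOT)$(SECUREDIR)/$(LIBSHARED)` and then removes that file with a bare `rm`; if `$(LIBSHARED)` expands to `pam_unix.so` (its definition is above the hunk), the canonical module name disappears from `$(SECUREDIR)` and every pam.d entry that names `pam_unix.so` stops loading. If the compatibility names are meant to exist alongside pam_unix.so, drop the `rm`; if removing it is deliberate, write `rm -f` and state the reason in a comment, since a reader will otherwise assume a mistake.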
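Review bot: The added `not = FALSE;` changes how `!` binds in pam_time rules — it now negates only the value that follows it instead of leaking into later operands — which is an access-control semantic change worth a comment on the line: `/* '!' applies to the next value only; reset once an operator is consumed */`. The enclosing parser loop starts above the hunk. Administrators with existing `/etc/security/time.conf` rules of the form `!a | b` will see different results, so a note in the module documentation or changelog is warranted.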
@@ -1,6 +1,7 @@ pam_userdb: Look up users in a .db database and verify their password against - what is contained in that database. + what is contained in that database. The database will have been + created using db_load. RECOGNIZED ARGUMENTS: debug write a message to syslog indicating success or @@ -8,7 +9,9 @@ db=[path] use the [path] database for performing lookup. There is no default; the module will return PAM_IGNORE if - no database is provided. + no database is provided. Newer versions of DB will + automatically append ".db" to whatever pathname you + supply here, so the path should not include it. icase make the password verification to be case insensitive (ie when working with registration numbers and such) @@ -16,8 +19,26 @@ dump dump all the entries in the database to the log (eek, don't do this by default!) + use_authtok use the authentication token previously obtained by another + that did the conversation with the application. If this + token can not be obtained then the module will try to converse + again. This option can be used for stacking different modules + that need to deal with the authentication tokens. + + unknown_ok do not return error when checking for a user that is not + in the database. This can be used to stack more than one + pam_userdb module that will check a username/password pair + in more than a database. + + key_only the username and password are concatenated together in the + database hash as 'username-password' with a random value. + if the concatenation of the username and password with a + dash in the middle returns any result, the user is valid. + this is useful in cases where the username may not be + unique but the username and password pair are. + MODULE SERVICES PROVIDED: - auth _authetication and _setcred (blank) + auth _authentication and _setcred (blank) EXAMPLE USE: auth sufficient pam_userdb.so icase db=/tmp/dbtest.db --- modules/pam_userdb/conv.c +++ modules/pam_userdb/conv.c 2002/08/24 12:33:47 
@@ -5,8 +5,6 @@ /* $Id */ /* Copyright at the end of the file */ -#define _BSD_SOURCE - #include #include @@ -24,7 +22,7 @@ struct pam_response **response) { int retval; - const struct pam_conv *conv; + const struct pam_conv *conv = NULL; retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv ) ; if (retval == PAM_SUCCESS) @@ -50,7 +48,7 @@ struct pam_message msg[2],*pmsg[2]; struct pam_response *resp; int retval; - char * token = NULL; + char *token = NULL; pmsg[0] = &msg[0]; msg[0].msg_style = PAM_PROMPT_ECHO_OFF; @@ -61,7 +59,7 @@ retval = converse(pamh, pmsg, &resp); if (resp != NULL) { - const char * item; + const char *item; /* interpret the response */ if (retval == PAM_SUCCESS) { /* a good conversation */ token = x_strdup(resp[0].resp); @@ -74,8 +72,7 @@ retval = pam_set_item(pamh, PAM_AUTHTOK, token); token = _pam_delete(token); /* clean it up */ if ( (retval != PAM_SUCCESS) || - (retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&item)) - != PAM_SUCCESS ) { + (retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&item)) != PAM_SUCCESS ) { return retval; } --- modules/pam_userdb/pam_userdb.c +++ modules/pam_userdb/pam_userdb.c 2002/08/24 12:33:47 @@ -72,11 +72,18 @@ ctrl |= PAM_ICASE_ARG; else if (!strcasecmp(*argv, "dump")) ctrl |= PAM_DUMP_ARG; + else if (!strcasecmp(*argv, "use_authtok")) + ctrl |= PAM_USE_AUTHTOK_ARG; + else if (!strcasecmp(*argv, "unknown_ok")) + ctrl |= PAM_UNKNOWN_OK_ARG; else if (!strncasecmp(*argv,"db=", 3)) { database = strdup((*argv) + 3); if (database == NULL) _pam_log(LOG_ERR, "pam_parse: could not parse argument \"%s\"", *argv); + } + else if (!strcasecmp(*argv,"key_only")) { + ctrl |= PAM_KEY_ONLY; } else { _pam_log(LOG_ERR, "pam_parse: unknown option; %s", *argv); } 
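Review bot: `struct pam_response *resp;` in the `-50` hunk is still uninitialized, while `converse()` (hunk above) only assigns `*response` on the `PAM_SUCCESS` branch of `pam_get_item`; when that lookup fails the `if (resp != NULL)` test reads an indeterminate pointer and may free or dereference garbage. Initialize it the way `conv` now is: `struct pam_response *resp = NULL;`. The failure branch of `converse()` is outside the hunk, so confirm it does not set `*response` itself.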
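Review bot: `database = strdup((*argv) + 3)` overwrites a file-scope pointer on every `_pam_parse` call without freeing the previous value, and the `pam_sm_acct_mgmt` added later in this patch now calls `_pam_parse` as well, so each transaction in a long-lived process leaks a copy and a later call without `db=` keeps the stale path from the previous call unless `_pam_parse` resets it above the hunk. Free before overwriting, `free(database); database = strdup((*argv) + 3);`, and reset `database = NULL` at the top of `_pam_parse` if that is not already done.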
@@ -153,19 +160,69 @@ return -1; /* wrong */ } else { if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_INFO, "error returned by dbm_fetch: %s", - strerror(errno)); + _pam_log(LOG_INFO, "error returned by dbm_fetch: %s", strerror(errno)); } dbm_close(dbm); - /* probably we should check dbm_error() here */ + /* prolly we should chec dbm_error() here */ return 1; /* not found */ } - - /* NOT REACHED */ + + if (dbm != NULL) + dbm_close(dbm); + /* we don't know what the heck happend */ return -2; } -/* --- authentication management functions (only) --- */ +/* + * Checks if a user has an entry in the database + * + * return values: + * 1 = User not found + * 0 = OK + * -1 = System error + */ +static int valid_user(const char *user) +{ + DBM *dbm; + datum key, data; + + /* Open the DB file. */ + dbm = dbm_open(database, O_RDONLY, 0644); + if (dbm == NULL) { + _pam_log(LOG_ERR, "%s: could not open database `%s'", __FUNCTION__, database); + return -1; + } + + if (ctrl &PAM_DUMP_ARG) { + _pam_log(LOG_INFO, "Database dump:"); + for (key = dbm_firstkey(dbm); key.dptr != NULL; key = dbm_nextkey(dbm)) { + data = dbm_fetch(dbm, key); + _pam_log(LOG_INFO, "key[len=%d] = `%s', data[len=%d] = `%s'", + key.dsize, key.dptr, data.dsize, data.dptr); + } + } + /* do some more init work */ + memset(&key, 0, sizeof(key)); + memset(&data, 0, sizeof(data)); + (const char *) key.dptr = user; + key.dsize = strlen(user); + + data = dbm_fetch(dbm, key); + + if (data.dptr != NULL) { + dbm_close(dbm); + return 0; + } + + if (ctrl & PAM_DEBUG_ARG) { + _pam_log(LOG_INFO, "error returned by dbm_fetch: %s", strerror(errno)); + } + if (dbm != NULL) + dbm_close(dbm); + return 1; /* not found */ +} + +/* --- authentication management functions --- */ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, 
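Review bot: The `dump` branch in the new `valid_user` prints `key.dptr` and `data.dptr` with `%s`, but a DBM `datum` is length-delimited with no NUL terminator, so syslog reads past the record — and every stored credential is copied into the system log. Use the lengths the loop already has: `_pam_log(LOG_INFO, "key[len=%d] = `%.*s', data[len=%d] = `%.*s'", key.dsize, key.dsize, key.dptr, data.dsize, data.dsize, data.dptr);`, and consider omitting the value entirely. `(const char *) key.dptr = user;` is a cast-as-lvalue GCC extension; write `key.dptr = (char *) user;`. This dump loop duplicates the one in the lookup function above, so a shared static helper would keep both in step, and the comment rewritten to `prolly we should chec dbm_error()` introduces two typos into a line that was correct before.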
@@ -178,6 +235,12 @@ /* parse arguments */ ctrl = _pam_parse(argc, argv); + /* Do we have a database ? */ + if (database == NULL) { + _pam_log(LOG_ERR, "no database supplied; must use db= arg"); + return PAM_SERVICE_ERR; + } + /* Get the username */ retval = pam_get_user(pamh, &username, NULL); if ((retval != PAM_SUCCESS) || (!username)) { @@ -186,19 +249,21 @@ return PAM_SERVICE_ERR; } - /* Converse just to be sure we have the password */ - retval = conversation(pamh); - if (retval != PAM_SUCCESS) { - _pam_log(LOG_ERR, "could not obtain password for `%s'", - username); - return -2; + if ((ctrl & PAM_USE_AUTHTOK_ARG) == 0) { + /* Converse just to be sure we have the password */ + retval = conversation(pamh); + if (retval != PAM_SUCCESS) { + _pam_log(LOG_ERR, "could not obtain password for `%s'", + username); + return PAM_CONV_ERR; + } } /* Get the password */ - retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&password); + retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **) &password); if (retval != PAM_SUCCESS) { _pam_log(LOG_ERR, "Could not retrive user's password"); - return -2; + return PAM_AUTHTOK_ERR; } if (ctrl & PAM_DEBUG_ARG) @@ -213,15 +278,16 @@ return PAM_SERVICE_ERR; case -1: /* incorrect password */ - _pam_log(LOG_WARNING, - "user `%s' denied access (incorrect password)", - username); + _pam_log(LOG_WARNING, "user `%s' denied access (incorrect password)", username); return PAM_AUTH_ERR; case 1: /* the user does not exist in the database */ if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE, "user `%s' not found in the database", - username); + _pam_log(LOG_NOTICE, "user `%s' not found in %s", + username, database); + if (ctrl & PAM_UNKNOWN_OK_ARG) { + return PAM_IGNORE; + } return PAM_USER_UNKNOWN; case 0: /* Otherwise, the authentication looked good */ 
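Review bot: With `use_authtok` the conversation is skipped, but `pam_get_item(PAM_AUTHTOK)` succeeds with a NULL token when no earlier module set one, so `password` is NULL when it reaches the lookup below — the README in this patch promises the module "will try to converse again" in that case, and the code does not. Fold the two steps together so the conversation runs whenever no usable token exists, and treat a NULL token after conversing as `PAM_AUTHTOK_ERR` as the existing branch does. The debug log and the `user_lookup` switch below the hunk stay as they are.

```c
	/* reuse an existing token only when use_authtok asks for it */
	password = NULL;
	if (ctrl & PAM_USE_AUTHTOK_ARG)
		(void) pam_get_item(pamh, PAM_AUTHTOK, (const void **) &password);
	if (password == NULL) {
		retval = conversation(pamh);
		if (retval != PAM_SUCCESS) {
			_pam_log(LOG_ERR, "could not obtain password for `%s'", username);
			return PAM_CONV_ERR;
		}
		retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **) &password);
		if (retval != PAM_SUCCESS || password == NULL) {
			_pam_log(LOG_ERR, "Could not retrive user's password");
			return PAM_AUTHTOK_ERR;
		}
	}
	/* … unchanged: debug log and user_lookup() switch … */
```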
@@ -229,12 +295,10 @@ return PAM_SUCCESS; default: /* we don't know anything about this return value */ - _pam_log(LOG_ERR, - "internal module error (retval = %d, user = `%s'", + _pam_log(LOG_ERR, "internal module error (retval = %d, user = `%s'", retval, username); return PAM_SERVICE_ERR; } - /* should not be reached */ return PAM_IGNORE; } @@ -246,11 +310,61 @@ return PAM_SUCCESS; } +/* + * Account management. We want to verify that the account exists in the given + * database before returning PAM_SUCCESS + */ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) { - return PAM_SUCCESS; + const char *username; + int retval = PAM_USER_UNKNOWN; + + /* parse arguments */ + ctrl = _pam_parse(argc, argv); + + /* Do we have a database ? */ + if (database == NULL) { + _pam_log(LOG_ERR, "no database supplied; must use db= arg"); + return PAM_SERVICE_ERR; + } + + /* Get the username */ + retval = pam_get_user(pamh, &username, NULL); + if ((retval != PAM_SUCCESS) || (!username)) { + if (ctrl & PAM_DEBUG_ARG) + _pam_log(LOG_DEBUG,"can not get the username"); + return PAM_SERVICE_ERR; + } + + /* Verify the username */ + retval = valid_user(username); + switch (retval) { + case -1: + /* some sort of system error. The log was already printed */ + return PAM_SERVICE_ERR; + case 1: + /* the user does not exist in the database */ + if (ctrl & PAM_DEBUG_ARG) + _pam_log(LOG_NOTICE, "user `%s' not found in the database", + username); + if (ctrl & PAM_UNKNOWN_OK_ARG) + return PAM_IGNORE; + return PAM_USER_UNKNOWN; + case 0: + /* Otherwise, the authentication looked good */ + _pam_log(LOG_NOTICE, "user '%s' granted acces", username); + return PAM_SUCCESS; + default: + /* we don't know anything about this return value */ + _pam_log(LOG_ERR, "internal module error (retval = %d, user = `%s'", + retval, username); + return PAM_SERVICE_ERR; + } + + /* should not be reached */ + return PAM_IGNORE; } 
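Review bot: `pam_sm_acct_mgmt` looks the user up by bare username through `valid_user`, but with the `key_only` option parsed earlier the database keys are `username-password` pairs (per the README in this patch), so every key_only user is rejected here with PAM_USER_UNKNOWN; short-circuit before the lookup, `if (ctrl & PAM_KEY_ONLY) return PAM_IGNORE;`. The success branch logs `"user '%s' granted acces"` unconditionally at LOG_NOTICE while the not-found branch is gated on `PAM_DEBUG_ARG`; gate it the same way and spell it `access`. The message also overstates what happened, since account management only confirmed the entry exists, not a password.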
@@ -259,10 +373,10 @@ /* static module data */ struct pam_module _pam_userdb_modstruct = { - "pam_userdb", + MODULE_NAME, pam_sm_authenticate, pam_sm_setcred, - NULL, + pam_sm_acct_mgmt, NULL, NULL, NULL, --- modules/pam_userdb/pam_userdb.h +++ modules/pam_userdb/pam_userdb.h 2002/08/24 12:33:47 @@ -1,17 +1,20 @@ #ifndef _PAM_USERSDB_H #define _PAM_USERSDB_H -/* $Id: pam_userdb.h,v 1.1.1.1 2000/06/20 22:12:09 agmorgan Exp $ */ +/* $Id: pam_userdb.h,v 1.2 2001/01/04 22:51:31 nalin Exp $ */ /* Header files */ #include /* argument parsing */ -#define PAM_DEBUG_ARG 0x0001 -#define PAM_ICASE_ARG 0x0002 -#define PAM_DUMP_ARG 0x0004 +#define PAM_DEBUG_ARG (1 << 1) +#define PAM_ICASE_ARG (1 << 2) +#define PAM_DUMP_ARG (1 << 3) +#define PAM_USE_AUTHTOK_ARG (1 << 4) +#define PAM_UNKNOWN_OK_ARG (1 << 5) +#define PAM_KEY_ONLY (1 << 6) -/* Useful macros */ +/* Usefull macros */ #define x_strdup(s) ( (s) ? strdup(s):NULL ) /* The name of the module we are compiling */ --- modules/pam_wheel/pam_wheel.c +++ modules/pam_wheel/pam_wheel.c 2002/08/24 12:33:47 @@ -21,13 +21,12 @@ * a wheel member. */ -#define _BSD_SOURCE - #include #include #include #include #include +#include #include #include #include @@ -121,7 +120,7 @@ char use_group[BUFSIZ]; /* Init the optional group */ - bzero(use_group,BUFSIZ); + memset(use_group,'\0',BUFSIZ); ctrl = _pam_parse(argc, argv, use_group, sizeof(use_group)); retval = pam_get_user(pamh, &username, NULL);
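Review bot: The new flag is named `PAM_KEY_ONLY` while every sibling carries the `_ARG` suffix (`PAM_USE_AUTHTOK_ARG`, `PAM_UNKNOWN_OK_ARG`); rename it `PAM_KEY_ONLY_ARG` and update the two uses in pam_userdb.c for consistency. Switching from `0x0001` to `(1 << 1)` leaves bit 0 unused, which is harmless but invites a later "fix"; a comment such as `/* bit 0 deliberately unused */` prevents that. The header comment also picked up a misspelling, `Usefull`, where the old text `Useful` was correct.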
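Review bot: `memset(use_group,'\0',BUFSIZ)` repeats the array's size literal while the very next line already passes `sizeof(use_group)`; write `memset(use_group, 0, sizeof(use_group));` so the two cannot drift if the buffer is ever resized. Behaviour is unchanged, and dropping `_BSD_SOURCE` is consistent with replacing the BSD-only `bzero`. The function's body continues outside the hunk.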