configure.in | 2 ++
libpam/include/security/_pam_types.h | 6 +++---
libpam/include/security/pam_ext.h | 4 ++--
libpam/pam_env.c | 8 ++++----
libpam/pam_strerror.c | 2 +-
libpam/pam_vprompt.c | 4 ++--
modules/Makefile.am | 1 +
modules/pam_limits/pam_limits.c | 14 ++++++++++++--
modules/pam_mkhomedir/pam_mkhomedir.c | 14 +++++++++++++-
modules/pam_namespace/namespace.init | 5 +++--
modules/pam_tally/pam_tally.c | 3 +++
modules/pam_wheel/pam_wheel.8.xml | 6 +++---
modules/pam_wheel/pam_wheel.c | 8 ++++++--
modules/pam_xauth/pam_xauth.c | 17 ++++++++++++++---
14 files changed, 69 insertions(+), 25 deletions(-)
diff --git a/configure.in b/configure.in
index 60b7532..cbbb198 100644
--- a/configure.in
+++ b/configure.in
@@ -550,6 +550,8 @@ AC_OUTPUT(Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile \
modules/pam_umask/Makefile \
modules/pam_unix/Makefile modules/pam_userdb/Makefile \
modules/pam_warn/Makefile modules/pam_wheel/Makefile \
+ modules/pam_chroot/Makefile modules/pam_console/Makefile \
+ modules/pam_sameuid/Makefile modules/pam_timestamp/Makefile \
modules/pam_xauth/Makefile doc/Makefile doc/specs/Makefile \
doc/man/Makefile doc/sag/Makefile doc/adg/Makefile \
doc/mwg/Makefile examples/Makefile tests/Makefile \
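Review bot: The four Makefile paths added here (modules/pam_chroot, pam_console, pam_sameuid, pam_timestamp) are also added to SUBDIRS in modules/Makefile.am, but no file under any of those directories is part of this commit (the diffstat lists 14 files, none of them in those modules). Unless the module sources and their Makefile.am land elsewhere in the series, autoreconf will stop on the missing modules/*/Makefile.am and configure on the missing Makefile.in. Either squash the build wiring into the commit that adds the modules or drop these two hunks until it does.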
diff --git a/libpam/include/security/_pam_types.h b/libpam/include/security/_pam_types.h
index 2f7e807..faaf084 100644
--- a/libpam/include/security/_pam_types.h
+++ b/libpam/include/security/_pam_types.h
@@ -174,16 +174,16 @@ extern int PAM_NONNULL((1))
pam_get_item(const pam_handle_t *pamh, int item_type, const void **item);
extern const char *
-pam_strerror(pam_handle_t *pamh, int errnum);
+pam_strerror(const pam_handle_t *pamh, int errnum);
extern int PAM_NONNULL((1,2))
pam_putenv(pam_handle_t *pamh, const char *name_value);
extern const char * PAM_NONNULL((1,2))
-pam_getenv(pam_handle_t *pamh, const char *name);
+pam_getenv(const pam_handle_t *pamh, const char *name);
extern char ** PAM_NONNULL((1))
-pam_getenvlist(pam_handle_t *pamh);
+pam_getenvlist(const pam_handle_t *pamh);
/* ---------- Common Linux-PAM application/module PI ----------- */
diff --git a/libpam/include/security/pam_ext.h b/libpam/include/security/pam_ext.h
index 111dd63..7f3b615 100644
--- a/libpam/include/security/pam_ext.h
+++ b/libpam/include/security/pam_ext.h
@@ -59,11 +59,11 @@ extern void PAM_FORMAT((printf, 3, 4)) PAM_NONNULL((3))
pam_syslog (const pam_handle_t *pamh, int priority, const char *fmt, ...);
extern int PAM_FORMAT((printf, 4, 0)) PAM_NONNULL((1,4))
-pam_vprompt (pam_handle_t *pamh, int style, char **response,
+pam_vprompt (const pam_handle_t *pamh, int style, char **response,
const char *fmt, va_list args);
extern int PAM_FORMAT((printf, 4, 5)) PAM_NONNULL((1,4))
-pam_prompt (pam_handle_t *pamh, int style, char **response,
+pam_prompt (const pam_handle_t *pamh, int style, char **response,
const char *fmt, ...);
#define pam_error(pamh, fmt...) \
diff --git a/libpam/pam_env.c b/libpam/pam_env.c
index dcdac7a..fb3b0f5 100644
--- a/libpam/pam_env.c
+++ b/libpam/pam_env.c
@@ -22,7 +22,7 @@
/* helper functions */
#ifdef DEBUG
-static void _pam_dump_env(pam_handle_t *pamh)
+static void _pam_dump_env(const pam_handle_t *pamh)
{
int i;
@@ -282,7 +282,7 @@ int pam_putenv(pam_handle_t *pamh, const char *name_value)
* Return the value of the requested environment variable
*/
-const char *pam_getenv(pam_handle_t *pamh, const char *name)
+const char *pam_getenv(const pam_handle_t *pamh, const char *name)
{
int item;
@@ -316,7 +316,7 @@ const char *pam_getenv(pam_handle_t *pamh, const char *name)
}
}
-static char **_copy_env(pam_handle_t *pamh)
+static char **_copy_env(const pam_handle_t *pamh)
{
char **dump;
int i = pamh->env->requested; /* reckon size of environment */
@@ -355,7 +355,7 @@ static char **_copy_env(pam_handle_t *pamh)
return dump;
}
-char **pam_getenvlist(pam_handle_t *pamh)
+char **pam_getenvlist(const pam_handle_t *pamh)
{
int i;
diff --git a/libpam/pam_strerror.c b/libpam/pam_strerror.c
index 17c8194..f296d55 100644
--- a/libpam/pam_strerror.c
+++ b/libpam/pam_strerror.c
@@ -33,7 +33,7 @@
#include "pam_private.h"
-const char *pam_strerror(pam_handle_t *pamh UNUSED, int errnum)
+const char *pam_strerror(const pam_handle_t *pamh UNUSED, int errnum)
{
switch (errnum) {
case PAM_SUCCESS:
diff --git a/libpam/pam_vprompt.c b/libpam/pam_vprompt.c
index c53079b..8e852fe 100644
--- a/libpam/pam_vprompt.c
+++ b/libpam/pam_vprompt.c
@@ -46,7 +46,7 @@
#include "pam_private.h"
int
-pam_vprompt (pam_handle_t *pamh, int style, char **response,
+pam_vprompt (const pam_handle_t *pamh, int style, char **response,
const char *fmt, va_list args)
{
struct pam_message msg;
@@ -101,7 +101,7 @@ pam_vprompt (pam_handle_t *pamh, int style, char **response,
}
int
-pam_prompt (pam_handle_t *pamh, int style, char **response,
+pam_prompt (const pam_handle_t *pamh, int style, char **response,
const char *fmt, ...)
{
va_list args;
diff --git a/modules/Makefile.am b/modules/Makefile.am
index c79f595..46f17f1 100644
--- a/modules/Makefile.am
+++ b/modules/Makefile.am
@@ -9,6 +9,7 @@ SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
pam_securetty pam_selinux pam_sepermit pam_shells pam_stress \
pam_succeed_if pam_tally pam_time pam_tty_audit pam_umask \
pam_unix pam_userdb pam_warn pam_wheel pam_xauth pam_exec \
+ pam_chroot pam_console pam_sameuid pam_timestamp \
pam_namespace pam_loginuid pam_faildelay
CLEANFILES = *~
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index f1e29b8..4174cb2 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -726,14 +726,24 @@ pam_sm_close_session (pam_handle_t *pamh UNUSED, int flags UNUSED,
}
#ifdef PAM_STATIC
+#define pam_sm_acct_mgmt pam_sm_open_session
+#elif defined(__linux__) && defined(__ELF__)
+__asm__(".globl pam_sm_acct_mgmt; pam_sm_acct_mgmt = pam_sm_open_session");
+#else
+PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+{
+ return pam_sm_open_session(pamh, flags, argc, argv);
+}
+#endif
+#ifdef PAM_STATIC
/* static module data */
-
struct pam_module _pam_limits_modstruct = {
"pam_limits",
NULL,
NULL,
- NULL,
+ pam_sm_acct_mgmt,
pam_sm_open_session,
pam_sm_close_session,
NULL
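Review bot: The ELF branch creates pam_sm_acct_mgmt with a raw file-scope `__asm__` symbol assignment, which bypasses the compiler entirely: the alias has no prototype or type, -flto and symbol-visibility options do not see it, and the same construction is repeated in pam_mkhomedir.c. The compiler-level form keeps the prototype and works on every GCC/Clang target rather than only linux/ELF: `PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) __attribute__((alias("pam_sm_open_session")));` under `#elif defined(__GNUC__)`. Whichever form stays, the block needs a comment stating the intent, because an account-phase entry that silently performs session-phase work surprises module authors and anyone auditing a PAM stack: `/* Allow use as an "account" module: pam_sm_acct_mgmt is identical to pam_sm_open_session, so the limits are applied before the session is opened. */`. Account-phase flags such as PAM_DISALLOW_NULL_AUTHTOK are forwarded to pam_sm_open_session unchanged; presumably it ignores them, but its body is outside the hunk, so that is worth confirming.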
diff --git a/modules/pam_mkhomedir/pam_mkhomedir.c b/modules/pam_mkhomedir/pam_mkhomedir.c
index 44b092c..595fe84 100644
--- a/modules/pam_mkhomedir/pam_mkhomedir.c
+++ b/modules/pam_mkhomedir/pam_mkhomedir.c
@@ -495,6 +495,18 @@ int pam_sm_close_session (pam_handle_t * pamh UNUSED, int flags UNUSED,
}
#ifdef PAM_STATIC
+#define pam_sm_acct_mgmt pam_sm_open_session
+#elif defined(__linux__) && defined(__ELF__)
+__asm__(".globl pam_sm_acct_mgmt; pam_sm_acct_mgmt = pam_sm_open_session");
+#else
+PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+{
+ return pam_sm_open_session(pamh, flags, argc, argv);
+}
+#endif
+
+#ifdef PAM_STATIC
/* static module data */
struct pam_module _pam_mkhomedir_modstruct =
@@ -502,7 +514,7 @@ struct pam_module _pam_mkhomedir_modstruct =
"pam_mkhomedir",
NULL,
NULL,
- NULL,
+ pam_sm_acct_mgmt,
pam_sm_open_session,
pam_sm_close_session,
NULL,
diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init
index 424c6d0..07ba984 100755
--- a/modules/pam_namespace/namespace.init
+++ b/modules/pam_namespace/namespace.init
@@ -7,7 +7,8 @@
# newly created home directory.
if [ "$3" = 1 ]; then
# This line will fix the labeling on all newly created directories
- [ -x /sbin/restorecon ] && /sbin/restorecon "$1"
+ restorecon=/sbin/restorecon
+ [ -x "$restorecon" ] && "$restorecon" "$1"
user="$4"
passwd=$(getent passwd "$user")
homedir=$(echo "$passwd" | cut -f6 -d":")
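Review bot: When the binary is not at the hard-coded path, the relabel of "$1" here and of "$homedir" in the second hunk is skipped silently, so a wrongly labelled home directory is created with nothing logged; on a system where restorecon lives elsewhere (e.g. /usr/sbin) that happens on every login. Keep the absolute path, since the script runs privileged and a PATH lookup would be a step backwards, but make the skipped step visible, e.g. `[ -x "$restorecon" ] || echo "namespace.init: $restorecon not found, skipping relabel" >&2` directly after the assignment. Whether this script's stderr reaches a log depends on how pam_namespace invokes it, which is outside the diff.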
@@ -17,7 +18,7 @@ if [ "$3" = 1 ]; then
chown -R "$user":"$gid" "$homedir"
mode=$(awk '/^UMASK/{gsub("#.*$", "", $2); printf "%o", and(0777,compl(strtonum("0" $2))); exit}' /etc/login.defs)
chmod ${mode:-700} "$homedir"
- [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir"
+ [ -x "$restorecon" ] && "$restorecon" -R "$homedir"
fi
fi
diff --git a/modules/pam_tally/pam_tally.c b/modules/pam_tally/pam_tally.c
index 8814659..bc601ae 100644
--- a/modules/pam_tally/pam_tally.c
+++ b/modules/pam_tally/pam_tally.c
@@ -325,6 +325,7 @@ get_tally(pam_handle_t *pamh, tally_t *tally, uid_t uid,
}
lstat_ret = fstat(fileno(*TALLY),&fileinfo);
fclose(*TALLY);
+ *TALLY = NULL;
}
if ( lstat_ret ) {
@@ -355,6 +356,7 @@ get_tally(pam_handle_t *pamh, tally_t *tally, uid_t uid,
if ( fseeko( *TALLY, (off_t) uid * sizeof(struct faillog), SEEK_SET ) ) {
pam_syslog(pamh, LOG_ALERT, "fseek failed for %s", filename);
fclose(*TALLY);
+ *TALLY = NULL;
return PAM_AUTH_ERR;
}
@@ -403,6 +405,7 @@ set_tally(pam_handle_t *pamh, tally_t tally, uid_t uid,
}
if ( fclose(*TALLY) ) {
+ *TALLY = NULL;
pam_syslog(pamh, LOG_ALERT, "update (fclose) failed for %s", filename);
return PAM_AUTH_ERR;
}
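Review bot: `*TALLY = NULL` is set only on the failure branch of `fclose(*TALLY)`; after a successful close, which continues past the closing brace outside this hunk, the caller still holds the closed FILE * unless that path clears it as well. If it does not, add `*TALLY = NULL;` immediately after the if block, so that every return from set_tally leaves the pointer either NULL or open, which is what the two get_tally hunks now guarantee. The rest of set_tally is outside the hunk.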
diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml
index bf8b734..a60de20 100644
--- a/modules/pam_wheel/pam_wheel.8.xml
+++ b/modules/pam_wheel/pam_wheel.8.xml
@@ -121,9 +121,9 @@
- The check for wheel membership will be done against
- the current uid instead of the original one (useful when
- jumping with su from one account to another for example).
+ The check for wheel membership will be done against the
+ current uid; this version of pam_wheel can only work in this
+ way and ignores the argument.
diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
index d7d8096..fa4c92c 100644
--- a/modules/pam_wheel/pam_wheel.c
+++ b/modules/pam_wheel/pam_wheel.c
@@ -110,7 +110,7 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
retval = pam_get_user(pamh, &username, NULL);
if ((retval != PAM_SUCCESS) || (!username)) {
if (ctrl & PAM_DEBUG_ARG) {
- pam_syslog(pamh, LOG_DEBUG, "can not get the username");
+ pam_syslog(pamh, LOG_DEBUG, "cannot get the username");
}
return PAM_SERVICE_ERR;
}
@@ -118,7 +118,7 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
pwd = pam_modutil_getpwnam (pamh, username);
if (!pwd) {
if (ctrl & PAM_DEBUG_ARG) {
- pam_syslog(pamh, LOG_NOTICE, "unknown user %s", username);
+ pam_syslog(pamh, LOG_NOTICE, "unknown username");
}
return PAM_USER_UNKNOWN;
}
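Review bot: The username is dropped from the "unknown user" log line without a comment saying why. Presumably the motivation is that the string is caller-supplied and may be a password typed into the login field, which would otherwise end up in the log; if so, record it next to the call: `/* do not log the name: it is untrusted input and may be a mistyped password */`. If the motivation is different, the old message was more useful to operators, so the reason should be stated either way.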
@@ -129,7 +129,9 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
}
}
+#if 0
if (ctrl & PAM_USE_UID_ARG) {
+#endif
tpwd = pam_modutil_getpwuid (pamh, getuid());
if (!tpwd) {
if (ctrl & PAM_DEBUG_ARG) {
@@ -138,6 +140,7 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
return PAM_SERVICE_ERR;
}
fromsu = tpwd->pw_name;
+#if 0
} else {
fromsu = pam_modutil_getlogin(pamh);
if (fromsu) {
@@ -150,6 +153,7 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
return PAM_SERVICE_ERR;
}
}
+#endif
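Review bot: The `use_uid` decision is removed with `#if 0` rather than by deleting the branch, which leaves `if (ctrl & PAM_USE_UID_ARG) {`, `} else {` and the closing brace split across three separate disabled regions of perform_check (whose start and end are outside the hunk); the braces balance only because all three regions are disabled together, and a later edit to any one of them will break the build. Delete the disabled lines, keep the unconditional `tpwd = pam_modutil_getpwuid (pamh, getuid());`, and explain the choice, since it is a deliberate hardening: `/* Always identify the invoker by real uid; a login name looked up via pam_modutil_getlogin is weaker evidence than the uid for an access decision. */`. PAM_USE_UID_ARG is presumably still accepted by the option parser elsewhere in the file; the man page hunk documents it as ignored, and a debug-level syslog line saying so when it is given would make the behaviour visible to administrators.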
/*
* At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu
diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c
index 1135d4b..4e28c87 100644
--- a/modules/pam_xauth/pam_xauth.c
+++ b/modules/pam_xauth/pam_xauth.c
@@ -37,6 +37,9 @@
#include
#include
#include
+#include
+#include
+#include
#include
#include
#include
@@ -207,8 +210,8 @@ check_acl(pam_handle_t *pamh,
{
char path[PATH_MAX];
struct passwd *pwd;
- FILE *fp;
- int i;
+ FILE *fp = 0;
+ int fd, i;
uid_t euid;
/* Check this user's file. */
pwd = pam_modutil_getpwnam(pamh, this_user);
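Review bot: `FILE *fp = 0;` initialises a pointer with an integer literal; use `FILE *fp = NULL;` to match the `fp != NULL` test later in check_acl and the file's other pointer comparisons. Initialising the descriptor as well, `int fd = -1, i;`, keeps the two "not opened" states readable side by side. check_acl continues outside the hunk.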
@@ -227,8 +230,16 @@ check_acl(pam_handle_t *pamh,
}
euid = geteuid();
setfsuid(pwd->pw_uid);
- fp = fopen(path, "r");
+ fd = open(path, O_RDONLY | O_NOCTTY);
setfsuid(euid);
+ if (fd >= 0) {
+ struct stat st;
+
+ if (fstat(fd, &st) ||
+ !S_ISREG(st.st_mode) ||
+ !(fp = fdopen(fd, "r")))
+ close(fd);
+ }
if (fp != NULL) {
char buf[LINE_MAX], *tmp;
/* Scan the file for a list of specs of users to "trust". */
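Review bot: The S_ISREG test comes after open(), so it rejects a special file but cannot stop the open itself from blocking: a FIFO at the ACL path would stall the O_RDONLY open until a writer appears, and the call runs inside the privileged process while it consults a file under the user's control. Open with `fd = open(path, O_RDONLY | O_NOCTTY | O_NONBLOCK);` so that a FIFO or device returns immediately and is then refused by the fstat/S_ISREG check, and once the file is known to be regular restore blocking mode before fdopen: `fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK);`. O_NOFOLLOW is worth considering too; the open is made under the user's fsuid so a symlink cannot widen access, but refusing links keeps the trust list inside the user's own directory. The three added #include lines in the first hunk lost their header names in this rendering, so I cannot confirm that the headers declaring open()/fstat() are among them.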