diff options
Diffstat (limited to 'extra/source/pam/patches')
11 files changed, 0 insertions, 2655 deletions
diff --git a/extra/source/pam/patches/pam-1.0.90-redhat-modules.patch b/extra/source/pam/patches/pam-1.0.90-redhat-modules.patch deleted file mode 100644 index 3ad41ccc6..000000000 --- a/extra/source/pam/patches/pam-1.0.90-redhat-modules.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff -up Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules Linux-PAM-1.0.90/modules/Makefile.am ---- Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules 2008-11-29 08:27:35.000000000 +0100 -+++ Linux-PAM-1.0.90/modules/Makefile.am 2008-12-16 13:40:16.000000000 +0100 -@@ -3,6 +3,7 @@ - # - - SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ -+ pam_chroot pam_console pam_postgresok \ - pam_env pam_exec pam_faildelay pam_filter pam_ftp \ - pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ - pam_listfile pam_localuser pam_loginuid pam_mail \ -diff -up Linux-PAM-1.0.90/configure.in.redhat-modules Linux-PAM-1.0.90/configure.in ---- Linux-PAM-1.0.90/configure.in.redhat-modules 2008-12-02 16:25:01.000000000 +0100 -+++ Linux-PAM-1.0.90/configure.in 2008-12-16 13:39:11.000000000 +0100 -@@ -531,6 +531,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil - libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \ - po/Makefile.in \ - modules/Makefile \ -+ modules/pam_chroot/Makefile modules/pam_console/Makefile \ -+ modules/pam_postgresok/Makefile \ - modules/pam_access/Makefile modules/pam_cracklib/Makefile \ - modules/pam_debug/Makefile modules/pam_deny/Makefile \ - modules/pam_echo/Makefile modules/pam_env/Makefile \ diff --git a/extra/source/pam/patches/pam-1.0.91-std-noclose.patch b/extra/source/pam/patches/pam-1.0.91-std-noclose.patch deleted file mode 100644 index 735948490..000000000 --- a/extra/source/pam/patches/pam-1.0.91-std-noclose.patch +++ /dev/null @@ -1,98 +0,0 @@ -diff -up Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c ---- Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c 2009-03-26 10:02:15.000000000 +0100 -@@ -131,13 +131,21 @@ create_homedir (pam_handle_t *pamh, int - if (child == 0) { - int i; - struct rlimit rlim; -+ int dummyfds[2]; - static char *envp[] = { NULL }; - char *args[] = { NULL, NULL, NULL, NULL, NULL }; - -+ /* replace std file descriptors with a dummy pipe */ -+ if (pipe(dummyfds) == 0) { -+ dup2(dummyfds[0], STDIN_FILENO); -+ dup2(dummyfds[1], STDOUT_FILENO); -+ dup2(dummyfds[1], STDERR_FILENO); -+ } -+ - if (getrlimit(RLIMIT_NOFILE, &rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { - close(i); - } - } -diff -up Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/support.c ---- Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_unix/support.c 2009-03-26 10:08:59.000000000 +0100 -@@ -443,13 +443,16 @@ static int _unix_run_helper_binary(pam_h - - /* reopen stdin as pipe */ - dup2(fds[0], STDIN_FILENO); -+ /* and replace also the stdout/err as the helper will -+ not write anything there */ -+ dup2(fds[1], STDOUT_FILENO); -+ dup2(fds[1], STDERR_FILENO); - - if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -- if (i != STDIN_FILENO) -- close(i); -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { -+ close(i); - } - } - -diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c ---- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c 2009-03-26 10:07:06.000000000 +0100 -@@ -175,13 +175,16 @@ static int _unix_run_update_binary(pam_h - - /* reopen stdin as pipe */ - dup2(fds[0], STDIN_FILENO); -+ /* and replace also the stdout/err as the helper will -+ not write anything there */ -+ dup2(fds[1], STDOUT_FILENO); -+ dup2(fds[1], STDERR_FILENO); - - if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -- if (i != STDIN_FILENO) -- close(i); -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { -+ close(i); - } - } - -diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c ---- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c 2009-03-26 10:05:41.000000000 +0100 -@@ -100,16 +100,18 @@ int _unix_run_verify_binary(pam_handle_t - - /* reopen stdout as pipe */ - dup2(fds[1], STDOUT_FILENO); -+ /* and replace also the stdin, stderr so we do not exec the helper with -+ tty as stdin, it will not read anything from there anyway */ -+ dup2(fds[0], STDIN_FILENO); -+ dup2(fds[1], STDERR_FILENO); - - /* XXX - should really tidy up PAM here too */ - - if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -- if (i != STDOUT_FILENO) { -- close(i); -- } -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { -+ close(i); - } - } - diff --git a/extra/source/pam/patches/pam-1.1.0-notally.patch b/extra/source/pam/patches/pam-1.1.0-notally.patch deleted file mode 100644 index 9327eecba..000000000 --- a/extra/source/pam/patches/pam-1.1.0-notally.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up Linux-PAM-1.1.0/modules/Makefile.am.notally Linux-PAM-1.1.0/modules/Makefile.am ---- Linux-PAM-1.1.0/modules/Makefile.am.notally 2009-07-27 17:39:25.000000000 +0200 -+++ Linux-PAM-1.1.0/modules/Makefile.am 2009-09-01 17:40:16.000000000 +0200 -@@ -10,7 +10,7 @@ SUBDIRS = pam_access pam_cracklib pam_de - pam_mkhomedir pam_motd pam_namespace pam_nologin \ - pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \ - pam_selinux pam_sepermit pam_shells pam_stress \ -- pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \ -+ pam_succeed_if pam_tally2 pam_time pam_timestamp \ - pam_tty_audit pam_umask \ - pam_unix pam_userdb pam_warn pam_wheel pam_xauth - diff --git a/extra/source/pam/patches/pam-1.1.1-faillock.patch b/extra/source/pam/patches/pam-1.1.1-faillock.patch deleted file mode 100644 index 46f303741..000000000 --- a/extra/source/pam/patches/pam-1.1.1-faillock.patch +++ /dev/null @@ -1,1712 +0,0 @@ -diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in ---- Linux-PAM-1.1.1/configure.in.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/configure.in 2010-09-17 15:58:41.000000000 +0200 -@@ -539,7 +539,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil - modules/pam_access/Makefile modules/pam_cracklib/Makefile \ - modules/pam_debug/Makefile modules/pam_deny/Makefile \ - modules/pam_echo/Makefile modules/pam_env/Makefile \ -- modules/pam_faildelay/Makefile \ -+ modules/pam_faildelay/Makefile modules/pam_faillock/Makefile \ - modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \ - modules/pam_ftp/Makefile modules/pam_group/Makefile \ - modules/pam_issue/Makefile modules/pam_keyinit/Makefile \ -diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/sag/pam_faillock.xml ---- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock 2010-09-17 16:05:56.000000000 +0200 -+++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml 2010-09-17 16:08:26.000000000 +0200 -@@ -0,0 +1,38 @@ -+<?xml version='1.0' encoding='UTF-8'?> -+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" -+ "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -+<section id='sag-pam_faillock'> -+ <title>pam_faillock - temporarily locking access based on failed authentication attempts during an interval</title> -+ <cmdsynopsis> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisauth"]/*)'/> -+ </cmdsynopsis> -+ <cmdsynopsis> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisacct"]/*)'/> -+ </cmdsynopsis> -+ <section id='sag-pam_faillock-description'> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/> -+ </section> -+ <section id='sag-pam_faillock-options'> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/> -+ </section> -+ <section id='sag-pam_faillock-types'> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-types"]/*)'/> -+ </section> -+ <section id='sag-pam_faillock-return_values'> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-return_values"]/*)'/> -+ </section> -+ <section id='sag-pam_faillock-examples'> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/> -+ </section> -+ <section id='sag-pam_faillock-author'> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/> -+ </section> -+</section> -diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Makefile.am ---- Linux-PAM-1.1.1/modules/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/Makefile.am 2010-09-17 15:58:41.000000000 +0200 -@@ -3,7 +3,7 @@ - # - - SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ -- pam_chroot pam_console pam_postgresok \ -+ pam_chroot pam_console pam_postgresok pam_faillock \ - pam_env pam_exec pam_faildelay pam_filter pam_ftp \ - pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ - pam_listfile pam_localuser pam_loginuid pam_mail \ -diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.c ---- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,147 @@ -+/* -+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "config.h" -+#include <string.h> -+#include <stdlib.h> -+#include <unistd.h> -+#include <errno.h> -+#include <sys/types.h> -+#include <sys/stat.h> -+#include <sys/file.h> -+#include <fcntl.h> -+#include <security/pam_modutil.h> -+ -+#include "faillock.h" -+ -+int -+open_tally (const char *dir, const char *user, int create) -+{ -+ char *path; -+ int flags = O_RDWR; -+ int fd; -+ -+ if (strstr(user, "../") != NULL) -+ /* just a defensive programming as the user must be a -+ * valid user on the system anyway -+ */ -+ return -1; -+ path = malloc(strlen(dir) + strlen(user) + 2); -+ if (path == NULL) -+ return -1; -+ -+ strcpy(path, dir); -+ if (*dir && dir[strlen(dir) - 1] != '/') { -+ strcat(path, "/"); -+ } -+ strcat(path, user); -+ -+ if (create) { -+ flags |= O_CREAT; -+ } -+ -+ fd = open(path, flags, 0600); -+ -+ if (fd != -1) -+ while (flock(fd, LOCK_EX) == -1 && errno == EINTR); -+ -+ return fd; -+} -+ -+#define CHUNK_SIZE (64 * sizeof(struct tally)) -+#define MAX_RECORDS 1024 -+ -+int -+read_tally(int fd, struct tally_data *tallies) -+{ -+ void *data = NULL, *newdata; -+ unsigned int count = 0; -+ ssize_t chunk = 0; -+ -+ do { -+ newdata = realloc(data, count * sizeof(struct tally) + CHUNK_SIZE); -+ if (newdata == NULL) { -+ free(data); -+ return -1; -+ } -+ -+ data = newdata; -+ -+ chunk = pam_modutil_read(fd, (char *)data + count * sizeof(struct tally), CHUNK_SIZE); -+ if (chunk < 0) { -+ free(data); -+ return -1; -+ } -+ -+ count += chunk/sizeof(struct tally); -+ -+ if (count >= MAX_RECORDS) -+ break; -+ } -+ while (chunk == CHUNK_SIZE); -+ -+ tallies->records = data; -+ tallies->count = count; -+ -+ return 0; -+} -+ -+int -+update_tally(int fd, struct tally_data *tallies) -+{ -+ void *data = tallies->records; -+ unsigned int count = tallies->count; -+ ssize_t chunk; -+ -+ if (tallies->count > MAX_RECORDS) { -+ data = tallies->records + (count - MAX_RECORDS); -+ count = MAX_RECORDS; -+ } -+ -+ if (lseek(fd, 0, SEEK_SET) == (off_t)-1) { -+ return -1; -+ } -+ -+ chunk = pam_modutil_write(fd, data, count * sizeof(struct tally)); -+ -+ if (chunk != (ssize_t)(count * sizeof(struct tally))) { -+ return -1; -+ } -+ -+ if (ftruncate(fd, count * sizeof(struct tally)) == -1) -+ return -1; -+ -+ return 0; -+} -diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.h ---- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,72 @@ -+/* -+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+/* -+ * faillock.h - authentication failure data file record structure -+ * -+ * Each record in the file represents an instance of login failure of -+ * the user at the recorded time -+ */ -+ -+ -+#ifndef _FAILLOCK_H -+#define _FAILLOCK_H -+ -+#include <stdint.h> -+ -+#define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */ -+#define TALLY_STATUS_RHOST 0x2 /* the source is rhost */ -+#define TALLY_STATUS_TTY 0x4 /* the source is tty - if both TALLY_FLAG_RHOST and TALLY_FLAG_TTY are not set the source is service */ -+ -+struct tally { -+ char source[52]; /* rhost or tty of the login failure (not necessarily NULL terminated) */ -+ uint16_t reserved; /* reserved for future use */ -+ uint16_t status; /* record status */ -+ uint64_t time; /* time of the login failure */ -+}; -+/* 64 bytes per entry */ -+ -+struct tally_data { -+ struct tally *records; /* array of tallies */ -+ unsigned int count; /* number of records */ -+}; -+ -+#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock" -+ -+int open_tally(const char *dir, const char *user, int create); -+int read_tally(int fd, struct tally_data *tallies); -+int update_tally(int fd, struct tally_data *tallies); -+#endif -+ -diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml ---- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,123 @@ -+<?xml version="1.0" encoding='UTF-8'?> -+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> -+ -+<refentry id="faillock"> -+ -+ <refmeta> -+ <refentrytitle>faillock</refentrytitle> -+ <manvolnum>8</manvolnum> -+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> -+ </refmeta> -+ -+ <refnamediv id="pam_faillock-name"> -+ <refname>faillock</refname> -+ <refpurpose>Tool for displaying and modifying the authentication failure record files</refpurpose> -+ </refnamediv> -+ -+ <refsynopsisdiv> -+ <cmdsynopsis id="faillock-cmdsynopsis"> -+ <command>faillock</command> -+ <arg choice="opt"> -+ --dir <replaceable>/path/to/tally-directory</replaceable> -+ </arg> -+ <arg choice="opt"> -+ --user <replaceable>username</replaceable> -+ </arg> -+ <arg choice="opt"> -+ --reset -+ </arg> -+ </cmdsynopsis> -+ </refsynopsisdiv> -+ -+ <refsect1 id="faillock-description"> -+ -+ <title>DESCRIPTION</title> -+ -+ <para> -+ The <emphasis>pam_faillock.so</emphasis> module maintains a list of -+ failed authentication attempts per user during a specified interval -+ and locks the account in case there were more than -+ <replaceable>deny</replaceable> consecutive failed authentications. -+ It stores the failure records into per-user files in the tally -+ directory. -+ </para> -+ <para> -+ The <command>faillock</command> command is an application which -+ can be used to examine and modify the contents of the -+ the tally files. It can display the recent failed authentication -+ attempts of the <replaceable>username</replaceable> or clear the tally -+ files of all or individual <replaceable>usernames</replaceable>. -+ </para> -+ </refsect1> -+ -+ <refsect1 id="faillock-options"> -+ -+ <title>OPTIONS</title> -+ <variablelist> -+ <varlistentry> -+ <term> -+ <option>--dir <replaceable>/path/to/tally-directory</replaceable></option> -+ </term> -+ <listitem> -+ <para> -+ The directory where the user files with the failure records are kept. The -+ default is <filename>/var/run/faillock</filename>. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>--user <replaceable>username</replaceable></option> -+ </term> -+ <listitem> -+ <para> -+ The user whose failure records should be displayed or cleared. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>--reset</option> -+ </term> -+ <listitem> -+ <para> -+ Instead of displaying the user's failure records, clear them. -+ </para> -+ </listitem> -+ </varlistentry> -+ </variablelist> -+ </refsect1> -+ -+ <refsect1 id="faillock-files"> -+ <title>FILES</title> -+ <variablelist> -+ <varlistentry> -+ <term><filename>/var/run/faillock/*</filename></term> -+ <listitem> -+ <para>the files logging the authentication failures for users</para> -+ </listitem> -+ </varlistentry> -+ </variablelist> -+ </refsect1> -+ -+ <refsect1 id='faillock-see_also'> -+ <title>SEE ALSO</title> -+ <para> -+ <citerefentry> -+ <refentrytitle>pam_faillock</refentrytitle><manvolnum>8</manvolnum> -+ </citerefentry>, -+ <citerefentry> -+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> -+ </citerefentry> -+ </para> -+ </refsect1> -+ -+ <refsect1 id='faillock-author'> -+ <title>AUTHOR</title> -+ <para> -+ faillock was written by Tomas Mraz. -+ </para> -+ </refsect1> -+ -+</refentry> -diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/main.c ---- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/main.c 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,231 @@ -+/* -+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "config.h" -+ -+#include <stdio.h> -+#include <stdlib.h> -+#include <string.h> -+#include <dirent.h> -+#include <errno.h> -+#include <pwd.h> -+#include <time.h> -+#ifdef HAVE_LIBAUDIT -+#include <libaudit.h> -+#endif -+ -+#include "faillock.h" -+ -+struct options { -+ unsigned int reset; -+ const char *dir; -+ const char *user; -+ const char *progname; -+}; -+ -+static int -+args_parse(int argc, char **argv, struct options *opts) -+{ -+ int i; -+ memset(opts, 0, sizeof(*opts)); -+ -+ opts->dir = FAILLOCK_DEFAULT_TALLYDIR; -+ opts->progname = argv[0]; -+ -+ for (i = 1; i < argc; ++i) { -+ -+ if (strcmp(argv[i], "--dir") == 0) { -+ ++i; -+ if (i >= argc || strlen(argv[i]) == 0) { -+ fprintf(stderr, "%s: No directory supplied.\n", argv[0]); -+ return -1; -+ } -+ opts->dir = argv[i]; -+ } -+ else if (strcmp(argv[i], "--user") == 0) { -+ ++i; -+ if (i >= argc || strlen(argv[i]) == 0) { -+ fprintf(stderr, "%s: No user name supplied.\n", argv[0]); -+ return -1; -+ } -+ opts->user = argv[i]; -+ } -+ else if (strcmp(argv[i], "--reset") == 0) { -+ opts->reset = 1; -+ } -+ else { -+ fprintf(stderr, "%s: Unknown option: %s\n", argv[0], argv[i]); -+ return -1; -+ } -+ } -+ return 0; -+} -+ -+static void -+usage(const char *progname) -+{ -+ fprintf(stderr, _("Usage: %s [--dir /path/to/tally-directory] [--user username] [--reset]\n"), -+ progname); -+} -+ -+static int -+do_user(struct options *opts, const char *user) -+{ -+ int fd; -+ int rv; -+ struct tally_data tallies; -+ -+ fd = open_tally(opts->dir, user, 0); -+ -+ if (fd == -1) { -+ if (errno == ENOENT) { -+ return 0; -+ } -+ else { -+ fprintf(stderr, "%s: Error opening the tally file for %s:", -+ opts->progname, user); -+ perror(NULL); -+ return 3; -+ } -+ } -+ if (opts->reset) { -+#ifdef HAVE_LIBAUDIT -+ char buf[64]; -+ int audit_fd; -+#endif -+ -+ while ((rv=ftruncate(fd, 0)) == -1 && errno == EINTR); -+ if (rv == -1) { -+ fprintf(stderr, "%s: Error clearing the tally file for %s:", -+ opts->progname, user); -+ perror(NULL); -+#ifdef HAVE_LIBAUDIT -+ } -+ if ((audit_fd=audit_open()) >= 0) { -+ struct passwd *pwd; -+ -+ if ((pwd=getpwnam(user)) != NULL) { -+ snprintf(buf, sizeof(buf), "faillock reset uid=%u", -+ pwd->pw_uid); -+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT, -+ buf, NULL, NULL, NULL, rv == 0); -+ } -+ close(audit_fd); -+ } -+ if (rv == -1) { -+#endif -+ close(fd); -+ return 4; -+ } -+ } -+ else { -+ unsigned int i; -+ -+ memset(&tallies, 0, sizeof(tallies)); -+ if ((rv=read_tally(fd, &tallies)) == -1) { -+ fprintf(stderr, "%s: Error reading the tally file for %s:", -+ opts->progname, user); -+ perror(NULL); -+ close(fd); -+ return 5; -+ } -+ -+ printf("%s:\n", user); -+ printf("%-19s %-5s %-48s %-5s\n", "When", "Type", "Source", "Valid"); -+ -+ for (i = 0; i < tallies.count; i++) { -+ struct tm *tm; -+ char timebuf[80]; -+ uint16_t status = tallies.records[i].status; -+ time_t when = tallies.records[i].time; -+ -+ tm = localtime(&when); -+ strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm); -+ printf("%-19s %-5s %-52.52s %s\n", timebuf, -+ status & TALLY_STATUS_RHOST ? "RHOST" : (status & TALLY_STATUS_TTY ? "TTY" : "SVC"), -+ tallies.records[i].source, status & TALLY_STATUS_VALID ? "V":"I"); -+ } -+ free(tallies.records); -+ } -+ close(fd); -+ return 0; -+} -+ -+static int -+do_allusers(struct options *opts) -+{ -+ struct dirent **userlist; -+ int rv, i; -+ -+ rv = scandir(opts->dir, &userlist, NULL, alphasort); -+ if (rv < 0) { -+ fprintf(stderr, "%s: Error reading tally directory: ", opts->progname); -+ perror(NULL); -+ return 2; -+ } -+ -+ for (i = 0; i < rv; i++) { -+ if (userlist[i]->d_name[0] == '.') { -+ if ((userlist[i]->d_name[1] == '.' && userlist[i]->d_name[2] == '\0') || -+ userlist[i]->d_name[1] == '\0') -+ continue; -+ } -+ do_user(opts, userlist[i]->d_name); -+ free(userlist[i]); -+ } -+ free(userlist); -+ -+ return 0; -+} -+ -+ -+/*-----------------------------------------------------------------------*/ -+int -+main (int argc, char *argv[]) -+{ -+ struct options opts; -+ -+ if (args_parse(argc, argv, &opts)) { -+ usage(argv[0]); -+ return 1; -+ } -+ -+ if (opts.user == NULL) { -+ return do_allusers(&opts); -+ } -+ -+ return do_user(&opts, opts.user); -+} -+ -diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am ---- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,43 @@ -+# -+# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de> -+# Copyright (c) 2008 Red Hat, Inc. -+# Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> -+# -+ -+CLEANFILES = *~ -+MAINTAINERCLEANFILES = $(MANS) README -+ -+EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faillock -+ -+man_MANS = pam_faillock.8 faillock.8 -+XMLS = README.xml pam_faillock.8.xml faillock.8.xml -+ -+TESTS = tst-pam_faillock -+ -+securelibdir = $(SECUREDIR) -+secureconfdir = $(SCONFIGDIR) -+ -+noinst_HEADERS = faillock.h -+ -+faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -+pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -+ -+pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module -+pam_faillock_la_LIBADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) -+if HAVE_VERSIONING -+ pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map -+endif -+ -+faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) -+ -+securelib_LTLIBRARIES = pam_faillock.la -+sbin_PROGRAMS = faillock -+ -+pam_faillock_la_SOURCES = pam_faillock.c faillock.c -+faillock_SOURCES = main.c faillock.c -+ -+if ENABLE_REGENERATE_MAN -+noinst_DATA = README -+README: pam_faillock.8.xml -+-include $(top_srcdir)/Make.xml.rules -+endif -diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c ---- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,550 @@ -+/* -+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "config.h" -+#include <stdio.h> -+#include <string.h> -+#include <unistd.h> -+#include <stdint.h> -+#include <stdlib.h> -+#include <errno.h> -+#include <time.h> -+#include <pwd.h> -+#include <syslog.h> -+ -+#ifdef HAVE_LIBAUDIT -+#include <libaudit.h> -+#endif -+ -+#include <security/pam_modules.h> -+#include <security/pam_modutil.h> -+#include <security/pam_ext.h> -+ -+#include "faillock.h" -+ -+#define PAM_SM_AUTH -+#define PAM_SM_ACCOUNT -+ -+#define FAILLOCK_ACTION_PREAUTH 0 -+#define FAILLOCK_ACTION_AUTHSUCC 1 -+#define FAILLOCK_ACTION_AUTHFAIL 2 -+ -+#define FAILLOCK_FLAG_DENY_ROOT 0x1 -+#define FAILLOCK_FLAG_AUDIT 0x2 -+#define FAILLOCK_FLAG_SILENT 0x4 -+#define FAILLOCK_FLAG_NO_LOG_INFO 0x8 -+#define FAILLOCK_FLAG_UNLOCKED 0x10 -+ -+#define MAX_TIME_INTERVAL 604800 /* 7 days */ -+ -+struct options { -+ unsigned int action; -+ unsigned int flags; -+ unsigned short deny; -+ unsigned int fail_interval; -+ unsigned int unlock_time; -+ unsigned int root_unlock_time; -+ const char *dir; -+ const char *user; -+ int failures; -+ uint64_t latest_time; -+ uid_t uid; -+ uint64_t now; -+}; -+ -+static void -+args_parse(pam_handle_t *pamh, int argc, const char **argv, -+ int flags, struct options *opts) -+{ -+ int i; -+ memset(opts, 0, sizeof(*opts)); -+ -+ opts->dir = FAILLOCK_DEFAULT_TALLYDIR; -+ opts->deny = 3; -+ opts->fail_interval = 900; -+ opts->unlock_time = 600; -+ opts->root_unlock_time = MAX_TIME_INTERVAL+1; -+ -+ for (i = 0; i < argc; ++i) { -+ -+ if (strncmp(argv[i], "dir=", 4) == 0) { -+ if (argv[i][4] != '/') { -+ pam_syslog(pamh, LOG_ERR, -+ "Tally directory is not absolute path (%s); keeping default", argv[i]); -+ } else { -+ opts->dir = argv[i]+4; -+ } -+ } -+ else if (strncmp(argv[i], "deny=", 5) == 0) { -+ if (sscanf(argv[i]+5, "%hu", &opts->deny) != 1) { -+ pam_syslog(pamh, LOG_ERR, -+ "Bad number supplied for deny argument"); -+ } -+ } -+ else if (strncmp(argv[i], "fail_interval=", 14) == 0) { -+ unsigned int temp; -+ if (sscanf(argv[i]+14, "%u", &temp) != 1 || -+ temp > MAX_TIME_INTERVAL) { -+ pam_syslog(pamh, LOG_ERR, -+ "Bad number supplied for fail_interval argument"); -+ } else { -+ opts->fail_interval = temp; -+ } -+ } -+ else if (strncmp(argv[i], "unlock_time=", 12) == 0) { -+ unsigned int temp; -+ if (sscanf(argv[i]+12, "%u", &temp) != 1 || -+ temp > MAX_TIME_INTERVAL) { -+ pam_syslog(pamh, LOG_ERR, -+ "Bad number supplied for unlock_time argument"); -+ } else { -+ opts->unlock_time = temp; -+ } -+ } -+ else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) { -+ unsigned int temp; -+ if (sscanf(argv[i]+17, "%u", &temp) != 1 || -+ temp > MAX_TIME_INTERVAL) { -+ pam_syslog(pamh, LOG_ERR, -+ "Bad number supplied for root_unlock_time argument"); -+ } else { -+ opts->root_unlock_time = temp; -+ } -+ } -+ else if (strcmp(argv[i], "preauth") == 0) { -+ opts->action = FAILLOCK_ACTION_PREAUTH; -+ } -+ else if (strcmp(argv[i], "authfail") == 0) { -+ opts->action = FAILLOCK_ACTION_AUTHFAIL; -+ } -+ else if (strcmp(argv[i], "authsucc") == 0) { -+ opts->action = FAILLOCK_ACTION_AUTHSUCC; -+ } -+ else if (strcmp(argv[i], "even_deny_root") == 0) { -+ opts->flags |= FAILLOCK_FLAG_DENY_ROOT; -+ } -+ else if (strcmp(argv[i], "audit") == 0) { -+ opts->flags |= FAILLOCK_FLAG_AUDIT; -+ } -+ else if (strcmp(argv[i], "silent") == 0) { -+ opts->flags |= FAILLOCK_FLAG_SILENT; -+ } -+ else if (strcmp(argv[i], "no_log_info") == 0) { -+ opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO; -+ } -+ else { -+ pam_syslog(pamh, LOG_ERR, "Unknown option: %s", argv[i]); -+ } -+ } -+ -+ if (opts->root_unlock_time == MAX_TIME_INTERVAL+1) -+ opts->root_unlock_time = opts->unlock_time; -+ if (flags & PAM_SILENT) -+ opts->flags |= FAILLOCK_FLAG_SILENT; -+} -+ -+static int get_pam_user(pam_handle_t *pamh, struct options *opts) -+{ -+ const char *user; -+ int rv; -+ struct passwd *pwd; -+ -+ if ((rv=pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { -+ return rv; -+ } -+ -+ if (*user == '\0') { -+ return PAM_IGNORE; -+ } -+ -+ if ((pwd=pam_modutil_getpwnam(pamh, user)) == NULL) { -+ if (opts->flags & FAILLOCK_FLAG_AUDIT) { -+ pam_syslog(pamh, LOG_ERR, "User unknown: %s", user); -+ } -+ else { -+ pam_syslog(pamh, LOG_ERR, "User unknown"); -+ } -+ return PAM_IGNORE; -+ } -+ opts->user = user; -+ opts->uid = pwd->pw_uid; -+ return PAM_SUCCESS; -+} -+ -+static int -+check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd) -+{ -+ int tfd; -+ unsigned int i; -+ uint64_t latest_time; -+ int failures; -+ -+ opts->now = time(NULL); -+ -+ tfd = open_tally(opts->dir, opts->user, 0); -+ -+ *fd = tfd; -+ -+ if (tfd == -1) { -+ if (errno == EACCES || errno == ENOENT) { -+ return PAM_SUCCESS; -+ } -+ pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user); -+ return PAM_SYSTEM_ERR; -+ } -+ -+ if (read_tally(tfd, tallies) != 0) { -+ pam_syslog(pamh, LOG_ERR, "Error reading the tally file for %s: %m", opts->user); -+ return PAM_SYSTEM_ERR; -+ } -+ -+ if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { -+ return PAM_SUCCESS; -+ } -+ -+ latest_time = 0; -+ for(i = 0; i < tallies->count; i++) { -+ if ((tallies->records[i].status & TALLY_STATUS_VALID) && -+ tallies->records[i].time > latest_time) -+ latest_time = tallies->records[i].time; -+ } -+ -+ opts->latest_time = latest_time; -+ -+ failures = 0; -+ for(i = 0; i < tallies->count; i++) { -+ if ((tallies->records[i].status & TALLY_STATUS_VALID) && -+ latest_time - tallies->records[i].time < opts->fail_interval) { -+ ++failures; -+ } -+ } -+ -+ opts->failures = failures; -+ -+ if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { -+ return PAM_SUCCESS; -+ } -+ -+ if (opts->deny && failures >= opts->deny) { -+ if ((opts->uid && latest_time + opts->unlock_time < opts->now) || -+ (!opts->uid && latest_time + opts->root_unlock_time < opts->now)) { -+#ifdef HAVE_LIBAUDIT -+ if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */ -+ char buf[64]; -+ int audit_fd; -+ -+ audit_fd = audit_open(); -+ /* If there is an error & audit support is in the kernel report error */ -+ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT || -+ errno == EAFNOSUPPORT)) -+ return PAM_SYSTEM_ERR; -+ -+ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); -+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, -+ NULL, NULL, NULL, 1); -+ } -+#endif -+ opts->flags |= FAILLOCK_FLAG_UNLOCKED; -+ return PAM_SUCCESS; -+ } -+ return PAM_AUTH_ERR; -+ } -+ return PAM_SUCCESS; -+} -+ -+static void -+reset_tally(pam_handle_t *pamh, struct options *opts, int *fd) -+{ -+ int rv; -+ -+ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); -+ if (rv == -1) { -+ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); -+ } -+} -+ -+static int -+write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd) -+{ -+ struct tally *records; -+ unsigned int i; -+ int failures; -+ unsigned int oldest; -+ uint64_t oldtime; -+ const void *source = NULL; -+ -+ if (*fd == -1) { -+ *fd = open_tally(opts->dir, opts->user, 1); -+ } -+ if (*fd == -1) { -+ if (errno == EACCES) { -+ return PAM_SUCCESS; -+ } -+ pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user); -+ return PAM_SYSTEM_ERR; -+ } -+ -+ oldtime = 0; -+ oldest = 0; -+ failures = 0; -+ -+ for (i = 0; i < tallies->count; ++i) { -+ if (tallies->records[i].time < oldtime) { -+ oldtime = tallies->records[i].time; -+ oldest = i; -+ } -+ if (opts->flags & FAILLOCK_FLAG_UNLOCKED || -+ opts->now - tallies->records[i].time >= opts->fail_interval ) { -+ tallies->records[i].status &= ~TALLY_STATUS_VALID; -+ } else { -+ ++failures; -+ } -+ } -+ -+ if (oldest >= tallies->count || (tallies->records[oldest].status & TALLY_STATUS_VALID)) { -+ oldest = tallies->count; -+ -+ if ((records=realloc(tallies->records, (oldest+1) * sizeof (*tallies->records))) == NULL) { -+ pam_syslog(pamh, LOG_CRIT, "Error allocating memory for tally records: %m"); -+ return PAM_BUF_ERR; -+ } -+ -+ ++tallies->count; -+ tallies->records = records; -+ } -+ -+ memset(&tallies->records[oldest], 0, sizeof (*tallies->records)); -+ -+ tallies->records[oldest].status = TALLY_STATUS_VALID; -+ if (pam_get_item(pamh, PAM_RHOST, &source) != PAM_SUCCESS || source == NULL) { -+ if (pam_get_item(pamh, PAM_TTY, &source) != PAM_SUCCESS || source == NULL) { -+ if (pam_get_item(pamh, PAM_SERVICE, &source) != PAM_SUCCESS || source == NULL) { -+ source = ""; -+ } -+ } -+ else { -+ tallies->records[oldest].status |= TALLY_STATUS_TTY; -+ } -+ } -+ else { -+ tallies->records[oldest].status |= TALLY_STATUS_RHOST; -+ } -+ -+ strncpy(tallies->records[oldest].source, source, sizeof(tallies->records[oldest].source)); -+ /* source does not have to be null terminated */ -+ -+ tallies->records[oldest].time = opts->now; -+ -+ ++failures; -+ -+ if (opts->deny && failures == opts->deny) { -+#ifdef HAVE_LIBAUDIT -+ char buf[64]; -+ int audit_fd; -+ -+ audit_fd = audit_open(); -+ /* If there is an error & audit support is in the kernel report error */ -+ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT || -+ errno == EAFNOSUPPORT)) -+ return PAM_SYSTEM_ERR; -+ -+ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); -+ audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, -+ NULL, NULL, NULL, 1); -+ -+ if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { -+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf, -+ NULL, NULL, NULL, 1); -+ } -+ close(audit_fd); -+#endif -+ if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO)) { -+ pam_syslog(pamh, LOG_INFO, "Consecutive login failures for user %s account temporarily locked", -+ opts->user); -+ } -+ } -+ -+ if (update_tally(*fd, tallies) == 0) -+ return PAM_SUCCESS; -+ -+ return PAM_SYSTEM_ERR; -+} -+ -+static void -+faillock_message(pam_handle_t *pamh, struct options *opts) -+{ -+ int64_t left; -+ -+ if (!(opts->flags & FAILLOCK_FLAG_SILENT)) { -+ if (opts->uid) { -+ left = opts->latest_time + opts->unlock_time - opts->now; -+ } -+ else { -+ left = opts->latest_time + opts->root_unlock_time - opts->now; -+ } -+ -+ left /= 60; /* minutes */ -+ -+ pam_info(pamh, _("Account temporarily locked due to %d failed logins"), -+ opts->failures); -+ pam_info(pamh, _("(%d minutes left to unlock)"), (int)left); -+ } -+} -+ -+static void -+tally_cleanup(struct tally_data *tallies, int fd) -+{ -+ if (fd != -1) { -+ close(fd); -+ } -+ -+ free(tallies->records); -+} -+ -+/*---------------------------------------------------------------------*/ -+ -+PAM_EXTERN int -+pam_sm_authenticate(pam_handle_t *pamh, int flags, -+ int argc, const char **argv) -+{ -+ struct options opts; -+ int rv, fd = -1; -+ struct tally_data tallies; -+ -+ memset(&tallies, 0, sizeof(tallies)); -+ -+ args_parse(pamh, argc, argv, flags, &opts); -+ -+ pam_fail_delay(pamh, 2000000); /* 2 sec delay for on failure */ -+ -+ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) { -+ return rv; -+ } -+ -+ switch (opts.action) { -+ case FAILLOCK_ACTION_PREAUTH: -+ rv = check_tally(pamh, &opts, &tallies, &fd); -+ if (rv == PAM_AUTH_ERR && !(opts.flags & FAILLOCK_FLAG_SILENT)) { -+ faillock_message(pamh, &opts); -+ } -+ break; -+ -+ case FAILLOCK_ACTION_AUTHSUCC: -+ rv = check_tally(pamh, &opts, &tallies, &fd); -+ if (rv == PAM_SUCCESS && fd != -1) { -+ reset_tally(pamh, &opts, &fd); -+ } -+ break; -+ -+ case FAILLOCK_ACTION_AUTHFAIL: -+ rv = check_tally(pamh, &opts, &tallies, &fd); -+ if (rv == PAM_SUCCESS) { -+ rv = PAM_IGNORE; /* this return value should be ignored */ -+ write_tally(pamh, &opts, &tallies, &fd); -+ } -+ break; -+ } -+ -+ tally_cleanup(&tallies, fd); -+ -+ return rv; -+} -+ -+/*---------------------------------------------------------------------*/ -+ -+PAM_EXTERN int -+pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, -+ int argc UNUSED, const char **argv UNUSED) -+{ -+ return PAM_SUCCESS; -+} -+ -+/*---------------------------------------------------------------------*/ -+ -+PAM_EXTERN int -+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, -+ int argc, const char **argv) -+{ -+ struct options opts; -+ int rv, fd = -1; -+ struct tally_data tallies; -+ -+ memset(&tallies, 0, sizeof(tallies)); -+ -+ args_parse(pamh, argc, argv, flags, &opts); -+ -+ opts.action = FAILLOCK_ACTION_AUTHSUCC; -+ -+ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) { -+ return rv; -+ } -+ -+ check_tally(pamh, &opts, &tallies, &fd); -+ if (fd != -1) { -+ reset_tally(pamh, &opts, &fd); -+ } -+ -+ tally_cleanup(&tallies, fd); -+ -+ return PAM_SUCCESS; -+} -+ -+/*-----------------------------------------------------------------------*/ -+ -+#ifdef PAM_STATIC -+ -+/* static module data */ -+ -+struct pam_module _pam_faillock_modstruct = { -+ MODULE_NAME, -+#ifdef PAM_SM_AUTH -+ pam_sm_authenticate, -+ pam_sm_setcred, -+#else -+ NULL, -+ NULL, -+#endif -+#ifdef PAM_SM_ACCOUNT -+ pam_sm_acct_mgmt, -+#else -+ NULL, -+#endif -+ NULL, -+ NULL, -+ NULL, -+}; -+ -+#endif /* #ifdef PAM_STATIC */ -+ -diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml ---- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,396 @@ -+<?xml version="1.0" encoding='UTF-8'?> -+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> -+ -+<refentry id="pam_faillock"> -+ -+ <refmeta> -+ <refentrytitle>pam_faillock</refentrytitle> -+ <manvolnum>8</manvolnum> -+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> -+ </refmeta> -+ -+ <refnamediv id="pam_faillock-name"> -+ <refname>pam_faillock</refname> -+ <refpurpose>Module counting authentication failures during a specified interval</refpurpose> -+ </refnamediv> -+ -+ <refsynopsisdiv> -+ <cmdsynopsis id="pam_faillock-cmdsynopsisauth"> -+ <command>auth ... pam_faillock.so</command> -+ <arg choice="req"> -+ preauth|authfail|authsucc -+ </arg> -+ <arg choice="opt"> -+ dir=<replaceable>/path/to/tally-directory</replaceable> -+ </arg> -+ <arg choice="opt"> -+ even_deny_root -+ </arg> -+ <arg choice="opt"> -+ deny=<replaceable>n</replaceable> -+ </arg> -+ <arg choice="opt"> -+ fail_interval=<replaceable>n</replaceable> -+ </arg> -+ <arg choice="opt"> -+ unlock_time=<replaceable>n</replaceable> -+ </arg> -+ <arg choice="opt"> -+ root_unlock_time=<replaceable>n</replaceable> -+ </arg> -+ <arg choice="opt"> -+ audit -+ </arg> -+ <arg choice="opt"> -+ silent -+ </arg> -+ <arg choice="opt"> -+ no_log_info -+ </arg> -+ </cmdsynopsis> -+ <cmdsynopsis id="pam_faillock-cmdsynopsisacct"> -+ <command>account ... pam_faillock.so</command> -+ <arg choice="opt"> -+ dir=<replaceable>/path/to/tally-directory</replaceable> -+ </arg> -+ <arg choice="opt"> -+ no_log_info -+ </arg> -+ </cmdsynopsis> -+ </refsynopsisdiv> -+ -+ <refsect1 id="pam_faillock-description"> -+ -+ <title>DESCRIPTION</title> -+ -+ <para> -+ This module maintains a list of failed authentication attempts per -+ user during a specified interval and locks the account in case -+ there were more than <replaceable>deny</replaceable> consecutive -+ failed authentications. -+ </para> -+ <para> -+ Normally, failed attempts to authenticate <emphasis>root</emphasis> will -+ <emphasis remap='B'>not</emphasis> cause the root account to become -+ blocked, to prevent denial-of-service: if your users aren't given -+ shell accounts and root may only login via <command>su</command> or -+ at the machine console (not telnet/rsh, etc), this is safe. -+ </para> -+ </refsect1> -+ -+ <refsect1 id="pam_faillock-options"> -+ -+ <title>OPTIONS</title> -+ <variablelist> -+ <varlistentry> -+ <term> -+ <option>{preauth|authfail|authsucc}</option> -+ </term> -+ <listitem> -+ <para> -+ This argument must be set accordingly to the position of this module -+ instance in the PAM stack. -+ </para> -+ <para> -+ The <emphasis>preauth</emphasis> argument must be used when the module -+ is called before the modules which ask for the user credentials such -+ as the password. The module just examines whether the user should -+ be blocked from accessing the service in case there were anomalous -+ number of failed consecutive authentication attempts recently. This -+ call is optional if <emphasis>authsucc</emphasis> is used. -+ </para> -+ <para> -+ The <emphasis>authfail</emphasis> argument must be used when the module -+ is called after the modules which determine the authentication outcome, -+ failed. Unless the user is already blocked due to previous authentication -+ failures, the module will record the failure into the appropriate user -+ tally file. -+ </para> -+ <para> -+ The <emphasis>authsucc</emphasis> argument must be used when the module -+ is called after the modules which determine the authentication outcome, -+ succeded. Unless the user is already blocked due to previous authentication -+ failures, the module will then clear the record of the failures in the -+ respective user tally file. Otherwise it will return authentication error. -+ If this call is not done, the pam_faillock will not distinguish between -+ consecutive and non-consecutive failed authentication attempts. The -+ <emphasis>preauth</emphasis> call must be used in such case. Due to -+ complications in the way the PAM stack can be configured it is also -+ possible to call <emphasis>pam_faillock</emphasis> as an account module. -+ In such configuration the module must be also called in the -+ <emphasis>preauth</emphasis> stage. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>dir=<replaceable>/path/to/tally-directory</replaceable></option> -+ </term> -+ <listitem> -+ <para> -+ The directory where the user files with the failure records are kept. The -+ default is <filename>/var/run/faillock</filename>. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>audit</option> -+ </term> -+ <listitem> -+ <para> -+ Will log the user name into the system log if the user is not found. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>silent</option> -+ </term> -+ <listitem> -+ <para> -+ Don't print informative messages. This option is implicite -+ in the <emphasis>authfail</emphasis> and <emphasis>authsucc</emphasis> -+ functions. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>no_log_info</option> -+ </term> -+ <listitem> -+ <para> -+ Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>deny=<replaceable>n</replaceable></option> -+ </term> -+ <listitem> -+ <para> -+ Deny access if the number of consecutive authentication failures -+ for this user during the recent interval exceeds -+ <replaceable>n</replaceable>. The default is 3. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>fail_interval=<replaceable>n</replaceable></option> -+ </term> -+ <listitem> -+ <para> -+ The length of the interval during which the consecutive -+ authentication failures must happen for the user account -+ lock out is <replaceable>n</replaceable> seconds. -+ The default is 900 (15 minutes). -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>unlock_time=<replaceable>n</replaceable></option> -+ </term> -+ <listitem> -+ <para> -+ The access will be reenabled after -+ <replaceable>n</replaceable> seconds after the lock out. -+ The default is 600 (10 minutes). -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>even_deny_root</option> -+ </term> -+ <listitem> -+ <para> -+ Root account can become locked as well as regular accounts. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>root_unlock_time=<replaceable>n</replaceable></option> -+ </term> -+ <listitem> -+ <para> -+ This option implies <option>even_deny_root</option> option. -+ Allow access after <replaceable>n</replaceable> seconds -+ to root account after the account is locked. In case the -+ option is not specified the value is the same as of the -+ <option>unlock_time</option> option. -+ </para> -+ </listitem> -+ </varlistentry> -+ </variablelist> -+ </refsect1> -+ -+ <refsect1 id="pam_faillock-types"> -+ <title>MODULE TYPES PROVIDED</title> -+ <para> -+ The <option>auth</option> and <option>account</option> module types are -+ provided. -+ </para> -+ </refsect1> -+ -+ <refsect1 id='pam_faillock-return_values'> -+ <title>RETURN VALUES</title> -+ <variablelist> -+ <varlistentry> -+ <term>PAM_AUTH_ERR</term> -+ <listitem> -+ <para> -+ A invalid option was given, the module was not able -+ to retrieve the user name, no valid counter file -+ was found, or too many failed logins. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term>PAM_SUCCESS</term> -+ <listitem> -+ <para> -+ Everything was successful. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term>PAM_IGNORE</term> -+ <listitem> -+ <para> -+ User not present in passwd database. -+ </para> -+ </listitem> -+ </varlistentry> -+ </variablelist> -+ </refsect1> -+ -+ <refsect1 id='pam_faillock-notes'> -+ <title>NOTES</title> -+ <para> -+ <emphasis>pam_faillock</emphasis> setup in the PAM stack is different -+ from the <emphasis>pam_tally2</emphasis> module setup. -+ </para> -+ <para> -+ There is no setuid wrapper for access to the data file such as when the -+ <emphasis remap='B'>pam_faillock.so</emphasis> module is called from -+ a screensaver. As this would make it impossible to share PAM configuration -+ with such services the following workaround is used: If the data file -+ cannot be opened because of insufficient permissions -+ (<errorcode>EACCES</errorcode>) the module returns -+ <errorcode>PAM_SUCCESS</errorcode>. -+ </para> -+ <para> -+ Note that using the module in <option>preauth</option> without the -+ <option>silent</option> option or with <emphasis>requisite</emphasis> -+ control field leaks an information about existence or -+ non-existence of an user account in the system because -+ the failures are not recorded for the unknown users. The message -+ about the user account being locked is never displayed for nonexisting -+ user accounts allowing the adversary to infer that a particular account -+ is not existing on a system. -+ </para> -+ </refsect1> -+ -+ <refsect1 id='pam_faillock-examples'> -+ <title>EXAMPLES</title> -+ <para> -+ Here are two possible configuration examples for <filename>/etc/pam.d/login</filename>. -+ They make <emphasis>pam_faillock</emphasis> to lock the account after 4 consecutive -+ failed logins during the default interval of 15 minutes. Root account will be locked -+ as well. The accounts will be automatically unlocked after 20 minutes. -+ </para> -+ <para> -+ In the first example the module is called only in the <emphasis>auth</emphasis> -+ phase and the module does not print any information about the account blocking -+ by <emphasis>pam_faillock</emphasis>. The <emphasis>preauth</emphasis> call can -+ be added to tell the user that his login is blocked by the module and also to abort -+ the authentication without even asking for password in such case. -+ </para> -+ <programlisting> -+auth required pam_securetty.so -+auth required pam_env.so -+auth required pam_nologin.so -+# optionally call: auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200 -+# to display the message about account being locked -+auth [success=1 default=bad] pam_unix.so -+auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200 -+auth sufficient pam_faillock.so authsucc deny=4 even_deny_root unlock_time=1200 -+auth required pam_deny.so -+account required pam_unix.so -+password required pam_unix.so shadow -+session required pam_selinux.so close -+session required pam_loginuid.so -+session required pam_unix.so -+session required pam_selinux.so open -+ </programlisting> -+ <para> -+ In the second example the module is called both in the <emphasis>auth</emphasis> -+ and <emphasis>account</emphasis> phases and the module gives the authenticating -+ user message when the account is locked -+ </para> -+ <programlisting> -+auth required pam_securetty.so -+auth required pam_env.so -+auth required pam_nologin.so -+auth required pam_faillock.so preauth silent deny=4 even_deny_root unlock_time=1200 -+# optionally use requisite above if you do not want to prompt for the password -+# on locked accounts, possibly with removing the silent option as well -+auth sufficient pam_unix.so -+auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200 -+auth required pam_deny.so -+account required pam_faillock.so -+# if you drop the above call to pam_faillock.so the lock will be done also -+# on non-consecutive authentication failures -+account required pam_unix.so -+password required pam_unix.so shadow -+session required pam_selinux.so close -+session required pam_loginuid.so -+session required pam_unix.so -+session required pam_selinux.so open -+ </programlisting> -+ </refsect1> -+ -+ <refsect1 id="pam_faillock-files"> -+ <title>FILES</title> -+ <variablelist> -+ <varlistentry> -+ <term><filename>/var/run/faillock/*</filename></term> -+ <listitem> -+ <para>the files logging the authentication failures for users</para> -+ </listitem> -+ </varlistentry> -+ </variablelist> -+ </refsect1> -+ -+ <refsect1 id='pam_faillock-see_also'> -+ <title>SEE ALSO</title> -+ <para> -+ <citerefentry> -+ <refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum> -+ </citerefentry>, -+ <citerefentry> -+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> -+ </citerefentry>, -+ <citerefentry> -+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> -+ </citerefentry>, -+ <citerefentry> -+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> -+ </citerefentry> -+ </para> -+ </refsect1> -+ -+ <refsect1 id='pam_faillock-author'> -+ <title>AUTHOR</title> -+ <para> -+ pam_faillock was written by Tomas Mraz. -+ </para> -+ </refsect1> -+ -+</refentry> -diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/README.xml ---- Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/README.xml 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,46 @@ -+<?xml version="1.0" encoding='UTF-8'?> -+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -+"http://www.docbook.org/xml/4.3/docbookx.dtd" -+[ -+<!-- -+<!ENTITY pamaccess SYSTEM "pam_faillock.8.xml"> -+--> -+]> -+ -+<article> -+ -+ <articleinfo> -+ -+ <title> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="pam_faillock.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_faillock-name"]/*)'/> -+ </title> -+ -+ </articleinfo> -+ -+ <section> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/> -+ </section> -+ -+ <section> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/> -+ </section> -+ -+ <section> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-notes"]/*)'/> -+ </section> -+ -+ <section> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/> -+ </section> -+ -+ <section> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/> -+ </section> -+ -+</article> -diff -up Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock ---- Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,2 @@ -+#!/bin/sh -+../../tests/tst-dlopen .libs/pam_faillock.so diff --git a/extra/source/pam/patches/pam-1.1.2-noflex.patch b/extra/source/pam/patches/pam-1.1.2-noflex.patch deleted file mode 100644 index fc965559b..000000000 --- a/extra/source/pam/patches/pam-1.1.2-noflex.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -up Linux-PAM-1.1.2/doc/Makefile.am.noflex Linux-PAM-1.1.2/doc/Makefile.am ---- Linux-PAM-1.1.2/doc/Makefile.am.noflex 2008-02-04 16:05:51.000000000 +0100 -+++ Linux-PAM-1.1.2/doc/Makefile.am 2010-09-20 10:40:59.000000000 +0200 -@@ -2,7 +2,7 @@ - # Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> - # - --SUBDIRS = man specs sag adg mwg -+SUBDIRS = man sag adg mwg - - CLEANFILES = *~ - -diff -up Linux-PAM-1.1.2/Makefile.am.noflex Linux-PAM-1.1.2/Makefile.am ---- Linux-PAM-1.1.2/Makefile.am.noflex 2010-07-08 14:04:19.000000000 +0200 -+++ Linux-PAM-1.1.2/Makefile.am 2010-09-20 10:04:56.000000000 +0200 -@@ -5,9 +5,9 @@ - AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news - - if STATIC_MODULES --SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests -+SUBDIRS = modules libpam libpamc libpam_misc tests po doc examples xtests - else --SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests -+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests - endif - - CLEANFILES = *~ diff --git a/extra/source/pam/patches/pam-1.1.3-faillock-screensaver.patch b/extra/source/pam/patches/pam-1.1.3-faillock-screensaver.patch deleted file mode 100644 index 249d2850c..000000000 --- a/extra/source/pam/patches/pam-1.1.3-faillock-screensaver.patch +++ /dev/null @@ -1,167 +0,0 @@ -diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.c ---- Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver 2010-11-10 11:46:07.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.c 2010-11-10 11:46:07.000000000 +0100 -@@ -41,13 +41,14 @@ - #include <sys/types.h> - #include <sys/stat.h> - #include <sys/file.h> -+#include <sys/stat.h> - #include <fcntl.h> - #include <security/pam_modutil.h> - - #include "faillock.h" - - int --open_tally (const char *dir, const char *user, int create) -+open_tally (const char *dir, const char *user, uid_t uid, int create) - { - char *path; - int flags = O_RDWR; -@@ -69,8 +70,18 @@ open_tally (const char *dir, const char - - fd = open(path, flags, 0600); - -- if (fd != -1) -+ free(path); -+ -+ if (fd != -1) { -+ struct stat st; -+ - while (flock(fd, LOCK_EX) == -1 && errno == EINTR); -+ if (fstat(fd, &st) == 0) { -+ if (st.st_uid != uid) { -+ fchown(fd, uid, -1); -+ } -+ } -+ } - - return fd; - } -diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.h ---- Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver 2010-11-10 11:46:07.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.h 2010-11-10 11:46:07.000000000 +0100 -@@ -45,6 +45,7 @@ - #define _FAILLOCK_H - - #include <stdint.h> -+#include <sys/types.h> - - #define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */ - #define TALLY_STATUS_RHOST 0x2 /* the source is rhost */ -@@ -65,7 +66,7 @@ struct tally_data { - - #define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock" - --int open_tally(const char *dir, const char *user, int create); -+int open_tally(const char *dir, const char *user, uid_t uid, int create); - int read_tally(int fd, struct tally_data *tallies); - int update_tally(int fd, struct tally_data *tallies); - #endif -diff -up Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/main.c ---- Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver 2010-11-10 11:46:07.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/main.c 2010-11-10 11:46:07.000000000 +0100 -@@ -106,8 +106,11 @@ do_user(struct options *opts, const char - int fd; - int rv; - struct tally_data tallies; -+ struct passwd *pwd; - -- fd = open_tally(opts->dir, user, 0); -+ pwd = getpwnam(user); -+ -+ fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0); - - if (fd == -1) { - if (errno == ENOENT) { -@@ -134,9 +137,8 @@ do_user(struct options *opts, const char - #ifdef HAVE_LIBAUDIT - } - if ((audit_fd=audit_open()) >= 0) { -- struct passwd *pwd; - -- if ((pwd=getpwnam(user)) != NULL) { -+ if (pwd != NULL) { - snprintf(buf, sizeof(buf), "faillock reset uid=%u", - pwd->pw_uid); - audit_log_user_message(audit_fd, AUDIT_USER_ACCT, -diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c ---- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver 2010-11-10 11:46:07.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c 2010-11-10 11:46:07.000000000 +0100 -@@ -213,7 +213,7 @@ check_tally(pam_handle_t *pamh, struct o - - opts->now = time(NULL); - -- tfd = open_tally(opts->dir, opts->user, 0); -+ tfd = open_tally(opts->dir, opts->user, opts->uid, 0); - - *fd = tfd; - -@@ -289,9 +289,14 @@ reset_tally(pam_handle_t *pamh, struct o - { - int rv; - -- while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); -- if (rv == -1) { -- pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); -+ if (*fd == -1) { -+ *fd = open_tally(opts->dir, opts->user, opts->uid, 1); -+ } -+ else { -+ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); -+ if (rv == -1) { -+ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); -+ } - } - } - -@@ -306,7 +311,7 @@ write_tally(pam_handle_t *pamh, struct o - const void *source = NULL; - - if (*fd == -1) { -- *fd = open_tally(opts->dir, opts->user, 1); -+ *fd = open_tally(opts->dir, opts->user, opts->uid, 1); - } - if (*fd == -1) { - if (errno == EACCES) { -@@ -463,7 +468,7 @@ pam_sm_authenticate(pam_handle_t *pamh, - - case FAILLOCK_ACTION_AUTHSUCC: - rv = check_tally(pamh, &opts, &tallies, &fd); -- if (rv == PAM_SUCCESS && fd != -1) { -+ if (rv == PAM_SUCCESS) { - reset_tally(pamh, &opts, &fd); - } - break; -@@ -511,10 +516,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int - return rv; - } - -- check_tally(pamh, &opts, &tallies, &fd); -- if (fd != -1) { -- reset_tally(pamh, &opts, &fd); -- } -+ check_tally(pamh, &opts, &tallies, &fd); /* for auditing */ -+ reset_tally(pamh, &opts, &fd); - - tally_cleanup(&tallies, fd); - -diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml ---- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver 2010-11-10 11:46:07.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml 2010-11-10 11:47:14.000000000 +0100 -@@ -277,13 +277,9 @@ - from the <emphasis>pam_tally2</emphasis> module setup. - </para> - <para> -- There is no setuid wrapper for access to the data file such as when the -- <emphasis remap='B'>pam_faillock.so</emphasis> module is called from -- a screensaver. As this would make it impossible to share PAM configuration -- with such services the following workaround is used: If the data file -- cannot be opened because of insufficient permissions -- (<errorcode>EACCES</errorcode>) the module returns -- <errorcode>PAM_SUCCESS</errorcode>. -+ The individual files with the failure records are created as owned by -+ the user. This allows <emphasis remap='B'>pam_faillock.so</emphasis> module -+ to work correctly when it is called from a screensaver. - </para> - <para> - Note that using the module in <option>preauth</option> without the diff --git a/extra/source/pam/patches/pam-1.1.3-limits-nosetreuid.patch b/extra/source/pam/patches/pam-1.1.3-limits-nosetreuid.patch deleted file mode 100644 index 885690d09..000000000 --- a/extra/source/pam/patches/pam-1.1.3-limits-nosetreuid.patch +++ /dev/null @@ -1,64 +0,0 @@ -diff -up Linux-PAM-1.1.3/modules/pam_limits/pam_limits.c.nosetreuid Linux-PAM-1.1.3/modules/pam_limits/pam_limits.c ---- Linux-PAM-1.1.3/modules/pam_limits/pam_limits.c.nosetreuid 2009-02-20 14:27:14.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_limits/pam_limits.c 2010-11-11 12:31:04.000000000 +0100 -@@ -103,7 +103,6 @@ struct pam_limit_s { - /* argument parsing */ - - #define PAM_DEBUG_ARG 0x0001 --#define PAM_DO_SETREUID 0x0002 - #define PAM_UTMP_EARLY 0x0004 - #define PAM_NO_AUDIT 0x0008 - -@@ -127,8 +126,6 @@ _pam_parse (const pam_handle_t *pamh, in - ctrl |= PAM_DEBUG_ARG; - } else if (!strncmp(*argv,"conf=",5)) { - pl->conf_file = *argv+5; -- } else if (!strncmp(*argv,"change_uid",10)) { -- ctrl |= PAM_DO_SETREUID; - } else if (!strcmp(*argv,"utmp_early")) { - ctrl |= PAM_UTMP_EARLY; - } else if (!strcmp(*argv,"noaudit")) { -@@ -777,10 +774,6 @@ out: - return retval; - } - -- if (ctrl & PAM_DO_SETREUID) { -- setreuid(pwd->pw_uid, -1); -- } -- - retval = setup_limits(pamh, pwd->pw_name, pwd->pw_uid, ctrl, pl); - if (retval & LOGIN_ERR) - pam_error(pamh, _("Too many logins for '%s'."), pwd->pw_name); -diff -up Linux-PAM-1.1.3/modules/pam_limits/pam_limits.8.xml.nosetreuid Linux-PAM-1.1.3/modules/pam_limits/pam_limits.8.xml ---- Linux-PAM-1.1.3/modules/pam_limits/pam_limits.8.xml.nosetreuid 2009-06-01 09:03:20.000000000 +0200 -+++ Linux-PAM-1.1.3/modules/pam_limits/pam_limits.8.xml 2010-11-11 12:32:35.000000000 +0100 -@@ -23,9 +23,6 @@ - <cmdsynopsis id="pam_limits-cmdsynopsis"> - <command>pam_limits.so</command> - <arg choice="opt"> -- change_uid -- </arg> -- <arg choice="opt"> - conf=<replaceable>/path/to/limits.conf</replaceable> - </arg> - <arg choice="opt"> -@@ -72,19 +69,6 @@ - <variablelist> - <varlistentry> - <term> -- <option>change_uid</option> -- </term> -- <listitem> -- <para> -- Change real uid to the user for who the limits are set up. Use this -- option if you have problems like login not forking a shell for user -- who has no processes. Be warned that something else may break when -- you do this. -- </para> -- </listitem> -- </varlistentry> -- <varlistentry> -- <term> - <option>conf=<replaceable>/path/to/limits.conf</replaceable></option> - </term> - <listitem> diff --git a/extra/source/pam/patches/pam-1.1.3-limits-range.patch b/extra/source/pam/patches/pam-1.1.3-limits-range.patch deleted file mode 100644 index c357eb282..000000000 --- a/extra/source/pam/patches/pam-1.1.3-limits-range.patch +++ /dev/null @@ -1,351 +0,0 @@ -Index: modules/pam_limits/limits.conf.5.xml -=================================================================== -RCS file: /cvsroot/pam/Linux-PAM/modules/pam_limits/limits.conf.5.xml,v -retrieving revision 1.9 -retrieving revision 1.11 -diff -u -p -r1.9 -r1.11 ---- modules/pam_limits/limits.conf.5.xml 20 Feb 2009 13:27:14 -0000 1.9 -+++ modules/pam_limits/limits.conf.5.xml 14 Dec 2010 08:40:40 -0000 1.11 -@@ -53,7 +53,38 @@ - <listitem> - <para> - the wildcard <emphasis remap='B'>%</emphasis>, for maxlogins limit only, -- can also be used with <emphasis remap='b'>%group</emphasis> syntax. -+ can also be used with <emphasis remap='B'>%group</emphasis> syntax. If the -+ <emphasis remap='B'>%</emphasis> wildcard is used alone it is identical -+ to using <emphasis remap='B'>*</emphasis> with maxsyslogins limit. With -+ a group specified after <emphasis remap='B'>%</emphasis> it limits the total -+ number of logins of all users that are member of the group. -+ </para> -+ </listitem> -+ <listitem> -+ <para> -+ an uid range specified as <replaceable><min_uid></replaceable><emphasis -+ remap='B'>:</emphasis><replaceable><max_uid></replaceable>. If min_uid -+ is omitted, the match is exact for the max_uid. If max_uid is omitted, all -+ uids greater than or equal min_uid match. -+ </para> -+ </listitem> -+ <listitem> -+ <para> -+ a gid range specified as <emphasis -+ remap='B'>@</emphasis><replaceable><min_gid></replaceable><emphasis -+ remap='B'>:</emphasis><replaceable><max_gid></replaceable>. If min_gid -+ is omitted, the match is exact for the max_gid. If max_gid is omitted, all -+ gids greater than or equal min_gid match. For the exact match all groups including -+ the user's supplementary groups are examined. For the range matches only -+ the user's primary group is examined. -+ </para> -+ </listitem> -+ <listitem> -+ <para> -+ a gid specified as <emphasis -+ remap='B'>%:</emphasis><replaceable><gid></replaceable> applicable -+ to maxlogins limit only. It limits the total number of logins of all users -+ that are member of the group with the specified gid. - </para> - </listitem> - </itemizedlist> -@@ -182,7 +213,7 @@ - <varlistentry> - <term><option>maxsyslogins</option></term> - <listitem> -- <para>maximum number of logins on system</para> -+ <para>maximum number of all logins on system</para> - </listitem> - </varlistentry> - <varlistentry> -@@ -272,12 +303,15 @@ - </para> - <programlisting> - * soft core 0 --* hard rss 10000 -+* hard nofile 512 - @student hard nproc 20 - @faculty soft nproc 20 - @faculty hard nproc 50 - ftp hard nproc 0 - @student - maxlogins 4 -+:123 hard cpu 5000 -+@500: soft cpu 10000 -+600:700 hard locks 10 - </programlisting> - </refsect1> - -Index: modules/pam_limits/pam_limits.c -=================================================================== -RCS file: /cvsroot/pam/Linux-PAM/modules/pam_limits/pam_limits.c,v -retrieving revision 1.48 -retrieving revision 1.49 -diff -u -p -r1.48 -r1.49 ---- modules/pam_limits/pam_limits.c 18 Nov 2010 09:37:32 -0000 1.48 -+++ modules/pam_limits/pam_limits.c 14 Dec 2010 08:40:40 -0000 1.49 -@@ -55,6 +55,12 @@ - #define LIMITS_DEF_DEFAULT 4 /* limit was set by an default entry */ - #define LIMITS_DEF_NONE 5 /* this limit was not set yet */ - -+#define LIMIT_RANGE_ERR -1 /* error in specified uid/gid range */ -+#define LIMIT_RANGE_NONE 0 /* no range specified */ -+#define LIMIT_RANGE_ONE 1 /* exact uid/gid specified (:max_uid)*/ -+#define LIMIT_RANGE_MIN 2 /* only minimum uid/gid specified (min_uid:) */ -+#define LIMIT_RANGE_MM 3 /* both min and max uid/gid specified (min_uid:max_uid) */ -+ - static const char *limits_def_names[] = { - "USER", - "GROUP", -@@ -520,8 +526,57 @@ process_limit (const pam_handle_t *pamh, - return; - } - --static int parse_config_file(pam_handle_t *pamh, const char *uname, int ctrl, -- struct pam_limit_s *pl) -+static int -+parse_uid_range(pam_handle_t *pamh, const char *domain, -+ uid_t *min_uid, uid_t *max_uid) -+{ -+ const char *range = domain; -+ char *pmax; -+ char *endptr; -+ int rv = LIMIT_RANGE_MM; -+ -+ if ((pmax=strchr(range, ':')) == NULL) -+ return LIMIT_RANGE_NONE; -+ ++pmax; -+ -+ if (range[0] == '@' || range[0] == '%') -+ ++range; -+ -+ if (range[0] == ':') -+ rv = LIMIT_RANGE_ONE; -+ else { -+ errno = 0; -+ *min_uid = strtoul (range, &endptr, 10); -+ if (errno != 0 || (range == endptr) || *endptr != ':') { -+ pam_syslog(pamh, LOG_DEBUG, -+ "wrong min_uid/gid value in '%s'", domain); -+ return LIMIT_RANGE_ERR; -+ } -+ } -+ -+ if (*pmax == '\0') { -+ if (rv == LIMIT_RANGE_ONE) -+ return LIMIT_RANGE_ERR; -+ else -+ return LIMIT_RANGE_MIN; -+ } -+ -+ errno = 0; -+ *max_uid = strtoul (pmax, &endptr, 10); -+ if (errno != 0 || (pmax == endptr) || *endptr != '\0') { -+ pam_syslog(pamh, LOG_DEBUG, -+ "wrong max_uid/gid value in '%s'", domain); -+ return LIMIT_RANGE_ERR; -+ } -+ -+ if (rv == LIMIT_RANGE_ONE) -+ *min_uid = *max_uid; -+ return rv; -+} -+ -+static int -+parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, -+ int ctrl, struct pam_limit_s *pl) - { - FILE *fil; - char buf[LINE_LENGTH]; -@@ -543,8 +598,10 @@ static int parse_config_file(pam_handle_ - char item[LINE_LENGTH]; - char value[LINE_LENGTH]; - int i; -+ int rngtype; - size_t j; - char *tptr,*line; -+ uid_t min_uid = (uid_t)-1, max_uid = (uid_t)-1; - - line = buf; - /* skip the leading white space */ -@@ -572,6 +629,11 @@ static int parse_config_file(pam_handle_ - for(j=0; j < strlen(ltype); j++) - ltype[j]=tolower(ltype[j]); - -+ if ((rngtype=parse_uid_range(pamh, domain, &min_uid, &max_uid)) < 0) { -+ pam_syslog(pamh, LOG_WARNING, "invalid uid range '%s' - skipped", domain); -+ continue; -+ } -+ - if (i == 4) { /* a complete line */ - for(j=0; j < strlen(item); j++) - item[j]=tolower(item[j]); -@@ -581,47 +643,133 @@ static int parse_config_file(pam_handle_ - if (strcmp(uname, domain) == 0) /* this user have a limit */ - process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); - else if (domain[0]=='@') { -- if (ctrl & PAM_DEBUG_ARG) { -+ if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_DEBUG, - "checking if %s is in group %s", - uname, domain + 1); -- } -- if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) -- process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, -+ } -+ switch(rngtype) { -+ case LIMIT_RANGE_NONE: -+ if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) -+ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, -+ pl); -+ break; -+ case LIMIT_RANGE_ONE: -+ if (pam_modutil_user_in_group_nam_gid(pamh, uname, (gid_t)max_uid)) -+ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, - pl); -+ break; -+ case LIMIT_RANGE_MM: -+ if (gid > (gid_t)max_uid) -+ break; -+ /* fallthrough */ -+ case LIMIT_RANGE_MIN: -+ if (gid >= (gid_t)min_uid) -+ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, -+ pl); -+ } - } else if (domain[0]=='%') { -- if (ctrl & PAM_DEBUG_ARG) { -+ if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_DEBUG, - "checking if %s is in group %s", - uname, domain + 1); -- } -- if (strcmp(domain,"%") == 0) -- process_limit(pamh, LIMITS_DEF_ALL, ltype, item, value, ctrl, -- pl); -- else if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) { -- strcpy(pl->login_group, domain+1); -- process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl, -- pl); - } -- } else if (strcmp(domain, "*") == 0) -- process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, -- pl); -+ switch(rngtype) { -+ case LIMIT_RANGE_NONE: -+ if (strcmp(domain,"%") == 0) -+ process_limit(pamh, LIMITS_DEF_ALL, ltype, item, value, ctrl, -+ pl); -+ else if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) { -+ strcpy(pl->login_group, domain+1); -+ process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl, -+ pl); -+ } -+ break; -+ case LIMIT_RANGE_ONE: -+ if (pam_modutil_user_in_group_nam_gid(pamh, uname, (gid_t)max_uid)) { -+ struct group *grp; -+ grp = pam_modutil_getgrgid(pamh, (gid_t)max_uid); -+ strncpy(pl->login_group, grp->gr_name, sizeof(pl->login_group)); -+ pl->login_group[sizeof(pl->login_group)-1] = '\0'; -+ process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl, -+ pl); -+ } -+ break; -+ case LIMIT_RANGE_MIN: -+ case LIMIT_RANGE_MM: -+ pam_syslog(pamh, LOG_WARNING, "range unsupported for %%group matching - ignored"); -+ } -+ } else { -+ switch(rngtype) { -+ case LIMIT_RANGE_NONE: -+ if (strcmp(domain, "*") == 0) -+ process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, -+ pl); -+ break; -+ case LIMIT_RANGE_ONE: -+ if (uid != max_uid) -+ break; -+ /* fallthrough */ -+ case LIMIT_RANGE_MM: -+ if (uid > max_uid) -+ break; -+ /* fallthrough */ -+ case LIMIT_RANGE_MIN: -+ if (uid >= min_uid) -+ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); -+ } -+ } - } else if (i == 2 && ltype[0] == '-') { /* Probably a no-limit line */ - if (strcmp(uname, domain) == 0) { - if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_DEBUG, "no limits for '%s'", uname); - } -- fclose(fil); -- return PAM_IGNORE; -- } else if (domain[0] == '@' && pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) { -+ } else if (domain[0] == '@') { -+ switch(rngtype) { -+ case LIMIT_RANGE_NONE: -+ if (!pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) -+ continue; /* next line */ -+ break; -+ case LIMIT_RANGE_ONE: -+ if (!pam_modutil_user_in_group_nam_gid(pamh, uname, (gid_t)max_uid)) -+ continue; /* next line */ -+ break; -+ case LIMIT_RANGE_MM: -+ if (gid > (gid_t)max_uid) -+ continue; /* next line */ -+ /* fallthrough */ -+ case LIMIT_RANGE_MIN: -+ if (gid < (gid_t)min_uid) -+ continue; /* next line */ -+ } - if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_DEBUG, - "no limits for '%s' in group '%s'", - uname, domain+1); - } -- fclose(fil); -- return PAM_IGNORE; -+ } else { -+ switch(rngtype) { -+ case LIMIT_RANGE_NONE: -+ continue; /* next line */ -+ case LIMIT_RANGE_ONE: -+ if (uid != max_uid) -+ continue; /* next line */ -+ break; -+ case LIMIT_RANGE_MM: -+ if (uid > max_uid) -+ continue; /* next line */ -+ /* fallthrough */ -+ case LIMIT_RANGE_MIN: -+ if (uid >= min_uid) -+ break; -+ continue; /* next line */ -+ } -+ if (ctrl & PAM_DEBUG_ARG) { -+ pam_syslog(pamh, LOG_DEBUG, "no limits for '%s'", uname); -+ } - } -+ fclose(fil); -+ return PAM_IGNORE; - } else { - pam_syslog(pamh, LOG_WARNING, "invalid line '%s' - skipped", line); - } -@@ -731,7 +879,7 @@ pam_sm_open_session (pam_handle_t *pamh, - return PAM_ABORT; - } - -- retval = parse_config_file(pamh, pwd->pw_name, ctrl, pl); -+ retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl); - if (retval == PAM_IGNORE) { - D(("the configuration file ('%s') has an applicable '<domain> -' entry", CONF_FILE)); - return PAM_SUCCESS; -@@ -755,7 +903,7 @@ pam_sm_open_session (pam_handle_t *pamh, - /* Parse the *.conf files. */ - for (i = 0; globbuf.gl_pathv[i] != NULL; i++) { - pl->conf_file = globbuf.gl_pathv[i]; -- retval = parse_config_file(pamh, pwd->pw_name, ctrl, pl); -+ retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl); - if (retval == PAM_IGNORE) { - D(("the configuration file ('%s') has an applicable '<domain> -' entry", pl->conf_file)); - globfree(&globbuf); diff --git a/extra/source/pam/patches/pam-1.1.3-nouserenv.patch b/extra/source/pam/patches/pam-1.1.3-nouserenv.patch deleted file mode 100644 index f3a742c8d..000000000 --- a/extra/source/pam/patches/pam-1.1.3-nouserenv.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -up pam/modules/pam_env/pam_env.c.nouserenv pam/modules/pam_env/pam_env.c ---- pam/modules/pam_env/pam_env.c.nouserenv 2010-10-20 09:59:30.000000000 +0200 -+++ pam/modules/pam_env/pam_env.c 2010-11-01 14:42:01.000000000 +0100 -@@ -10,7 +10,7 @@ - #define DEFAULT_READ_ENVFILE 1 - - #define DEFAULT_USER_ENVFILE ".pam_environment" --#define DEFAULT_USER_READ_ENVFILE 1 -+#define DEFAULT_USER_READ_ENVFILE 0 - - #include "config.h" - -diff -up pam/modules/pam_env/pam_env.8.xml.nouserenv pam/modules/pam_env/pam_env.8.xml ---- pam/modules/pam_env/pam_env.8.xml.nouserenv 2010-10-20 09:59:30.000000000 +0200 -+++ pam/modules/pam_env/pam_env.8.xml 2010-11-01 14:42:01.000000000 +0100 -@@ -147,7 +147,10 @@ - <listitem> - <para> - Turns on or off the reading of the user specific environment -- file. 0 is off, 1 is on. By default this option is on. -+ file. 0 is off, 1 is on. By default this option is off as user -+ supplied environment variables in the PAM environment could affect -+ behavior of subsequent modules in the stack without the consent -+ of the system administrator. - </para> - </listitem> - </varlistentry> diff --git a/extra/source/pam/patches/pam-1.1.3-pwhistory-incomplete.patch b/extra/source/pam/patches/pam-1.1.3-pwhistory-incomplete.patch deleted file mode 100644 index 6117b26ea..000000000 --- a/extra/source/pam/patches/pam-1.1.3-pwhistory-incomplete.patch +++ /dev/null @@ -1,54 +0,0 @@ -diff -up Linux-PAM-1.1.3/modules/pam_pwhistory/pam_pwhistory.c.incomplete Linux-PAM-1.1.3/modules/pam_pwhistory/pam_pwhistory.c ---- Linux-PAM-1.1.3/modules/pam_pwhistory/pam_pwhistory.c.incomplete 2008-12-18 14:09:36.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_pwhistory/pam_pwhistory.c 2010-11-11 14:45:02.000000000 +0100 -@@ -187,12 +187,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, in - { - retval = pam_get_authtok (pamh, PAM_AUTHTOK, &newpass, NULL); - if (retval != PAM_SUCCESS && retval != PAM_TRY_AGAIN) -- return retval; -+ { -+ if (retval == PAM_CONV_AGAIN) -+ retval = PAM_INCOMPLETE; -+ return retval; -+ } - tries++; - -- if (newpass == NULL || retval == PAM_TRY_AGAIN) -- continue; -- - if (options.debug) - { - if (newpass) -@@ -201,12 +202,8 @@ pam_sm_chauthtok (pam_handle_t *pamh, in - pam_syslog (pamh, LOG_DEBUG, "got no auth token"); - } - -- if (retval != PAM_SUCCESS || newpass == NULL) -- { -- if (retval == PAM_CONV_AGAIN) -- retval = PAM_INCOMPLETE; -- return retval; -- } -+ if (newpass == NULL || retval == PAM_TRY_AGAIN) -+ continue; - - if (options.debug) - pam_syslog (pamh, LOG_DEBUG, "check against old password file"); -@@ -219,7 +216,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, in - newpass = NULL; - /* Remove password item, else following module will use it */ - pam_set_item (pamh, PAM_AUTHTOK, (void *) NULL); -- continue; - } - } - -@@ -230,8 +226,7 @@ pam_sm_chauthtok (pam_handle_t *pamh, in - return PAM_MAXTRIES; - } - -- /* Remember new password */ -- return pam_set_item (pamh, PAM_AUTHTOK, newpass); -+ return PAM_SUCCESS; - } - - diff --git a/extra/source/pam/patches/pam-1.1.3-securetty-console.patch b/extra/source/pam/patches/pam-1.1.3-securetty-console.patch deleted file mode 100644 index 94fa6ecf0..000000000 --- a/extra/source/pam/patches/pam-1.1.3-securetty-console.patch +++ /dev/null @@ -1,120 +0,0 @@ -Index: modules/pam_securetty/pam_securetty.8.xml -=================================================================== -RCS file: /cvsroot/pam/Linux-PAM/modules/pam_securetty/pam_securetty.8.xml,v -retrieving revision 1.4 -retrieving revision 1.6 -diff -u -p -r1.4 -r1.6 ---- modules/pam_securetty/pam_securetty.8.xml 18 Aug 2008 13:29:25 -0000 1.4 -+++ modules/pam_securetty/pam_securetty.8.xml 25 Nov 2010 16:58:59 -0000 1.6 -@@ -33,7 +33,9 @@ - user is logging in on a "secure" tty, as defined by the listing - in <filename>/etc/securetty</filename>. pam_securetty also checks - to make sure that <filename>/etc/securetty</filename> is a plain -- file and not world writable. -+ file and not world writable. It will also allow root logins on -+ the tty specified with <option>console=</option> switch on the -+ kernel command line. - </para> - <para> - This module has no effect on non-root users and requires that the -@@ -61,6 +63,18 @@ - </para> - </listitem> - </varlistentry> -+ <varlistentry> -+ <term> -+ <option>noconsole</option> -+ </term> -+ <listitem> -+ <para> -+ Do not automatically allow root logins on the kernel console -+ device, as specified on the kernel command line, if it is -+ not also specified in the <filename>/etc/securetty</filename> file. -+ </para> -+ </listitem> -+ </varlistentry> - </variablelist> - </refsect1> - -Index: modules/pam_securetty/pam_securetty.c -=================================================================== -RCS file: /cvsroot/pam/Linux-PAM/modules/pam_securetty/pam_securetty.c,v -retrieving revision 1.14 -retrieving revision 1.15 -diff -u -p -r1.14 -r1.15 ---- modules/pam_securetty/pam_securetty.c 10 Sep 2009 10:19:58 -0000 1.14 -+++ modules/pam_securetty/pam_securetty.c 24 Nov 2010 12:28:01 -0000 1.15 -@@ -2,6 +2,7 @@ - - #define SECURETTY_FILE "/etc/securetty" - #define TTY_PREFIX "/dev/" -+#define CMDLINE_FILE "/proc/cmdline" - - /* - * by Elliot Lee <sopwith@redhat.com>, Red Hat Software. -@@ -22,6 +23,7 @@ - #include <pwd.h> - #include <string.h> - #include <ctype.h> -+#include <limits.h> - - /* - * here, we make a definition for the externally accessible function -@@ -38,6 +40,7 @@ - #include <security/pam_ext.h> - - #define PAM_DEBUG_ARG 0x0001 -+#define PAM_NOCONSOLE_ARG 0x0002 - - static int - _pam_parse (const pam_handle_t *pamh, int argc, const char **argv) -@@ -51,6 +54,8 @@ _pam_parse (const pam_handle_t *pamh, in - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; -+ else if (!strcmp(*argv, "noconsole")) -+ ctrl |= PAM_NOCONSOLE_ARG; - else { - pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); - } -@@ -144,6 +149,40 @@ securetty_perform_check (pam_handle_t *p - } - fclose(ttyfile); - -+ if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) { -+ FILE *cmdlinefile; -+ -+ /* Allow access from the kernel console, if enabled */ -+ cmdlinefile = fopen(CMDLINE_FILE, "r"); -+ -+ if (cmdlinefile != NULL) { -+ char line[LINE_MAX], *p; -+ -+ line[0] = 0; -+ fgets(line, sizeof(line), cmdlinefile); -+ fclose(cmdlinefile); -+ -+ for (p = line; p; p = strstr(p+1, "console=")) { -+ char *e; -+ -+ /* Test whether this is a beginning of a word? */ -+ if (p > line && p[-1] != ' ') -+ continue; -+ -+ /* Ist this our console? */ -+ if (strncmp(p + 8, uttyname, strlen(uttyname))) -+ continue; -+ -+ /* Is there any garbage after the TTY name? */ -+ e = p + 8 + strlen(uttyname); -+ if (*e == ',' || *e == ' ' || *e == '\n' || *e == 0) { -+ retval = 0; -+ break; -+ } -+ } -+ } -+ } -+ - if (retval) { - pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !", - uttyname); |