Hello community, here is the log from the commit of package pam for openSUSE:Factory checked in at 2016-05-14 12:23:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pam (Old) and /work/SRC/openSUSE:Factory/.pam.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam" Changes: -------- --- /work/SRC/openSUSE:Factory/pam/pam.changes 2015-08-21 07:35:16.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.pam.new/pam.changes 2016-05-14 12:23:09.000000000 +0200 
@@ -1,0 +2,52 @@
+Mon May 2 10:44:38 CEST 2016 - [email protected]
+
+- Remove obsolete README.pam_tally [bsc#977973]
+
+-------------------------------------------------------------------
+Thu Apr 28 13:51:59 CEST 2016 - [email protected]
+
+- Update Linux-PAM to version 1.3.0
+- Rediff encryption_method_nis.diff
+- Link pam_unix against libtirpc and external libnsl to enable
+ IPv6 support.
+
+-------------------------------------------------------------------
+Thu Apr 14 14:06:18 CEST 2016 - [email protected]
+
+- Add /sbin/unix2_chkpwd (moved from pam-modules)
+
+-------------------------------------------------------------------
+Mon Apr 11 15:09:04 CEST 2016 - [email protected]
+
+- Remove (since accepted upstream):
+ - 0001-Remove-YP-dependencies-from-pam_access-they-were-nev.patch
+ - 0002-Remove-enable-static-modules-option-and-support-from.patch
+ - 0003-fix-nis-checks.patch
+ - 0004-PAM_EXTERN-isn-t-needed-anymore-but-don-t-remove-it-.patch
+ - 0005-Use-TI-RPC-functions-if-we-compile-and-link-against-.patch
+
+-------------------------------------------------------------------
+Fri Apr 1 15:32:37 CEST 2016 - [email protected]
+
+- Add 0005-Use-TI-RPC-functions-if-we-compile-and-link-against-.patch
+ - Replace IPv4 only functions
+
+-------------------------------------------------------------------
+Fri Apr 1 10:37:58 CEST 2016 - [email protected]
+
+- Fix typo in common-account.pamd [bnc#959439]
+
+-------------------------------------------------------------------
+Tue Mar 29 14:25:02 CEST 2016 - [email protected]
+
+- Add 0004-PAM_EXTERN-isn-t-needed-anymore-but-don-t-remove-it-.patch
+ - readd PAM_EXTERN for external PAM modules
+
+-------------------------------------------------------------------
+Wed Mar 23 11:21:16 CET 2016 - [email protected]
+
+- Add 0001-Remove-YP-dependencies-from-pam_access-they-were-nev.patch
+- Add 0002-Remove-enable-static-modules-option-and-support-from.patch
+- Add 0003-fix-nis-checks.patch
+
+------------------------------------------------------------------- Old: ---- Linux-PAM-1.2.1-docs.tar.bz2 Linux-PAM-1.2.1.tar.bz2 New: ---- Linux-PAM-1.3.0-docs.tar.bz2 Linux-PAM-1.3.0.tar.bz2 unix2_chkpwd.8 unix2_chkpwd.c ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam.spec ++++++
--- /var/tmp/diff_new_pack.N6l9NH/_old 2016-05-14 12:23:10.000000000 +0200
+++ /var/tmp/diff_new_pack.N6l9NH/_new 2016-05-14 12:23:10.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package pam
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,15 +25,18 @@
 BuildRequires: bison
 BuildRequires: cracklib-devel
 BuildRequires: flex
-#BuildRequires: pkgconfig(libtirpc)
+%if 0%{?suse_version} > 1320
+BuildRequires: pkgconfig(libnsl)
+BuildRequires: pkgconfig(libtirpc)
+%endif
 %if %{enable_selinux}
 BuildRequires: libselinux-devel
 %endif
-%define libpam_so_version 0.84.1
+%define libpam_so_version 0.84.2
 %define libpam_misc_so_version 0.82.1
 %define libpamc_so_version 0.82.1
 #
-Version: 1.2.1
+Version: 1.3.0
 Release: 0
 Summary: A Security Tool that Provides Authentication for Applications
 License: GPL-2.0+ or BSD-3-Clause
@@ -51,6 +54,8 @@
 Source7: common-session.pamd
 Source8: etc.environment
 Source9: baselibs.conf
+Source10: unix2_chkpwd.c
+Source11: unix2_chkpwd.8
 Patch0: fix-man-links.dif
 Patch2: pam-limit-nproc.patch
 Patch3: encryption_method_nis.diff
@@ -103,7 +108,7 @@
 %setup -q -n Linux-PAM-%{version} -b 1
 %patch0 -p1
 %patch2 -p1
-%patch3 -p1
+%patch3 -p0
 %build
 autoreconf -fiv
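Review bot: The `%if 0%{?suse_version} > 1320` guard around the new libnsl/libtirpc BuildRequires in the `@@ -25` hunk makes the IPv6-capable RPC path from the changelog conditional, and nothing in the spec says what older targets get instead; presumably configure falls back to glibc's built-in RPC when pkg-config does not find libtirpc, but no `%configure` switch for it is visible in the later build hunk, so the selection is implicit. A short comment above the block would make that explicit for the next maintainer, e.g. `# libtirpc/libnsl give pam_unix IPv6-capable RPC; older targets fall back to glibc RPC`.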
@@ -117,7 +122,8 @@
 --libdir=/%{_lib} \
 --enable-isadir=../../%{_lib}/security \
 --enable-securedir=/%{_lib}/security
-make %{?_smp_mflags};
+make %{?_smp_mflags}
+%__cc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd -L$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/.libs/ -lpam
 %check
 make %{?_smp_mflags} check
@@ -170,12 +176,6 @@
 ln -f $RPM_BUILD_ROOT/%{_lib}/security/pam_unix.so $RPM_BUILD_ROOT/%{_lib}/security/$x.so
 done
 #
-# pam_tally is deprecated since ages
-#
-rm -f $RPM_BUILD_ROOT/%{_lib}/security/pam_tally.so
-rm -f $RPM_BUILD_ROOT/sbin/pam_tally
-rm -f $RPM_BUILD_ROOT%{_mandir}/man8/pam_tally.8*
 #
 # Install READMEs of PAM modules
 #
 DOC=$RPM_BUILD_ROOT%{_defaultdocdir}/pam
@@ -187,18 +187,30 @@
 done
 )
 #
-# Install misc docu and md5.config
+# pam_tally is deprecated since ages
+#
+rm -f $RPM_BUILD_ROOT/%{_lib}/security/pam_tally.so
+rm -f $RPM_BUILD_ROOT/sbin/pam_tally
+rm -f $RPM_BUILD_ROOT%{_mandir}/man8/pam_tally.8*
+rm -f $RPM_BUILD_ROOT%{_defaultdocdir}/pam/modules/README.pam_tally
+#
+# Install misc docu
 #
 install -m 644 NEWS COPYING $DOC
+# Install unix2_chkpwd
+install -m 755 $RPM_BUILD_DIR/unix2_chkpwd $RPM_BUILD_ROOT/sbin/
+install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/
 # Create filelist with translatins
 %{find_lang} Linux-PAM
 %verifyscript
 %verify_permissions -e /sbin/unix_chkpwd
+%verify_permissions -e /sbin/unix2_chkpwd
 %post
 /sbin/ldconfig
 %set_permissions /sbin/unix_chkpwd
+%set_permissions /sbin/unix2_chkpwd
 %postun -p /sbin/ldconfig
@@ -223,6 +235,7 @@
 %config(noreplace) %{_sysconfdir}/security/namespace.init
 %doc %{_defaultdocdir}/pam/NEWS
 %doc %{_defaultdocdir}/pam/COPYING
+%doc %{_mandir}/man5/environment.5*
 %doc %{_mandir}/man5/*.conf.5*
 %doc %{_mandir}/man5/pam.d.5*
 %doc %{_mandir}/man8/*
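Review bot: The `%__cc` line in the `@@ -117` hunk builds a helper that is later installed setuid root (4755 root:shadow), yet beyond `-fpie -pie` and whatever `%{optflags}` happens to carry it requests no link-time hardening; for a setuid binary full RELRO should be stated explicitly rather than inherited, i.e. append `-Wl,-z,relro -Wl,-z,now` to that command (and if `%{optflags}` on this target does not already include the stack protector and `_FORTIFY_SOURCE`, add those there too). In the `@@ -187` hunk the man page is copied from `$RPM_SOURCE_DIR/unix2_chkpwd.8` although `Source11` declares the same file and the C source is taken via `%{SOURCE10}`, so `install -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_mandir}/man8/` would keep the two installs consistent. unix2_chkpwd.c itself is not part of this diff, so the helper's handling of caller-supplied input cannot be reviewed here; since it runs setuid on behalf of unprivileged callers it deserves the same scrutiny unix_chkpwd gets before the permissions entry lands.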
@@ -288,6 +301,7 @@
 /sbin/pam_tally2
 /sbin/pam_timestamp_check
 %verify(not mode) %attr(4755,root,shadow) /sbin/unix_chkpwd
+%verify(not mode) %attr(4755,root,shadow) /sbin/unix2_chkpwd
 %attr(0700,root,root) /sbin/unix_update
 %files doc
++++++ Linux-PAM-1.2.1-docs.tar.bz2 -> Linux-PAM-1.3.0-docs.tar.bz2 ++++++ Files old/Linux-PAM-1.2.1/doc/adg/Linux-PAM_ADG.pdf and new/Linux-PAM-1.3.0/doc/adg/Linux-PAM_ADG.pdf differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.2.1/doc/adg/Linux-PAM_ADG.txt new/Linux-PAM-1.3.0/doc/adg/Linux-PAM_ADG.txt
--- old/Linux-PAM-1.2.1/doc/adg/Linux-PAM_ADG.txt 2015-06-22 14:32:48.000000000 +0200
+++ new/Linux-PAM-1.3.0/doc/adg/Linux-PAM_ADG.txt 2016-04-01 15:24:30.000000000 +0200
@@ -1556,7 +1556,7 @@
 pam_handle_t *pamh;
 const char *name;
 const char *value;
-intreadonly;
+int readonly;
 5.1.4.1. DESCRIPTION
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.2.1/doc/adg/html/adg-libpam-functions.html new/Linux-PAM-1.3.0/doc/adg/html/adg-libpam-functions.html
--- old/Linux-PAM-1.2.1/doc/adg/html/adg-libpam-functions.html 2015-06-22 14:32:50.000000000 +0200
+++ new/Linux-PAM-1.3.0/doc/adg/html/adg-libpam-functions.html 2016-04-01 15:24:32.000000000 +0200
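Review bot: `%verify(not mode) %attr(4755,root,shadow) /sbin/unix2_chkpwd` grants the setuid bit in %files, but because the earlier hunk also wires the path into `%set_permissions`/`%verify_permissions`, the effective mode on installed systems is decided by the permissions package's profile, which this diff does not touch; if that profile has no entry for /sbin/unix2_chkpwd (I cannot tell from here), the mode may be reset or reported as a deviation. Worth confirming the profile entry exists before merging, and recording the dependency next to the line, e.g. `# mode is enforced by the permissions package profile, same as unix_chkpwd`.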
@@ -78,7 +78,7 @@ with <em class="parameter"><code>env</code></em>, <span class="emphasis"><em>overwriting</em></span> with <span class="emphasis"><em>0</em></span> all memory before <code class="function">free()</code>ing it. - </p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="adg-pam_misc_setenv"></a>5.1.4. BSD like PAM environment variable setting</h3></div></div></div><div class="funcsynopsis"><pre class="funcsynopsisinfo">#include <security/pam_misc.h></pre><table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr><td><code class="funcdef">int <b class="fsfunc">pam_misc_setenv</b>(</code></td><td><var class="pdparam">pamh</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">name</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">value</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">readonly</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>pam_handle_t *<var class="pdparam">pamh</var></code>;<br><code>const char *<var class="pdparam">name</var></code>;<br><code>const char *<var class="pdparam">value</var></code>;<br><code>int<var class="pdparam">readonly</var></code>;</div><div class="funcprototype-spacer"> </div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="adg-pam_misc_setenv-description"></a>5.1.4.1. DESCRIPTION</h4></div></div></div><p> + </p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="adg-pam_misc_setenv"></a>5.1.4. 
BSD like PAM environment variable setting</h3></div></div></div><div class="funcsynopsis"><pre class="funcsynopsisinfo">#include <security/pam_misc.h></pre><table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr><td><code class="funcdef">int <b class="fsfunc">pam_misc_setenv</b>(</code></td><td><var class="pdparam">pamh</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">name</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">value</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">readonly</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>pam_handle_t *<var class="pdparam">pamh</var></code>;<br><code>const char *<var class="pdparam">name</var></code>;<br><code>const char *<var class="pdparam">value</var></code>;<br><code>int <var class="pdparam">readonly</var></code>;</div><div class="funcprototype-spacer"> </div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="adg-pam_misc_setenv-description"></a>5.1.4.1. DESCRIPTION</h4></div></div></div><p> This function performs a task equivalent to <span class="citerefentry"><span class="refentrytitle">pam_putenv</span>(3)</span>, its syntax is, however, more like the BSD style function; <code class="function">setenv()</code>. The <em class="parameter"><code>name</code></em> and <em class="parameter"><code>value</code></em> are concatenated with an '=' to Files old/Linux-PAM-1.2.1/doc/mwg/Linux-PAM_MWG.pdf and new/Linux-PAM-1.3.0/doc/mwg/Linux-PAM_MWG.pdf differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.2.1/doc/mwg/Linux-PAM_MWG.txt new/Linux-PAM-1.3.0/doc/mwg/Linux-PAM_MWG.txt --- old/Linux-PAM-1.2.1/doc/mwg/Linux-PAM_MWG.txt 2015-06-22 14:32:57.000000000 +0200 +++ new/Linux-PAM-1.3.0/doc/mwg/Linux-PAM_MWG.txt 2016-04-01 15:24:40.000000000 +0200 
@@ -952,10 +952,10 @@ #include <security/pam_modules.h> -PAM_EXTERN int pam_sm_authenticate( pamh, - flags, - argc, - argv); +int pam_sm_authenticate( pamh, + flags, + argc, + argv); pam_handle_t *pamh; int flags; @@ -1017,10 +1017,10 @@ #include <security/pam_modules.h> -PAM_EXTERN int pam_sm_setcred( pamh, - flags, - argc, - argv); +int pam_sm_setcred( pamh, + flags, + argc, + argv); pam_handle_t *pamh; int flags; @@ -1108,10 +1108,10 @@ #include <security/pam_modules.h> -PAM_EXTERN int pam_sm_acct_mgmt( pamh, - flags, - argc, - argv); +int pam_sm_acct_mgmt( pamh, + flags, + argc, + argv); pam_handle_t *pamh; int flags; @@ -1182,10 +1182,10 @@ #include <security/pam_modules.h> -PAM_EXTERN int pam_sm_open_session( pamh, - flags, - argc, - argv); +int pam_sm_open_session( pamh, + flags, + argc, + argv); pam_handle_t *pamh; int flags; @@ -1221,10 +1221,10 @@ #include <security/pam_modules.h> -PAM_EXTERN int pam_sm_close_session( pamh, - flags, - argc, - argv); +int pam_sm_close_session( pamh, + flags, + argc, + argv); pam_handle_t *pamh; int flags; @@ -1266,10 +1266,10 @@ #include <security/pam_modules.h> -PAM_EXTERN int pam_sm_chauthtok( pamh, - flags, - argc, - argv); +int pam_sm_chauthtok( pamh, + flags, + argc, + argv); pam_handle_t *pamh; int flags; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.2.1/doc/mwg/html/mwg-expected-of-module-acct.html new/Linux-PAM-1.3.0/doc/mwg/html/mwg-expected-of-module-acct.html --- old/Linux-PAM-1.2.1/doc/mwg/html/mwg-expected-of-module-acct.html 2015-06-22 14:32:59.000000000 +0200 +++ new/Linux-PAM-1.3.0/doc/mwg/html/mwg-expected-of-module-acct.html 2016-04-01 15:24:42.000000000 +0200 
@@ -3,7 +3,7 @@ must be <span class="command"><strong>#define</strong></span>'d prior to including <code class="function"><security/pam_modules.h></code>. This will ensure that the prototypes for static modules are properly declared. - </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="mwg-pam_sm_acct_mgmt"></a>3.3.1. Service function for account management</h3></div></div></div><div class="funcsynopsis"><pre class="funcsynopsisinfo">#define PAM_SM_ACCOUNT</pre><pre class="funcsynopsisinfo">#include <security/pam_modules.h></pre><table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr><td><code class="funcdef">PAM_EXTERN int <b class="fsfunc">pam_sm_acct_mgmt</b>(</code></td><td><var class="pdparam">pamh</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">flags</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argc</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argv</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>pam_handle_t *<var class="pdparam">pamh</var></code>;<br><code>int <var class="pdparam">flags</var></code>;<br><code>int <var class="pdparam">argc</var></code>;<br><code>const char **<var class="pdparam">argv</var></code>;</div><div class="funcprototype-spacer"> </div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="mwg-pam_sm_acct_mgmt-description"></a>3.3.1.1. DESCRIPTION</h4></div></div></div><p> + </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="mwg-pam_sm_acct_mgmt"></a>3.3.1. 
Service function for account management</h3></div></div></div><div class="funcsynopsis"><pre class="funcsynopsisinfo">#define PAM_SM_ACCOUNT</pre><pre class="funcsynopsisinfo">#include <security/pam_modules.h></pre><table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr><td><code class="funcdef">int <b class="fsfunc">pam_sm_acct_mgmt</b>(</code></td><td><var class="pdparam">pamh</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">flags</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argc</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argv</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>pam_handle_t *<var class="pdparam">pamh</var></code>;<br><code>int <var class="pdparam">flags</var></code>;<br><code>int <var class="pdparam">argc</var></code>;<br><code>const char **<var class="pdparam">argv</var></code>;</div><div class="funcprototype-spacer"> </div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="mwg-pam_sm_acct_mgmt-description"></a>3.3.1.1. DESCRIPTION</h4></div></div></div><p> The <code class="function">pam_sm_acct_mgmt</code> function is the service module's implementation of the <span class="citerefentry"><span class="refentrytitle">pam_acct_mgmt</span>(3)</span> interface. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.2.1/doc/mwg/html/mwg-expected-of-module-auth.html new/Linux-PAM-1.3.0/doc/mwg/html/mwg-expected-of-module-auth.html --- old/Linux-PAM-1.2.1/doc/mwg/html/mwg-expected-of-module-auth.html 2015-06-22 14:32:59.000000000 +0200 +++ new/Linux-PAM-1.3.0/doc/mwg/html/mwg-expected-of-module-auth.html 2016-04-01 15:24:42.000000000 +0200 
@@ -3,7 +3,7 @@ must be <span class="command"><strong>#define</strong></span>'d prior to including <code class="function"><security/pam_modules.h></code>. This will ensure that the prototypes for static modules are properly declared. - </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="mwg-pam_sm_authenticate"></a>3.2.1. Service function for user authentication</h3></div></div></div><div class="funcsynopsis"><pre class="funcsynopsisinfo">#define PAM_SM_AUTH</pre><pre class="funcsynopsisinfo">#include <security/pam_modules.h></pre><table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr><td><code class="funcdef">PAM_EXTERN int <b class="fsfunc">pam_sm_authenticate</b>(</code></td><td><var class="pdparam">pamh</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">flags</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argc</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argv</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>pam_handle_t *<var class="pdparam">pamh</var></code>;<br><code>int <var class="pdparam">flags</var></code>;<br><code>int <var class="pdparam">argc</var></code>;<br><code>const char **<var class="pdparam">argv</var></code>;</div><div class="funcprototype-spacer"> </div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="mwg-pam_sm_authenticate-description"></a>3.2.1.1. DESCRIPTION</h4></div></div></div><p> + </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="mwg-pam_sm_authenticate"></a>3.2.1. 
Service function for user authentication</h3></div></div></div><div class="funcsynopsis"><pre class="funcsynopsisinfo">#define PAM_SM_AUTH</pre><pre class="funcsynopsisinfo">#include <security/pam_modules.h></pre><table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr><td><code class="funcdef">int <b class="fsfunc">pam_sm_authenticate</b>(</code></td><td><var class="pdparam">pamh</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">flags</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argc</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argv</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>pam_handle_t *<var class="pdparam">pamh</var></code>;<br><code>int <var class="pdparam">flags</var></code>;<br><code>int <var class="pdparam">argc</var></code>;<br><code>const char **<var class="pdparam">argv</var></code>;</div><div class="funcprototype-spacer"> </div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="mwg-pam_sm_authenticate-description"></a>3.2.1.1. DESCRIPTION</h4></div></div></div><p> The <code class="function">pam_sm_authenticate</code> function is the service module's implementation of the <span class="citerefentry"><span class="refentrytitle">pam_authenticate</span>(3)</span> interface. 
@@ -37,7 +37,7 @@ </p></dd><dt><span class="term">PAM_MAXTRIES</span></dt><dd><p> One or more of the authentication modules has reached its limit of tries authenticating the user. Do not try again. - </p></dd></dl></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="mwg-pam_sm_setcred"></a>3.2.2. Service function to alter credentials</h3></div></div></div><div class="funcsynopsis"><pre class="funcsynopsisinfo">#define PAM_SM_AUTH</pre><pre class="funcsynopsisinfo">#include <security/pam_modules.h></pre><table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr><td><code class="funcdef">PAM_EXTERN int <b class="fsfunc">pam_sm_setcred</b>(</code></td><td><var class="pdparam">pamh</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">flags</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argc</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argv</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>pam_handle_t *<var class="pdparam">pamh</var></code>;<br><code>int <var class="pdparam">flags</var></code>;<br><code>int <var class="pdparam">argc</var></code>;<br><code>const char **<var class="pdparam">argv</var></code>;</div><div class="funcprototype-spacer"> </div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="mwg-pam_sm_setcred-description"></a>3.2.2.1. DESCRIPTION</h4></div></div></div><p> + </p></dd></dl></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="mwg-pam_sm_setcred"></a>3.2.2. 
Service function to alter credentials</h3></div></div></div><div class="funcsynopsis"><pre class="funcsynopsisinfo">#define PAM_SM_AUTH</pre><pre class="funcsynopsisinfo">#include <security/pam_modules.h></pre><table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr><td><code class="funcdef">int <b class="fsfunc">pam_sm_setcred</b>(</code></td><td><var class="pdparam">pamh</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">flags</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argc</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argv</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>pam_handle_t *<var class="pdparam">pamh</var></code>;<br><code>int <var class="pdparam">flags</var></code>;<br><code>int <var class="pdparam">argc</var></code>;<br><code>const char **<var class="pdparam">argv</var></code>;</div><div class="funcprototype-spacer"> </div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="mwg-pam_sm_setcred-description"></a>3.2.2.1. DESCRIPTION</h4></div></div></div><p> The <code class="function">pam_sm_setcred</code> function is the service module's implementation of the <span class="citerefentry"><span class="refentrytitle">pam_setcred</span>(3)</span> interface. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.2.1/doc/mwg/html/mwg-expected-of-module-chauthtok.html new/Linux-PAM-1.3.0/doc/mwg/html/mwg-expected-of-module-chauthtok.html --- old/Linux-PAM-1.2.1/doc/mwg/html/mwg-expected-of-module-chauthtok.html 2015-06-22 14:32:59.000000000 +0200 +++ new/Linux-PAM-1.3.0/doc/mwg/html/mwg-expected-of-module-chauthtok.html 2016-04-01 15:24:42.000000000 +0200 
@@ -3,7 +3,7 @@ must be <span class="command"><strong>#define</strong></span>'d prior to including <code class="function"><security/pam_modules.h></code>. This will ensure that the prototypes for static modules are properly declared. - </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="mwg-pam_sm_chauthtok"></a>3.5.1. Service function to alter authentication token</h3></div></div></div><div class="funcsynopsis"><pre class="funcsynopsisinfo">#define PAM_SM_PASSWORD</pre><pre class="funcsynopsisinfo">#include <security/pam_modules.h></pre><table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr><td><code class="funcdef">PAM_EXTERN int <b class="fsfunc">pam_sm_chauthtok</b>(</code></td><td><var class="pdparam">pamh</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">flags</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argc</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argv</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>pam_handle_t *<var class="pdparam">pamh</var></code>;<br><code>int <var class="pdparam">flags</var></code>;<br><code>int <var class="pdparam">argc</var></code>;<br><code>const char **<var class="pdparam">argv</var></code>;</div><div class="funcprototype-spacer"> </div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="mwg-pam_sm_chauthtok-description"></a>3.5.1.1. DESCRIPTION</h4></div></div></div><p> + </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="mwg-pam_sm_chauthtok"></a>3.5.1. 
Service function to alter authentication token</h3></div></div></div><div class="funcsynopsis"><pre class="funcsynopsisinfo">#define PAM_SM_PASSWORD</pre><pre class="funcsynopsisinfo">#include <security/pam_modules.h></pre><table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr><td><code class="funcdef">int <b class="fsfunc">pam_sm_chauthtok</b>(</code></td><td><var class="pdparam">pamh</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">flags</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argc</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argv</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>pam_handle_t *<var class="pdparam">pamh</var></code>;<br><code>int <var class="pdparam">flags</var></code>;<br><code>int <var class="pdparam">argc</var></code>;<br><code>const char **<var class="pdparam">argv</var></code>;</div><div class="funcprototype-spacer"> </div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="mwg-pam_sm_chauthtok-description"></a>3.5.1.1. DESCRIPTION</h4></div></div></div><p> The <code class="function">pam_sm_chauthtok</code> function is the service module's implementation of the <span class="citerefentry"><span class="refentrytitle">pam_chauthtok</span>(3)</span> interface. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.2.1/doc/mwg/html/mwg-expected-of-module-session.html new/Linux-PAM-1.3.0/doc/mwg/html/mwg-expected-of-module-session.html --- old/Linux-PAM-1.2.1/doc/mwg/html/mwg-expected-of-module-session.html 2015-06-22 14:32:59.000000000 +0200 +++ new/Linux-PAM-1.3.0/doc/mwg/html/mwg-expected-of-module-session.html 2016-04-01 15:24:42.000000000 +0200 
@@ -3,7 +3,7 @@ must be <span class="command"><strong>#define</strong></span>'d prior to including <code class="function"><security/pam_modules.h></code>. This will ensure that the prototypes for static modules are properly declared. - </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="mwg-pam_sm_open_session"></a>3.4.1. Service function to start session management</h3></div></div></div><div class="funcsynopsis"><pre class="funcsynopsisinfo">#define PAM_SM_SESSION</pre><pre class="funcsynopsisinfo">#include <security/pam_modules.h></pre><table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr><td><code class="funcdef">PAM_EXTERN int <b class="fsfunc">pam_sm_open_session</b>(</code></td><td><var class="pdparam">pamh</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">flags</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argc</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argv</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>pam_handle_t *<var class="pdparam">pamh</var></code>;<br><code>int <var class="pdparam">flags</var></code>;<br><code>int <var class="pdparam">argc</var></code>;<br><code>const char **<var class="pdparam">argv</var></code>;</div><div class="funcprototype-spacer"> </div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="mwg-pam_sm_open_session-description"></a>3.4.1.1. DESCRIPTION</h4></div></div></div><p> + </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="mwg-pam_sm_open_session"></a>3.4.1. 
Service function to start session management</h3></div></div></div><div class="funcsynopsis"><pre class="funcsynopsisinfo">#define PAM_SM_SESSION</pre><pre class="funcsynopsisinfo">#include <security/pam_modules.h></pre><table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr><td><code class="funcdef">int <b class="fsfunc">pam_sm_open_session</b>(</code></td><td><var class="pdparam">pamh</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">flags</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argc</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argv</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>pam_handle_t *<var class="pdparam">pamh</var></code>;<br><code>int <var class="pdparam">flags</var></code>;<br><code>int <var class="pdparam">argc</var></code>;<br><code>const char **<var class="pdparam">argv</var></code>;</div><div class="funcprototype-spacer"> </div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="mwg-pam_sm_open_session-description"></a>3.4.1.1. DESCRIPTION</h4></div></div></div><p> The <code class="function">pam_sm_open_session</code> function is the service module's implementation of the <span class="citerefentry"><span class="refentrytitle">pam_open_session</span>(3)</span> interface. 
@@ -16,7 +16,7 @@ Cannot make/remove an entry for the specified session. </p></dd><dt><span class="term">PAM_SUCCESS</span></dt><dd><p> The session was successfully started. - </p></dd></dl></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="mwg-pam_sm_close_session"></a>3.4.2. Service function to terminate session management</h3></div></div></div><div class="funcsynopsis"><pre class="funcsynopsisinfo">#define PAM_SM_SESSION</pre><pre class="funcsynopsisinfo">#include <security/pam_modules.h></pre><table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr><td><code class="funcdef">PAM_EXTERN int <b class="fsfunc">pam_sm_close_session</b>(</code></td><td><var class="pdparam">pamh</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">flags</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argc</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argv</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>pam_handle_t *<var class="pdparam">pamh</var></code>;<br><code>int <var class="pdparam">flags</var></code>;<br><code>int <var class="pdparam">argc</var></code>;<br><code>const char **<var class="pdparam">argv</var></code>;</div><div class="funcprototype-spacer"> </div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="mwg-pam_sm_close_session-description"></a>3.4.2.1. DESCRIPTION</h4></div></div></div><p> + </p></dd></dl></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="mwg-pam_sm_close_session"></a>3.4.2. 
Service function to terminate session management</h3></div></div></div><div class="funcsynopsis"><pre class="funcsynopsisinfo">#define PAM_SM_SESSION</pre><pre class="funcsynopsisinfo">#include <security/pam_modules.h></pre><table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr><td><code class="funcdef">int <b class="fsfunc">pam_sm_close_session</b>(</code></td><td><var class="pdparam">pamh</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">flags</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argc</var>, </td><td> </td></tr><tr><td> </td><td><var class="pdparam">argv</var><code>)</code>;</td><td> </td></tr></table><div class="paramdef-list"><code>pam_handle_t *<var class="pdparam">pamh</var></code>;<br><code>int <var class="pdparam">flags</var></code>;<br><code>int <var class="pdparam">argc</var></code>;<br><code>const char **<var class="pdparam">argv</var></code>;</div><div class="funcprototype-spacer"> </div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="mwg-pam_sm_close_session-description"></a>3.4.2.1. DESCRIPTION</h4></div></div></div><p> The <code class="function">pam_sm_close_session</code> function is the service module's implementation of the <span class="citerefentry"><span class="refentrytitle">pam_close_session</span>(3)</span> interface. Files old/Linux-PAM-1.2.1/doc/sag/Linux-PAM_SAG.pdf and new/Linux-PAM-1.3.0/doc/sag/Linux-PAM_SAG.pdf differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.2.1/doc/sag/Linux-PAM_SAG.txt new/Linux-PAM-1.3.0/doc/sag/Linux-PAM_SAG.txt --- old/Linux-PAM-1.2.1/doc/sag/Linux-PAM_SAG.txt 2015-06-22 14:32:30.000000000 +0200 +++ new/Linux-PAM-1.3.0/doc/sag/Linux-PAM_SAG.txt 2016-04-19 15:28:35.000000000 +0200 
@@ -1351,6 +1351,10 @@ The "#" character at start of line (no space at front) can be used to mark this line as a comment line. +The /etc/environment file specifies the environment variables to be set. The +file must consist of simple NAME=VALUE pairs on separate lines. The pam_env(8) +module will read the file after the pam_env.conf file. + 6.6.3. OPTIONS conffile=/path/to/pam_env.conf @@ -4082,7 +4086,8 @@ pam_tally2.so [ file=/path/to/counter ] [ onerr=[fail|succeed] ] [ magic_root ] [ even_deny_root ] [ deny=n ] [ lock_time=n ] [ unlock_time=n ] [ -root_unlock_time=n ] [ serialize ] [ audit ] [ silent ] [ no_log_info ] +root_unlock_time=n ] [ serialize ] [ audit ] [ silent ] [ no_log_info ] [ debug +] pam_tally2 [ --file /path/to/counter ] [ --user username ] [ --reset[=n] ] [ --quiet ] @@ -4133,6 +4138,11 @@ Don't log informative messages via syslog(3). + debug + + Always log tally count when it is incremented as a debug level message + to the system log. + AUTH OPTIONS Authentication phase first increments attempted login counter and checks if @@ -4646,11 +4656,10 @@ one provided by a previously stacked password module (this is used in the example of the stacking of the pam_cracklib module documented below). -not_set_pass +authtok_type=type - This argument is used to inform the module that it is not to pay attention - to/make available the old or new passwords from/to other (stacked) password - modules. + This argument can be used to modify the password prompt when changing + passwords to include the type of the password. Empty by default. nis 
@@ -4660,7 +4669,8 @@ The last n passwords for each user are saved in /etc/security/opasswd in order to force password change history and keep the user from alternating - between the same password too frequently. Instead of this option the + between the same password too frequently. The MD5 password hash algorithm + is used for storing the old passwords. Instead of this option the pam_pwhistory module should be used. shadow @@ -4709,6 +4719,15 @@ Set a minimum password length of n characters. The max. for DES crypt based passwords are 8 characters. +no_pass_expiry + + When set ignore password expiration as defined by the shadow entry of the + user. The option has an effect only in case pam_unix was not used for the + authentication or it returned authentication failure meaning that other + authentication source or method succeeded. The example can be public key + authentication in sshd. The module will return PAM_SUCCESS instead of + eventual PAM_NEW_AUTHTOK_REQD or PAM_AUTHTOK_EXPIRED. + Invalid arguments are logged with syslog(3). 6.37.3. MODULE TYPES PROVIDED @@ -4929,7 +4948,7 @@ root_only - The check for wheel membership is done only. + The check for wheel membership is done only when the target user UID is 0. trust diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.2.1/doc/sag/html/sag-pam_env.html new/Linux-PAM-1.3.0/doc/sag/html/sag-pam_env.html --- old/Linux-PAM-1.2.1/doc/sag/html/sag-pam_env.html 2015-06-22 14:32:35.000000000 +0200 +++ new/Linux-PAM-1.3.0/doc/sag/html/sag-pam_env.html 2016-04-19 15:28:40.000000000 +0200 
@@ -67,6 +67,13 @@ </p><p> The "<span class="emphasis"><em>#</em></span>" character at start of line (no space at front) can be used to mark this line as a comment line. + </p><p> + The <code class="filename">/etc/environment</code> file specifies + the environment variables to be set. The file must consist of simple + <span class="emphasis"><em>NAME=VALUE</em></span> pairs on separate lines. + The <span class="citerefentry"><span class="refentrytitle">pam_env</span>(8)</span> + module will read the file after the <code class="filename">pam_env.conf</code> + file. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_env-options"></a>6.6.3. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term"> <code class="option">conffile=<em class="replaceable"><code>/path/to/pam_env.conf</code></em></code> </span></dt><dd><p> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.2.1/doc/sag/html/sag-pam_tally2.html new/Linux-PAM-1.3.0/doc/sag/html/sag-pam_tally2.html --- old/Linux-PAM-1.2.1/doc/sag/html/sag-pam_tally2.html 2015-06-22 14:32:35.000000000 +0200 +++ new/Linux-PAM-1.3.0/doc/sag/html/sag-pam_tally2.html 2016-04-19 15:28:41.000000000 +0200 @@ -22,6 +22,8 @@ silent ] [ no_log_info + ] [ + debug ]</p></div><div class="cmdsynopsis"><p><code class="command">pam_tally2</code> [ --file <em class="replaceable"><code>/path/to/counter</code></em> ] [ 
@@ -79,6 +81,10 @@ <code class="option">no_log_info</code> </span></dt><dd><p> Don't log informative messages via <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>. + </p></dd><dt><span class="term"> + <code class="option">debug</code> + </span></dt><dd><p> + Always log tally count when it is incremented as a debug level message to the system log. </p></dd></dl></div></dd><dt><span class="term"> AUTH OPTIONS </span></dt><dd><p> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.2.1/doc/sag/html/sag-pam_unix.html new/Linux-PAM-1.3.0/doc/sag/html/sag-pam_unix.html --- old/Linux-PAM-1.2.1/doc/sag/html/sag-pam_unix.html 2015-06-22 14:32:35.000000000 +0200 +++ new/Linux-PAM-1.3.0/doc/sag/html/sag-pam_unix.html 2016-04-19 15:28:41.000000000 +0200 @@ -104,11 +104,11 @@ example of the stacking of the <span class="command"><strong>pam_cracklib</strong></span> module documented below). </p></dd><dt><span class="term"> - <code class="option">not_set_pass</code> + <code class="option">authtok_type=<em class="replaceable"><code>type</code></em></code> </span></dt><dd><p> - This argument is used to inform the module that it is not to - pay attention to/make available the old or new passwords from/to - other (stacked) password modules. + This argument can be used to modify the password prompt + when changing passwords to include the type of the password. + Empty by default. </p></dd><dt><span class="term"> <code class="option">nis</code> </span></dt><dd><p> @@ -120,6 +120,8 @@ user are saved in <code class="filename">/etc/security/opasswd</code> in order to force password change history and keep the user from alternating between the same password too frequently. + The MD5 password hash algorithm is used for storing the + old passwords. Instead of this option the <span class="command"><strong>pam_pwhistory</strong></span> module should be used. </p></dd><dt><span class="term"> 
@@ -174,6 +176,19 @@ Set a minimum password length of <em class="replaceable"><code>n</code></em> characters. The max. for DES crypt based passwords are 8 characters. + </p></dd><dt><span class="term"> + <code class="option">no_pass_expiry</code> + </span></dt><dd><p> + When set ignore password expiration as defined by the + <span class="emphasis"><em>shadow</em></span> entry of the user. The option has an + effect only in case <span class="emphasis"><em>pam_unix</em></span> was not used + for the authentication or it returned authentication failure + meaning that other authentication source or method succeeded. + The example can be public key authentication in + <span class="emphasis"><em>sshd</em></span>. The module will return + <span class="emphasis"><em>PAM_SUCCESS</em></span> instead of eventual + <span class="emphasis"><em>PAM_NEW_AUTHTOK_REQD</em></span> or + <span class="emphasis"><em>PAM_AUTHTOK_EXPIRED</em></span>. </p></dd></dl></div><p> Invalid arguments are logged with <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_unix-types"></a>6.37.3. MODULE TYPES PROVIDED</h3></div></div></div><p> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.2.1/doc/sag/html/sag-pam_wheel.html new/Linux-PAM-1.3.0/doc/sag/html/sag-pam_wheel.html --- old/Linux-PAM-1.2.1/doc/sag/html/sag-pam_wheel.html 2015-06-22 14:32:35.000000000 +0200 +++ new/Linux-PAM-1.3.0/doc/sag/html/sag-pam_wheel.html 2016-04-19 15:28:41.000000000 +0200 
@@ -39,7 +39,8 @@ </p></dd><dt><span class="term"> <code class="option">root_only</code> </span></dt><dd><p> - The check for wheel membership is done only. + The check for wheel membership is done only when the target user + UID is 0. </p></dd><dt><span class="term"> <code class="option">trust</code> </span></dt><dd><p> ++++++ Linux-PAM-1.2.1-docs.tar.bz2 -> Linux-PAM-1.3.0.tar.bz2 ++++++ ++++ 301608 lines of diff (skipped) ++++++ common-account.pamd ++++++ --- /var/tmp/diff_new_pack.N6l9NH/_old 2016-05-14 12:23:12.000000000 +0200 +++ /var/tmp/diff_new_pack.N6l9NH/_new 2016-05-14 12:23:12.000000000 +0200 @@ -1,8 +1,8 @@ # -# /etc/pam.d/common-account - authorization settings common to all services +# /etc/pam.d/common-account - account settings common to all services # # This file is included from other service-specific PAM config files, -# and should contain a list of the authorization modules that define +# and should contain a list of the account modules that define # the central access policy for use on the system. The default is to # only deny service to users whose accounts are expired. # ++++++ encryption_method_nis.diff ++++++ --- /var/tmp/diff_new_pack.N6l9NH/_old 2016-05-14 12:23:12.000000000 +0200 +++ /var/tmp/diff_new_pack.N6l9NH/_new 2016-05-14 12:23:12.000000000 +0200 @@ -1,8 +1,6 @@ -diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c -index 0cfc0f4..2239206 100644 ---- a/modules/pam_unix/pam_unix_passwd.c -+++ b/modules/pam_unix/pam_unix_passwd.c -@@ -796,6 +796,29 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) +--- modules/pam_unix/pam_unix_passwd.c ++++ modules/pam_unix/pam_unix_passwd.c 2016/04/11 13:49:32 +@@ -840,6 +840,29 @@ * rebuild the password database file. */ 
@@ -32,13 +30,11 @@ /* * First we encrypt the new password. */ -diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c -index 19d72e6..dafa9f0 100644 ---- a/modules/pam_unix/support.c -+++ b/modules/pam_unix/support.c -@@ -37,8 +37,8 @@ - #define SELINUX_ENABLED 0 - #endif +--- modules/pam_unix/support.c ++++ modules/pam_unix/support.c 2016/04/11 13:49:32 +@@ -31,8 +31,8 @@ + #include "support.h" + #include "passverify.h" -static char * -search_key (const char *key, const char *filename) @@ -47,7 +43,7 @@ { FILE *fp; char *buf = NULL; -@@ -159,7 +159,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, +@@ -153,7 +153,7 @@ } /* preset encryption method with value from /etc/login.defs */ @@ -56,7 +52,7 @@ if (val) { for (j = 0; j < UNIX_CTRLS_; ++j) { if (unix_args[j].token && unix_args[j].is_hash_algo -@@ -177,7 +177,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, +@@ -171,7 +171,7 @@ /* read number of rounds for crypt algo */ if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) { 
@@ -65,11 +61,9 @@ if (val) { *rounds = strtol(val, NULL, 10); -diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h -index 6f5b2eb..a35a8a8 100644 ---- a/modules/pam_unix/support.h -+++ b/modules/pam_unix/support.h -@@ -174,4 +174,5 @@ extern int _unix_read_password(pam_handle_t * pamh +--- modules/pam_unix/support.h ++++ modules/pam_unix/support.h 2016/04/11 13:49:32 +@@ -174,4 +174,5 @@ extern int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user, int *daysleft); ++++++ unix2_chkpwd.8 ++++++ .\" Copyright (C) 2003 International Business Machines Corporation .\" This file is distributed according to the GNU General Public License. .\" See the file COPYING in the top level source directory for details. .\" .de Sh \" Subsection .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \" List item .br .ie \\n(.$>=3 .ne \\$3 .el .ne 3 .IP "\\$1" \\$2 .. .TH "UNIX2_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual" .SH NAME unix2_chkpwd \- helper binary that verifies the password of the current user .SH "SYNOPSIS" .ad l .hy 0 /sbin/unix2_chkpwd \fIservicename\fR \fIusername\fR .sp .ad .hy .SH "DESCRIPTION" .PP \fBunix2_chkpwd\fR is a helper program for applications that verifies the password of the current user. It is not intended to be run directly from the command line and logs a security violation if done so. It is typically installed setuid root or setgid shadow and called by applications, which only wishes to do an user authentification and nothing more. .SH "OPTIONS" .PP unix2_chkpwd requires the following arguments: .TP \fIpam_service\fR The name of the service using unix2_chkpwd. This is required to be one of the services in /etc/pam.d .TP \fIusername\fR The name of the user whose password you want to verify. .SH "INPUTS" .PP unix2_chkpwd expects the password via stdin. 
.SH "RETURN CODES" .PP \fBunix2_chkpwd\fR has the following return codes: .TP 1 unix2_chkpwd was inappropriately called from the command line or the password is incorrect. .TP 0 The password is correct. .SH "HISTORY" Written by Olaf Kirch loosely based on unix_chkpwd by Andrew Morgan .SH "SEE ALSO" .PP \fBpam\fR(8) .SH AUTHOR Emily Ratliff. ++++++ unix2_chkpwd.c ++++++ /* * Set*id helper program for PAM authentication. * * It is supposed to be called from pam_unix2's * pam_sm_authenticate function if the function notices * that it's unable to get the password from the shadow file * because it doesn't have sufficient permissions. * * Copyright (C) 2002 SuSE Linux AG * * Written by [email protected], loosely based on unix_chkpwd * by Andrew Morgan. */ #include <security/pam_appl.h> #include <security/_pam_macros.h> #include <sys/types.h> #include <stdarg.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <syslog.h> #include <unistd.h> #include <pwd.h> #include <signal.h> #include <fcntl.h> #include <ctype.h> #include <errno.h> #define BUFLEN 1024 #ifndef LOGINDEFS #define LOGINDEFS "/etc/login.defs" #endif #define LOGINDEFS_FAIL_DELAY_KEY "FAIL_DELAY" #define DEFAULT_FAIL_DELAY_S 10 #define PASSWD_CRACKER_DELAY_MS 100 enum { UNIX_PASSED = 0, UNIX_FAILED = 1 }; static char * program_name; static char pass[64]; static int npass = -1; /* * Log error messages */ static void _log_err(int err, const char *format,...) 
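{
	va_list args;

	va_start(args, format);
	/* program_name is the file-scope variable, set once in main() */
	openlog(program_name, LOG_CONS | LOG_PID, LOG_AUTH);
	vsyslog(err, format, args);
	va_end(args);
	closelog();
}

/*
 * Overwrite memory that held secret material (password copies).  The
 * volatile access keeps the compiler from eliding the stores as dead.
 */
static void
wipe_memory(void *p, size_t n)
{
	volatile unsigned char *vp = p;

	while (n-- > 0)
		*vp++ = 0;
}

/*
 * Handler for the "crash" signals: record the signal and terminate with
 * the signal number as exit status.
 * NOTE(review): syslog() is not async-signal-safe; tolerable here only
 * because the process exits right afterwards.
 */
static void
su_sighandler(int sig)
{
	if (sig > 0) {
		_log_err(LOG_NOTICE, "caught signal %d.", sig);
		exit(sig);
	}
}

/*
 * Route the crash signals through su_sighandler (one shot, then back to
 * the default action) and ignore the signals a user could send to
 * interrupt the helper while it holds the password.
 */
static void
setup_signals(void)
{
	static const int fatal[] = { SIGILL, SIGTRAP, SIGBUS, SIGSEGV };
	static const int ignored[] = { SIGTERM, SIGHUP, SIGINT, SIGQUIT, SIGALRM };
	struct sigaction action;
	size_t i;

	memset(&action, 0, sizeof(action));
	action.sa_handler = su_sighandler;
	action.sa_flags = SA_RESETHAND;
	for (i = 0; i < sizeof(fatal) / sizeof(fatal[0]); i++)
		sigaction(fatal[i], &action, NULL);

	action.sa_handler = SIG_IGN;
	action.sa_flags = 0;
	for (i = 0; i < sizeof(ignored) / sizeof(ignored[0]); i++)
		sigaction(ignored[i], &action, NULL);
}

/*
 * PAM conversation function.  The only prompt answered is a non-echoing
 * password prompt, which is satisfied from the password read (once) from
 * stdin into the file-scope buffer `pass'.  Echoing prompts and unknown
 * message styles are refused.
 *
 * Returns PAM_SUCCESS with *resp pointing to a malloc'ed array the module
 * frees, or PAM_CONV_ERR (never a non-conversation code) after releasing
 * everything allocated so far.
 */
static int
_converse(int num_msg, const struct pam_message **msg,
	  struct pam_response **resp, void *appdata_ptr)
{
	struct pam_response *reply;
	int num;

	(void) appdata_ptr;

	if (num_msg <= 0)
		return PAM_CONV_ERR;

	/* calloc: every resp starts out NULL, which the cleanup path relies on */
	reply = calloc((size_t) num_msg, sizeof(*reply));
	if (reply == NULL)
		return PAM_CONV_ERR;

	for (num = 0; num < num_msg; num++) {
		reply[num].resp_retcode = PAM_SUCCESS;
		reply[num].resp = NULL;

		switch (msg[num]->msg_style) {
		case PAM_PROMPT_ECHO_ON:
			/* a password must never be echoed back */
			goto fail;
		case PAM_PROMPT_ECHO_OFF:
			if (npass < 0) {
				ssize_t n = read(STDIN_FILENO, pass, sizeof(pass) - 1);

				if (n < 0) {
					_log_err(LOG_DEBUG, "error reading password");
					goto fail;
				}
				npass = (int) n;
				pass[npass] = '\0';
			}
			reply[num].resp = strdup(pass);
			if (reply[num].resp == NULL)
				goto fail;
			break;
		case PAM_TEXT_INFO:
		case PAM_ERROR_MSG:
			/* nothing to show to anybody; ignored */
			break;
		default:
			goto fail;
		}
	}

	*resp = reply;
	return PAM_SUCCESS;

fail:
	/* release partial answers; password copies are wiped before free() */
	for (num = 0; num < num_msg; num++) {
		if (reply[num].resp != NULL) {
			wipe_memory(reply[num].resp, strlen(reply[num].resp));
			free(reply[num].resp);
		}
	}
	free(reply);
	return PAM_CONV_ERR;
}

/*
 * Run the PAM auth and account stacks of `service' for `user', using
 * _converse() to supply the password.  Returns UNIX_PASSED on success,
 * UNIX_FAILED otherwise; every failure is logged.  A failing
 * pam_setcred() is deliberately not treated as an authentication failure.
 */
static int
_authenticate(const char *service, const char *user)
{
	struct pam_conv conv = { _converse, NULL };
	pam_handle_t *pamh = NULL;
	int err;

	err = pam_start(service, user, &conv, &pamh);
	if (err != PAM_SUCCESS) {
		_log_err(LOG_ERR, "pam_start(%s, %s) failed (errno %d)",
			 service, user, err);
		return UNIX_FAILED;
	}

	err = pam_authenticate(pamh, 0);
	if (err != PAM_SUCCESS) {
		_log_err(LOG_ERR, "pam_authenticate(%s, %s): %s",
			 service, user, pam_strerror(pamh, err));
	} else {
		err = pam_acct_mgmt(pamh, 0);
		if (err != PAM_SUCCESS) {
			_log_err(LOG_ERR, "pam_acct_mgmt(%s, %s): %s",
				 service, user, pam_strerror(pamh, err));
		} else {
			int err2 = pam_setcred(pamh, PAM_REFRESH_CRED);

			/* credentials refresh is best effort: old ones stay in use */
			if (err2 != PAM_SUCCESS)
				_log_err(LOG_ERR, "pam_setcred(%s, %s): %s",
					 service, user, pam_strerror(pamh, err2));
		}
	}

	pam_end(pamh, err);
	return err == PAM_SUCCESS ? UNIX_PASSED : UNIX_FAILED;
}

/*
 * Map a UID to its account name.  Returns a pointer to a static buffer
 * (overwritten by the next call, name truncated to 31 characters) or
 * NULL when the UID has no passwd entry.
 */
static char *
getuidname(uid_t uid)
{
	static char username[32];
	struct passwd *pw = getpwuid(uid);

	if (pw == NULL)
		return NULL;
	/* snprintf always NUL-terminates, unlike strncpy */
	snprintf(username, sizeof(username), "%s", pw->pw_name);
	endpwent();
	return username;
}

/*
 * Accept a PAM service name only if it is non-empty, at most 32
 * characters of [A-Za-z0-9_-] (so it cannot escape /etc/pam.d) and a
 * readable /etc/pam.d/<name> exists.  An empty name would otherwise
 * resolve to the /etc/pam.d directory itself and pass the access() test.
 */
static int
sane_pam_service(const char *name)
{
	const char *sp;
	char path[128];
	int n;

	if (name == NULL || *name == '\0' || strlen(name) > 32)
		return 0;
	for (sp = name; *sp; sp++) {
		unsigned char c = (unsigned char) *sp;	/* <ctype.h> wants unsigned char */

		if (!isalnum(c) && c != '_' && c != '-')
			return 0;
	}
	n = snprintf(path, sizeof(path), "/etc/pam.d/%s", name);
	if (n < 0 || (size_t) n >= sizeof(path))
		return 0;
	return access(path, R_OK) == 0;
}

/*
 * Read FAIL_DELAY from /etc/login.defs (first matching line wins).
 * Returns DEFAULT_FAIL_DELAY_S when the file cannot be opened, the key
 * is absent, or its value is not a non-negative number that fits an int.
 */
static int
get_system_fail_delay(void)
{
	FILE *fs;
	char buf[BUFLEN];
	long delay = -1;

	fs = fopen(LOGINDEFS, "r");
	if (fs == NULL)
		return DEFAULT_FAIL_DELAY_S;

	while (fgets(buf, sizeof(buf), fs) != NULL) {
		char *s, *end;
		size_t l;

		s = buf + strspn(buf, " \t");
		l = strcspn(s, " \t\r\n");
		/* exact key match: "#FAIL_DELAY" or "FAIL_DELAY_X" must not count */
		if (l != strlen(LOGINDEFS_FAIL_DELAY_KEY)
		    || strncmp(LOGINDEFS_FAIL_DELAY_KEY, s, l) != 0)
			continue;

		s += l;
		s += strspn(s, " \t");
		errno = 0;
		delay = strtol(s, &end, 10);
		/* no digits at all or out of range: treat as unset */
		if (end == s || errno == ERANGE)
			delay = -1;
		break;
	}
	fclose(fs);

	if (delay < 0 || delay != (long) (int) delay)
		return DEFAULT_FAIL_DELAY_S;
	return (int) delay;
}

/*
 * unix2_chkpwd <service> [<user>]
 *
 * Verifies via PAM the password read from stdin, for the calling user or
 * for <user> when given, and exits with UNIX_PASSED or UNIX_FAILED.
 * Failed attempts by non-root callers are delayed by the login.defs
 * FAIL_DELAY to make the helper useless as a password oracle.
 */
int
main(int argc, char *argv[])
{
	char *service, *user;
	int fd;
	int result = UNIX_FAILED;
	uid_t uid = getuid();

	/*
	 * Make sure fds 0..2 are open so nothing we open later lands on a
	 * standard descriptor.  If /dev/null is unavailable, give up rather
	 * than loop forever on -1.
	 */
	while ((fd = open("/dev/null", O_RDWR)) <= 2) {
		if (fd < 0)
			return UNIX_FAILED;
	}
	close(fd);

	/*
	 * Set the file-scope program_name used as syslog ident by _log_err();
	 * a local of the same name would leave the global NULL.
	 */
	if (argc == 0 || argv[0] == NULL)
		program_name = "unix2_chkpwd";
	else if ((program_name = strrchr(argv[0], '/')) != NULL)
		program_name++;
	else
		program_name = argv[0];

	/* catch or ignore as many signals as possible */
	setup_signals();

	if (argc < 2 || argc > 3) {
		_log_err(LOG_NOTICE, "Bad number of arguments (%d)", argc);
		return UNIX_FAILED;
	}

	/* the service name is untrusted input: validate before it hits PAM */
	service = argv[1];
	if (!sane_pam_service(service)) {
		_log_err(LOG_ERR, "Illegal service name '%s'", service);
		return UNIX_FAILED;
	}

	/* discourage interactive use by ordinary users (fat chance) */
	if (isatty(STDIN_FILENO) && uid != 0) {
		_log_err(LOG_NOTICE,
			 "Inappropriate use of Unix helper binary [UID=%lu]",
			 (unsigned long) uid);
		fprintf(stderr,
			"This binary is not designed for running in this way\n"
			"-- the system administrator has been informed\n");
		sleep(10);	/* this should discourage/annoy the user */
		return UNIX_FAILED;
	}

	/*
	 * The user to check: the optional second argument, else the caller's
	 * own account.  A caller whose UID has no passwd entry cannot be
	 * checked (the old code passed NULL to strcmp() here).
	 */
	if (argc == 3) {
		user = argv[2];
	} else {
		user = getuidname(uid);
		if (user == NULL) {
			_log_err(LOG_ERR, "Cannot determine user name for UID %lu",
				 (unsigned long) uid);
			return UNIX_FAILED;
		}
	}

	result = _authenticate(service, user);

	/* the password is no longer needed; do not leave it around in memory */
	wipe_memory(pass, sizeof(pass));

	/* discourage use of this program as a password cracker */
	usleep(PASSWD_CRACKER_DELAY_MS * 1000);
	if (result != UNIX_PASSED && uid != 0)
		sleep((unsigned int) get_system_fail_delay());

	return result;
}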
