Linux-PAM NEWS -- history of user-visible changes.

Release 1.6.0
* Added support of configuration files with arbitrarily long lines.
* build: fixed build outside of the source tree.
* libpam: added use of getrandom(2) as a source of randomness if available.
* libpam: fixed calculation of fail delay with very long delays.
* libpam: fixed potential infinite recursion with includes.
* libpam: implemented string to number conversions validation when parsing
  controls in configuration.
* pam_access: added quiet_log option.
* pam_access: fixed truncation of very long group names.
* pam_canonicalize_user: new module to canonicalize user name.
* pam_echo: fixed file handling to prevent overflows and short reads.
* pam_env: added support of '\' character in environment variable values.
* pam_exec: allowed expose_authtok for password PAM_TYPE.
* pam_exec: fixed stack overflow with binary output of programs.
* pam_faildelay: implemented parameter ranges validation.
* pam_listfile: changed to treat \r and \n exactly the same in configuration.
* pam_mkhomedir: hardened directory creation against timing attacks.
  Please note that using *at functions leads to more open file handles
  during creation.
* pam_namespace: fixed potential local DoS (CVE-2024-22365).
* pam_nologin: fixed file handling to prevent short reads.
* pam_pwhistory: helper binary is now built only if SELinux support is enabled.
* pam_pwhistory: implemented reliable usernames handling when remembering
  passwords.
* pam_shells: changed to allow shell entries with absolute paths only.
* pam_succeed_if: fixed treating empty strings as numerical value 0.
* pam_unix: added support of disabled password aging.
* pam_unix: synchronized password aging with shadow.
* pam_unix: implemented string to number conversions validation.
* pam_unix: fixed truncation of very long user names.
* pam_unix: corrected rounds retrieval for configured encryption method.
* pam_unix: implemented reliable usernames handling when remembering passwords.
* pam_unix: changed to always run the helper to obtain shadow password entries.
* pam_unix: unix_update helper binary is now built only if SELinux support
  is enabled.
* pam_unix: added audit support to unix_update helper.
* pam_userdb: added gdbm support.
* Multiple minor bug fixes, portability fixes, documentation improvements,
  and translation updates.

Release 1.5.3
* configure: added options to configure stylesheets.
* configure: added --enable-logind option to use logind instead of utmp
  in pam_issue and pam_timestamp.
* pam_modutil_getlogin: changed to use getlogin() from libc instead of parsing utmp.
* Added libeconf support to pam_env and pam_shells.
* Added vendor directory support to pam_access, pam_env, pam_group, pam_faillock,
  pam_limits, pam_namespace, pam_pwhistory, pam_sepermit, pam_shells, and pam_time.
* pam_limits: changed to not fail on missing config files.
* pam_pwhistory: added conf= option to specify config file location.
* pam_pwhistory: added file= option to specify password history file location.
* pam_shells: added shells.d support when libeconf and vendordir are enabled.
* Deprecated pam_lastlog: this module is no longer built by default because
  it uses utmp, wtmp, btmp and lastlog, but none of them are Y2038 safe,
  even on 64bit architectures.
  pam_lastlog will be removed in one of the next releases, consider using
  pam_lastlog2 (from https://github.com/thkukuk/lastlog2) and/or
  pam_wtmpdb (from https://github.com/thkukuk/wtmpdb) instead.
* Deprecated _pam_overwrite(), _pam_overwrite_n(), and _pam_drop_reply() macros
  provided by _pam_macros.h; the memory override performed by these macros can
  be optimized out by the compiler and therefore can no longer be relied upon.
* Multiple minor bug fixes, portability fixes, documentation improvements,
  and translation updates.

Release 1.5.2
* pam_exec: implemented quiet_log option.
* pam_mkhomedir: added support of HOME_MODE and UMASK from /etc/login.defs.
* pam_timestamp: changed hmac algorithm to call openssl instead of the bundled
  sha1 implementation if selected, added option to select
  the hash algorithm to use with HMAC.
* Added pkgconfig files for provided libraries.
* Added --with-systemdunitdir configure option to specify systemd unit
  directory.
* Added --with-misc-conv-bufsize configure option to specify the buffer size
  in libpam_misc's misc_conv() function, raised the default value for this
  parameter from 512 to 4096.
* Multiple minor bug fixes, portability fixes, documentation improvements,
  and translation updates.

Release 1.5.1
* pam_unix: fixed CVE-2020-27780 - authentication bypass when a user
  doesn't exist and root password is blank
* pam_faillock: added nodelay option to not set pam_fail_delay
* pam_wheel: use pam_modutil_user_in_group to check for the group membership
  with getgrouplist where it is available

Release 1.5.0
* Multiple minor bug fixes, portability fixes, and documentation improvements.
* Extended libpam API with pam_modutil_check_user_in_passwd function.
* configure: added --disable-unix option to disable build of pam_unix module.
* pam_faillock: changed /run/faillock/$USER permissions from 0600 to 0660.
* pam_limits: added support for nonewprivs item.
* pam_motd: read motd files with target user credentials skipping unreadable ones.
* pam_pwhistory: added a SELinux helper executable.
* pam_unix, pam_usertype: implemented avoidance of certain timing attacks.
* pam_wheel: implemented PAM_RUSER fallback for the case when getlogin fails.
* Removed deprecated pam_cracklib module, use pam_passwdqc (from passwdqc project)
  or pam_pwquality (from libpwquality project) instead.
* Removed deprecated pam_tally and pam_tally2 modules, use pam_faillock instead.
* pam_env: Reading of the user environment is deprecated and will be removed
  at some point in the future.
* libpam: pam_modutil_drop_priv() now correctly sets the target user's
  supplementary groups, allowing pam_motd to filter messages accordingly

Release 1.4.0
* Multiple minor bug fixes and documentation improvements
* Fixed grammar of messages printed via pam_prompt
* Added support for a vendor directory and libeconf
* configure: Added --enable-Werror option to enable -Werror build
* configure: Allowed disabling documentation through --disable-doc
* pam_get_authtok_verify: Avoid duplicate password verification
* pam_cracklib: Fixed parsing of options without arguments
* pam_env: Changed the default to not read the user .pam_environment file
* pam_exec: Require a user name to be specified before the command is executed
* pam_faillock: New module for locking after multiple auth failures
* pam_group, pam_time: Fixed logical error with multiple ! operators
* pam_keyinit: In pam_sm_setcred do the same as in pam_sm_open_session
* pam_lastlog: Do not log info about failed login if the session was opened
  with PAM_SILENT flag
* pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs
* pam_lastlog: With 'unlimited' option prevent SIGXFSZ due to reduced 'fsize'
  limit
* pam_mkhomedir: Fixed return value when the user is unknown
* pam_motd: Export MOTD_SHOWN=pam after showing MOTD
* pam_motd: Support multiple motd paths specified, with filename overrides
* pam_namespace: Added a systemd service, which creates the namespaced
  instance parent directories during boot
* pam_namespace: Support for noexec, nosuid and nodev flags for tmpfs mounts
* pam_selinux: Check unknown object classes or permissions in current policy
* pam_selinux: Fall back to log to syslog if audit logging fails
* pam_setquota: New module to set or modify disk quotas on session start
* pam_shells: Recognize /bin/sh as the default shell
* pam_succeed_if: Fixed potential override of the default prompt
* pam_succeed_if: Support lists in group membership checks
* pam_time: Added conffile= option to specify an alternative configuration file
* pam_tty_audit: If kernel audit is disabled return PAM_IGNORE
* pam_umask: Added new 'nousergroups' module argument and allowed specifying
  the default for usergroups at build-time
* pam_unix: Added 'nullresetok' option to allow resetting blank passwords
* pam_unix: Report unusable hashes found by checksalt to syslog
* pam_unix: Return PAM_AUTHINFO_UNAVAIL when shadow entry is unavailable
* pam_unix: Support for (gost-)yescrypt hashing methods
* pam_unix: Use bcrypt b-variant when bcrypt is chosen
* pam_usertype: New module to tell if uid is in login.defs ranges
* Fixed and documented possible values returned by pam_get_user()
* Added new API call pam_start_confdir() for special applications that
  cannot use the system-default PAM configuration paths and need to
  explicitly specify another path
* Deprecated pam_cracklib: this module is no longer built by default and will
  be removed in the next release, use pam_passwdqc (from passwdqc project)
  or pam_pwquality (from libpwquality project) instead
* Deprecated pam_tally and pam_tally2: these modules are no longer built
  by default and will be removed in the next release, use pam_faillock instead

Release 1.3.1
* pam_motd: add support for a motd.d directory
* pam_umask: Fix documentation to align with order of loading umask
* pam_get_user.3: Fix missing word in documentation
* pam_tally2 --reset: avoid creating a missing tallylog file
* pam_mkhomedir: Allow creating parent of homedir under /
* access.conf.5: Add note about spaces around ':'
* pam.8: Workaround formatting problem
* pam_unix: Check return value of malloc used for setcred data
* pam_cracklib: Drop unused prompt macros
* pam_tty_audit: Support matching users by uid range
* pam_access: support parsing files in /etc/security/access.d/*.conf
* pam_localuser: Correct documentation
* pam_issue: Fix no prompting in parse escape codes mode
* Unification and cleanup of syslog log levels

Release 1.3.0
* Removal of static modules support
* pam_unix: pass_not_set was removed
* Lots of documentation fixes
* Use TI-RPC function calls if we build against libtirpc
* Add support for new, IPv6 enabled libnsl
* Lots of bug fixes
* Use fedora.zanata.org for translations

Release 1.2.1
* Fix CVE-2015-3238, affected PAM modules are pam_unix and pam_exec

Release 1.2.0
* Update documentation
* Update translations
* pam_unix: add quiet option
* libpam: support alternative configuration files in /usr/lib/pam.d
  as fallback
* pam_env: add support for @{HOME} and @{SHELL}
* libpam: add grantor field to audit records
* libpam: Introduce pam_modutil_sanitize_helper_fds

Release 1.1.8
* pam_unix: bug fix for compiling with SELinux, fix crash at login time

Release 1.1.7
* Update translations
* pam_exec: add stdout and type= options
* pam_tty_audit: add options to control logging of passwords
* pam_unix: Read defaults from /etc/login.defs
* pam_userdb: Allow modern password hashes
* pam_selinux/pam_tally2: Add tty and rhost to audit data
* Lots of documentation and code fixes

Release 1.1.6
* Update translations
* pam_cracklib: Add more checks for weak passwords
* pam_lastlog: Never lock out root
* Lots of bug fixes and smaller enhancements

Release 1.1.5
* pam_env: Fix CVE-2011-3148 and CVE-2011-3149
* pam_access: Add hostname resolution cache
* Documentation: Improvements/fixes

Release 1.1.4
* Add Vietnamese translation
* pam_namespace: Add new functionality
* pam_securetty: Honour console= kernel option, add noconsole option
* pam_limits: Add %group syntax, drop change_uid option, add set_all option
* Lots of small bug fixes
* Lots of compiler warnings fixed
* Add support for libtirpc

Release 1.1.3
* pam_namespace: Clean environment for child processes (CVE-2010-3853)
* libpam: New interface to drop/regain privileges
* Drop root privileges in pam_env, pam_mail and pam_xauth before
  accessing user files (CVE-2010-3430, CVE-2010-3431)
* pam_unix: Add minlen option, change default from 6 to 0
* Documentation improvements
* Lots of small bug fixes

Release 1.1.2
* pam_unix: Add minlen= option
* pam_group: Add support for UNIX groups beside netgroups
* pam_tally: Document that it is deprecated
* pam_rootok: Add support for chauthtok and acct_mgmt
* Update translations

Release 1.1.1
* Update translations
* pam_access: Revert netgroup match to original behavior, add new
  syntax for adding the local hostname to netgroup match
* libpam: Add new functions pam_get_authtok_noverify() and
  pam_get_authtok_verify()
* Add sepermit.conf.5 manual page
* Lots of bug fixes

Release 1.1.0
* Update translations
* Documentation updates and fixes

Release 1.0.92
* Update translations
* pam_succeed_if: Use provided username
* pam_mkhomedir: Fix handling of options

Release 1.0.91
* Fixed CVE-2009-0579 (minimum days limit on password change is ignored).
* Fix libpam internal config/argument parser
* Add optional file locking to pam_tally2
* Update translations
* pam_access improvements
* Changes in the behavior of the password stack. Results of PRELIM_CHECK
  are not used for the final run.

Release 1.0.90
* Supply hostname of the machine to netgroup match call in pam_access
* Make pam_namespace work safely on child directories of parent directories
  owned by users
* Redefine LOCAL keyword of pam_access configuration file
* Add support for try_first_pass and use_first_pass to pam_cracklib
* Print informative messages for rejected login and add silent and
  no_log_info options to pam_tally
* Add support for passing PAM_AUTHTOK to stdin of helpers from pam_exec
* New password quality tests in pam_cracklib
* New options for pam_lastlog to show last failed login attempt and
  to disable lastlog update
* New pam_pwhistory module to store last used passwords
* New pam_tally2 module similar to pam_tally with wordsize independent
  tally data format
* Make libpam not log missing module if its type is prepended with '-'
* New pam_timestamp module for authentication based on recent successful
  login.
* Add blowfish support to pam_unix.
* Add support for user specific environment file to pam_env.
* Add pam_get_authtok to libpam as Linux-PAM extension.
* Rename type option of pam_cracklib to authtok_type.

Release 1.0.3
* Small bug fix release

Release 1.0.2
* Regression fixed in pam_selinux
* Problem with big UIDs fixed in pam_loginuid

Release 1.0.1
* Regression fixed in pam_set_item()

Release 1.0.0
* Small bug fixes
* Translation updates

Release 0.99.10.0
* New substack directive in config file syntax.
* New module pam_tty_audit.so for enabling and disabling tty
  auditing.
* New PAM items PAM_XDISPLAY and PAM_XAUTHDATA.
* Auditing login denials based on origin (pam_access), time (pam_time),
  and number of sessions (pam_limits) to the Linux audit subsystem.
* Support sha256 and sha512 algorithms in pam_unix when they are supported
  by crypt().
* New pam_sepermit.so module for allowing/rejecting access based on
  SELinux mode.
Relevant BUGIDs:
Purpose of commit: bugfix, new feature
Commit summary:
---------------
2008-02-13 Tomas Mraz <t8m@centrum.cz>
* modules/pam_namespace/Makefile.am: Add argv_parse files and namespace.d
dir.
* modules/pam_namespace/argv_parse.c: New file.
* modules/pam_namespace/argv_parse.h: New file.
* modules/pam_namespace/namespace.conf.5.xml: Document new features.
* modules/pam_namespace/pam_namespace.8.xml: Likewise.
* modules/pam_namespace/pam_namespace.h: Use SECURECONF_DIR define.
Define NAMESPACE_D_DIR and NAMESPACE_D_GLOB. Define new option flags
and polydir flags.
(polydir_s): Add rdir, replace exclusive with flags, add init_script,
owner, group, and mode.
(instance_data): Add ruser, gid, and ruid.
* modules/pam_namespace/pam_namespace.c: Remove now unused copy_ent().
(add_polydir_entry): Add the entry directly, no copy.
(del_polydir): New function.
(del_polydir_list): Call del_polydir().
(expand_variables, parse_create_params, parse_iscript_params,
parse_method): New functions.
(process_line): Call expand_variables() on polydir and instance prefix.
Call argv_parse() instead of strtok_r(). Allocate struct polydir_s on heap.
(parse_config_file): Parse .conf files from namespace.d dir after
namespace.conf.
(form_context): Call getcon() or get_default_context_with_level() when
appropriate flags are set.
(poly_name): Handle shared polydir flag.
(inst_init): Execute non-default init script when specified.
(create_polydir): New function.
(create_dirs): Remove the code which checks the polydir. Do not call
inst_init() when noinit flag is set.
(ns_setup): Check the polydir and eventually create it if the create flag
is set.
(setup_namespace): Use ruser uid from idata. Set the namespace polydir
pam data only when namespace was set up correctly. Unmount polydir
based on ruser.
(get_user_data): New function.
(pam_sm_open_session): Check for use_current_context and
use_default_context options. Call get_user_data().
(pam_sm_close_session): Call get_user_data().
* Improved functionality of pam_namespace.so module (method flags,
  namespace.d configuration directory, new options).
* Finally removed deprecated pam_rhosts_auth module.

Release 0.99.9.0
* misc_conv no longer blocks SIGINT; applications that don't want
  user-interruptable prompts should block SIGINT themselves
* Merge fixes from Debian
* Fix parser for pam_group and pam_time

Release 0.99.8.1
* Fix a regression in audit code introduced with last release
* Fix compiling with --disable-nls

Release 0.99.8.0
* Add translations for ar, ca, da, ru, sv and zu.
* Update Hungarian translation.
* Add support for limits.d directory to pam_limits.
* Improve pam_namespace module to be more useful
  for MLS, fixed crash with bad config files.
* Improve pam_selinux module to be more useful
  for MLS.
* Add minclass option to pam_cracklib
* Add new group syntax to pam_access

Release 0.99.7.1
* Security fix for pam_unix.so (CVE-2007-0003).

Release 0.99.7.0
* Add manual page for pam_unix.so.
* Add pam_faildelay module to set pam_fail_delay() value.
* Fix possible seg.fault in libpam/pam_set_data().
* Cleanup of configure options.
* Update Hungarian translation, fix German translation.

Release 0.99.6.3
* pam_loginuid: New PAM module.
* pam_access, pam_succeed_if: Support passwd and session services.

Release 0.99.6.2
* pam_lastlog: Don't refuse login if lastlog file got lost.
* pam_cracklib: Fix a user triggerable crash.
* documentation: Regenerate with fixed docbook stylesheet.

Release 0.99.6.1
* Fix bootstrapping problems.
* Bug fixes: pam_keyinit, pam_umask

Release 0.99.6.0
* pam_namespace: Code cleanup, add init script to tar archive.
* pam_succeed_if: Add support for service match.
* Add xtests (to run after installation).
* Documentation: Convert sgml guides to XML, unify documentation
  for PAM functions and modules.

Release 0.99.5.0
* pam_tally: Fix support for large UIDs
* Fixed all problems found by Coverity
* Add support for Intel C Compiler
* Add manual page for pam_mkhomedir, pam_umask, pam_filter,
  pam_issue, pam_ftp, pam_group, pam_lastlog, pam_listfile,
  pam_localuser, pam_mail, pam_motd, pam_nologin, pam_permit,
  pam_rootok, pam_securetty, pam_shells, pam_userdb, pam_warn,
  pam_time, pam_limits, pam_debug, pam_tally
* The libpam memory debug code was removed
* pam_keyinit: New module to initialise kernel session keyring.
* pam_namespace: New module to configure private namespace for a session.
* pam_rhosts: New module which replaces pam_rhosts_auth, now IPv6 capable.
* pam_rhosts_auth: This module is now deprecated.

Release 0.99.4.0
* Add test suite
* Fix building of static variants of libpam, libpamc and libpam_misc
* pam_listfile: Add support for password and session management
* pam_exec: New PAM module to execute arbitrary commands
* Fix building of a static libpam including all PAM modules
* New/updated translations for: nl, pt, pl, fi, km, tr, uk, fr
* pam_access: Add network(address) / netmask and IPv6 support
* Add manual pages for pam_cracklib, pam_deny and pam_access
* pam_pwdb: This deprecated module was removed
* Manual pages: Major rewrite/cleanup

Release 0.99.3.0
* Fix NULL pointer checks in libpam.so
* pam_succeed_if, pam_group, pam_time: Support netgroup matching
* New translations for: nb, hu, fi, de, es, fr, it, ja, pt_BR, zh_CN, zh_TW
* Audit PAM calls if Linux Audit is available
* Compile upperLOWER and unix_chkpwd as PIE binaries

Release 0.99.2.1
* Fix install of PS, PDF, TXT and HTML files
* pam_mail: Update README
* Use %m consistently
* pam_modutil_getlogin: Fix parsing of PAM_TTY variable

Release 0.99.2.0
* Fix parsing of full path tty name in various modules
* pam_xauth: Look for xauth executable in multiple places
* pam_unix: Disable user check in unix_chkpwd only if real uid
  is 0 (CVE-2005-2977). Log failed password check attempt.
* pam_env: Support /etc/environment again, but don't treat it as
  error if it is missing.
* pam_userdb: Fix memory leak.

Release 0.99.1.0
* Use autoconf/automake/libtool
* Add gettext support
* Add translations for cs, de, es, fr, hu, it, ja, nb, pa, pt_BR,
  pt, zh_CN and zh_TW
* libpam: Remove pam_authenticate_secondary stub
* libpam: Add pam_prompt,pam_vprompt,pam_error,pam_verror,pam_info
  and pam_vinfo functions for use by modules as extension
* libpam: Add pam_syslog function for unified syslog messages from
  PAM modules
* libpam: Moved functions from pammodutil to libpam
* pam_umask: New module for setting umask from GECOS field, /etc/login.defs
  or /etc/default/login
* pam_echo: New PAM module for message output
* pam_userdb: Fix regression (crash when crypt param not specified)
* pam_limits: Fix regression from RLIMIT_NICE support (wrong limit
  values for other limits are applied)
* pam_access: Support for NULL tty - matches ALL and NONE keywords
* pam_lastlog: Enable log to wtmp by default. Add "nowtmp" option
* pam_radius: This module was removed