Fix or suppress various warnings when compiling with -Wall -Wextra

* conf/pam_conv1/Makefile.am: Add -Wno-unused-function -Wno-sign-compare to CFLAGS.
* doc/specs/Makefile.am: Likewise.

* libpamc/include/security/pam_client.h: Explicitly compare old_p with NULL.

* modules/pam_access/pam_access.c: Avoid double const.

* modules/pam_filter/pam_filter.c: Avoid arbitrary constants. Avoid strncpy()
without copying the NUL byte.

* modules/pam_group/pam_group.c: Mark switch fallthrough with comment.
* modules/pam_time/pam_time.c: Likewise.

* modules/pam_limits/pam_limits.c: Remove unused units variable.

* modules/pam_listfile/pam_listfile.c: Avoid unnecessary strncpy, use pointers.

* modules/pam_rootok/pam_rootok.c (log_callback): Mark unused parameter.

* modules/pam_selinux/pam_selinux.c: Use string_to_security_class() instead
of hardcoded value.

* modules/pam_sepermit/pam_sepermit.c: Properly cast when comparing.

* modules/pam_succeed_if/pam_succeed_if.c: Mark unused parameters.

* modules/pam_unix/pam_unix_passwd.c: Remove unused variables and properly
cast for comparison.

* modules/pam_unix/support.c: Remove unused function.

conf/pam_conv1/Makefile.am

@@ -8,6 +8,8 @@ EXTRA_DIST = README
 
 AM_YFLAGS = -d
 
+pam_conv1_CFLAGS = -Wno-unused-function -Wno-sign-compare
+
 BUILT_SOURCES = pam_conv_y.h
 
 noinst_PROGRAMS = pam_conv1

doc/specs/Makefile.am

@@ -16,6 +16,8 @@ CPPFLAGS = @BUILD_CPPFLAGS@
 CFLAGS = @BUILD_CFLAGS@
 LDFLAGS = @BUILD_LDFLAGS@
 
+padout_CFLAGS = -Wno-unused-function -Wno-sign-compare
+
 BUILT_SOURCES = parse_y.h
 
 noinst_PROGRAMS = padout

libpamc/include/security/pam_client.h

@@ -109,7 +109,7 @@ char **pamc_list_agents(pamc_handle_t pch);
 
 #define PAM_BP_RENEW(old_p, cntrl, data_length)                            \
 do {                                                                       \
-    if (old_p) {                                                           \
+    if ((old_p) != NULL) {                                                 \
 	if (*(old_p)) {                                                    \
 	    u_int32_t __size;                                              \
             __size = PAM_BP_SIZE(*(old_p));                                \

modules/pam_access/pam_access.c

@@ -806,7 +806,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
     const char *user=NULL;
     const void *void_from=NULL;
     const char *from;
-    const char const *default_config = PAM_ACCESS_CONFIG;
+    const char *default_config = PAM_ACCESS_CONFIG;
     struct passwd *user_pw;
     char hostname[MAXHOSTNAMELEN + 1];
     int rv;

modules/pam_filter/pam_filter.c

@@ -120,8 +120,8 @@ static int process_args(pam_handle_t *pamh
 
 	/* the "ARGS" variable */
 
-#define ARGS_OFFSET    5                          /*  strlen('ARGS=');  */
 #define ARGS_NAME      "ARGS="
+#define ARGS_OFFSET    (sizeof(ARGS_NAME) - 1)
 
 	size += ARGS_OFFSET;
 
@@ -134,7 +134,7 @@ static int process_args(pam_handle_t *pamh
 	    return -1;
 	}
 
-	strncpy(levp[0],ARGS_NAME,ARGS_OFFSET);
+	strcpy(levp[0], ARGS_NAME);
 	for (i=0,size=ARGS_OFFSET; i<argc; ++i) {
 	    strcpy(levp[0]+size, argv[i]);
 	    size += strlen(argv[i]);
@@ -144,8 +144,8 @@ static int process_args(pam_handle_t *pamh
 
 	/* the "SERVICE" variable */
 
-#define SERVICE_OFFSET    8                    /*  strlen('SERVICE=');  */
 #define SERVICE_NAME      "SERVICE="
+#define SERVICE_OFFSET    (sizeof(SERVICE_NAME) - 1)
 
 	retval = pam_get_item(pamh, PAM_SERVICE, &tmp);
 	if (retval != PAM_SUCCESS || tmp == NULL) {
@@ -168,14 +168,14 @@ static int process_args(pam_handle_t *pamh
 	    return -1;
 	}
 
-	strncpy(levp[1],SERVICE_NAME,SERVICE_OFFSET);
+	strcpy(levp[1], SERVICE_NAME);
 	strcpy(levp[1]+SERVICE_OFFSET, tmp);
 	levp[1][size] = '\0';                      /* <NUL> terminate */
 
 	/* the "USER" variable */
 
-#define USER_OFFSET    5                          /*  strlen('USER=');  */
 #define USER_NAME      "USER="
+#define USER_OFFSET    (sizeof(USER_NAME) - 1)
 
 	if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS ||
 	    user == NULL) {
@@ -194,14 +194,14 @@ static int process_args(pam_handle_t *pamh
 	    return -1;
 	}
 
-	strncpy(levp[2],USER_NAME,USER_OFFSET);
+	strcpy(levp[2], USER_NAME);
 	strcpy(levp[2]+USER_OFFSET, user);
 	levp[2][size] = '\0';                      /* <NUL> terminate */
 
 	/* the "USER" variable */
 
-#define TYPE_OFFSET    5                          /*  strlen('TYPE=');  */
 #define TYPE_NAME      "TYPE="
+#define TYPE_OFFSET    (sizeof(TYPE_NAME) - 1)
 
 	size = TYPE_OFFSET+strlen(type);
 
@@ -217,7 +217,7 @@ static int process_args(pam_handle_t *pamh
 	    return -1;
 	}
 
-	strncpy(levp[3],TYPE_NAME,TYPE_OFFSET);
+	strcpy(levp[3], TYPE_NAME);
 	strcpy(levp[3]+TYPE_OFFSET, type);
 	levp[3][size] = '\0';                      /* <NUL> terminate */
 

modules/pam_group/pam_group.c

@@ -183,6 +183,7 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state)
 		    ++src; /* skip it */
 		    break;
 		}
+	    /* fallthrough */
 	    default:
 		*to++ = c;
 		onspace = 0;

modules/pam_limits/pam_limits.c

@@ -384,7 +384,7 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int
     FILE *limitsfile;
     const char *proclimits = "/proc/1/limits";
     char line[256];
-    char *units, *hard, *soft, *name;
+    char *hard, *soft, *name;
 
     if (!(limitsfile = fopen(proclimits, "r"))) {
         pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM defaults", proclimits, strerror(errno));
@@ -410,10 +410,7 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int
         if (pos == maxlen) {
             /* step backwards over "Units" name */
             LIMITS_SKIP_WHITESPACE;
-            LIMITS_MARK_ITEM(units);
-        }
-        else {
-            units = "";
+            LIMITS_MARK_ITEM(hard); /* not a typo, units unused */
         }
 
         /* step backwards over "Hard Limit" value */

modules/pam_listfile/pam_listfile.c

@@ -65,14 +65,14 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
     char mybuf[256],myval[256];
     struct stat fileinfo;
     FILE *inf;
-    char apply_val[256];
+    const char *apply_val;
     int apply_type;
 
     /* Stuff for "extended" items */
     struct passwd *userinfo;
 
     apply_type=APPLY_TYPE_NULL;
-    memset(apply_val,0,sizeof(apply_val));
+    apply_val="";
 
     for(i=0; i < argc; i++) {
 	{
@@ -140,13 +140,12 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
 		    citem = 0;
 	    } else if(!strcmp(mybuf,"apply")) {
 		apply_type=APPLY_TYPE_NONE;
-		memset(apply_val,'\0',sizeof(apply_val));
 		if (myval[0]=='@') {
 		    apply_type=APPLY_TYPE_GROUP;
-		    strncpy(apply_val,myval+1,sizeof(apply_val)-1);
+		    apply_val=myval+1;
 		} else {
 		    apply_type=APPLY_TYPE_USER;
-		    strncpy(apply_val,myval,sizeof(apply_val)-1);
+		    apply_val=myval;
 		}
 	    } else {
 		free(ifname);

modules/pam_rootok/pam_rootok.c

@@ -61,7 +61,7 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv)
 
 #ifdef WITH_SELINUX
 static int
-log_callback (int type, const char *fmt, ...)
+log_callback (int type UNUSED, const char *fmt, ...)
 {
     int audit_fd;
     va_list ap;

modules/pam_selinux/pam_selinux.c

@@ -63,8 +63,6 @@
 
 #include <selinux/selinux.h>
 #include <selinux/get_context_list.h>
-#include <selinux/flask.h>
-#include <selinux/av_permissions.h>
 #include <selinux/selinux.h>
 #include <selinux/context.h>
 #include <selinux/get_default_type.h>
@@ -591,7 +589,7 @@ compute_tty_context(const pam_handle_t *pamh, module_data_t *data)
   }
 
   if (security_compute_relabel(data->exec_context, data->prev_tty_context,
-			       SECCLASS_CHR_FILE, &data->tty_context)) {
+			       string_to_security_class("chr_file"), &data->tty_context)) {
     data->tty_context = NULL;
     pam_syslog(pamh, LOG_ERR, "Failed to compute new context for %s: %m",
 	       data->tty_path);

modules/pam_sepermit/pam_sepermit.c

@@ -353,7 +353,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
 		if (*sense == PAM_SUCCESS) {
 			if (ignore)
 				*sense = PAM_IGNORE;
-			if (geteuid() == 0 && exclusive && get_loginuid(pamh) == -1)
+			if (geteuid() == 0 && exclusive && get_loginuid(pamh) == (uid_t)-1)
 				if (sepermit_lock(pamh, user, debug) < 0)
 					*sense = PAM_AUTH_ERR;
 		}

modules/pam_succeed_if/pam_succeed_if.c

@@ -229,9 +229,16 @@ evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group)
 		return PAM_SUCCESS;
 	return PAM_AUTH_ERR;
 }
+
+#ifdef HAVE_INNETGR
+# define SOMETIMES_UNUSED UNUSED
+#else
+# define SOMETIMES_UNUSED
+#endif
+
 /* Return PAM_SUCCESS if the (host,user) is in the netgroup. */
 static int
-evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
+evaluate_innetgr(const pam_handle_t* pamh SOMETIMES_UNUSED, const char *host, const char *user, const char *group)
 {
 #ifdef HAVE_INNETGR
 	if (innetgr(group, host, user, NULL) == 1)
@@ -244,7 +251,7 @@ evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, c
 }
 /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
 static int
-evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
+evaluate_notinnetgr(const pam_handle_t* pamh SOMETIMES_UNUSED, const char *host, const char *user, const char *group)
 {
 #ifdef HAVE_INNETGR
 	if (innetgr(group, host, user, NULL) == 0)

modules/pam_time/pam_time.c

@@ -213,6 +213,7 @@ read_field(const pam_handle_t *pamh, int fd, char **buf, int *from, int *state)
 		    ++src; /* skip it */
 		    break;
 		}
+		/* fallthrough */
 	    default:
 		*to++ = c;
 		onspace = 0;

modules/pam_unix/pam_unix_passwd.c

@@ -350,7 +350,7 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned long long ctrl,
 static int check_old_password(const char *forwho, const char *newpass)
 {
 	static char buf[16384];
-	char *s_luser, *s_uid, *s_npas, *s_pas;
+	char *s_pas;
 	int retval = PAM_SUCCESS;
 	FILE *opwfile;
 	size_t len = strlen(forwho);
@@ -364,9 +364,9 @@ static int check_old_password(const char *forwho, const char *newpass)
 			buf[len] == ',')) {
 			char *sptr;
 			buf[strlen(buf) - 1] = '\0';
-			s_luser = strtok_r(buf, ":,", &sptr);
-			s_uid = strtok_r(NULL, ":,", &sptr);
-			s_npas = strtok_r(NULL, ":,", &sptr);
+			/* s_luser = */ strtok_r(buf, ":,", &sptr);
+			/* s_uid = */ strtok_r(NULL, ":,", &sptr);
+			/* s_npas = */ strtok_r(NULL, ":,", &sptr);
 			s_pas = strtok_r(NULL, ":,", &sptr);
 			while (s_pas != NULL) {
 				char *md5pass = Goodcrypt_md5(newpass, s_pas);
@@ -581,7 +581,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh
 		remark = _("You must choose a shorter password.");
 		D(("length exceeded [%s]", remark));
 	} else if (off(UNIX__IAMROOT, ctrl)) {
-		if (strlen(pass_new) < pass_min_len)
+		if ((int)strlen(pass_new) < pass_min_len)
 		  remark = _("You must choose a longer password.");
 		D(("length check [%s]", remark));
 		if (on(UNIX_REMEMBER_PASSWD, ctrl)) {

modules/pam_unix/support.c

@@ -211,11 +211,6 @@ unsigned long long _set_ctrl(pam_handle_t *pamh, int flags, int *remember,
 	return ctrl;
 }
 
-static void _cleanup(pam_handle_t * pamh UNUSED, void *x, int error_status UNUSED)
-{
-	_pam_delete(x);
-}
-
 /* ************************************************************** *
  * Useful non-trivial functions                                   *
  * ************************************************************** */