On my non-representative hardware, the full build using autotools
(./autogen.sh && CFLAGS=-O2 ./configure && make -j`nproc` && make -j`nproc` install)
takes about 45 seconds.
On the same hardware, the full build using meson
(meson setup -Doptimization=2 dir && meson compile -C dir && meson install -C dir)
takes just about 7.5 seconds.
Given that in most places config.h is included unconditionally,
there is no point in keeping remaining HAVE_CONFIG_H checks.
Public header files do not use config.h and therefore
are not affected by this change anyway.
Fixes:
# ./run-xtests.sh . tst-pam_access1
mv: cannot stat '/etc/security/opasswd': No such file or directory
PASS: tst-pam_access1
mv: cannot stat '/etc/security/opasswd-pam-xtests': No such file or directory
==================
1 tests passed
0 tests not run
==================
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Replace all instances of sizeof(x) / sizeof(*x) with PAM_ARRAY_SIZE(x)
which is less error-prone and implements an additional type check.
* libpam/pam_handlers.c: Include "pam_inline.h".
(_pam_open_config_file): Use PAM_ARRAY_SIZE.
* modules/pam_exec/pam_exec.c: Include "pam_inline.h".
(call_exec): Use PAM_ARRAY_SIZE.
* modules/pam_namespace/pam_namespace.c: Include "pam_inline.h".
(filter_mntopts): Use PAM_ARRAY_SIZE.
* modules/pam_timestamp/hmacfile.c: Include "pam_inline.h".
(testvectors): Use PAM_ARRAY_SIZE.
* modules/pam_xauth/pam_xauth.c: Include "pam_inline.h".
(run_coprocess, pam_sm_open_session): Use PAM_ARRAY_SIZE.
* tests/tst-pam_get_item.c: Include "pam_inline.h".
(main): Use PAM_ARRAY_SIZE.
* tests/tst-pam_set_item.c: Likewise.
* xtests/tst-pam_pwhistory1.c: Likewise.
* xtests/tst-pam_time1.c: Likewise.
To be able to set CFLAGS from make command-line but not to lose the
warning flags.
* configure.ac: Put warning flags to WARN_CFLAGS instead of CFLAGS.
* */Makefile.am: Apply WARN_CFLAGS to AM_CFLAGS.
This fixes a regression introduced by #69, where motd_path was set
to NULL and passed into strdup() if the motd_dir argument was
not specified in the configuration file. This caused a segmentation
fault.
* modules/pam_motd/pam_motd.c: fix checks for NULL in arguments
* xtests/Makefile.am: add test scripts and config file
* xtests/tst-pam_motd.sh: add running tst-pam_motd4.sh
* xtests/tst-pam_motd4.pamd: create
* xtests/tst-pam_motd4.sh: create
Adds specifying multiple paths to motd files and motd.d
directories to be displayed. A colon-separated list of
paths is specified as arguments motd and motd_dir to the
pam_motd module.
This gives packages several options to install motd files to.
By default, the paths are, with highest priority first:
/etc/motd
/run/motd
/usr/lib/motd
/etc/motd.d/
/run/motd.d/
/usr/lib/motd.d/
Which is equivalent to the following arguments:
motd=/etc/motd:/run/motd:/usr/lib/motd
motd_dir=/etc/motd.d:/run/motd.d:/usr/lib/motd.d
Files with the same filename in a lower-priority directory,
as specified by the order in the colon-separated list, are
overridden, meaning PAM will not display them.
This allows a package to contain motd files under
/usr/lib instead of the host configuration in /etc.
A service may also write a dynamically generated motd in
/run/motd.d/ and have PAM display it without needing a
symlink from /etc/motd.d/ installed.
Closes#68
* modules/pam_motd/pam_motd.8.xml: update documentation
* modules/pam_motd/pam_motd.c: add specifying multiple motd paths
* xtests/.gitignore: add generated test script
* xtests/Makefile.am: add test source, scripts and config files
* xtests/tst-pam_motd.c: create
* xtests/tst-pam_motd.sh: create
* xtests/tst-pam_motd1.pamd: create
* xtests/tst-pam_motd1.sh: create
* xtests/tst-pam_motd2.pamd: create
* xtests/tst-pam_motd2.sh: create
* xtests/tst-pam_motd3.pamd: create
* xtests/tst-pam_motd3.sh: create
There are no bash specific syntax in the xtest scripts. So, remove
the bash dependency.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Security fix: CVE-2015-3238
If the process executing pam_sm_authenticate or pam_sm_chauthtok method
of pam_unix is not privileged enough to check the password, e.g.
if selinux is enabled, the _unix_run_helper_binary function is called.
When a long enough password is supplied (16 pages or more, i.e. 65536+
bytes on a system with 4K pages), this helper function hangs
indefinitely, blocked in the write(2) call while writing to a blocking
pipe that has a limited capacity.
With this fix, the verifiable password length will be limited to
PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
* NEWS: Update
* configure.ac: Bump version
* modules/pam_exec/pam_exec.8.xml: document limitation of password length
* modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE
* modules/pam_unix/pam_unix.8.xml: document limitation of password length
* modules/pam_unix/pam_unix_passwd.c: limit password length
* modules/pam_unix/passverify.c: Likewise
* modules/pam_unix/passverify.h: Likewise
* modules/pam_unix/support.c: Likewise
* modules/pam_selinux/Makefile.am: Rename pam_selinux_check_LDFLAGS to
pam_selinux_check_LDADD.
* modules/pam_userdb/Makefile.am: Split out pam_userdb_la_LIBADD from
AM_LDFLAGS.
* modules/pam_warn/Makefile.am: Split out pam_warn_la_LIBADD from
AM_LDFLAGS.
* modules/pam_wheel/Makefile.am: Split out pam_wheel_la_LIBADD from
AM_LDFLAGS.
* modules/pam_xauth/Makefile.am: split out pam_xauth_la_LIBADD from
AM_LDFLAGS.
* xtests/Makefile.am: Rename AM_LDFLAGS to LDADD.
Cleanup trailing whitespaces, indentation that uses spaces before tabs,
and blank lines at EOF. Make the project free of warnings reported by
git diff --check 4b825dc642 HEAD
Purpose of commit: bugfix
Commit summary:
---------------
2010-10-20 Thorsten Kukuk <kukuk@thkukuk.de>
* doc/man/Makefile.am: Fix build dependencys of pam_get_authtok.3.
* xtests/Makefile.am: Only build xtests if we run xtests.
Purpose of commit: bugfix
Commit summary:
---------------
2009-02-26 Tomas Mraz <t8m@centrum.cz>
* xtests/Makefile.am: Add tst-pam_unix4.
* xtests/tst-pam_unix4.c: New test for password change
and shadow min days limit.
* xtests/tst-pam_unix4.pamd: Likewise.
* xtests/tst-pam_unix4.sh: Likewise.
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Ignore
PAM_AUTHTOK_ERR on shadow verification.
* modules/pam_unix/passverify.c (check_shadow_expiry): Return
PAM_AUTHTOK_ERR if sp_min limit for password change is defied.
Purpose of commit: new feature
Commit summary:
---------------
2009-02-25 Tomas Mraz <t8m@centrum.cz>
* xtests/access.conf: Add a line for name resolution test case.
* xtests/tst-pam_access4.c (main): Set PAM_RHOST for testing the LOCAL
keyword. Add a test case for name resolution.
* modules/pam_access/pam_access.c (from_match): Move name resolution
to network_netmask_match().
(network_netmask_match): Do a name resolution of the origin only if
matching against a real network/netmask.
Purpose of commit: new testcase
Commit summary:
---------------
User entries with "|" don't work as expected.
2008-11-24 Thorsten Kukuk <kukuk@thkukuk.de>
* xtests/Makefile.am: Add pam_time1 tests.
* xtests/tst-pam_time1.c: New test case.
* xtests/tst-pam_time1.pamd: New.
* xtests/time.conf: New.
* xtests/run-xtests.sh: Copy time.conf.
Purpose of commit: feature
Commit summary:
---------------
2008-07-09 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_exec/pam_exec.c (call_exec): Move all variable
declaration to begin of a block (#1976310).
* xtests/tst-pam_group1.c (run_test): Move no_grps declaration
to begin of function (#1976310).
Purpose of commit: new feature
Commit summary:
---------------
2007-10-19 Tomas Mraz <t8m@centrum.cz>
* xtests/tst-pam_access1.c: Use different name for user and group.
* xtests/tst-pam_access1.sh: Likewise.
* xtests/tst-pam_access2.c: Likewise.
* xtests/tst-pam_access2.sh: Likewise.
* xtests/tst-pam_access4.c: Likewise.
* xtests/tst-pam_access4.sh: Likewise.
* xtests/group.conf: Likewise.
* xtests/tst-pam_group1.c: Likewise.
* xtests/tst-pam_group1.sh: Likewise.
* libpam/pam_dispatch.c (_pam_dispatch_aux): Save states for substacks,
record substack level, skip over virtual substack modules, implement
evaluation of done, die, reset and jumps in substacks. Also fixes
too far jumps in substacks.
* libpam/pam_end.c (pam_end): Drop substack evaluation states.
* libpam/pam_handlers.c (_pam_parse_conf_file): Add substack level
parameter, instead of must_fail use handler_type needed for virtual
substack modules.
(_pam_load_conf_file): Add substack level parameter.
(_pam_init_handlers): Substack level parameter added to
_pam_parse_conf_file() calls.
(_pam_load_module): New function.
(_pam_add_handler): Refactor code into the _pam_load_module(). Add
support for virtual substack modules.
* libpam/pam_private.h: Rename must_fail to handler_type, add stack_level
to struct handler. Define handler type constants. Add struct
for substack evaluation states. Define constant for maximum
substack level. Add substack states pointer to former state struct.
* libpam/pam_start.c (pam_start): Initialize pointer to substack states.
* doc/man/pam.conf-syntax.xml: Document substack control.
* xtests/Makefile.am: Add new tests for substack evaluation.
* xtests/run_xtests.sh: Support multiple .pamd files in a test.
* xtests/tst-pam_authfail.pamd: New tests for substack evaluation.
* xtests/tst-pam_authsucceed.pamd: Likewise.
* xtests/tst-pam_substack1.pamd: Likewise.
* xtests/tst-pam_substack1a.pamd: Likewise.
* xtests/tst-pam_substack1.sh: Likewise.
* xtests/tst-pam_substack2.pamd: Likewise.
* xtests/tst-pam_substack2a.pamd: Likewise.
* xtests/tst-pam_substack2.sh: Likewise.
* xtests/tst-pam_substack3.pamd: Likewise.
* xtests/tst-pam_substack3a.pamd: Likewise.
* xtests/tst-pam_substack3.sh: Likewise.
* xtests/tst-pam_substack4.pamd: Likewise.
* xtests/tst-pam_substack4a.pamd: Likewise.
* xtests/tst-pam_substack4.sh: Likewise.
* xtests/tst-pam_substack5.pamd: Likewise.
* xtests/tst-pam_substack5a.pamd: Likewise.
* xtests/tst-pam_substack5.sh: Likewise.
Purpose of commit: testcase
Commit summary:
---------------
2007-10-18 Tomas Mraz <t8m@centrum.cz>
* xtests/tst-pam_dispatch4.c: Fix comment about the test.
* xtests/tst-pam_dispatch4.pamd: Improve the testcase.
Purpose of commit: new testcase
Commit summary:
---------------
2007-10-12 Thorsten Kukuk <kukuk@thkukuk.de>
* xtests/Makefile.am: Add tst-pam_dispatch5 sources
* xtests/tst-pam_dispatch5.c: New test for jump too far.
* xtests/tst-pam_dispatch5.pamd: New test configuration.
Purpose of commit: bugfix
Commit summary:
---------------
2007-10-01 Thorsten Kukuk <kukuk@thkukuk.de>
* xtests/tst-pam_group1.c: New test case for user compare in pam_group.
* xtests/tst-pam_group1.sh: Script to run test case.
* xtests/tst-pam_group1.pamd: Config for test case.
* xtests/Makefile.am: Add tst-pam_group1 test case.
* xtests/run-xtests.sh: Save/restore group.conf.
* xtests/group.conf: New.
* modules/pam_xauth/pam_xauth.c (pam_sm_open_session): Don't
free arguments used for putenv().
* doc/man/pam_putenv.3.xml: Document that application has to free
the memory.
Purpose of commit: bugfix
Commit summary:
---------------
2007-09-27 Thorsten Kukuk <kukuk@thkukuk.de>
* xtests/run-xtests.sh: Add support to skip tests.
* xtests/tst-pam_limits1.c: Skip test if RLIMIT_NICE is not
defined.
Purpose of commit: bugfix, release
Commit summary:
---------------
2007-07-06 Thorsten Kukuk <kukuk@thkukuk.de>
* release version 0.99.8.0
* configure.in: Check for audit_log_acct_message instead of
audit_log_user_message.
* libpam/pam_audit.c: Use audit_log_acct_message.
Based on patch from Mark J Cox <mjc@redhat.com>.
* libpam/Makefile.am: Bump version number of libpam.
* modules/pam_umask/pam_umask.c (set_umask): mode_t is 32bit,
not 64bit.
* xtests/tst-pam_limits1.c: Fix printf arguments.
* po/*.po: Merge po files with latest code changes.
Purpose of commit: bugfix
Commit summary:
---------------
2007-06-26 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_limits/pam_limits.c (process_limit): Check upper and
lower limit of nice value, fix off-by-one in conversation to rlim_t.
* xtests/Makefile.am: Add new pam_limits test case.
* xtests/limits.conf: New, config file for test case.
* xtests/pam_limits1.c: New, test case for RLIMIT_NICE.
* xtests/pam_limits1.sh: Likewise.
* xtests/pam_limits1.pamd: Likewise.
Purpose of commit: new features
Commit summary:
---------------
2007-06-20 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_cracklib/pam_cracklib.8.xml: Document new minclass
option.
* modules/pam_cracklib/pam_cracklib.c: Add support for minimum
character classes [#1688777]. Based on patch from Keith Schincke.
* xtests/tst-pam_cracklib2.c: New, test case for minclass option.
* xtests/tst-pam_cracklib2.pamd: New, PAM config file for test case.
* xtests/Makefile.am: Add new testcase.
* xtests/pam_cracklib.c: Fix comment what this application tests.
* configure.in: Use /lib64 on x86-64, ppc64, s390x, sparc64
Purpose of commit: bugfix
Commit summary:
---------------
2007-05-04 Thorsten Kukuk <kukuk@suse.de>
* xtests/run-xtests.sh: Use SRCDIR to find PAM config files.
* xtests/Makefile.am:Call run-xtests.sh with srcdir as first
argument.
Based on patch by Bernard Leak <thisisnotapipe@hotmail.com>.
