the requested primitive. This is a significant change, but it should
only affect poorly-written PAM modules, and the alternative is a
potential fail-open situation.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@501 185d5e19-27fe-0310-9dcf-9bff6b9f3609
are actually passed to each service function in the classic (argc,
argv) form. The only place where the compiler could have caught this
used a type cast, and it did not show up in testing either because all
of the modules I tested use openpam_get_option(3) instead of
manipulating argv directly.
The cleaned-up policy parsing code remains in place, but options are
once more stored as strings, pretty much the way they appear in the
policy file, except that quotes are stripped.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@482 185d5e19-27fe-0310-9dcf-9bff6b9f3609
bonus, it should now be much easier to read and understand.
This also changes the way options are stored: they are now stored as a list
of { key, value } pairs rather than "key=value" strings.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@478 185d5e19-27fe-0310-9dcf-9bff6b9f3609
would previously return 0 because it expected the next character after
the matched word to be a space.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@474 185d5e19-27fe-0310-9dcf-9bff6b9f3609
- Don't treat "\\\n" as whitespace. It's not what most people would
expect, and the documentation doesn't mention it.
- Improve the documentation a bit now that gendoc.pl supports bullet
lists.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@473 185d5e19-27fe-0310-9dcf-9bff6b9f3609
OPENPAM_MODULES_DIR macro was defined in config.h in addition to
CFLAGS. Place OPENPAM_MODULES_DIR unconditionally in config.h and
remove it from CFLAGS.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@462 185d5e19-27fe-0310-9dcf-9bff6b9f3609
codes in a string with the values of selected PAM items. Use it for
prompts.
Furthermore, modify pam_get_user(3) and pam_get_authtok(3) to look for
module options named {user,authtok,oldauthtok}_prompt, as appropriate.
If found, these options take precedence over both the caller's prompt
and the PAM_{USER,AUTHTOK,OLDAUTHTOK}_PROMPT items. The usefulness of
these options is somewhat limited by the fact that the policy file
parser does not support quoted strings; that's next on the todo list.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@455 185d5e19-27fe-0310-9dcf-9bff6b9f3609
argument (for pam_get_data(3)) are untouched if the function fails.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@444 185d5e19-27fe-0310-9dcf-9bff6b9f3609
the sake of completeness. It is automatically set in pam_start(3).
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@443 185d5e19-27fe-0310-9dcf-9bff6b9f3609
header, as it may define symbols which modify the behaviour of those headers.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@416 185d5e19-27fe-0310-9dcf-9bff6b9f3609
if OPENPAM_DEBUG is not defined (doing so generates far more debugging
information than you will ever want)
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@414 185d5e19-27fe-0310-9dcf-9bff6b9f3609
directory which was specified at configure time.
Inspired by: NetBSD
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@308 185d5e19-27fe-0310-9dcf-9bff6b9f3609
apparently isn't present on some platforms (e.g. Solaris 8)
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@281 185d5e19-27fe-0310-9dcf-9bff6b9f3609
final argument as void ** rather than const void **, but having seen
the strict aliasing warnings gcc generates at higher -O levels, it
makes a lot more sense. Change the prototype and definition back to
what the XSSO specifies, and make the necessary changes to avoid
warnings in code that calls pam_get_data().
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@277 185d5e19-27fe-0310-9dcf-9bff6b9f3609
thinking (or smoking) at the time. Really fix it this time.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@275 185d5e19-27fe-0310-9dcf-9bff6b9f3609
handling considerably simpler, eliminating the need for setjmp(3) and
evil global variables.
Portions submitted by: Dmitry V. Levin <ldv@altlinux.org>
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@264 185d5e19-27fe-0310-9dcf-9bff6b9f3609
address some related style issues.
Submitted by: Dmitry V. Levin <ldv@altlinux.org>
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@262 185d5e19-27fe-0310-9dcf-9bff6b9f3609
have to check that the item isn't NULL.
Submitted by: marcus
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@258 185d5e19-27fe-0310-9dcf-9bff6b9f3609
loader, reducing the number of times each file is read. Also fix
a few minor nits (such as making facility names and control flags
case insensitive like they are in Solaris).
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@243 185d5e19-27fe-0310-9dcf-9bff6b9f3609
reporting: error messages relating to policy files now include line
numbers, and the parser will warn about invalid facility names.
Also fix an off-by-one bug in the option handling code.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@241 185d5e19-27fe-0310-9dcf-9bff6b9f3609
immediately overwritten), replace all use of free(3) with a macro
that clears the pointer after freeing the memory it pointed to.
Suggested by: Dmitry V. Levin <ldv@altlinux.org>
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@232 185d5e19-27fe-0310-9dcf-9bff6b9f3609
change the copyright date on generated man pages from 2002 to 2001-2003
since work on this part of OpenPAM started in late 2001.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@221 185d5e19-27fe-0310-9dcf-9bff6b9f3609
on all platforms, notably OpenBSD).
Submitted by: Mike Petullo <mike@flyn.org>
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@216 185d5e19-27fe-0310-9dcf-9bff6b9f3609
module which has the "debug" option, and disable it upon return.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@210 185d5e19-27fe-0310-9dcf-9bff6b9f3609
This allows modules etc. to emit PAM_LOG_DEBUG messages independently
of whether libpam was compiled with -DDEBUG.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@209 185d5e19-27fe-0310-9dcf-9bff6b9f3609
avoid a warning about assigning void * to a function pointer.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@208 185d5e19-27fe-0310-9dcf-9bff6b9f3609
complained that it didn't work. Make it return a pointer to the
actual value of the requested environment variable.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@204 185d5e19-27fe-0310-9dcf-9bff6b9f3609
effects as arguments to macros. Also impose some sort of consistency
in the naming of variables that hold error codes.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@203 185d5e19-27fe-0310-9dcf-9bff6b9f3609
a debugging message and fail.
If the effective uid is non-zero but identical to the target uid,
save the current credentials and return without doing anything else.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@201 185d5e19-27fe-0310-9dcf-9bff6b9f3609
as if the user had just pressed enter.
Obtained from: TrustedBSD
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@192 185d5e19-27fe-0310-9dcf-9bff6b9f3609
service module. Use that information to generate a much better
error message when indirect recursion is detected.
Instrument openpam_dispatch()'s entry and exit points.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@186 185d5e19-27fe-0310-9dcf-9bff6b9f3609
Add a member to the pam_handle structure indicating which primitive
is currently executing.
Add a ton of debugging macros.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@185 185d5e19-27fe-0310-9dcf-9bff6b9f3609
Try to emulate Solaris more closely.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@158 185d5e19-27fe-0310-9dcf-9bff6b9f3609
extensions). Also add a page about the conversation system, and
remove that information from the pam_start page.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@153 185d5e19-27fe-0310-9dcf-9bff6b9f3609
use it to fill the gaps in incomplete policies as well as to replace
missing ones.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@137 185d5e19-27fe-0310-9dcf-9bff6b9f3609
later detect if it hasn't been touched.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@130 185d5e19-27fe-0310-9dcf-9bff6b9f3609
user credentials) and openpam_free_data() (generic cleanup function
for pam_set_data() consumers)
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@106 185d5e19-27fe-0310-9dcf-9bff6b9f3609
to prompt the user, prompt her twice and compare the responses.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@105 185d5e19-27fe-0310-9dcf-9bff6b9f3609
what token it wants. Also introduce PAM_OLDAUTHTOK_PROMPT.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@100 185d5e19-27fe-0310-9dcf-9bff6b9f3609
unbreaks the pam_ldap module.
Based on a patch by Joe Marcus Clarke <marcus@marcuscom.com>.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@98 185d5e19-27fe-0310-9dcf-9bff6b9f3609
- Don't log dlopen() failures, since they're rarely interesting;
instead, log a failure if no module was found at all.
- When loading a versioned module, store its logical name in the
module structure rather than its physical name, since it will be
looked up by its logical name if it's needed again.
- Initialize module->next->prev when adding a module to the cache.
- Set modules to NULL when releasing the last module in the cache.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@94 185d5e19-27fe-0310-9dcf-9bff6b9f3609
support for module versioning. OpenPAM will prefer a PAM module with
the same version number as the library itself to one with no version
number at all.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@87 185d5e19-27fe-0310-9dcf-9bff6b9f3609
supported setting new options. Add support for unsetting options
and changing the value of existing options.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@85 185d5e19-27fe-0310-9dcf-9bff6b9f3609
- "sufficient" should not terminate the chain if the PAM_PRELIM_CHECK
flag is set.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@81 185d5e19-27fe-0310-9dcf-9bff6b9f3609
and add timeout functionality (defaults to off).
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@72 185d5e19-27fe-0310-9dcf-9bff6b9f3609
linker set for cosmetic reasons.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@70 185d5e19-27fe-0310-9dcf-9bff6b9f3609
check that the pam_conv structure it returns is not NULL.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@57 185d5e19-27fe-0310-9dcf-9bff6b9f3609
Don't forget to fill the pam_conv structure after allocating it.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@55 185d5e19-27fe-0310-9dcf-9bff6b9f3609
Accept PAM_SUCCESS and PAM_ABORT as valid return codes, even though
the normal code path will not call _openpam_check_error_code() if
the module returns one of them.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@53 185d5e19-27fe-0310-9dcf-9bff6b9f3609
buffer by exactly one character. Add some slack.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@52 185d5e19-27fe-0310-9dcf-9bff6b9f3609
one newline character.
If DEBUG is defined, echo the log message to STDERR.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@51 185d5e19-27fe-0310-9dcf-9bff6b9f3609
last character of a configuration line.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@49 185d5e19-27fe-0310-9dcf-9bff6b9f3609
Move OpenPAM API extensions into <security/openpam.h> to avoid
namespace pollution for apps or modules that do not use them.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@39 185d5e19-27fe-0310-9dcf-9bff6b9f3609
of an object rather than a type.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@35 185d5e19-27fe-0310-9dcf-9bff6b9f3609
that lists modules that don't implement the required functionality.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@33 185d5e19-27fe-0310-9dcf-9bff6b9f3609
to reduce the chance of every running into a naming conflict.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@32 185d5e19-27fe-0310-9dcf-9bff6b9f3609
Replace the "dispatching" flag with a pam_chain_t pointer. It is set
to point at the currently executing module right before calling the
module, and cleared right after the module returns. Note that this
isn't intended to prevent reentrancy in multi-threaded applications,
but simply to prevent modules from using the application interface.
When recursion is detected, return PAM_ABORT rather than
PAM_SYSTEM_ERR, since this is a programmatical error rather than
a runtime one.
Sponsored by: DARPA, NAI Labs
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@25 185d5e19-27fe-0310-9dcf-9bff6b9f3609