From: Peter Avalos Date: Fri, 23 Dec 2011 21:28:41 +0000 (-0800) Subject: Import OpenPAM Lycopsida. X-Git-Tag: v3.0.0~309^2 X-Git-Url: https://gitweb.dragonflybsd.org/~nant/dragonfly.git/commitdiff_plain/a474e9fefdf3f1b35f44464232abf2c30c7fc9b6 Import OpenPAM Lycopsida. This also includes changeset 509 to prevent a logged error message if the file doesn't exist in openpam_check_owner_perms.c. --- diff --git a/contrib/openpam/CREDITS b/contrib/openpam/CREDITS index c8da3ff7c1..665885c8cf 100644 --- a/contrib/openpam/CREDITS +++ b/contrib/openpam/CREDITS @@ -6,10 +6,11 @@ Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 Principal design and development by: - Dag-Erling Smørgrav + Dag-Erling Smørgrav -The following persons (in no particular order) have contributed, directly -or indirectly, with patches, criticism, suggestions, or ideas: +The following persons (in alphabetical order) have contributed, +directly or indirectly, with patches, criticism, suggestions, or +ideas: Andrew Morgan Brian Fundakowski Feldman @@ -20,18 +21,22 @@ or indirectly, with patches, criticism, suggestions, or ideas: Emmanuel Dreyfus Eric Melville Gary Winiger + Hubert Feyrer Joe Marcus Clarke Juli Mallett - Hubert Feyrer + Jörg Sonnenberger Mark Murray + Matthias Drochner Mike Petullo Mikhail Teterin - Mikko Työläjärvi + Mikko Työläjärvi + Nick Hibma Robert Watson Ruslan Ermilov + Sebastian Krahmer Solar Designer Takanori Saneto Wojciech A. Koszek Yar Tikhiy -$Id: CREDITS 400 2007-10-24 15:04:23Z des $ +$Id: CREDITS 498 2011-11-21 16:27:04Z des $ diff --git a/contrib/openpam/HISTORY b/contrib/openpam/HISTORY index 9c1c26e25c..81af9eac5a 100644 --- a/contrib/openpam/HISTORY +++ b/contrib/openpam/HISTORY 
@@ -1,3 +1,29 @@ +OpenPAM Lycopsida 2011-12-18 + + - ENHANCE: removed static build autodetection, which didn't work + anyway. Use an explicit, user-specified preprocessor variable + instead. + + - ENHANCE: cleaned up the documentation a bit. + + - ENHANCE: added openpam_subst(3), allowing certain PAM items to be + embedded in strings such as prompts. Apply it to the prompts used + by pam_get_user(3) and pam_get_authtok(3). + + - ENHANCE: added support for the user_prompt, authtok_prompt and + oldauthtok_prompt module options, which override the prompts passed + by the module to pam_set_user(3) and pam_get_authtok(3). + + - ENHANCE: rewrote the policy parser to support quoted option values. + + - ENHANCE: added pamtest(1), a tool for testing modules and policies. + + - ENHANCE: added code to check the ownership and permissions of a + module before loading it. + + - ENHANCE: added / improved input validation in many cases, including + the policy file and some function arguments. +============================================================================ OpenPAM Hydrangea 2007-12-21 - ENHANCE: when compiling with GCC, mark up API functions with GCC @@ -21,7 +47,7 @@ OpenPAM Hydrangea 2007-12-21 contexts), since the module cache was the only part of OpenPAM that was not thread-safe. ============================================================================ -OpenPAM Figwort 2005-06-16 +OpenPAM Figwort 2005-06-16 - BUGFIX: Correct several small signedness and initialization bugs discovered during review by the NetBSD team. @@ -327,4 +353,4 @@ OpenPAM Calamite 2002-02-09 First (beta) release. ============================================================================ -$Id: HISTORY 409 2007-12-21 11:38:50Z des $ +$Id: HISTORY 504 2011-12-18 14:11:12Z des $ diff --git a/contrib/openpam/LICENSE b/contrib/openpam/LICENSE index 0260cca641..e6d4325809 100644 --- a/contrib/openpam/LICENSE +++ b/contrib/openpam/LICENSE 
@@ -1,6 +1,6 @@ Copyright (c) 2002-2003 Networks Associates Technology, Inc. -Copyright (c) 2004-2007 Dag-Erling Smørgrav +Copyright (c) 2004-2011 Dag-Erling Smørgrav All rights reserved. This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,4 +32,4 @@ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -$Id: LICENSE 408 2007-12-21 11:36:24Z des $ +$Id: LICENSE 437 2011-09-13 12:00:13Z des $ diff --git a/contrib/openpam/README b/contrib/openpam/README index 475dd74f95..02851d1066 100644 --- a/contrib/openpam/README +++ b/contrib/openpam/README @@ -22,6 +22,6 @@ These are some of OpenPAM's features: /usr/local/etc/pam.d/ and /usr/local/etc/pam.conf, in that order; this will be made configurable in a future release. -Please direct bug reports and inquiries to des@freebsd.org. +Please direct bug reports and inquiries to . -$Id: README 320 2006-02-16 20:33:19Z des $ +$Id: README 424 2009-10-29 17:10:22Z des $ diff --git a/contrib/openpam/README.DELETED b/contrib/openpam/README.DELETED index dcc1dd8a44..069d7876d5 100644 --- a/contrib/openpam/README.DELETED +++ b/contrib/openpam/README.DELETED @@ -3,8 +3,7 @@ Makefile.am Makefile.in aclocal.m4 autogen.sh -bin -compile +bin/ config.guess config.h.in config.sub @@ -25,6 +24,6 @@ install-sh lib/Makefile.am lib/Makefile.in ltmain.sh -misc +misc/ missing -modules +modules/ diff --git a/contrib/openpam/README.DRAGONFLY b/contrib/openpam/README.DRAGONFLY deleted file mode 100644 index 6106451b1e..0000000000 --- a/contrib/openpam/README.DRAGONFLY +++ /dev/null @@ -1,5 +0,0 @@ -Original source can be obtained from: -http://www.openpam.org -MD5 (openpam-20071221.tar.gz) = 33b7c097d96331b79cf1559abec78141 - -The file README.DELETED contains a list of deleted files. diff --git a/contrib/openpam/RELNOTES b/contrib/openpam/RELNOTES index d66c8f0061..71f7eb9207 100644 --- a/contrib/openpam/RELNOTES 
+++ b/contrib/openpam/RELNOTES @@ -1,13 +1,11 @@ - Release notes for OpenPAM Hydrangea + Release notes for OpenPAM Lycopsida =================================== -This release corresponds to the code used in FreeBSD-CURRENT as of the -release date. It has also been tested on several other platforms, and -is expected to work on almost any POSIX-like platform that has GNU -autotools, GNU make and the GNU compiler suite installed. One notable -exception is MacOS X, which ships with a very weird, heavily modified -version of GCC. +This release corresponds to the code used in FreeBSD HEAD as of the +release date, and is also expected to work on almost any POSIX-like +platform that has GNU autotools, GNU make and the GNU compiler suite +installed. The library itself is complete. Documentation exists in the form of man pages for the library functions. These man pages are generated by @@ -18,12 +16,9 @@ of date. The distribution also includes three sample modules (pam_deny, pam_permit and pam_unix) and a sample application (su). These are not intended for actual use, but rather to serve as examples for module or -application developers. +application developers. It also includes a command-line application +(pamtest) which can be used to test policies and modules. -NOTE: to the person who sent me MacOS patches in July 2002: I have -lost your name and email address. Please contact me so I can give you -proper credit for your contribution. +Please direct bug reports and inquiries to . -Please direct bug reports and inquiries to . - -$Id: RELNOTES 404 2007-11-28 12:31:04Z des $ +$Id: RELNOTES 506 2011-12-18 14:25:12Z des $ diff --git a/contrib/openpam/doc/man/openpam.3 b/contrib/openpam/doc/man/openpam.3 index eb23a76c48..c04a2aa967 100644 --- a/contrib/openpam/doc/man/openpam.3 +++ b/contrib/openpam/doc/man/openpam.3 
@@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt OPENPAM 3 .Os .Sh NAME @@ -47,6 +47,7 @@ .Nm openpam_readline , .Nm openpam_restore_cred , .Nm openpam_set_option , +.Nm openpam_subst , .Nm openpam_ttyconv , .Nm pam_error , .Nm pam_get_authtok , @@ -80,6 +81,8 @@ .Ft "int" .Fn openpam_set_option "pam_handle_t *pamh" "const char *option" "const char *value" .Ft "int" +.Fn openpam_subst "const pam_handle_t *pamh" "char *buf" "size_t *bufsize" "const char *template" +.Ft "int" .Fn openpam_ttyconv "int n" "const struct pam_message **msg" "struct pam_response **resp" "void *data" .Ft "int" .Fn pam_error "const pam_handle_t *pamh" "const char *fmt" "..." @@ -120,6 +123,7 @@ standardization. .Xr openpam_readline 3 , .Xr openpam_restore_cred 3 , .Xr openpam_set_option 3 , +.Xr openpam_subst 3 , .Xr openpam_ttyconv 3 , .Xr pam_error 3 , .Xr pam_get_authtok 3 , diff --git a/contrib/openpam/doc/man/openpam_borrow_cred.3 b/contrib/openpam/doc/man/openpam_borrow_cred.3 index 4ae7123857..25780dba44 100644 --- a/contrib/openpam/doc/man/openpam_borrow_cred.3 +++ b/contrib/openpam/doc/man/openpam_borrow_cred.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and 
@@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt OPENPAM_BORROW_CRED 3 .Os .Sh NAME @@ -88,7 +88,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/openpam_free_data.3 b/contrib/openpam/doc/man/openpam_free_data.3 index 542a5d2890..b32a345707 100644 --- a/contrib/openpam/doc/man/openpam_free_data.3 +++ b/contrib/openpam/doc/man/openpam_free_data.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt OPENPAM_FREE_DATA 3 .Os .Sh NAME @@ -71,7 +71,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/openpam_free_envlist.3 b/contrib/openpam/doc/man/openpam_free_envlist.3 index 8f02464ba0..0c1976a912 100644 --- a/contrib/openpam/doc/man/openpam_free_envlist.3 +++ b/contrib/openpam/doc/man/openpam_free_envlist.3 
@@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt OPENPAM_FREE_ENVLIST 3 .Os .Sh NAME @@ -56,6 +56,7 @@ frees all the environment variables in an environment list, and the list itself. It is suitable for freeing the return value from .Xr pam_getenvlist 3 . +.Pp .Sh SEE ALSO .Xr pam 3 , .Xr pam_getenvlist 3 @@ -68,8 +69,5 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the -Security Research Division of Network Associates, Inc.\& under -DARPA/SPAWAR contract N66001-01-C-8035 -.Pq Dq CBOSS , -as part of the DARPA CHATS research program. +Project by +.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org . diff --git a/contrib/openpam/doc/man/openpam_get_option.3 b/contrib/openpam/doc/man/openpam_get_option.3 index cb5d5e3422..d656612969 100644 --- a/contrib/openpam/doc/man/openpam_get_option.3 +++ b/contrib/openpam/doc/man/openpam_get_option.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt OPENPAM_GET_OPTION 3 .Os .Sh NAME 
@@ -74,7 +74,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/openpam_log.3 b/contrib/openpam/doc/man/openpam_log.3 index 208bdf4feb..adfc0061a8 100644 --- a/contrib/openpam/doc/man/openpam_log.3 +++ b/contrib/openpam/doc/man/openpam_log.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt OPENPAM_LOG 3 .Os .Sh NAME @@ -64,7 +64,7 @@ The following levels are defined: Debugging messages. These messages are normally not logged unless the global integer variable -.Va _openpam_debug +.Va openpam_debug is set to a non-zero value, in which case they are logged with a .Xr syslog 3 @@ -108,7 +108,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/openpam_nullconv.3 b/contrib/openpam/doc/man/openpam_nullconv.3 index 6e9bb8e8f3..1873cba2ee 100644 --- a/contrib/openpam/doc/man/openpam_nullconv.3 +++ b/contrib/openpam/doc/man/openpam_nullconv.3 
@@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt OPENPAM_NULLCONV 3 .Os .Sh NAME @@ -95,7 +95,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/openpam_readline.3 b/contrib/openpam/doc/man/openpam_readline.3 index 8478920693..cf7ab47f53 100644 --- a/contrib/openpam/doc/man/openpam_readline.3 +++ b/contrib/openpam/doc/man/openpam_readline.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt OPENPAM_READLINE 3 .Os .Sh NAME 
@@ -58,13 +58,19 @@ in a NUL-terminated buffer allocated with The .Nm function performs a certain amount of processing -on the data it reads. +on the data it reads: +.Bl -bullet +.It Comments (introduced by a hash sign) are stripped, as is leading and trailing whitespace. +.It Any amount of linear whitespace is collapsed to a single space. +.It Blank lines are ignored. -If a line ends in a backslash, the backslash is stripped and the next -line is appended. +.It +If a line ends in a backslash, the backslash is stripped and the +next line is appended. +.El .Pp If .Fa lineno @@ -102,7 +108,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/openpam_restore_cred.3 b/contrib/openpam/doc/man/openpam_restore_cred.3 index f1da98a938..12ff8b823a 100644 --- a/contrib/openpam/doc/man/openpam_restore_cred.3 +++ b/contrib/openpam/doc/man/openpam_restore_cred.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt OPENPAM_RESTORE_CRED 3 .Os .Sh NAME 
@@ -80,7 +80,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/openpam_set_option.3 b/contrib/openpam/doc/man/openpam_set_option.3 index e262584753..f186c000d8 100644 --- a/contrib/openpam/doc/man/openpam_set_option.3 +++ b/contrib/openpam/doc/man/openpam_set_option.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt OPENPAM_SET_OPTION 3 .Os .Sh NAME @@ -77,7 +77,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_get_authtok.3 b/contrib/openpam/doc/man/openpam_subst.3 similarity index 60% copy from contrib/openpam/doc/man/pam_get_authtok.3 copy to contrib/openpam/doc/man/openpam_subst.3 index d2cda79800..565b3e0709 100644 --- a/contrib/openpam/doc/man/pam_get_authtok.3 +++ b/contrib/openpam/doc/man/openpam_subst.3 
@@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and 
@@ -32,82 +32,92 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 -.Dt PAM_GET_AUTHTOK 3 +.Dd December 18, 2011 +.Dt OPENPAM_SUBST 3 .Os .Sh NAME -.Nm pam_get_authtok -.Nd retrieve authentication token +.Nm openpam_subst +.Nd substitute PAM item values in a string .Sh LIBRARY .Lb libpam .Sh SYNOPSIS .In sys/types.h .In security/pam_appl.h +.In security/openpam.h .Ft "int" -.Fn pam_get_authtok "pam_handle_t *pamh" "int item" "const char **authtok" "const char *prompt" +.Fn openpam_subst "const pam_handle_t *pamh" "char *buf" "size_t *bufsize" "const char *template" .Sh DESCRIPTION The .Nm -function returns the cached authentication token, -or prompts the user if no token is currently cached. -Either way, a pointer to the authentication token is stored in the -location pointed to by the -.Fa authtok -argument. -.Pp +function expands a string, substituting PAM item +values for all occurrences of specific substitution codes. The -.Fa item -argument must have one of the following values: -.Bl -tag -width 18n -.It Dv PAM_AUTHTOK -Returns the current authentication token, or the new token -when changing authentication tokens. -.It Dv PAM_OLDAUTHTOK -Returns the previous authentication token when changing -authentication tokens. -.El -.Pp -The -.Fa prompt -argument specifies a prompt to use if no token is cached. -If it is -.Dv NULL , -the -.Dv PAM_AUTHTOK_PROMPT -or -.Dv PAM_OLDAUTHTOK_PROMPT -item, -as appropriate, will be used. -If that item is also -.Dv NULL , -a hardcoded default prompt will be used. +.Fa template +argument points to the initial string. +The result is stored in the buffer pointed to by the +.Fa buf +argument; the +.Fa bufsize +argument specifies the size of that buffer. +The actual size of the resulting string, including the terminating NUL +character, is stored in the location pointed to by the +.Fa bufsize +argument. 
.Pp If -.Fa item -is set to -.Dv PAM_AUTHTOK -and there is a non-null -.Dv PAM_OLDAUTHTOK -item, +.Fa buf +is NULL, or if the buffer is too small to hold the expanded +string, +.Fa bufsize +is updated to reflect the amount of space required to +hold the entire string, and .Nm -will ask the user to confirm the new token by -retyping it. -If there is a mismatch, -.Nm -will return +returns .Dv PAM_TRY_AGAIN . .Pp +If +.Nm +fails for any other reason, the +.Fa bufsize +argument is +untouched, but part of the buffer may still have been overwritten. +.Pp +Substitution codes are introduced by a percent character and correspond +to PAM items: +.Bl -tag -width 18n +.It \&%H +Replaced by the current value of the +.Dv PAM_RHOST +item. +.It \&%h +Replaced by the current value of the +.Dv PAM_HOST +item. +.It \&%s +Replaced by the current value of the +.Dv PAM_SERVICE +item. +.It \&%t +Replaced by the current value of the +.Dv PAM_TTY +item. +.It \&%U +Replaced by the current value of the +.Dv PAM_RUSER +item. +.It \&%u +Replaced by the current value of the +.Dv PAM_USER +item. +.El +.Pp .Sh RETURN VALUES The .Nm function returns one of the following values: .Bl -tag -width 18n -.It Bq Er PAM_BUF_ERR -Memory buffer error. -.It Bq Er PAM_CONV_ERR -Conversation failure. .It Bq Er PAM_SYSTEM_ERR System error. .It Bq Er PAM_TRY_AGAIN @@ -115,6 +125,7 @@ Try again. .El .Sh SEE ALSO .Xr pam 3 , +.Xr pam_get_authtok 3 , .Xr pam_get_item 3 , .Xr pam_get_user 3 , .Xr pam_strerror 3 @@ -127,8 +138,5 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the -Security Research Division of Network Associates, Inc.\& under -DARPA/SPAWAR contract N66001-01-C-8035 -.Pq Dq CBOSS , -as part of the DARPA CHATS research program. +Project by +.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org . diff --git a/contrib/openpam/doc/man/openpam_ttyconv.3 b/contrib/openpam/doc/man/openpam_ttyconv.3 index 7374a94021..b2cd9d9dc9 100644 
--- a/contrib/openpam/doc/man/openpam_ttyconv.3 +++ b/contrib/openpam/doc/man/openpam_ttyconv.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt OPENPAM_TTYCONV 3 .Os .Sh NAME @@ -90,7 +90,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam.3 b/contrib/openpam/doc/man/pam.3 index 5740a4d243..11befcda52 100644 --- a/contrib/openpam/doc/man/pam.3 +++ b/contrib/openpam/doc/man/pam.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM 3 .Os .Sh NAME diff --git a/contrib/openpam/doc/man/pam.conf.5 b/contrib/openpam/doc/man/pam.conf.5 index 8ffb6a32b0..3669f927f9 100644 --- a/contrib/openpam/doc/man/pam.conf.5 +++ b/contrib/openpam/doc/man/pam.conf.5 
@@ -1,5 +1,5 @@ .\"- -.\" Copyright (c) 2005 Dag-Erling Coïdan Smørgrav +.\" Copyright (c) 2005-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -26,9 +26,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $Id: pam.conf.5 320 2006-02-16 20:33:19Z des $ +.\" $Id: pam.conf.5 485 2011-11-03 16:57:37Z des $ .\" -.Dd June 16, 2005 +.Dd November 3, 2011 .Dt PAM.CONF 5 .Os .Sh NAME @@ -56,8 +56,8 @@ policy is used instead, if it exists. Entries in per-service policy files must be of one of the two forms below: .Bd -unfilled -offset indent -.Ar function-class control-flag module-path Op Ar arguments ... -.Ar function-class Cm include Ar other-service-name +.Ar facility control-flag module-path Op Ar arguments ... +.Ar facility Cm include Ar other-service-name .Ed .Pp Entries in @@ -71,9 +71,8 @@ to the right of a sign. .Pp The -.Ar function-class -field specifies the class of functions the entry applies to, and is -one of: +.Ar facility +field specifies the facility the entry applies to, and is one of: .Bl -tag -width ".Cm password" .It Cm auth Authentication functions @@ -109,7 +108,7 @@ will be failure regardless of the success of later modules. .It Cm requisite If this module succeeds, the result of the chain will be success unless a later module fails. -If it module fails, the chain is broken and the result is failure. +If the module fails, the chain is broken and the result is failure. .It Cm sufficient If this module succeeds, the chain is broken and the result is success. 
@@ -147,6 +146,11 @@ to call. .Pp The remaining fields are passed as arguments to the module if and when it is invoked. +As a special case, if an argument is of the form ``name=value'' and +the right-hand side is surrounded by single or double quotes, any +whitespace between the quote characters will be considered part of the +same argument rather than a separator between this argument and the +next. .Pp The .Cm include @@ -167,10 +171,9 @@ modify each and every service-specific policy. .Sh AUTHORS The OpenPAM library was developed for the .Fx -Project by ThinkSec -AS and Network Associates Laboratories, the Security Research Division -of Network Associates, Inc.\& under DARPA/SPAWAR contract -N66001-01-C-8035 +Project by ThinkSec AS and Network Associates Laboratories, the +Security Research Division of Network Associates, Inc.\& under +DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , as part of the DARPA CHATS research program. .Pp diff --git a/contrib/openpam/doc/man/pam_acct_mgmt.3 b/contrib/openpam/doc/man/pam_acct_mgmt.3 index 9fee0d3acc..94100484fb 100644 --- a/contrib/openpam/doc/man/pam_acct_mgmt.3 +++ b/contrib/openpam/doc/man/pam_acct_mgmt.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_ACCT_MGMT 3 .Os .Sh NAME 
@@ -107,7 +107,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_authenticate.3 b/contrib/openpam/doc/man/pam_authenticate.3 index 4cb1ec3924..8263280f09 100644 --- a/contrib/openpam/doc/man/pam_authenticate.3 +++ b/contrib/openpam/doc/man/pam_authenticate.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_AUTHENTICATE 3 .Os .Sh NAME @@ -121,7 +121,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_chauthtok.3 b/contrib/openpam/doc/man/pam_chauthtok.3 index 570dbc293e..5823866928 100644 --- a/contrib/openpam/doc/man/pam_chauthtok.3 +++ b/contrib/openpam/doc/man/pam_chauthtok.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and 
@@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_CHAUTHTOK 3 .Os .Sh NAME @@ -113,7 +113,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_close_session.3 b/contrib/openpam/doc/man/pam_close_session.3 index d6e3bc3e5a..43e4b0392c 100644 --- a/contrib/openpam/doc/man/pam_close_session.3 +++ b/contrib/openpam/doc/man/pam_close_session.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_CLOSE_SESSION 3 .Os .Sh NAME @@ -103,7 +103,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_conv.3 b/contrib/openpam/doc/man/pam_conv.3 index b74e8f4baf..6b6e697b06 100644 --- a/contrib/openpam/doc/man/pam_conv.3 +++ b/contrib/openpam/doc/man/pam_conv.3 
@@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2002-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,7 +32,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $Id: pam_conv.3 408 2007-12-21 11:36:24Z des $ +.\" $Id: pam_conv.3 437 2011-09-13 12:00:13Z des $ .\" .Dd June 16, 2005 .Dt PAM_CONV 3 diff --git a/contrib/openpam/doc/man/pam_end.3 b/contrib/openpam/doc/man/pam_end.3 index bb1309309d..66e2871c0d 100644 --- a/contrib/openpam/doc/man/pam_end.3 +++ b/contrib/openpam/doc/man/pam_end.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_END 3 .Os .Sh NAME @@ -80,7 +80,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_error.3 b/contrib/openpam/doc/man/pam_error.3 index 2863a1e410..c957409c8b 100644 --- a/contrib/openpam/doc/man/pam_error.3 +++ b/contrib/openpam/doc/man/pam_error.3 
@@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_ERROR 3 .Os .Sh NAME @@ -80,7 +80,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_get_authtok.3 b/contrib/openpam/doc/man/pam_get_authtok.3 index d2cda79800..7f0c8049aa 100644 --- a/contrib/openpam/doc/man/pam_get_authtok.3 +++ b/contrib/openpam/doc/man/pam_get_authtok.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_GET_AUTHTOK 3 .Os .Sh NAME 
@@ -83,6 +83,25 @@ as appropriate, will be used. If that item is also .Dv NULL , a hardcoded default prompt will be used. +Either way, the prompt is expanded using +.Xr openpam_subst 3 +before it is +passed to the conversation function. +.Pp +If +.Nm +is called from a module and the +.Dv authtok_prompt +/ +.Dv oldauthtok_prompt +option is set in the policy file, the value of that +option takes precedence over both the +.Fa prompt +argument and the +.Dv PAM_AUTHTOK_PROMPT +/ +.Dv PAM_OLDAUTHTOK_PROMPT +item. .Pp If .Fa item @@ -114,6 +133,7 @@ System error. Try again. .El .Sh SEE ALSO +.Xr openpam_subst 3 , .Xr pam 3 , .Xr pam_get_item 3 , .Xr pam_get_user 3 , @@ -127,7 +147,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_get_data.3 b/contrib/openpam/doc/man/pam_get_data.3 index 6ae03cf11b..49fae056cf 100644 --- a/contrib/openpam/doc/man/pam_get_data.3 +++ b/contrib/openpam/doc/man/pam_get_data.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_GET_DATA 3 .Os .Sh NAME @@ -60,6 +60,11 @@ argument. A pointer to the object is stored in the location pointed to by the .Fa data argument. +If +.Nm +fails, the +.Fa data +argument is untouched. .Pp This function and its counterpart .Xr pam_set_data 3 
@@ -89,7 +94,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_get_item.3 b/contrib/openpam/doc/man/pam_get_item.3 index 01c4243566..1244a77a9e 100644 --- a/contrib/openpam/doc/man/pam_get_item.3 +++ b/contrib/openpam/doc/man/pam_get_item.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_GET_ITEM 3 .Os .Sh NAME @@ -53,12 +53,18 @@ The function stores a pointer to the item specified by the .Fa item_type -argument in the location specified by the +argument in the location pointed to by the .Fa item argument. The item is retrieved from the PAM context specified by the .Fa pamh argument. +If +.Nm +fails, the +.Fa item +argument is untouched. +.Pp The following item types are recognized: .Bl -tag -width 18n .It Dv PAM_SERVICE @@ -90,6 +96,8 @@ authentication token. .It Dv PAM_OLDAUTHTOK_PROMPT The prompt to use when asking the applicant for an expired authentication token prior to changing it. +.It Dv PAM_HOST +The name of the host the application runs on. .El .Pp See 
@@ -122,7 +130,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_get_user.3 b/contrib/openpam/doc/man/pam_get_user.3 index 74b713072b..8f3b426a66 100644 --- a/contrib/openpam/doc/man/pam_get_user.3 +++ b/contrib/openpam/doc/man/pam_get_user.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_GET_USER 3 .Os .Sh NAME @@ -70,10 +70,26 @@ If it is .Dv NULL , the .Dv PAM_USER_PROMPT -will be used. +item will be used. If that item is also .Dv NULL , a hardcoded default prompt will be used. +Either way, the prompt is expanded using +.Xr openpam_subst 3 +before it is +passed to the conversation function. +.Pp +If +.Nm +is called from a module and the +.Dv user_prompt +option is +set in the policy file, the value of that option takes precedence over +both the +.Fa prompt +argument and the +.Dv PAM_USER_PROMPT +item. .Pp .Sh RETURN VALUES The @@ -88,6 +104,7 @@ Conversation failure. System error. .El .Sh SEE ALSO +.Xr openpam_subst 3 , .Xr pam 3 , .Xr pam_get_authtok 3 , .Xr pam_get_item 3 , 
@@ -104,7 +121,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_getenv.3 b/contrib/openpam/doc/man/pam_getenv.3 index bacaf13756..ebd2992f1e 100644 --- a/contrib/openpam/doc/man/pam_getenv.3 +++ b/contrib/openpam/doc/man/pam_getenv.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_GETENV 3 .Os .Sh NAME @@ -78,7 +78,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_getenvlist.3 b/contrib/openpam/doc/man/pam_getenvlist.3 index bafd482e02..a034c8e3cc 100644 --- a/contrib/openpam/doc/man/pam_getenvlist.3 +++ b/contrib/openpam/doc/man/pam_getenvlist.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and 
@@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_GETENVLIST 3 .Os .Sh NAME @@ -99,7 +99,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_info.3 b/contrib/openpam/doc/man/pam_info.3 index dc1fcc910e..08bf200de5 100644 --- a/contrib/openpam/doc/man/pam_info.3 +++ b/contrib/openpam/doc/man/pam_info.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_INFO 3 .Os .Sh NAME @@ -80,7 +80,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_open_session.3 b/contrib/openpam/doc/man/pam_open_session.3 index 1bc4de4398..13811c7d29 100644 --- a/contrib/openpam/doc/man/pam_open_session.3 +++ b/contrib/openpam/doc/man/pam_open_session.3 
@@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_OPEN_SESSION 3 .Os .Sh NAME @@ -104,7 +104,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_prompt.3 b/contrib/openpam/doc/man/pam_prompt.3 index 8712647c99..20574f2321 100644 --- a/contrib/openpam/doc/man/pam_prompt.3 +++ b/contrib/openpam/doc/man/pam_prompt.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_PROMPT 3 .Os .Sh NAME @@ -92,7 +92,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , 
diff --git a/contrib/openpam/doc/man/pam_putenv.3 b/contrib/openpam/doc/man/pam_putenv.3 index 0db2828e7c..e69816a0b7 100644 --- a/contrib/openpam/doc/man/pam_putenv.3 +++ b/contrib/openpam/doc/man/pam_putenv.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_PUTENV 3 .Os .Sh NAME @@ -83,7 +83,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_set_data.3 b/contrib/openpam/doc/man/pam_set_data.3 index d8c2c610a9..ce4d63d061 100644 --- a/contrib/openpam/doc/man/pam_set_data.3 +++ b/contrib/openpam/doc/man/pam_set_data.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_SET_DATA 3 .Os .Sh NAME 
@@ -93,7 +93,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_set_item.3 b/contrib/openpam/doc/man/pam_set_item.3 index f4662d068c..9f4e78d9aa 100644 --- a/contrib/openpam/doc/man/pam_set_item.3 +++ b/contrib/openpam/doc/man/pam_set_item.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_SET_ITEM 3 .Os .Sh NAME @@ -87,7 +87,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_setcred.3 b/contrib/openpam/doc/man/pam_setcred.3 index 4df9b30ba5..1e0a246002 100644 --- a/contrib/openpam/doc/man/pam_setcred.3 +++ b/contrib/openpam/doc/man/pam_setcred.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and 
@@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_SETCRED 3 .Os .Sh NAME @@ -116,7 +116,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_setenv.3 b/contrib/openpam/doc/man/pam_setenv.3 index 681ea0329f..43906efd1c 100644 --- a/contrib/openpam/doc/man/pam_setenv.3 +++ b/contrib/openpam/doc/man/pam_setenv.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_SETENV 3 .Os .Sh NAME @@ -82,7 +82,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_sm_acct_mgmt.3 b/contrib/openpam/doc/man/pam_sm_acct_mgmt.3 index b4aa0d9bc7..22e1980d8e 100644 --- a/contrib/openpam/doc/man/pam_sm_acct_mgmt.3 +++ b/contrib/openpam/doc/man/pam_sm_acct_mgmt.3 
@@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_SM_ACCT_MGMT 3 .Os .Sh NAME @@ -97,7 +97,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_sm_authenticate.3 b/contrib/openpam/doc/man/pam_sm_authenticate.3 index 0dbb6460e4..e41a70ab0c 100644 --- a/contrib/openpam/doc/man/pam_sm_authenticate.3 +++ b/contrib/openpam/doc/man/pam_sm_authenticate.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_SM_AUTHENTICATE 3 .Os .Sh NAME @@ -99,7 +99,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , 
diff --git a/contrib/openpam/doc/man/pam_sm_chauthtok.3 b/contrib/openpam/doc/man/pam_sm_chauthtok.3 index b348cf2b20..bc3f461b7a 100644 --- a/contrib/openpam/doc/man/pam_sm_chauthtok.3 +++ b/contrib/openpam/doc/man/pam_sm_chauthtok.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_SM_CHAUTHTOK 3 .Os .Sh NAME @@ -55,6 +55,16 @@ function is the service module's implementation of the .Xr pam_chauthtok 3 API function. +.Pp +When the application calls +.Xr pam_chauthtok 3 , +the service function is +called twice, first with the +.Dv PAM_PRELIM_CHECK +flag set and then again +with the +.Dv PAM_UPDATE_AUTHTOK +flag set. .Sh RETURN VALUES The .Nm @@ -99,7 +109,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_sm_close_session.3 b/contrib/openpam/doc/man/pam_sm_close_session.3 index 927d48a5c3..3b1f57e075 100644 --- a/contrib/openpam/doc/man/pam_sm_close_session.3 +++ b/contrib/openpam/doc/man/pam_sm_close_session.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and 
@@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_SM_CLOSE_SESSION 3 .Os .Sh NAME @@ -91,7 +91,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_sm_open_session.3 b/contrib/openpam/doc/man/pam_sm_open_session.3 index bc47b30ce1..cdfe4d4125 100644 --- a/contrib/openpam/doc/man/pam_sm_open_session.3 +++ b/contrib/openpam/doc/man/pam_sm_open_session.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_SM_OPEN_SESSION 3 .Os .Sh NAME @@ -91,7 +91,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_sm_setcred.3 b/contrib/openpam/doc/man/pam_sm_setcred.3 index 6f37589845..6d5c52fc16 100644 --- a/contrib/openpam/doc/man/pam_sm_setcred.3 +++ b/contrib/openpam/doc/man/pam_sm_setcred.3 
@@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_SM_SETCRED 3 .Os .Sh NAME @@ -97,7 +97,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_start.3 b/contrib/openpam/doc/man/pam_start.3 index b020456229..eaa9f0571c 100644 --- a/contrib/openpam/doc/man/pam_start.3 +++ b/contrib/openpam/doc/man/pam_start.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_START 3 .Os .Sh NAME @@ -102,7 +102,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , 
diff --git a/contrib/openpam/doc/man/pam_strerror.3 b/contrib/openpam/doc/man/pam_strerror.3 index b626eac536..9003102848 100644 --- a/contrib/openpam/doc/man/pam_strerror.3 +++ b/contrib/openpam/doc/man/pam_strerror.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_STRERROR 3 .Os .Sh NAME @@ -53,9 +53,15 @@ The function returns a pointer to a string containing a textual description of the error indicated by the .Fa error_number -argument, in the context of the PAM transaction described by the -.Fa pamh argument. +The +.Fa pamh +argument is ignored. +For compatibility with other implementations, it should be either a +valid PAM handle returned by a previous call to +.Xr pam_start 3 , +or +.Dv NULL . .Sh RETURN VALUES The .Nm @@ -63,7 +69,8 @@ function returns .Dv NULL on failure. .Sh SEE ALSO -.Xr pam 3 +.Xr pam 3 , +.Xr pam_start 3 .Sh STANDARDS .Rs .%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" @@ -74,7 +81,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_verror.3 b/contrib/openpam/doc/man/pam_verror.3 index 1a034389f4..4987da30f9 100644 --- a/contrib/openpam/doc/man/pam_verror.3 +++ b/contrib/openpam/doc/man/pam_verror.3 
@@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_VERROR 3 .Os .Sh NAME @@ -84,7 +84,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_vinfo.3 b/contrib/openpam/doc/man/pam_vinfo.3 index a28965db90..c2ac5b0c4d 100644 --- a/contrib/openpam/doc/man/pam_vinfo.3 +++ b/contrib/openpam/doc/man/pam_vinfo.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_VINFO 3 .Os .Sh NAME @@ -84,7 +84,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_vprompt.3 b/contrib/openpam/doc/man/pam_vprompt.3 index 72bca709bf..381008d7a9 100644 
--- a/contrib/openpam/doc/man/pam_vprompt.3 +++ b/contrib/openpam/doc/man/pam_vprompt.3 @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. -.\" Copyright (c) 2004-2007 Dag-Erling Smørgrav +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4$ +.\" $Id$ .\" -.Dd December 21, 2007 +.Dd December 18, 2011 .Dt PAM_VPROMPT 3 .Os .Sh NAME @@ -121,7 +121,8 @@ The .Nm function and this manual page were developed for the .Fx -Project by ThinkSec AS and Network Associates Laboratories, the +Project by +ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/include/security/openpam.h b/contrib/openpam/include/security/openpam.h index 3361d62513..0c896a480a 100644 --- a/contrib/openpam/include/security/openpam.h +++ b/contrib/openpam/include/security/openpam.h @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,7 +32,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam.h 408 2007-12-21 11:36:24Z des $ + * $Id: openpam.h 455 2011-10-29 18:31:11Z des $ */ #ifndef SECURITY_OPENPAM_H_INCLUDED @@ -59,6 +59,12 @@ openpam_borrow_cred(pam_handle_t *_pamh, const struct passwd *_pwd) OPENPAM_NONNULL((1,2)); +int +openpam_subst(const pam_handle_t *_pamh, + char *_buf, + size_t *_bufsize, + const char *_template); + void openpam_free_data(pam_handle_t *_pamh, void *_data, 
@@ -309,18 +315,17 @@ struct pam_module { * Infrastructure for static modules using GCC linker sets. * You are not expected to understand this. */ -#if defined(__FreeBSD__) +#if !defined(PAM_SOEXT) # define PAM_SOEXT ".so" -#else -# undef NO_STATIC_MODULES -# define NO_STATIC_MODULES #endif -#if defined(__GNUC__) && !defined(__PIC__) && !defined(NO_STATIC_MODULES) +#if defined(OPENPAM_STATIC_MODULES) +# if !defined(__GNUC__) +# error "Don't know how to build static modules on non-GNU compilers" +# endif /* gcc, static linking */ # include # include -# define OPENPAM_STATIC_MODULES # define PAM_EXTERN static # define PAM_MODULE_ENTRY(name) \ static char _pam_name[] = name PAM_SOEXT; \ diff --git a/contrib/openpam/include/security/openpam_version.h b/contrib/openpam/include/security/openpam_version.h index 1a3b153bd3..ed1c1de69f 100644 --- a/contrib/openpam/include/security/openpam_version.h +++ b/contrib/openpam/include/security/openpam_version.h @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,14 +32,14 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_version.h 409 2007-12-21 11:38:50Z des $ + * $Id: openpam_version.h 505 2011-12-18 14:13:08Z des $ */ #ifndef SECURITY_OPENPAM_VERSION_H_INCLUDED #define SECURITY_OPENPAM_VERSION_H_INCLUDED #define OPENPAM -#define OPENPAM_VERSION 20071221 -#define OPENPAM_RELEASE "Hydrangea" +#define OPENPAM_VERSION 20111218 +#define OPENPAM_RELEASE "Lycopsida" #endif /* !SECURITY_OPENPAM_VERSION_H_INCLUDED */ diff --git a/contrib/openpam/include/security/pam_appl.h b/contrib/openpam/include/security/pam_appl.h index 8316c68ab0..b8f0536590 100644 --- a/contrib/openpam/include/security/pam_appl.h 
+++ b/contrib/openpam/include/security/pam_appl.h @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,7 +32,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_appl.h 408 2007-12-21 11:36:24Z des $ + * $Id: pam_appl.h 437 2011-09-13 12:00:13Z des $ */ #ifndef SECURITY_PAM_APPL_H_INCLUDED @@ -72,8 +72,7 @@ pam_close_session(pam_handle_t *_pamh, int pam_end(pam_handle_t *_pamh, - int _status) - OPENPAM_NONNULL((1)); + int _status); int pam_get_data(const pam_handle_t *_pamh, diff --git a/contrib/openpam/include/security/pam_constants.h b/contrib/openpam/include/security/pam_constants.h index b005c7f4f8..69add34b66 100644 --- a/contrib/openpam/include/security/pam_constants.h +++ b/contrib/openpam/include/security/pam_constants.h @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,7 +32,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_constants.h 408 2007-12-21 11:36:24Z des $ + * $Id: pam_constants.h 443 2011-10-22 01:01:39Z des $ */ #ifndef SECURITY_PAM_CONSTANTS_H_INCLUDED @@ -126,6 +126,7 @@ enum { PAM_REPOSITORY = 10, PAM_AUTHTOK_PROMPT = 11, /* OpenPAM extension */ PAM_OLDAUTHTOK_PROMPT = 12, /* OpenPAM extension */ + PAM_HOST = 13, /* OpenPAM extension */ PAM_NUM_ITEMS /* OpenPAM extension */ }; diff --git a/contrib/openpam/include/security/pam_modules.h b/contrib/openpam/include/security/pam_modules.h index 539f662a04..6242b38092 100644 --- a/contrib/openpam/include/security/pam_modules.h 
+++ b/contrib/openpam/include/security/pam_modules.h @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,7 +32,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_modules.h 408 2007-12-21 11:36:24Z des $ + * $Id: pam_modules.h 437 2011-09-13 12:00:13Z des $ */ #ifndef SECURITY_PAM_MODULES_H_INCLUDED diff --git a/contrib/openpam/include/security/pam_types.h b/contrib/openpam/include/security/pam_types.h index 0209bc8a62..d0d5b00ce5 100644 --- a/contrib/openpam/include/security/pam_types.h +++ b/contrib/openpam/include/security/pam_types.h @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,7 +32,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_types.h 408 2007-12-21 11:36:24Z des $ + * $Id: pam_types.h 437 2011-09-13 12:00:13Z des $ */ #ifndef SECURITY_PAM_TYPES_H_INCLUDED diff --git a/contrib/openpam/lib/openpam_borrow_cred.c b/contrib/openpam/lib/openpam_borrow_cred.c index 79a349f800..e0dfc55575 100644 --- a/contrib/openpam/lib/openpam_borrow_cred.c +++ b/contrib/openpam/lib/openpam_borrow_cred.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and 
@@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_borrow_cred.c 408 2007-12-21 11:36:24Z des $ + * $Id: openpam_borrow_cred.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/openpam_check_owner_perms.c b/contrib/openpam/lib/openpam_check_owner_perms.c new file mode 100644 index 0000000000..9d64ed6e8b --- /dev/null +++ b/contrib/openpam/lib/openpam_check_owner_perms.c 
@@ -0,0 +1,129 @@ +/*- + * Copyright (c) 2011 Dag-Erling Smørgrav + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer + * in this position and unchanged. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $Id: openpam_check_owner_perms.c 499 2011-11-22 11:51:50Z des $ + */ + +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include +#include +#include +#include +#include + +#include + +#include "openpam_impl.h" + +/* + * OpenPAM internal + * + * Verify that the file or directory referenced by the given descriptor is + * owned by either root or the arbitrator and that it is not writable by + * group or other. 
+ */ + +int +openpam_check_desc_owner_perms(const char *name, int fd) +{ + uid_t root, arbitrator; + struct stat sb; + int serrno; + + root = 0; + arbitrator = geteuid(); + if (fstat(fd, &sb) != 0) { + serrno = errno; + openpam_log(PAM_LOG_ERROR, "%s: %m", name); + errno = serrno; + return (-1); + } + if ((sb.st_uid != root && sb.st_uid != arbitrator) || + (sb.st_mode & (S_IWGRP|S_IWOTH)) != 0) { + openpam_log(PAM_LOG_ERROR, + "%s: insecure ownership or permissions", name); + errno = EPERM; + return (-1); + } + return (0); +} + +/* + * OpenPAM internal + * + * Verify that a file or directory and all components of the path leading + * up to it are owned by either root or the arbitrator and that they are + * not writable by group or other. + * + * Note that openpam_check_file_owner_perms() should be used instead if + * possible to avoid a race between the ownership / permission check and + * the actual open(). + */ + +int +openpam_check_path_owner_perms(const char *path) +{ + uid_t root, arbitrator; + char pathbuf[PATH_MAX]; + struct stat sb; + int len, serrno; + + root = 0; + arbitrator = geteuid(); + if (realpath(path, pathbuf) == NULL) + return (-1); + len = strlen(pathbuf); + while (len > 0) { + if (stat(pathbuf, &sb) != 0) { + if (errno != ENOENT) { + serrno = errno; + openpam_log(PAM_LOG_ERROR, "%s: %m", pathbuf); + errno = serrno; + } + return (-1); + } + if ((sb.st_uid != root && sb.st_uid != arbitrator) || + (sb.st_mode & (S_IWGRP|S_IWOTH)) != 0) { + openpam_log(PAM_LOG_ERROR, + "%s: insecure ownership or permissions", pathbuf); + errno = EPERM; + return (-1); + } + while (--len > 0 && pathbuf[len] != '/') + pathbuf[len] = '\0'; + } + return (0); +} + +/* + * NOPARSE + */ diff --git a/contrib/openpam/lib/openpam_configure.c b/contrib/openpam/lib/openpam_configure.c index f9197adcfa..d395565aef 100644 --- a/contrib/openpam/lib/openpam_configure.c +++ b/contrib/openpam/lib/openpam_configure.c 
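Review bot: in openpam_check_path_owner_perms(), the root directory is never checked. The truncation loop "while (--len > 0 && pathbuf[len] != '/') pathbuf[len] = '\0';" stops with len == 0 once pathbuf has been reduced to "/", so the outer "while (len > 0)" exits before stat() is ever called on "/" (for "/lib/pam_foo.so" the function stats "/lib/pam_foo.so" and "/lib/" and then returns 0). Since the comment promises that "all components of the path leading up to it" are verified, either let the outer loop run once more when pathbuf is exactly "/" or add an explicit stat("/") check after the loop with the same ownership and mode test. While here, len is an int assigned from strlen(); size_t would avoid the narrowing, although PATH_MAX bounds it in practice.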
@@ -1,6 +1,6 @@ /*- * Copyright (c) 2001-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_configure.c 408 2007-12-21 11:36:24Z des $ + * $Id: openpam_configure.c 500 2011-11-22 12:07:03Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include #include 
@@ -44,80 +48,301 @@ #include #include "openpam_impl.h" +#include "openpam_strlcmp.h" -const char *_pam_facility_name[PAM_NUM_FACILITIES] = { - [PAM_ACCOUNT] = "account", - [PAM_AUTH] = "auth", - [PAM_PASSWORD] = "password", - [PAM_SESSION] = "session", -}; +static int openpam_load_chain(pam_handle_t *, const char *, pam_facility_t); -const char *_pam_control_flag_name[PAM_NUM_CONTROL_FLAGS] = { - [PAM_BINDING] = "binding", - [PAM_OPTIONAL] = "optional", - [PAM_REQUIRED] = "required", - [PAM_REQUISITE] = "requisite", - [PAM_SUFFICIENT] = "sufficient", -}; +/* + * Evaluates to non-zero if the argument is a linear whitespace character. + */ +#define is_lws(ch) \ + (ch == ' ' || ch == '\t') -static int openpam_load_chain(pam_handle_t *, const char *, pam_facility_t); +/* + * Evaluates to non-zero if the argument is a printable ASCII character. + * Assumes that the execution character set is a superset of ASCII. + */ +#define is_p(ch) \ + (ch >= '!' && ch <= '~') + +/* + * Returns non-zero if the argument belongs to the POSIX Portable Filename + * Character Set. Assumes that the execution character set is a superset + * of ASCII. + */ +#define is_pfcs(ch) \ + ((ch >= '0' && ch <= '9') || \ + (ch >= 'A' && ch <= 'Z') || \ + (ch >= 'a' && ch <= 'z') || \ + ch == '.' || ch == '_' || ch == '-') /* - * Matches a word against the first one in a string. - * Returns non-zero if they match. + * Parse the service name. + * + * Returns the length of the service name, or 0 if the end of the string + * was reached or a disallowed non-whitespace character was encountered. + * + * If parse_service_name() is successful, it updates *service to point to + * the first character of the service name and *line to point one + * character past the end. If it reaches the end of the string, it + * updates *line to point to the terminating NUL character and leaves + * *service unmodified. In all other cases, it leaves both *line and + * *service unmodified. 
+ * + * Allowed characters are all characters in the POSIX portable filename + * character set. */ static int -match_word(const char *str, const char *word) +parse_service_name(char **line, char **service) { + char *b, *e; - while (*str && tolower(*str) == tolower(*word)) - ++str, ++word; - return (*str == ' ' && *word == '\0'); + for (b = *line; *b && is_lws(*b); ++b) + /* nothing */ ; + if (!*b) { + *line = b; + return (0); + } + for (e = b; *e && !is_lws(*e); ++e) + if (!is_pfcs(*e)) + return (0); + if (e == b) + return (0); + *line = e; + *service = b; + return (e - b); } /* - * Return a pointer to the next word (or the final NUL) in a string. + * Parse the facility name. + * + * Returns the corresponding pam_facility_t value, or -1 if the end of the + * string was reached, a disallowed non-whitespace character was + * encountered, or the first word was not a recognized facility name. + * + * If parse_facility_name() is successful, it updates *line to point one + * character past the end of the facility name. If it reaches the end of + * the string, it updates *line to point to the terminating NUL character. + * In all other cases, it leaves *line unmodified. */ -static const char * -next_word(const char *str) +static pam_facility_t +parse_facility_name(char **line) { + char *b, *e; + int i; - /* skip current word */ - while (*str && *str != ' ') - ++str; - /* skip whitespace */ - while (*str == ' ') - ++str; - return (str); + for (b = *line; *b && is_lws(*b); ++b) + /* nothing */ ; + if (!*b) { + *line = b; + return ((pam_facility_t)-1); + } + for (e = b; *e && !is_lws(*e); ++e) + /* nothing */ ; + if (e == b) + return ((pam_facility_t)-1); + for (i = 0; i < PAM_NUM_FACILITIES; ++i) + if (strlcmp(pam_facility_name[i], b, e - b) == 0) + break; + if (i == PAM_NUM_FACILITIES) + return ((pam_facility_t)-1); + *line = e; + return (i); } /* - * Return a malloc()ed copy of the first word in a string. + * Parse the word "include". 
+ * + * If the next word on the line is "include", parse_include() updates + * *line to point one character past "include" and returns 1. Otherwise, + * it leaves *line unmodified and returns 0. + */ +static int +parse_include(char **line) +{ + char *b, *e; + + for (b = *line; *b && is_lws(*b); ++b) + /* nothing */ ; + if (!*b) { + *line = b; + return (-1); + } + for (e = b; *e && !is_lws(*e); ++e) + /* nothing */ ; + if (e == b) + return (0); + if (strlcmp("include", b, e - b) != 0) + return (0); + *line = e; + return (1); +} + +/* + * Parse the control flag. + * + * Returns the corresponding pam_control_t value, or -1 if the end of the + * string was reached, a disallowed non-whitespace character was + * encountered, or the first word was not a recognized control flag. + * + * If parse_control_flag() is successful, it updates *line to point one + * character past the end of the control flag. If it reaches the end of + * the string, it updates *line to point to the terminating NUL character. + * In all other cases, it leaves *line unmodified. + */ +static pam_control_t +parse_control_flag(char **line) +{ + char *b, *e; + int i; + + for (b = *line; *b && is_lws(*b); ++b) + /* nothing */ ; + if (!*b) { + *line = b; + return ((pam_control_t)-1); + } + for (e = b; *e && !is_lws(*e); ++e) + /* nothing */ ; + if (e == b) + return ((pam_control_t)-1); + for (i = 0; i < PAM_NUM_CONTROL_FLAGS; ++i) + if (strlcmp(pam_control_flag_name[i], b, e - b) == 0) + break; + if (i == PAM_NUM_CONTROL_FLAGS) + return ((pam_control_t)-1); + *line = e; + return (i); +} + +/* + * Parse a file name. + * + * Returns the length of the file name, or 0 if the end of the string was + * reached or a disallowed non-whitespace character was encountered. + * + * If parse_filename() is successful, it updates *filename to point to the + * first character of the filename and *line to point one character past + * the end. 
If it reaches the end of the string, it updates *line to + * point to the terminating NUL character and leaves *filename unmodified. + * In all other cases, it leaves both *line and *filename unmodified. + * + * Allowed characters are all characters in the POSIX portable filename + * character set, plus the path separator (forward slash). + */ +static int +parse_filename(char **line, char **filename) +{ + char *b, *e; + + for (b = *line; *b && is_lws(*b); ++b) + /* nothing */ ; + if (!*b) { + *line = b; + return (0); + } + for (e = b; *e && !is_lws(*e); ++e) + if (!is_pfcs(*e) && *e != '/') + return (0); + if (e == b) + return (0); + *line = e; + *filename = b; + return (e - b); +} + +/* + * Parse an option. + * + * Returns a dynamically allocated string containing the next module + * option, or NULL if the end of the string was reached or a disallowed + * non-whitespace character was encountered. + * + * If parse_option() is successful, it updates *line to point one + * character past the end of the option. If it reaches the end of the + * string, it updates *line to point to the terminating NUL character. In + * all other cases, it leaves *line unmodified. + * + * If parse_option() fails to allocate memory, it will return NULL and set + * errno to a non-zero value. + * + * Allowed characters for option names are all characters in the POSIX + * portable filename character set. Allowed characters for option values + * are any printable non-whitespace characters. The option value may be + * quoted in either single or double quotes, in which case space + * characters and whichever quote character was not used are allowed. + * Note that the entire value must be quoted, not just part of it. 
*/ static char * -dup_word(const char *str) +parse_option(char **line) { - const char *end; - char *word; + char *nb, *ne, *vb, *ve; + unsigned char q = 0; + char *option; + size_t size; - for (end = str; *end && *end != ' '; ++end) + errno = 0; + for (nb = *line; *nb && is_lws(*nb); ++nb) /* nothing */ ; - if (asprintf(&word, "%.*s", (int)(end - str), str) < 0) + if (!*nb) { + *line = nb; + return (NULL); + } + for (ne = nb; *ne && !is_lws(*ne) && *ne != '='; ++ne) + if (!is_pfcs(*ne)) + return (NULL); + if (ne == nb) + return (NULL); + if (*ne == '=') { + vb = ne + 1; + if (*vb == '"' || *vb == '\'') + q = *vb++; + for (ve = vb; + *ve && *ve != q && (is_p(*ve) || (q && is_lws(*ve))); + ++ve) + /* nothing */ ; + if (q && *ve != q) + /* non-printable character or missing endquote */ + return (NULL); + if (q && *(ve + 1) && !is_lws(*(ve + 1))) + /* garbage after value */ + return (NULL); + } else { + vb = ve = ne; + } + size = (ne - nb) + 1; + if (ve > vb) + size += (ve - vb) + 1; + if ((option = malloc(size)) == NULL) return (NULL); - return (word); + strncpy(option, nb, ne - nb); + if (ve > vb) { + option[ne - nb] = '='; + strncpy(option + (ne - nb) + 1, vb, ve - vb); + } + option[size - 1] = '\0'; + *line = q ? ve + 1 : ve; + return (option); } /* - * Return the length of the first word in a string. + * Consume trailing whitespace. + * + * If there are no non-whitespace characters left on the line, parse_eol() + * updates *line to point at the terminating NUL character and returns 0. + * Otherwise, it leaves *line unmodified and returns a non-zero value. */ static int -wordlen(const char *str) +parse_eol(char **line) { - int i; + char *p; - for (i = 0; str[i] && str[i] != ' '; ++i) + for (p = *line; *p && is_lws(*p); ++p) /* nothing */ ; - return (i); + if (*p) + return ((unsigned char)*p); + *line = p; + return (0); } typedef enum { pam_conf_style, pam_d_style } openpam_style_t; 
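Review bot: parse_include() contradicts its own comment: the comment says it returns 1 if the next word is "include" and 0 otherwise, but on end of string it returns -1, which the caller tests with a plain "if (parse_include(&line))". For a line that ends right after the facility name this makes openpam_parse_chain() take the include branch and log "missing or invalid filename" instead of the accurate "missing or invalid control flag". Return 0 in the "if (!*b)" branch so the error message describes the real problem. Also, is_lws(), is_p() and is_pfcs() use their macro argument unparenthesized ("ch == ' '", "ch >= '!'"); wrapping each use as "(ch)" is the usual defence against an expression argument binding differently than intended, and the macros are already invoked with "*b", "*e" and "*(ve + 1)".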
@@ -126,126 +351,139 @@ typedef enum { pam_conf_style, pam_d_style } openpam_style_t; * Extracts given chains from a policy file. */ static int -openpam_read_chain(pam_handle_t *pamh, +openpam_parse_chain(pam_handle_t *pamh, const char *service, pam_facility_t facility, const char *filename, openpam_style_t style) { pam_chain_t *this, **next; - const char *p, *q; - int count, i, lineno, ret; pam_facility_t fclt; pam_control_t ctlf; - char *line, *name; + char *line, *str, *name; + char *option, **optv; + int len, lineno, ret; FILE *f; if ((f = fopen(filename, "r")) == NULL) { openpam_log(errno == ENOENT ? PAM_LOG_DEBUG : PAM_LOG_NOTICE, "%s: %m", filename); - return (0); + return (PAM_SUCCESS); + } + if (openpam_check_desc_owner_perms(filename, fileno(f)) != 0) { + fclose(f); + return (PAM_SYSTEM_ERR); } this = NULL; - count = lineno = 0; + name = NULL; + lineno = 0; while ((line = openpam_readline(f, &lineno, NULL)) != NULL) { - p = line; - - /* match service name */ + /* get service name if necessary */ if (style == pam_conf_style) { - if (!match_word(p, service)) { + if ((len = parse_service_name(&line, &str)) == 0) { + openpam_log(PAM_LOG_NOTICE, + "%s(%d): invalid service name (ignored)", + filename, lineno); + FREE(line); + continue; + } + if (strlcmp(service, str, len) != 0) { FREE(line); continue; } - p = next_word(p); } - /* match facility name */ - for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) - if (match_word(p, _pam_facility_name[fclt])) - break; - if (fclt == PAM_NUM_FACILITIES) { - openpam_log(PAM_LOG_NOTICE, - "%s(%d): invalid facility '%.*s' (ignored)", - filename, lineno, wordlen(p), p); + /* get facility name */ + if ((fclt = parse_facility_name(&line)) == (pam_facility_t)-1) { + openpam_log(PAM_LOG_ERROR, + "%s(%d): missing or invalid facility", + filename, lineno); goto fail; } if (facility != fclt && facility != PAM_FACILITY_ANY) { FREE(line); continue; } - p = next_word(p); - /* include other chain */ - if (match_word(p, "include")) { - p 
= next_word(p); - if (*next_word(p) != '\0') - openpam_log(PAM_LOG_NOTICE, - "%s(%d): garbage at end of 'include' line", + /* check for "include" */ + if (parse_include(&line)) { + if ((len = parse_service_name(&line, &str)) == 0) { + openpam_log(PAM_LOG_ERROR, + "%s(%d): missing or invalid filename", filename, lineno); - if ((name = dup_word(p)) == NULL) + goto fail; + } + if ((name = strndup(str, len)) == NULL) goto syserr; + if (parse_eol(&line) != 0) { + openpam_log(PAM_LOG_ERROR, + "%s(%d): garbage at end of line", + filename, lineno); + goto fail; + } ret = openpam_load_chain(pamh, name, fclt); FREE(name); - if (ret < 0) + if (ret != PAM_SUCCESS) goto fail; - count += ret; FREE(line); continue; } - /* allocate new entry */ - if ((this = calloc(1, sizeof *this)) == NULL) - goto syserr; + /* get control flag */ + if ((ctlf = parse_control_flag(&line)) == (pam_control_t)-1) { + openpam_log(PAM_LOG_ERROR, + "%s(%d): missing or invalid control flag", + filename, lineno); + goto fail; + } - /* control flag */ - for (ctlf = 0; ctlf < PAM_NUM_CONTROL_FLAGS; ++ctlf) - if (match_word(p, _pam_control_flag_name[ctlf])) - break; - if (ctlf == PAM_NUM_CONTROL_FLAGS) { + /* get module name */ + if ((len = parse_filename(&line, &str)) == 0) { openpam_log(PAM_LOG_ERROR, - "%s(%d): invalid control flag '%.*s'", - filename, lineno, wordlen(p), p); + "%s(%d): missing or invalid module name", + filename, lineno); goto fail; } + if ((name = strndup(str, len)) == NULL) + goto syserr; + + /* allocate new entry */ + if ((this = calloc(1, sizeof *this)) == NULL) + goto syserr; this->flag = ctlf; - /* module name */ - p = next_word(p); - if (*p == '\0') { + /* get module options */ + if ((this->optv = malloc(sizeof *optv)) == NULL) + goto syserr; + this->optc = 0; + while ((option = parse_option(&line)) != NULL) { + optv = realloc(this->optv, + (this->optc + 2) * sizeof *optv); + if (optv == NULL) + goto syserr; + this->optv = optv; + this->optv[this->optc++] = option; + } + 
this->optv[this->optc] = NULL; + if (*line != '\0') { openpam_log(PAM_LOG_ERROR, - "%s(%d): missing module name", + "%s(%d): syntax error in module options", filename, lineno); goto fail; } - if ((name = dup_word(p)) == NULL) - goto syserr; + + /* load module */ this->module = openpam_load_module(name); FREE(name); if (this->module == NULL) goto fail; - /* module options */ - p = q = next_word(p); - while (*q != '\0') { - ++this->optc; - q = next_word(q); - } - this->optv = calloc(this->optc + 1, sizeof(char *)); - if (this->optv == NULL) - goto syserr; - for (i = 0; i < this->optc; ++i) { - if ((this->optv[i] = dup_word(p)) == NULL) - goto syserr; - p = next_word(p); - } - /* hook it up */ for (next = &pamh->chains[fclt]; *next != NULL; next = &(*next)->next) /* nothing */ ; *next = this; this = NULL; - ++count; /* next please... */ FREE(line); @@ -253,14 +491,20 @@ openpam_read_chain(pam_handle_t *pamh, if (!feof(f)) goto syserr; fclose(f); - return (count); - syserr: + return (PAM_SUCCESS); +syserr: openpam_log(PAM_LOG_ERROR, "%s: %m", filename); - fail: +fail: + if (this && this->optc) { + while (this->optc--) + FREE(this->optv[this->optc]); + FREE(this->optv); + } FREE(this); FREE(line); + FREE(name); fclose(f); - return (-1); + return (PAM_SYSTEM_ERR); } static const char *openpam_policy_path[] = { 
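Review bot: in the hunk at "@@ -126,126 +351,139 @@", a malloc() failure inside parse_option() is reported as a syntax error. parse_option() documents that on allocation failure it returns NULL with errno set and leaves *line untouched, so the option loop in openpam_parse_chain() ends with *line still pointing at the option text, and the following "if (*line != '\0')" logs "syntax error in module options" and jumps to fail rather than to syserr. Test errno before testing the line, e.g. "if (errno != 0) goto syserr;" immediately after the while loop (parse_option() resets errno to 0 on entry, so a stale value cannot leak in), and only then check for leftover characters.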
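Review bot: in the hunk at "@@ -253,14 +491,20 @@", the fail path leaks this->optv when no option was parsed. The options array is allocated unconditionally before the loop ("this->optv = malloc(sizeof *optv)"), but the cleanup is guarded by "if (this && this->optc)", so a module line with zero options that then fails (openpam_load_module() returning NULL, or a syntax error on the first option) frees this but not this->optv. Drop the optc condition: "if (this != NULL) { while (this->optc--) FREE(this->optv[this->optc]); FREE(this->optv); }" handles both cases, since the while body never runs when optc is 0.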
@@ -283,26 +527,26 @@ openpam_load_chain(pam_handle_t *pamh, const char **path; char *filename; size_t len; - int r; + int ret; for (path = openpam_policy_path; *path != NULL; ++path) { len = strlen(*path); if ((*path)[len - 1] == '/') { if (asprintf(&filename, "%s%s", *path, service) < 0) { openpam_log(PAM_LOG_ERROR, "asprintf(): %m"); - return (-PAM_BUF_ERR); + return (PAM_BUF_ERR); } - r = openpam_read_chain(pamh, service, facility, + ret = openpam_parse_chain(pamh, service, facility, filename, pam_d_style); FREE(filename); } else { - r = openpam_read_chain(pamh, service, facility, + ret = openpam_parse_chain(pamh, service, facility, *path, pam_conf_style); } - if (r != 0) - return (r); + if (ret != PAM_SUCCESS) + return (ret); } - return (0); + return (PAM_SUCCESS); } /* @@ -316,18 +560,23 @@ openpam_configure(pam_handle_t *pamh, const char *service) { pam_facility_t fclt; + const char *p; + + for (p = service; *p; ++p) + if (!is_pfcs(*p)) + return (PAM_SYSTEM_ERR); - if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0) + if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) != PAM_SUCCESS) goto load_err; for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) { if (pamh->chains[fclt] != NULL) continue; - if (openpam_load_chain(pamh, PAM_OTHER, fclt) < 0) + if (openpam_load_chain(pamh, PAM_OTHER, fclt) != PAM_SUCCESS) goto load_err; } return (PAM_SUCCESS); - load_err: +load_err: openpam_clear_chains(pamh->chains); return (PAM_SYSTEM_ERR); } diff --git a/contrib/openpam/lib/openpam_load.c b/contrib/openpam/lib/openpam_constants.c similarity index 52% copy from contrib/openpam/lib/openpam_load.c copy to contrib/openpam/lib/openpam_constants.c index 303f3f580a..833e81f280 100644 --- a/contrib/openpam/lib/openpam_load.c +++ b/contrib/openpam/lib/openpam_constants.c 
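Review bot: the new service-name validation in openpam_configure() accepts the empty string, because the "for (p = service; *p; ++p)" loop never runs for it. An empty name then reaches openpam_load_chain(), where in pam_d_style it is appended to the directory prefix and the directory itself is fopen()ed, and in pam_conf_style it can never match an entry, since parse_service_name() requires at least one character. Add an explicit "if (*service == '\0') return (PAM_SYSTEM_ERR);" in front of the loop so the caller gets a clear failure instead of a policy lookup on a bogus path, and consider stating in the openpam_configure() comment that service names are restricted to the POSIX portable filename character set, since this loop is the check that keeps "/" and therefore "../" out of the pam.d path.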
@@ -1,6 +1,6 @@ /*- - * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2001-2003 Networks Associates Technology, Inc. + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and 
@@ -32,18 +32,83 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_load.c 408 2007-12-21 11:36:24Z des $ + * $Id: openpam_constants.c 491 2011-11-12 00:12:32Z des $ */ -#include -#include -#include +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif #include #include "openpam_impl.h" -const char *_pam_func_name[PAM_NUM_PRIMITIVES] = { +const char *pam_err_name[PAM_NUM_ERRORS] = { + "PAM_SUCCESS", + "PAM_OPEN_ERR", + "PAM_SYMBOL_ERR", + "PAM_SERVICE_ERR", + "PAM_SYSTEM_ERR", + "PAM_BUF_ERR", + "PAM_CONV_ERR", + "PAM_PERM_DENIED", + "PAM_MAXTRIES", + "PAM_AUTH_ERR", + "PAM_NEW_AUTHTOK_REQD", + "PAM_CRED_INSUFFICIENT", + "PAM_AUTHINFO_UNAVAIL", + "PAM_USER_UNKNOWN", + "PAM_CRED_UNAVAIL", + "PAM_CRED_EXPIRED", + "PAM_CRED_ERR", + "PAM_ACCT_EXPIRED", + "PAM_AUTHTOK_EXPIRED", + "PAM_SESSION_ERR", + "PAM_AUTHTOK_ERR", + "PAM_AUTHTOK_RECOVERY_ERR", + "PAM_AUTHTOK_LOCK_BUSY", + "PAM_AUTHTOK_DISABLE_AGING", + "PAM_NO_MODULE_DATA", + "PAM_IGNORE", + "PAM_ABORT", + "PAM_TRY_AGAIN", + "PAM_MODULE_UNKNOWN", + "PAM_DOMAIN_UNKNOWN" +}; + +const char *pam_item_name[PAM_NUM_ITEMS] = { + "(NO ITEM)", + "PAM_SERVICE", + "PAM_USER", + "PAM_TTY", + "PAM_RHOST", + "PAM_CONV", + "PAM_AUTHTOK", + "PAM_OLDAUTHTOK", + "PAM_RUSER", + "PAM_USER_PROMPT", + "PAM_REPOSITORY", + "PAM_AUTHTOK_PROMPT", + "PAM_OLDAUTHTOK_PROMPT", + "PAM_HOST", +}; + +const char *pam_facility_name[PAM_NUM_FACILITIES] = { + [PAM_ACCOUNT] = "account", + [PAM_AUTH] = "auth", + [PAM_PASSWORD] = "password", + [PAM_SESSION] = "session", +}; + +const char *pam_control_flag_name[PAM_NUM_CONTROL_FLAGS] = { + [PAM_BINDING] = "binding", + [PAM_OPTIONAL] = "optional", + [PAM_REQUIRED] = "required", + [PAM_REQUISITE] = "requisite", + [PAM_SUFFICIENT] = "sufficient", +}; + +const char *pam_func_name[PAM_NUM_PRIMITIVES] = { "pam_authenticate", "pam_setcred", "pam_acct_mgmt", 
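Review bot: pam_err_name[] and pam_item_name[] are positional initializers, while pam_facility_name[] and pam_control_flag_name[] in the same file use designated initializers. Because these arrays are indexed by the PAM_* enum values and this import itself inserts a new item (PAM_HOST = 13, just before PAM_NUM_ITEMS), a future insertion in the middle of either enum would silently shift every name after it without any compiler complaint. Use designated initializers ("[PAM_HOST] = \"PAM_HOST\",") for the two positional tables as well; an error or item value that is then left out shows up as a NULL entry rather than as a wrong name in a log message.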
@@ -52,7 +117,7 @@ const char *_pam_func_name[PAM_NUM_PRIMITIVES] = { "pam_chauthtok" }; -const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES] = { +const char *pam_sm_func_name[PAM_NUM_PRIMITIVES] = { "pam_sm_authenticate", "pam_sm_setcred", "pam_sm_acct_mgmt", 
@@ -60,94 +125,3 @@ const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES] = { "pam_sm_close_session", "pam_sm_chauthtok" }; - -/* - * Locate a matching dynamic or static module. - */ - -pam_module_t * -openpam_load_module(const char *path) -{ - pam_module_t *module; - - module = openpam_dynamic(path); - openpam_log(PAM_LOG_DEBUG, "%s dynamic %s", - (module == NULL) ? "no" : "using", path); - -#ifdef OPENPAM_STATIC_MODULES - /* look for a static module */ - if (module == NULL && strchr(path, '/') == NULL) { - module = openpam_static(path); - openpam_log(PAM_LOG_DEBUG, "%s static %s", - (module == NULL) ? "no" : "using", path); - } -#endif - if (module == NULL) { - openpam_log(PAM_LOG_ERROR, "no %s found", path); - return (NULL); - } - return (module); -} - - -/* - * Release a module. - * XXX highly thread-unsafe - */ - -static void -openpam_release_module(pam_module_t *module) -{ - if (module == NULL) - return; - if (module->dlh == NULL) - /* static module */ - return; - dlclose(module->dlh); - openpam_log(PAM_LOG_DEBUG, "releasing %s", module->path); - FREE(module->path); - FREE(module); -} - - -/* - * Destroy a chain, freeing all its links and releasing the modules - * they point to. - */ - -static void -openpam_destroy_chain(pam_chain_t *chain) -{ - if (chain == NULL) - return; - openpam_destroy_chain(chain->next); - chain->next = NULL; - while (chain->optc) { - --chain->optc; - FREE(chain->optv[chain->optc]); - } - FREE(chain->optv); - openpam_release_module(chain->module); - chain->module = NULL; - FREE(chain); -} - - -/* - * Clear the chains and release the modules - */ - -void -openpam_clear_chains(pam_chain_t *policy[]) -{ - int i; - - for (i = 0; i < PAM_NUM_FACILITIES; ++i) { - openpam_destroy_chain(policy[i]); - policy[i] = NULL; - } -} - -/* - * NOPARSE - */ 
diff --git a/contrib/openpam/include/security/openpam_version.h b/contrib/openpam/lib/openpam_constants.h similarity index 61% copy from contrib/openpam/include/security/openpam_version.h copy to contrib/openpam/lib/openpam_constants.h index 1a3b153bd3..b92317938c 100644 --- a/contrib/openpam/include/security/openpam_version.h +++ b/contrib/openpam/lib/openpam_constants.h @@ -1,24 +1,16 @@ /*- - * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2011 Dag-Erling Smørgrav * All rights reserved. * - * This software was developed for the FreeBSD Project by ThinkSec AS and - * Network Associates Laboratories, the Security Research Division of - * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 - * ("CBOSS"), as part of the DARPA CHATS research program. - * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer + * in this position and unchanged. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior written - * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
@@ -32,14 +24,17 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_version.h 409 2007-12-21 11:38:50Z des $ + * $Id: openpam_constants.h 491 2011-11-12 00:12:32Z des $ */ -#ifndef SECURITY_OPENPAM_VERSION_H_INCLUDED -#define SECURITY_OPENPAM_VERSION_H_INCLUDED +#ifndef OPENPAM_CONSTANTS_INCLUDED +#define OPENPAM_CONSTANTS_INCLUDED -#define OPENPAM -#define OPENPAM_VERSION 20071221 -#define OPENPAM_RELEASE "Hydrangea" +extern const char *pam_err_name[PAM_NUM_ERRORS]; +extern const char *pam_item_name[PAM_NUM_ITEMS]; +extern const char *pam_facility_name[PAM_NUM_FACILITIES]; +extern const char *pam_control_flag_name[PAM_NUM_CONTROL_FLAGS]; +extern const char *pam_func_name[PAM_NUM_PRIMITIVES]; +extern const char *pam_sm_func_name[PAM_NUM_PRIMITIVES]; -#endif /* !SECURITY_OPENPAM_VERSION_H_INCLUDED */ +#endif diff --git a/contrib/openpam/lib/openpam_debug.h b/contrib/openpam/lib/openpam_debug.h new file mode 100644 index 0000000000..ef2884d682 --- /dev/null +++ b/contrib/openpam/lib/openpam_debug.h 
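Review bot: openpam_constants.h declares its arrays in terms of PAM_NUM_ERRORS, PAM_NUM_ITEMS, PAM_NUM_FACILITIES, PAM_NUM_CONTROL_FLAGS and PAM_NUM_PRIMITIVES but includes nothing itself, so it only compiles when pulled in after those enums are defined; openpam_impl.h includes it at its very end, which works, but either a comment saying the header is private to openpam_impl.h or an include of what it depends on would stop the next person from including it directly. Minor: the guard is spelled OPENPAM_CONSTANTS_INCLUDED while the sibling headers use OPENPAM_IMPL_H_INCLUDED, OPENPAM_STRLCMP_H_INCLUDED and OPENPAM_STRLCPY_H_INCLUDED; pick one form.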
@@ -0,0 +1,103 @@ +/*- + * Copyright (c) 2001-2003 Networks Associates Technology, Inc. + * Copyright (c) 2004-2011 Dag-Erling Smørgrav + * All rights reserved. + * + * This software was developed for the FreeBSD Project by ThinkSec AS and + * Network Associates Laboratories, the Security Research Division of + * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $Id: openpam_debug.h 491 2011-11-12 00:12:32Z des $ + */ + +#ifndef OPENPAM_DEBUG_INCLUDED +#define OPENPAM_DEBUG_INCLUDED + +#ifdef OPENPAM_DEBUG +#define ENTER() openpam_log(PAM_LOG_DEBUG, "entering") +#define ENTERI(i) do { \ + int i_ = (i); \ + if (i_ > 0 && i_ < PAM_NUM_ITEMS) \ + openpam_log(PAM_LOG_DEBUG, "entering: %s", pam_item_name[i_]); \ + else \ + openpam_log(PAM_LOG_DEBUG, "entering: %d", i_); \ +} while (0) +#define ENTERN(n) do { \ + int n_ = (n); \ + openpam_log(PAM_LOG_DEBUG, "entering: %d", n_); \ +} while (0) +#define ENTERS(s) do { \ + const char *s_ = (s); \ + if (s_ == NULL) \ + openpam_log(PAM_LOG_DEBUG, "entering: NULL"); \ + else \ + openpam_log(PAM_LOG_DEBUG, "entering: '%s'", s_); \ +} while (0) +#define RETURNV() openpam_log(PAM_LOG_DEBUG, "returning") +#define RETURNC(c) do { \ + int c_ = (c); \ + if (c_ >= 0 && c_ < PAM_NUM_ERRORS) \ + openpam_log(PAM_LOG_DEBUG, "returning %s", pam_err_name[c_]); \ + else \ + openpam_log(PAM_LOG_DEBUG, "returning %d!", c_); \ + return (c_); \ +} while (0) +#define RETURNN(n) do { \ + int n_ = (n); \ + openpam_log(PAM_LOG_DEBUG, "returning %d", n_); \ + return (n_); \ +} while (0) +#define RETURNP(p) do { \ + const void *p_ = (p); \ + if (p_ == NULL) \ + openpam_log(PAM_LOG_DEBUG, "returning NULL"); \ + else \ + openpam_log(PAM_LOG_DEBUG, "returning %p", p_); \ + return (p_); \ +} while (0) +#define RETURNS(s) do { \ + const char *s_ = (s); \ + if (s_ == NULL) \ + openpam_log(PAM_LOG_DEBUG, "returning NULL"); \ + else \ + openpam_log(PAM_LOG_DEBUG, "returning '%s'", s_); \ + return (s_); \ +} while (0) +#else +#define ENTER() +#define ENTERI(i) +#define ENTERN(n) +#define ENTERS(s) +#define RETURNV() return +#define RETURNC(c) return (c) +#define RETURNN(n) return (n) +#define RETURNP(p) return (p) +#define RETURNS(s) return (s) +#endif + +#endif diff --git a/contrib/openpam/lib/openpam_dispatch.c b/contrib/openpam/lib/openpam_dispatch.c index 69fe472a7a..54dfd3bdc8 100644 
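Review bot: in openpam_debug.h, RETURNP now ends with `return (p_);` where `p_` is declared `const void *`, whereas the macro it replaces evaluated the logging on a const copy but returned the original `(p)`. Every caller whose return type is a non-const pointer (`char *`, `pam_handle_t *` and so on) will therefore discard a qualifier on return and draw a compiler diagnostic whenever OPENPAM_DEBUG is defined, which is exactly the build where this macro is exercised. Keep `return (p);` as before, or give `p_` the same type as the expression it copies.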
--- a/contrib/openpam/lib/openpam_dispatch.c +++ b/contrib/openpam/lib/openpam_dispatch.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_dispatch.c 408 2007-12-21 11:36:24Z des $ + * $Id: openpam_dispatch.c 501 2011-12-07 01:28:05Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include @@ -42,9 +46,9 @@ #include "openpam_impl.h" #if !defined(OPENPAM_RELAX_CHECKS) -static void _openpam_check_error_code(int, int); +static void openpam_check_error_code(int, int); #else -#define _openpam_check_error_code(a, b) +#define openpam_check_error_code(a, b) #endif /* !defined(OPENPAM_RELAX_CHECKS) */ /* @@ -60,9 +64,7 @@ openpam_dispatch(pam_handle_t *pamh, { pam_chain_t *chain; int err, fail, r; -#ifdef DEBUG int debug; -#endif ENTER(); if (pamh == NULL) @@ -72,9 +74,9 @@ openpam_dispatch(pam_handle_t *pamh, if (pamh->current != NULL) { openpam_log(PAM_LOG_ERROR, "%s() called while %s::%s() is in progress", - _pam_func_name[primitive], + pam_func_name[primitive], pamh->current->module->path, - _pam_sm_func_name[pamh->primitive]); + pam_sm_func_name[pamh->primitive]); RETURNC(PAM_ABORT); } 
@@ -102,28 +104,24 @@ openpam_dispatch(pam_handle_t *pamh, for (err = fail = 0; chain != NULL; chain = chain->next) { if (chain->module->func[primitive] == NULL) { openpam_log(PAM_LOG_ERROR, "%s: no %s()", - chain->module->path, _pam_sm_func_name[primitive]); - continue; + chain->module->path, pam_sm_func_name[primitive]); + r = PAM_SYSTEM_ERR; } else { pamh->primitive = primitive; pamh->current = chain; -#ifdef DEBUG debug = (openpam_get_option(pamh, "debug") != NULL); if (debug) - ++_openpam_debug; + ++openpam_debug; openpam_log(PAM_LOG_DEBUG, "calling %s() in %s", - _pam_sm_func_name[primitive], chain->module->path); -#endif + pam_sm_func_name[primitive], chain->module->path); r = (chain->module->func[primitive])(pamh, flags, chain->optc, (const char **)chain->optv); pamh->current = NULL; -#ifdef DEBUG openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s", - chain->module->path, _pam_sm_func_name[primitive], + chain->module->path, pam_sm_func_name[primitive], pam_strerror(pamh, r)); if (debug) - --_openpam_debug; -#endif + --openpam_debug; } if (r == PAM_IGNORE) @@ -143,7 +141,7 @@ openpam_dispatch(pam_handle_t *pamh, continue; } - _openpam_check_error_code(primitive, r); + openpam_check_error_code(primitive, r); /* * Record the return code from the first module to @@ -177,7 +175,7 @@ openpam_dispatch(pam_handle_t *pamh, #if !defined(OPENPAM_RELAX_CHECKS) static void -_openpam_check_error_code(int primitive, int r) +openpam_check_error_code(int primitive, int r) { /* common error codes */ if (r == PAM_SUCCESS || @@ -229,7 +227,7 @@ _openpam_check_error_code(int primitive, int r) } openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d", - _pam_sm_func_name[primitive], r); + pam_sm_func_name[primitive], r); } #endif /* !defined(OPENPAM_RELAX_CHECKS) */ diff --git a/contrib/openpam/lib/openpam_dynamic.c b/contrib/openpam/lib/openpam_dynamic.c index 084408ec1e..d44174fbe8 100644 --- a/contrib/openpam/lib/openpam_dynamic.c +++ b/contrib/openpam/lib/openpam_dynamic.c 
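Review bot: the dispatch hunk changes semantics, not just names: a module that does not export the requested pam_sm_*() used to be skipped (`continue`), and now sets `r = PAM_SYSTEM_ERR` and falls into the normal control-flag handling. For a `required` or `requisite` entry that turns a policy that previously passed silently into a hard failure, which is a sensible hardening but invisible to administrators who only see the `%s: no %s()` log line; record it as a behaviour change in HISTORY and in the policy documentation. Since `openpam_check_error_code(primitive, r)` is now reached with PAM_SYSTEM_ERR for this case, it is worth confirming that the checker accepts that value for every primitive rather than logging "unexpected return value".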
@@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,13 +32,19 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_dynamic.c 408 2007-12-21 11:36:24Z des $ + * $Id: openpam_dynamic.c 502 2011-12-18 13:59:22Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include +#include #include #include #include +#include #include @@ -48,6 +54,21 @@ #define RTLD_NOW RTLD_LAZY #endif +/* + * OpenPAM internal + * + * Perform sanity checks and attempt to load a module + */ + +static void * +try_dlopen(const char *modfn) +{ + + if (openpam_check_path_owner_perms(modfn) != 0) + return (NULL); + return (dlopen(modfn, RTLD_NOW)); +} + /* * OpenPAM internal * @@ -57,15 +78,14 @@ pam_module_t * openpam_dynamic(const char *path) { + const pam_module_t *dlmodule; pam_module_t *module; const char *prefix; char *vpath; void *dlh; - int i; + int i, serrno; dlh = NULL; - if ((module = calloc(1, sizeof *module)) == NULL) - goto buf_err; /* Prepend the standard prefix if not an absolute pathname. */ if (path[0] != '/') 
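Review bot: the new fallback test `if ((dlh = try_dlopen(vpath)) == NULL && errno == ENOENT)` depends on errno after a failed dlopen(), which dlopen() is not specified to set; a stale ENOENT from an earlier call makes a versioned module that exists but fails to link (unresolved symbol, wrong ABI) fall through to the unversioned name, and the only diagnostic that survives is the `%m` at the err: label, because both `openpam_log(PAM_LOG_DEBUG, "%s: %s", vpath, dlerror())` calls were removed. Suggest logging dlerror() inside try_dlopen() when dlopen() returns NULL, and deciding the fallback from the ownership check, which has just stat()ed the file and can distinguish "missing" from "present but rejected" reliably, rather than from errno after dlopen(). Note also that openpam_check_path_owner_perms() and dlopen() each resolve the path independently, so the check is advisory against a concurrent replacement of the file; it raises the bar but does not close that window unless the platform offers an fdlopen(3)-style interface.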
@@ -75,33 +95,36 @@ openpam_dynamic(const char *path) /* try versioned module first, then unversioned module */ if (asprintf(&vpath, "%s%s.%d", prefix, path, LIB_MAJ) < 0) - goto buf_err; - if ((dlh = dlopen(vpath, RTLD_NOW)) == NULL) { - openpam_log(PAM_LOG_DEBUG, "%s: %s", vpath, dlerror()); + goto err; + if ((dlh = try_dlopen(vpath)) == NULL && errno == ENOENT) { *strrchr(vpath, '.') = '\0'; - if ((dlh = dlopen(vpath, RTLD_NOW)) == NULL) { - openpam_log(PAM_LOG_DEBUG, "%s: %s", vpath, dlerror()); - FREE(vpath); - FREE(module); - return (NULL); - } + dlh = try_dlopen(vpath); } + serrno = errno; FREE(vpath); + errno = serrno; + if (dlh == NULL) + goto err; + if ((module = calloc(1, sizeof *module)) == NULL) + goto buf_err; if ((module->path = strdup(path)) == NULL) goto buf_err; module->dlh = dlh; + dlmodule = dlsym(dlh, "_pam_module"); for (i = 0; i < PAM_NUM_PRIMITIVES; ++i) { - module->func[i] = (pam_func_t)dlsym(dlh, _pam_sm_func_name[i]); + module->func[i] = dlmodule ? dlmodule->func[i] : + (pam_func_t)dlsym(dlh, pam_sm_func_name[i]); if (module->func[i] == NULL) openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s", - path, _pam_sm_func_name[i], dlerror()); + path, pam_sm_func_name[i], dlerror()); } return (module); - buf_err: - openpam_log(PAM_LOG_ERROR, "%m"); +buf_err: if (dlh != NULL) dlclose(dlh); FREE(module); +err: + openpam_log(PAM_LOG_ERROR, "%m"); return (NULL); } diff --git a/contrib/openpam/lib/openpam_findenv.c b/contrib/openpam/lib/openpam_findenv.c index d78e1479c7..b833ec9229 100644 --- a/contrib/openpam/lib/openpam_findenv.c +++ b/contrib/openpam/lib/openpam_findenv.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and 
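Review bot: in the symbol-lookup loop, `dlerror()` is passed to `%s` even when `dlmodule` is non-NULL, i.e. when `module->func[i]` came from the `_pam_module` table and no dlsym() for that name was ever attempted. In that case the last dlsym() (for "_pam_module") succeeded, dlerror() returns NULL, and `%s` with a NULL argument is undefined behaviour (some libcs print "(null)", others crash). Call dlerror() only in the dlsym() branch, or substitute a fixed string for the table case. Separately, the `buf_err:` path calls dlclose(dlh) before falling into `err:`, which logs `%m`, so the errno from the failed calloc()/strdup() may be overwritten by dlclose(); save and restore errno around it as is already done around FREE(vpath).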
@@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_findenv.c 408 2007-12-21 11:36:24Z des $ + * $Id: openpam_findenv.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/openpam_free_data.c b/contrib/openpam/lib/openpam_free_data.c index e071c0a101..561687c7ec 100644 --- a/contrib/openpam/lib/openpam_free_data.c +++ b/contrib/openpam/lib/openpam_free_data.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_free_data.c 408 2007-12-21 11:36:24Z des $ + * $Id: openpam_free_data.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/openpam_free_envlist.c b/contrib/openpam/lib/openpam_free_envlist.c index 346c2ddb6b..14754dc403 100644 --- a/contrib/openpam/lib/openpam_free_envlist.c +++ b/contrib/openpam/lib/openpam_free_envlist.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2005 Dag-Erling Coïdan Smørgrav + * Copyright (c) 2005-2011 Dag-Erling Smørgrav * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -25,9 +25,13 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $Id: openpam_free_envlist.c 320 2006-02-16 20:33:19Z des $ + * $Id: openpam_free_envlist.c 447 2011-10-22 02:47:36Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include 
@@ -63,4 +67,6 @@ openpam_free_envlist(char **envlist) * frees all the environment variables in an environment list, and the * list itself. * It is suitable for freeing the return value from =pam_getenvlist. + * + * AUTHOR DES */ diff --git a/contrib/openpam/lib/openpam_get_option.c b/contrib/openpam/lib/openpam_get_option.c index 73bc070a10..b5faa878fd 100644 --- a/contrib/openpam/lib/openpam_get_option.c +++ b/contrib/openpam/lib/openpam_get_option.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_get_option.c 408 2007-12-21 11:36:24Z des $ + * $Id: openpam_get_option.c 482 2011-11-03 16:33:02Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/openpam_impl.h b/contrib/openpam/lib/openpam_impl.h index 7704d4ed6f..ba4d45558a 100644 --- a/contrib/openpam/lib/openpam_impl.h +++ b/contrib/openpam/lib/openpam_impl.h @@ -1,6 +1,6 @@ /*- * Copyright (c) 2001-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and 
@@ -32,24 +32,15 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_impl.h 408 2007-12-21 11:36:24Z des $ + * $Id: openpam_impl.h 499 2011-11-22 11:51:50Z des $ */ -#ifndef _OPENPAM_IMPL_H_INCLUDED -#define _OPENPAM_IMPL_H_INCLUDED - -#ifdef HAVE_CONFIG_H -# include -#endif +#ifndef OPENPAM_IMPL_H_INCLUDED +#define OPENPAM_IMPL_H_INCLUDED #include -extern const char *_pam_func_name[PAM_NUM_PRIMITIVES]; -extern const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES]; -extern const char *_pam_err_name[PAM_NUM_ERRORS]; -extern const char *_pam_item_name[PAM_NUM_ITEMS]; - -extern int _openpam_debug; +extern int openpam_debug; /* * Control flags @@ -75,6 +66,9 @@ typedef enum { PAM_NUM_FACILITIES } pam_facility_t; +/* + * Module chains + */ typedef struct pam_chain pam_chain_t; struct pam_chain { pam_module_t *module; @@ -84,6 +78,21 @@ struct pam_chain { pam_chain_t *next; }; +/* + * Service policies + */ +#if defined(OPENPAM_EMBEDDED) +typedef struct pam_policy pam_policy_t; +struct pam_policy { + const char *service; + pam_chain_t *chains[PAM_NUM_FACILITIES]; +}; +extern pam_policy_t *pam_embedded_policies[]; +#endif + +/* + * Module-specific data + */ typedef struct pam_data pam_data_t; struct pam_data { char *name; @@ -92,6 +101,9 @@ struct pam_data { pam_data_t *next; }; +/* + * PAM context + */ struct pam_handle { char *service; @@ -111,6 +123,9 @@ struct pam_handle { }; #ifdef NGROUPS_MAX +/* + * Saved credentials + */ #define PAM_SAVED_CRED "pam_saved_cred" struct pam_saved_cred { uid_t euid; 
@@ -120,14 +135,23 @@ struct pam_saved_cred { }; #endif +/* + * Default policy + */ #define PAM_OTHER "other" +/* + * Internal functions + */ int openpam_configure(pam_handle_t *, const char *); int openpam_dispatch(pam_handle_t *, int, int); int openpam_findenv(pam_handle_t *, const char *, size_t); pam_module_t *openpam_load_module(const char *); void openpam_clear_chains(pam_chain_t **); +int openpam_check_desc_owner_perms(const char *, int); +int openpam_check_path_owner_perms(const char *); + #ifdef OPENPAM_STATIC_MODULES pam_module_t *openpam_static(const char *); #endif 
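Review bot: the new prototypes `openpam_check_desc_owner_perms(const char *, int)` and `openpam_check_path_owner_perms(const char *)` carry no comment on their contract, yet openpam_dynamic.c already depends on the details: it treats a non-zero return as a failed load and then inspects errno (ENOENT versus anything else) to decide whether to try the unversioned module name. Document next to the declarations what the checks require of owner and mode, what is returned on failure, and which errno values callers may rely on, so the loader's fallback logic cannot silently diverge from the checker.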
@@ -135,66 +159,7 @@ pam_module_t *openpam_dynamic(const char *); #define FREE(p) do { free((p)); (p) = NULL; } while (0) -#ifdef DEBUG -#define ENTER() openpam_log(PAM_LOG_DEBUG, "entering") -#define ENTERI(i) do { \ - int _i = (i); \ - if (_i > 0 && _i < PAM_NUM_ITEMS) \ - openpam_log(PAM_LOG_DEBUG, "entering: %s", _pam_item_name[_i]); \ - else \ - openpam_log(PAM_LOG_DEBUG, "entering: %d", _i); \ -} while (0) -#define ENTERN(n) do { \ - int _n = (n); \ - openpam_log(PAM_LOG_DEBUG, "entering: %d", _n); \ -} while (0) -#define ENTERS(s) do { \ - const char *_s = (s); \ - if (_s == NULL) \ - openpam_log(PAM_LOG_DEBUG, "entering: NULL"); \ - else \ - openpam_log(PAM_LOG_DEBUG, "entering: '%s'", _s); \ -} while (0) -#define RETURNV() openpam_log(PAM_LOG_DEBUG, "returning") -#define RETURNC(c) do { \ - int _c = (c); \ - if (_c >= 0 && _c < PAM_NUM_ERRORS) \ - openpam_log(PAM_LOG_DEBUG, "returning %s", _pam_err_name[_c]); \ - else \ - openpam_log(PAM_LOG_DEBUG, "returning %d!", _c); \ - return (_c); \ -} while (0) -#define RETURNN(n) do { \ - int _n = (n); \ - openpam_log(PAM_LOG_DEBUG, "returning %d", _n); \ - return (_n); \ -} while (0) -#define RETURNP(p) do { \ - const void *_p = (p); \ - if (_p == NULL) \ - openpam_log(PAM_LOG_DEBUG, "returning NULL"); \ - else \ - openpam_log(PAM_LOG_DEBUG, "returning %p", _p); \ - return (p); \ -} while (0) -#define RETURNS(s) do { \ - const char *_s = (s); \ - if (_s == NULL) \ - openpam_log(PAM_LOG_DEBUG, "returning NULL"); \ - else \ - openpam_log(PAM_LOG_DEBUG, "returning '%s'", _s); \ - return (_s); \ -} while (0) -#else -#define ENTER() -#define ENTERI(i) -#define ENTERN(n) -#define ENTERS(s) -#define RETURNV() return -#define RETURNC(c) return (c) -#define RETURNN(n) return (n) -#define RETURNP(p) return (p) -#define RETURNS(s) return (s) -#endif +#include "openpam_constants.h" +#include "openpam_debug.h" #endif 
diff --git a/contrib/openpam/lib/openpam_load.c b/contrib/openpam/lib/openpam_load.c index 303f3f580a..0eb8ea7d9c 100644 --- a/contrib/openpam/lib/openpam_load.c +++ b/contrib/openpam/lib/openpam_load.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_load.c 408 2007-12-21 11:36:24Z des $ + * $Id: openpam_load.c 491 2011-11-12 00:12:32Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include #include @@ -43,24 +47,6 @@ #include "openpam_impl.h" -const char *_pam_func_name[PAM_NUM_PRIMITIVES] = { - "pam_authenticate", - "pam_setcred", - "pam_acct_mgmt", - "pam_open_session", - "pam_close_session", - "pam_chauthtok" -}; - -const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES] = { - "pam_sm_authenticate", - "pam_sm_setcred", - "pam_sm_acct_mgmt", - "pam_sm_open_session", - "pam_sm_close_session", - "pam_sm_chauthtok" -}; - /* * Locate a matching dynamic or static module. */ @@ -122,10 +108,8 @@ openpam_destroy_chain(pam_chain_t *chain) return; openpam_destroy_chain(chain->next); chain->next = NULL; - while (chain->optc) { - --chain->optc; + while (chain->optc--) FREE(chain->optv[chain->optc]); - } FREE(chain->optv); openpam_release_module(chain->module); chain->module = NULL; diff --git a/contrib/openpam/lib/openpam_log.c b/contrib/openpam/lib/openpam_log.c index e49229484b..9e3d28b5b4 100644 --- a/contrib/openpam/lib/openpam_log.c +++ b/contrib/openpam/lib/openpam_log.c 
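Review bot: `while (chain->optc--) FREE(chain->optv[chain->optc]);` in openpam_destroy_chain() frees the right elements but leaves `chain->optc` at -1 (or wrapped around, if the field is unsigned) when the loop exits, where the old loop left it at 0. It is harmless here because FREE(chain) follows immediately, but the condensed form is easy to misread as leaving a consistent count; either keep the original loop or reset optc to 0 after it.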
@@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_log.c 408 2007-12-21 11:36:24Z des $ + * $Id: openpam_log.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include #include @@ -47,9 +51,9 @@ #include "openpam_impl.h" #ifdef OPENPAM_DEBUG -int _openpam_debug = 1; +int openpam_debug = 1; #else -int _openpam_debug = 0; +int openpam_debug = 0; #endif #if !defined(openpam_log) @@ -68,7 +72,7 @@ openpam_log(int level, const char *fmt, ...) switch (level) { case PAM_LOG_DEBUG: - if (!_openpam_debug) + if (!openpam_debug) return; priority = LOG_DEBUG; break; @@ -99,7 +103,7 @@ _openpam_log(int level, const char *func, const char *fmt, ...) switch (level) { case PAM_LOG_DEBUG: - if (!_openpam_debug) + if (!openpam_debug) return; priority = LOG_DEBUG; break; @@ -136,7 +140,7 @@ _openpam_log(int level, const char *func, const char *fmt, ...) * =PAM_LOG_DEBUG: * Debugging messages. * These messages are normally not logged unless the global - * integer variable :_openpam_debug is set to a non-zero + * integer variable :openpam_debug is set to a non-zero * value, in which case they are logged with a =syslog * priority of =LOG_DEBUG. * =PAM_LOG_VERBOSE: diff --git a/contrib/openpam/lib/openpam_nullconv.c b/contrib/openpam/lib/openpam_nullconv.c index 3294dcf82a..a95b1e0c50 100644 --- a/contrib/openpam/lib/openpam_nullconv.c +++ b/contrib/openpam/lib/openpam_nullconv.c 
@@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_nullconv.c 408 2007-12-21 11:36:24Z des $ + * $Id: openpam_nullconv.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/openpam_readline.c b/contrib/openpam/lib/openpam_readline.c index 17f03f3ae0..9cc8cc107c 100644 --- a/contrib/openpam/lib/openpam_readline.c +++ b/contrib/openpam/lib/openpam_readline.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_readline.c 408 2007-12-21 11:36:24Z des $ + * $Id: openpam_readline.c 473 2011-11-03 10:48:25Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include #include 
@@ -83,33 +87,23 @@ openpam_readline(FILE *f, int *lineno, size_t *lenp) } /* eof */ if (ch == EOF) { - /* remove trailing whitespace */ - while (len > 0 && isspace((int)line[len - 1])) - --len; - line[len] = '\0'; - if (len == 0) - goto fail; + /* done */ break; } /* eol */ if (ch == '\n') { if (lineno != NULL) ++*lineno; - - /* remove trailing whitespace */ - while (len > 0 && isspace((int)line[len - 1])) - --len; - line[len] = '\0'; /* skip blank lines */ if (len == 0) continue; /* continuation */ if (line[len - 1] == '\\') { line[--len] = '\0'; - /* fall through to whitespace case */ - } else { - break; + continue; } + /* done */ + break; } /* whitespace */ if (isspace(ch)) { @@ -123,10 +117,16 @@ openpam_readline(FILE *f, int *lineno, size_t *lenp) line_putch(ch); } + /* remove trailing whitespace */ + while (len > 0 && isspace((unsigned char)line[len - 1])) + --len; + line[len] = '\0'; + if (len == 0) + goto fail; if (lenp != NULL) *lenp = len; return (line); - fail: +fail: FREE(line); return (NULL); } @@ -136,13 +136,14 @@ openpam_readline(FILE *f, int *lineno, size_t *lenp) * in a NUL-terminated buffer allocated with =malloc. * * The =openpam_readline function performs a certain amount of processing - * on the data it reads. - * Comments (introduced by a hash sign) are stripped, as is leading and - * trailing whitespace. - * Any amount of linear whitespace is collapsed to a single space. - * Blank lines are ignored. - * If a line ends in a backslash, the backslash is stripped and the next - * line is appended. + * on the data it reads: + * + * - Comments (introduced by a hash sign) are stripped, as is leading and + * trailing whitespace. + * - Any amount of linear whitespace is collapsed to a single space. + * - Blank lines are ignored. + * - If a line ends in a backslash, the backslash is stripped and the + * next line is appended. * * If =lineno is not =NULL, the integer variable it points to is * incremented every time a newline character is read. 
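Review bot: the continuation handling in openpam_readline() now does `line[--len] = '\0'; continue;` instead of falling through to the whitespace case, so the newline after a backslash is no longer treated as whitespace: `foo\` followed by `bar` now yields `foobar`, where the old code produced `foo bar`. The updated comment ("the backslash is stripped and the next line is appended") matches the new behaviour, but the sentence above it ("any amount of linear whitespace is collapsed to a single space") no longer covers the continuation case, and any policy file that relied on the implicit separator will now parse differently. Either reinstate the fall-through so a single space is emitted at the join, or state explicitly in the documentation that a continuation joins the lines with no separator.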
diff --git a/contrib/openpam/lib/openpam_restore_cred.c b/contrib/openpam/lib/openpam_restore_cred.c index 20e80d41a2..41d44d024d 100644 --- a/contrib/openpam/lib/openpam_restore_cred.c +++ b/contrib/openpam/lib/openpam_restore_cred.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_restore_cred.c 408 2007-12-21 11:36:24Z des $ + * $Id: openpam_restore_cred.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/openpam_set_option.c b/contrib/openpam/lib/openpam_set_option.c index 57161d3129..c7cb1c7c41 100644 --- a/contrib/openpam/lib/openpam_set_option.c +++ b/contrib/openpam/lib/openpam_set_option.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_set_option.c 408 2007-12-21 11:36:24Z des $ + * $Id: openpam_set_option.c 482 2011-11-03 16:33:02Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/openpam_static.c b/contrib/openpam/lib/openpam_static.c index c06ceedb2f..40b807cb36 100644 --- a/contrib/openpam/lib/openpam_static.c +++ b/contrib/openpam/lib/openpam_static.c 
@@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_static.c 408 2007-12-21 11:36:24Z des $ + * $Id: openpam_static.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include @@ -43,7 +47,7 @@ #ifdef OPENPAM_STATIC_MODULES -SET_DECLARE(_openpam_static_modules, pam_module_t); +SET_DECLARE(openpam_static_modules, pam_module_t); /* * OpenPAM internal @@ -56,7 +60,7 @@ openpam_static(const char *path) { pam_module_t **module; - SET_FOREACH(module, _openpam_static_modules) { + SET_FOREACH(module, openpam_static_modules) { if (strcmp((*module)->path, path) == 0) return (*module); } diff --git a/contrib/openpam/include/security/openpam_version.h b/contrib/openpam/lib/openpam_strlcmp.h similarity index 61% copy from contrib/openpam/include/security/openpam_version.h copy to contrib/openpam/lib/openpam_strlcmp.h index 1a3b153bd3..c692225d7f 100644 --- a/contrib/openpam/include/security/openpam_version.h +++ b/contrib/openpam/lib/openpam_strlcmp.h 
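Review bot: renaming the linker set from `_openpam_static_modules` to `openpam_static_modules` changes the name that statically linked modules register into, so the macro module authors use to declare a static module must be renamed in the same change; a module built against the old set name is not an error at link or load time, it simply never appears in SET_FOREACH() and openpam_static() returns NULL for it. Worth a HISTORY line so that out-of-tree static modules know to rebuild.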
@@ -1,24 +1,16 @@ /*- - * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2011 Dag-Erling Smørgrav * All rights reserved. * - * This software was developed for the FreeBSD Project by ThinkSec AS and - * Network Associates Laboratories, the Security Research Division of - * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 - * ("CBOSS"), as part of the DARPA CHATS research program. - * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer + * in this position and unchanged. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior written - * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
@@ -32,14 +24,23 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_version.h 409 2007-12-21 11:38:50Z des $ + * $Id: openpam_strlcmp.h 475 2011-11-03 15:29:24Z des $ */ -#ifndef SECURITY_OPENPAM_VERSION_H_INCLUDED -#define SECURITY_OPENPAM_VERSION_H_INCLUDED +#ifndef OPENPAM_STRLCMP_H_INCLUDED +#define OPENPAM_STRLCMP_H_INCLUDED + +#ifndef HAVE_STRLCMP +/* like strcmp(3), but verifies that the entirety of s1 was matched */ +static int +strlcmp(const char *s1, const char *s2, size_t len) +{ -#define OPENPAM -#define OPENPAM_VERSION 20071221 -#define OPENPAM_RELEASE "Hydrangea" + for (; len && *s1 && *s2; --len, ++s1, ++s2) + if (*s1 != *s2) + return ((unsigned char)*s1 - (unsigned char)*s2); + return ((unsigned char)*s1); +} +#endif -#endif /* !SECURITY_OPENPAM_VERSION_H_INCLUDED */ +#endif diff --git a/contrib/openpam/include/security/openpam_version.h b/contrib/openpam/lib/openpam_strlcpy.h similarity index 61% copy from contrib/openpam/include/security/openpam_version.h copy to contrib/openpam/lib/openpam_strlcpy.h index 1a3b153bd3..921653b6e9 100644 --- a/contrib/openpam/include/security/openpam_version.h +++ b/contrib/openpam/lib/openpam_strlcpy.h 
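Review bot: the comment on strlcmp() ("like strcmp(3), but verifies that the entirety of s1 was matched") undersells how different it is from strcmp(): it returns 0 only when s1 is exhausted, so `strlcmp("ab", "abc", 3) == 0` while `strlcmp("abc", "ab", 3) != 0`, and it also returns non-zero when `len` runs out before the end of s1 (`strlcmp("abcd", "abcd", 3)` returns 'd'), so len must be at least strlen(s1) for a match. Spell out that it is an asymmetric prefix test and that the value returned at the end is `*s1`, not a byte difference. Two smaller items: the header uses size_t without including <stddef.h>, and a non-inline `static` function in a header draws -Wunused-function in any file that includes it without calling it.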
@@ -1,24 +1,16 @@ /*- - * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2011 Dag-Erling Smørgrav * All rights reserved. * - * This software was developed for the FreeBSD Project by ThinkSec AS and - * Network Associates Laboratories, the Security Research Division of - * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 - * ("CBOSS"), as part of the DARPA CHATS research program. - * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer + * in this position and unchanged. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior written - * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
@@ -32,14 +24,26 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_version.h 409 2007-12-21 11:38:50Z des $ + * $Id: openpam_strlcpy.h 492 2011-11-20 02:04:17Z des $ */ -#ifndef SECURITY_OPENPAM_VERSION_H_INCLUDED -#define SECURITY_OPENPAM_VERSION_H_INCLUDED +#ifndef OPENPAM_STRLCPY_H_INCLUDED +#define OPENPAM_STRLCPY_H_INCLUDED + +#ifndef HAVE_STRLCPY +/* like strcpy(3), but always NUL-terminates; returns strlen(src) */ +size_t +strlcpy(char *dst, const char *src, size_t size) +{ + size_t len; -#define OPENPAM -#define OPENPAM_VERSION 20071221 -#define OPENPAM_RELEASE "Hydrangea" + for (len = 0; *src && size > 1; ++len, --size) + *dst++ = *src++; + *dst = '\0'; + while (*src) + ++len, ++src; + return (len); +} +#endif -#endif /* !SECURITY_OPENPAM_VERSION_H_INCLUDED */ +#endif diff --git a/contrib/openpam/lib/openpam_subst.c b/contrib/openpam/lib/openpam_subst.c new file mode 100644 index 0000000000..d54b8270da --- /dev/null +++ b/contrib/openpam/lib/openpam_subst.c 
@@ -0,0 +1,168 @@ +/*- + * Copyright (c) 2011 Dag-Erling Smørgrav + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer + * in this position and unchanged. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $Id: openpam_subst.c 461 2011-11-02 14:00:38Z des $ + */ + +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "openpam_impl.h" + +#define subst_char(ch) do { \ + int ch_ = (ch); \ + if (buf && len < *bufsize) \ + *buf++ = ch_; \ + ++len; \ +} while (0) + +#define subst_string(s) do { \ + const char *s_ = (s); \ + while (*s_) \ + subst_char(*s_++); \ +} while (0) + +#define subst_item(i) do { \ + int i_ = (i); \ + const void *p_; \ + ret = pam_get_item(pamh, i_, &p_); \ + if (ret == PAM_SUCCESS && p_ != NULL) \ + subst_string(p_); \ +} while (0) + +/* + * OpenPAM internal + * + * Substitute PAM item values in a string + */ + +int +openpam_subst(const pam_handle_t *pamh, + char *buf, size_t *bufsize, const char *template) +{ + size_t len; + int ret; + + ENTERS(template); + if (template == NULL) + template = "(null)"; + + len = 1; /* initialize to 1 for terminating NUL */ + ret = PAM_SUCCESS; + while (*template && ret == PAM_SUCCESS) { + if (template[0] == '%') { + ++template; + switch (*template) { + case 's': + subst_item(PAM_SERVICE); + break; + case 't': + subst_item(PAM_TTY); + break; + case 'h': + subst_item(PAM_HOST); + break; + case 'u': + subst_item(PAM_USER); + break; + case 'H': + subst_item(PAM_RHOST); + break; + case 'U': + subst_item(PAM_RUSER); + break; + case '\0': + subst_char('%'); + break; + default: + subst_char('%'); + subst_char(*template); + } + ++template; + } else { + subst_char(*template++); + } + } + if (buf) + *buf = '\0'; + if (ret == PAM_SUCCESS) { + if (len > *bufsize) + ret = PAM_TRY_AGAIN; + *bufsize = len; + } + RETURNC(ret); +} + +/* + * Error codes: + * + * =pam_get_item + * !PAM_SYMBOL_ERR + * PAM_TRY_AGAIN + */ + +/** + * The =openpam_subst function expands a string, substituting PAM item + * values for all occurrences of specific substitution codes. + * The =template argument points to the initial string. 
+ * The result is stored in the buffer pointed to by the =buf argument; the + * =bufsize argument specifies the size of that buffer. + * The actual size of the resulting string, including the terminating NUL + * character, is stored in the location pointed to by the =bufsize + * argument. + * + * If =buf is NULL, or if the buffer is too small to hold the expanded + * string, =bufsize is updated to reflect the amount of space required to + * hold the entire string, and =openpam_subst returns =PAM_TRY_AGAIN. + * + * If =openpam_subst fails for any other reason, the =bufsize argument is + * untouched, but part of the buffer may still have been overwritten. + * + * Substitution codes are introduced by a percent character and correspond + * to PAM items: + * + * %H: + * Replaced by the current value of the =PAM_RHOST item. + * %h: + * Replaced by the current value of the =PAM_HOST item. + * %s: + * Replaced by the current value of the =PAM_SERVICE item. + * %t: + * Replaced by the current value of the =PAM_TTY item. + * %U: + * Replaced by the current value of the =PAM_RUSER item. + * %u: + * Replaced by the current value of the =PAM_USER item. + * + * >pam_get_authtok + * >pam_get_item + * >pam_get_user + * + * AUTHOR DES + */ diff --git a/contrib/openpam/lib/openpam_ttyconv.c b/contrib/openpam/lib/openpam_ttyconv.c index a6820b9d71..ec078f4180 100644 --- a/contrib/openpam/lib/openpam_ttyconv.c +++ b/contrib/openpam/lib/openpam_ttyconv.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and 
@@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_ttyconv.c 408 2007-12-21 11:36:24Z des $ + * $Id: openpam_ttyconv.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include @@ -211,7 +215,7 @@ openpam_ttyconv(int n, } *resp = aresp; RETURNC(PAM_SUCCESS); - fail: +fail: for (i = 0; i < n; ++i) { if (aresp[i].resp != NULL) { memset(aresp[i].resp, 0, strlen(aresp[i].resp)); diff --git a/contrib/openpam/lib/pam_acct_mgmt.c b/contrib/openpam/lib/pam_acct_mgmt.c index 0088ecf8b2..49c34ab3ea 100644 --- a/contrib/openpam/lib/pam_acct_mgmt.c +++ b/contrib/openpam/lib/pam_acct_mgmt.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_acct_mgmt.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_acct_mgmt.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_authenticate.c b/contrib/openpam/lib/pam_authenticate.c index 3b5a78d119..fc6c20f394 100644 --- a/contrib/openpam/lib/pam_authenticate.c +++ b/contrib/openpam/lib/pam_authenticate.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and 
@@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_authenticate.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_authenticate.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_authenticate_secondary.c b/contrib/openpam/lib/pam_authenticate_secondary.c index 27e3ce790b..1a57313589 100644 --- a/contrib/openpam/lib/pam_authenticate_secondary.c +++ b/contrib/openpam/lib/pam_authenticate_secondary.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_authenticate_secondary.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_authenticate_secondary.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include /* diff --git a/contrib/openpam/lib/pam_chauthtok.c b/contrib/openpam/lib/pam_chauthtok.c index ecf1063c71..1750b0f5fd 100644 --- a/contrib/openpam/lib/pam_chauthtok.c +++ b/contrib/openpam/lib/pam_chauthtok.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_chauthtok.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_chauthtok.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include 
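Review bot: in the openpam_strlcmp.h hunk, the final `return ((unsigned char)*s1);` means strlcmp() reports equality whenever s1 is exhausted first, so strlcmp("auth", "authx", 5) returns 0 even though the first len bytes of s2 differ from s1; if callers compare a NUL-terminated keyword against an unterminated token of length len, that is a prefix match, not the equality the name suggests. Either document the prefix semantics in the comment or make the tail `return (len ? (unsigned char)*s1 - (unsigned char)*s2 : (unsigned char)*s1);` so that leftover bytes in s2 also count as a mismatch. The header also uses size_t without including <stddef.h>, so it only compiles when the includer has already pulled that in.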
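Review bot: in the openpam_strlcpy.h hunk, `*dst = '\0';` is executed unconditionally, so a call with size == 0 writes one byte past a zero-length destination, which strlcpy(3) promises never to do; guard the terminator with `if (size > 0)` or return early. Unlike strlcmp() in openpam_strlcmp.h, which is declared `static`, this strlcpy() has external linkage in a header, so including it from two translation units produces duplicate definitions, and the name will clash with libc's if HAVE_STRLCPY is ever misdetected; making it `static` matches the sibling header.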
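Review bot: in the openpam_subst.c hunk, the `case '\0':` branch in openpam_subst() falls out of the switch to the unconditional `++template;`, so a template ending in a lone '%' advances past the terminating NUL and the next `while (*template && ret == PAM_SUCCESS)` test reads beyond the end of the string. Use `continue;` instead of `break;` in that case (or guard the increment with `if (*template)`) so the loop terminates on the NUL it has already seen. The documented codes (%H for PAM_RHOST, %h for PAM_HOST, %s, %t, %U, %u) do match the switch, and the bufsize/PAM_TRY_AGAIN contract in the doc block matches the code.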
diff --git a/contrib/openpam/lib/pam_close_session.c b/contrib/openpam/lib/pam_close_session.c index ab50e357ed..9e63a1dc96 100644 --- a/contrib/openpam/lib/pam_close_session.c +++ b/contrib/openpam/lib/pam_close_session.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_close_session.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_close_session.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_end.c b/contrib/openpam/lib/pam_end.c index 80baf8ac82..09cde350ea 100644 --- a/contrib/openpam/lib/pam_end.c +++ b/contrib/openpam/lib/pam_end.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_end.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_end.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_error.c b/contrib/openpam/lib/pam_error.c index f42a6b5fbf..1e0de5b267 100644 --- a/contrib/openpam/lib/pam_error.c +++ b/contrib/openpam/lib/pam_error.c 
@@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_error.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_error.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include #include diff --git a/contrib/openpam/lib/pam_get_authtok.c b/contrib/openpam/lib/pam_get_authtok.c index 2a974c9c86..a0613eff9c 100644 --- a/contrib/openpam/lib/pam_get_authtok.c +++ b/contrib/openpam/lib/pam_get_authtok.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_get_authtok.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_get_authtok.c 455 2011-10-29 18:31:11Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include @@ -61,8 +65,10 @@ pam_get_authtok(pam_handle_t *pamh, const char **authtok, const char *prompt) { + char prompt_buf[1024]; + size_t prompt_size; const void *oldauthtok, *prevauthtok, *promptp; - const char *default_prompt; + const char *prompt_option, *default_prompt; char *resp, *resp2; int pitem, r, style, twice; @@ -74,6 +80,7 @@ pam_get_authtok(pam_handle_t *pamh, switch (item) { case PAM_AUTHTOK: pitem = PAM_AUTHTOK_PROMPT; + prompt_option = "authtok_prompt"; default_prompt = authtok_prompt; r = pam_get_item(pamh, PAM_OLDAUTHTOK, &oldauthtok); if (r == PAM_SUCCESS && oldauthtok != NULL) { 
@@ -83,6 +90,7 @@ pam_get_authtok(pam_handle_t *pamh, break; case PAM_OLDAUTHTOK: pitem = PAM_OLDAUTHTOK_PROMPT; + prompt_option = "oldauthtok_prompt"; default_prompt = oldauthtok_prompt; twice = 0; break; @@ -99,13 +107,21 @@ pam_get_authtok(pam_handle_t *pamh, else if (openpam_get_option(pamh, "use_first_pass")) RETURNC(r == PAM_SUCCESS ? PAM_AUTH_ERR : r); } - if (prompt == NULL) { - r = pam_get_item(pamh, pitem, &promptp); - if (r != PAM_SUCCESS || promptp == NULL) - prompt = default_prompt; - else + /* pam policy overrides the module's choice */ + if ((promptp = openpam_get_option(pamh, prompt_option)) != NULL) + prompt = promptp; + /* no prompt provided, see if there is one tucked away somewhere */ + if (prompt == NULL) + if (pam_get_item(pamh, pitem, &promptp) && promptp != NULL) prompt = promptp; - } + /* fall back to hardcoded default */ + if (prompt == NULL) + prompt = default_prompt; + /* expand */ + prompt_size = sizeof prompt_buf; + r = openpam_subst(pamh, prompt_buf, &prompt_size, prompt); + if (r == PAM_SUCCESS && prompt_size <= sizeof prompt_buf) + prompt = prompt_buf; style = openpam_get_option(pamh, "echo_pass") ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF; r = pam_prompt(pamh, style, &resp, "%s", prompt); 
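Review bot: in the pam_get_authtok.c hunk at `if (pam_get_item(pamh, pitem, &promptp) && promptp != NULL)`, the success test is inverted: pam_get_item() returns PAM_SUCCESS (0) on success, so the stored PAM_AUTHTOK_PROMPT / PAM_OLDAUTHTOK_PROMPT item is consulted only when the lookup fails, and on failure promptp is left untouched (see the doc text added in the pam_get_item.c hunk), still holding the NULL result of openpam_get_option(). The net effect is that the item is never used and the hardcoded default always wins when neither the policy option nor the prompt argument is set; restore the comparison the removed code had: `if (pam_get_item(pamh, pitem, &promptp) == PAM_SUCCESS && promptp != NULL)`.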
@@ -160,6 +176,13 @@ pam_get_authtok(pam_handle_t *pamh, * If it is =NULL, the =PAM_AUTHTOK_PROMPT or =PAM_OLDAUTHTOK_PROMPT item, * as appropriate, will be used. * If that item is also =NULL, a hardcoded default prompt will be used. + * Either way, the prompt is expanded using =openpam_subst before it is + * passed to the conversation function. + * + * If =pam_get_authtok is called from a module and the ;authtok_prompt / + * ;oldauthtok_prompt option is set in the policy file, the value of that + * option takes precedence over both the =prompt argument and the + * =PAM_AUTHTOK_PROMPT / =PAM_OLDAUTHTOK_PROMPT item. * * If =item is set to =PAM_AUTHTOK and there is a non-null =PAM_OLDAUTHTOK * item, =pam_get_authtok will ask the user to confirm the new token by @@ -168,4 +191,5 @@ pam_get_authtok(pam_handle_t *pamh, * * >pam_get_item * >pam_get_user + * >openpam_subst */ diff --git a/contrib/openpam/lib/pam_get_data.c b/contrib/openpam/lib/pam_get_data.c index 0cceef0c97..1a8ba1de8d 100644 --- a/contrib/openpam/lib/pam_get_data.c +++ b/contrib/openpam/lib/pam_get_data.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_get_data.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_get_data.c 444 2011-10-22 01:03:23Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include 
@@ -80,6 +84,7 @@ pam_get_data(const pam_handle_t *pamh, * context specified by the =pamh argument. * A pointer to the object is stored in the location pointed to by the * =data argument. + * If =pam_get_data fails, the =data argument is untouched. * * This function and its counterpart =pam_set_data are useful for managing * data that are meaningful only to a particular service module. diff --git a/contrib/openpam/lib/pam_get_item.c b/contrib/openpam/lib/pam_get_item.c index 9f127bea23..95b9df6d02 100644 --- a/contrib/openpam/lib/pam_get_item.c +++ b/contrib/openpam/lib/pam_get_item.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,31 +32,19 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_get_item.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_get_item.c 491 2011-11-12 00:12:32Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include #include "openpam_impl.h" -const char *_pam_item_name[PAM_NUM_ITEMS] = { - "(NO ITEM)", - "PAM_SERVICE", - "PAM_USER", - "PAM_TTY", - "PAM_RHOST", - "PAM_CONV", - "PAM_AUTHTOK", - "PAM_OLDAUTHTOK", - "PAM_RUSER", - "PAM_USER_PROMPT", - "PAM_REPOSITORY", - "PAM_AUTHTOK_PROMPT", - "PAM_OLDAUTHTOK_PROMPT" -}; - /* * XSSO 4.2.1 * XSSO 6 page 46 @@ -83,9 +71,10 @@ pam_get_item(const pam_handle_t *pamh, case PAM_RUSER: case PAM_CONV: case PAM_USER_PROMPT: + case PAM_REPOSITORY: case PAM_AUTHTOK_PROMPT: case PAM_OLDAUTHTOK_PROMPT: - case PAM_REPOSITORY: + case PAM_HOST: *item = pamh->item[item_type]; RETURNC(PAM_SUCCESS); default: 
@@ -102,10 +91,12 @@ pam_get_item(const pam_handle_t *pamh, /** * The =pam_get_item function stores a pointer to the item specified by - * the =item_type argument in the location specified by the =item + * the =item_type argument in the location pointed to by the =item * argument. * The item is retrieved from the PAM context specified by the =pamh * argument. + * If =pam_get_item fails, the =item argument is untouched. + * * The following item types are recognized: * * =PAM_SERVICE: @@ -135,6 +126,8 @@ pam_get_item(const pam_handle_t *pamh, * =PAM_OLDAUTHTOK_PROMPT: * The prompt to use when asking the applicant for an * expired authentication token prior to changing it. + * =PAM_HOST: + * The name of the host the application runs on. * * See =pam_start for a description of =struct pam_conv. * diff --git a/contrib/openpam/lib/pam_get_mapped_authtok.c b/contrib/openpam/lib/pam_get_mapped_authtok.c index c49a9182f6..54ff6c3e7e 100644 --- a/contrib/openpam/lib/pam_get_mapped_authtok.c +++ b/contrib/openpam/lib/pam_get_mapped_authtok.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_get_mapped_authtok.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_get_mapped_authtok.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include /* diff --git a/contrib/openpam/lib/pam_get_mapped_username.c b/contrib/openpam/lib/pam_get_mapped_username.c index 359baee462..4f8ac17fd1 100644 --- a/contrib/openpam/lib/pam_get_mapped_username.c +++ b/contrib/openpam/lib/pam_get_mapped_username.c 
@@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_get_mapped_username.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_get_mapped_username.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include /* diff --git a/contrib/openpam/lib/pam_get_user.c b/contrib/openpam/lib/pam_get_user.c index 115a3eaf33..53245b99e5 100644 --- a/contrib/openpam/lib/pam_get_user.c +++ b/contrib/openpam/lib/pam_get_user.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_get_user.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_get_user.c 455 2011-10-29 18:31:11Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include @@ -58,6 +62,8 @@ pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt) { + char prompt_buf[1024]; + size_t prompt_size; const void *promptp; char *resp; int r; 
@@ -68,13 +74,22 @@ pam_get_user(pam_handle_t *pamh, r = pam_get_item(pamh, PAM_USER, (const void **)user); if (r == PAM_SUCCESS && *user != NULL) RETURNC(PAM_SUCCESS); - if (prompt == NULL) { - r = pam_get_item(pamh, PAM_USER_PROMPT, &promptp); - if (r != PAM_SUCCESS || promptp == NULL) - prompt = user_prompt; - else + /* pam policy overrides the module's choice */ + if ((promptp = openpam_get_option(pamh, "user_prompt")) != NULL) + prompt = promptp; + /* no prompt provided, see if there is one tucked away somewhere */ + if (prompt == NULL) + if (pam_get_item(pamh, PAM_USER_PROMPT, &promptp) && + promptp != NULL) prompt = promptp; - } + /* fall back to hardcoded default */ + if (prompt == NULL) + prompt = user_prompt; + /* expand */ + prompt_size = sizeof prompt_buf; + r = openpam_subst(pamh, prompt_buf, &prompt_size, prompt); + if (r == PAM_SUCCESS && prompt_size <= sizeof prompt_buf) + prompt = prompt_buf; r = pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &resp, "%s", prompt); if (r != PAM_SUCCESS) RETURNC(r); @@ -105,9 +120,16 @@ pam_get_user(pam_handle_t *pamh, * * The =prompt argument specifies a prompt to use if no user name is * cached. - * If it is =NULL, the =PAM_USER_PROMPT will be used. + * If it is =NULL, the =PAM_USER_PROMPT item will be used. * If that item is also =NULL, a hardcoded default prompt will be used. + * Either way, the prompt is expanded using =openpam_subst before it is + * passed to the conversation function. + * + * If =pam_get_user is called from a module and the ;user_prompt option is + * set in the policy file, the value of that option takes precedence over + * both the =prompt argument and the =PAM_USER_PROMPT item. * * >pam_get_item * >pam_get_authtok + * >openpam_subst */ diff --git a/contrib/openpam/lib/pam_getenv.c b/contrib/openpam/lib/pam_getenv.c index f2d791084c..e2ebf579ed 100644 --- a/contrib/openpam/lib/pam_getenv.c +++ b/contrib/openpam/lib/pam_getenv.c 
@@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_getenv.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_getenv.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_getenvlist.c b/contrib/openpam/lib/pam_getenvlist.c index c0e128a8fc..06c003f02e 100644 --- a/contrib/openpam/lib/pam_getenvlist.c +++ b/contrib/openpam/lib/pam_getenvlist.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_getenvlist.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_getenvlist.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_info.c b/contrib/openpam/lib/pam_info.c index 2e4dbc74af..7e51dbf6b8 100644 --- a/contrib/openpam/lib/pam_info.c +++ b/contrib/openpam/lib/pam_info.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and 
@@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_info.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_info.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include #include diff --git a/contrib/openpam/lib/pam_open_session.c b/contrib/openpam/lib/pam_open_session.c index f8d6eca62c..36c59b049e 100644 --- a/contrib/openpam/lib/pam_open_session.c +++ b/contrib/openpam/lib/pam_open_session.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_open_session.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_open_session.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_prompt.c b/contrib/openpam/lib/pam_prompt.c index 76da55f64b..194e765523 100644 --- a/contrib/openpam/lib/pam_prompt.c +++ b/contrib/openpam/lib/pam_prompt.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_prompt.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_prompt.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_putenv.c b/contrib/openpam/lib/pam_putenv.c index 79d6228ab1..369066d8ea 100644 
--- a/contrib/openpam/lib/pam_putenv.c +++ b/contrib/openpam/lib/pam_putenv.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_putenv.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_putenv.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_set_data.c b/contrib/openpam/lib/pam_set_data.c index 963de9285c..a8de632f7b 100644 --- a/contrib/openpam/lib/pam_set_data.c +++ b/contrib/openpam/lib/pam_set_data.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_set_data.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_set_data.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_set_item.c b/contrib/openpam/lib/pam_set_item.c index 9b606183a8..05d538f7bd 100644 --- a/contrib/openpam/lib/pam_set_item.c +++ b/contrib/openpam/lib/pam_set_item.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and 
@@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_set_item.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_set_item.c 496 2011-11-21 16:20:45Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include @@ -66,6 +70,10 @@ pam_set_item(pam_handle_t *pamh, osize = nsize = 0; switch (item_type) { case PAM_SERVICE: + /* set once only, by pam_start() */ + if (*slot != NULL) + RETURNC(PAM_SYSTEM_ERR); + /* fall through */ case PAM_USER: case PAM_AUTHTOK: case PAM_OLDAUTHTOK: @@ -75,6 +83,7 @@ pam_set_item(pam_handle_t *pamh, case PAM_USER_PROMPT: case PAM_AUTHTOK_PROMPT: case PAM_OLDAUTHTOK_PROMPT: + case PAM_HOST: if (*slot != NULL) osize = strlen(*slot) + 1; if (item != NULL) diff --git a/contrib/openpam/lib/pam_set_mapped_authtok.c b/contrib/openpam/lib/pam_set_mapped_authtok.c index 01ad25584d..d8db84fd34 100644 --- a/contrib/openpam/lib/pam_set_mapped_authtok.c +++ b/contrib/openpam/lib/pam_set_mapped_authtok.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_set_mapped_authtok.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_set_mapped_authtok.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include /* diff --git a/contrib/openpam/lib/pam_set_mapped_username.c b/contrib/openpam/lib/pam_set_mapped_username.c index ae3619bd22..4b8f815391 100644 --- a/contrib/openpam/lib/pam_set_mapped_username.c +++ b/contrib/openpam/lib/pam_set_mapped_username.c 
@@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_set_mapped_username.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_set_mapped_username.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include /* diff --git a/contrib/openpam/lib/pam_setcred.c b/contrib/openpam/lib/pam_setcred.c index 80eb468608..51fb0816b6 100644 --- a/contrib/openpam/lib/pam_setcred.c +++ b/contrib/openpam/lib/pam_setcred.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_setcred.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_setcred.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_setenv.c b/contrib/openpam/lib/pam_setenv.c index e73f6b52b2..fbe6a8f1b6 100644 --- a/contrib/openpam/lib/pam_setenv.c +++ b/contrib/openpam/lib/pam_setenv.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and 
@@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_setenv.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_setenv.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include #include diff --git a/contrib/openpam/lib/pam_sm_acct_mgmt.c b/contrib/openpam/lib/pam_sm_acct_mgmt.c index a57e86a43b..f5c14cf99a 100644 --- a/contrib/openpam/lib/pam_sm_acct_mgmt.c +++ b/contrib/openpam/lib/pam_sm_acct_mgmt.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_sm_acct_mgmt.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_sm_acct_mgmt.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_sm_authenticate.c b/contrib/openpam/lib/pam_sm_authenticate.c index 7f4bb1c70c..97851af43e 100644 --- a/contrib/openpam/lib/pam_sm_authenticate.c +++ b/contrib/openpam/lib/pam_sm_authenticate.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_sm_authenticate.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_sm_authenticate.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include 
diff --git a/contrib/openpam/lib/pam_sm_authenticate_secondary.c b/contrib/openpam/lib/pam_sm_authenticate_secondary.c index bde0366ad5..3f3f6bdf47 100644 --- a/contrib/openpam/lib/pam_sm_authenticate_secondary.c +++ b/contrib/openpam/lib/pam_sm_authenticate_secondary.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_sm_authenticate_secondary.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_sm_authenticate_secondary.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_sm_chauthtok.c b/contrib/openpam/lib/pam_sm_chauthtok.c index 2c41d6d905..593344cca2 100644 --- a/contrib/openpam/lib/pam_sm_chauthtok.c +++ b/contrib/openpam/lib/pam_sm_chauthtok.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_sm_chauthtok.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_sm_chauthtok.c 466 2011-11-02 23:33:43Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include 
@@ -80,4 +84,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, /** * The =pam_sm_chauthtok function is the service module's implementation * of the =pam_chauthtok API function. + * + * When the application calls =pam_chauthtok, the service function is + * called twice, first with the =PAM_PRELIM_CHECK flag set and then again + * with the =PAM_UPDATE_AUTHTOK flag set. */ diff --git a/contrib/openpam/lib/pam_sm_close_session.c b/contrib/openpam/lib/pam_sm_close_session.c index 25cee92579..290f497b1c 100644 --- a/contrib/openpam/lib/pam_sm_close_session.c +++ b/contrib/openpam/lib/pam_sm_close_session.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_sm_close_session.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_sm_close_session.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_sm_get_mapped_authtok.c b/contrib/openpam/lib/pam_sm_get_mapped_authtok.c index 9d85d5f6b8..e86e6e5d36 100644 --- a/contrib/openpam/lib/pam_sm_get_mapped_authtok.c +++ b/contrib/openpam/lib/pam_sm_get_mapped_authtok.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and 
@@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_sm_get_mapped_authtok.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_sm_get_mapped_authtok.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_sm_get_mapped_username.c b/contrib/openpam/lib/pam_sm_get_mapped_username.c index ee4d2506ad..596ca6cb1a 100644 --- a/contrib/openpam/lib/pam_sm_get_mapped_username.c +++ b/contrib/openpam/lib/pam_sm_get_mapped_username.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_sm_get_mapped_username.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_sm_get_mapped_username.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_sm_open_session.c b/contrib/openpam/lib/pam_sm_open_session.c index bfe0794a89..acb401ab3d 100644 --- a/contrib/openpam/lib/pam_sm_open_session.c +++ b/contrib/openpam/lib/pam_sm_open_session.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_sm_open_session.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_sm_open_session.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include 
diff --git a/contrib/openpam/lib/pam_sm_set_mapped_authtok.c b/contrib/openpam/lib/pam_sm_set_mapped_authtok.c index 54fd370495..dab40fd9d0 100644 --- a/contrib/openpam/lib/pam_sm_set_mapped_authtok.c +++ b/contrib/openpam/lib/pam_sm_set_mapped_authtok.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_sm_set_mapped_authtok.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_sm_set_mapped_authtok.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_sm_set_mapped_username.c b/contrib/openpam/lib/pam_sm_set_mapped_username.c index 0239dbb4df..3011016b4b 100644 --- a/contrib/openpam/lib/pam_sm_set_mapped_username.c +++ b/contrib/openpam/lib/pam_sm_set_mapped_username.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_sm_set_mapped_username.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_sm_set_mapped_username.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_sm_setcred.c b/contrib/openpam/lib/pam_sm_setcred.c index 4d472b34dd..0d306838bc 100644 --- a/contrib/openpam/lib/pam_sm_setcred.c +++ b/contrib/openpam/lib/pam_sm_setcred.c 
@@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_sm_setcred.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_sm_setcred.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_start.c b/contrib/openpam/lib/pam_start.c index ee6468b664..84e0085b30 100644 --- a/contrib/openpam/lib/pam_start.c +++ b/contrib/openpam/lib/pam_start.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,14 +32,27 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_start.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_start.c 503 2011-12-18 14:00:33Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include +#include +#include #include #include "openpam_impl.h" +#include "openpam_strlcpy.h" + +#ifdef _SC_HOST_NAME_MAX +#define HOST_NAME_MAX sysconf(_SC_HOST_NAME_MAX) +#else +#define HOST_NAME_MAX 1024 +#endif /* * XSSO 4.2.1 @@ -54,6 +67,7 @@ pam_start(const char *service, const struct pam_conv *pam_conv, pam_handle_t **pamh) { + char hostname[HOST_NAME_MAX + 1]; struct pam_handle *ph; int r; 
@@ -62,20 +76,20 @@ pam_start(const char *service, RETURNC(PAM_BUF_ERR); if ((r = pam_set_item(ph, PAM_SERVICE, service)) != PAM_SUCCESS) goto fail; + if (gethostname(hostname, sizeof hostname) != 0) + strlcpy(hostname, "localhost", sizeof hostname); + if ((r = pam_set_item(ph, PAM_HOST, hostname)) != PAM_SUCCESS) + goto fail; if ((r = pam_set_item(ph, PAM_USER, user)) != PAM_SUCCESS) goto fail; if ((r = pam_set_item(ph, PAM_CONV, pam_conv)) != PAM_SUCCESS) goto fail; - - r = openpam_configure(ph, service); - if (r != PAM_SUCCESS) + if ((r = openpam_configure(ph, service)) != PAM_SUCCESS) goto fail; - *pamh = ph; openpam_log(PAM_LOG_DEBUG, "pam_start(\"%s\") succeeded", service); RETURNC(PAM_SUCCESS); - - fail: +fail: pam_end(ph, r); RETURNC(r); } diff --git a/contrib/openpam/lib/pam_strerror.c b/contrib/openpam/lib/pam_strerror.c index 24498c4566..e29219d847 100644 --- a/contrib/openpam/lib/pam_strerror.c +++ b/contrib/openpam/lib/pam_strerror.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and 
@@ -32,48 +32,19 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_strerror.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_strerror.c 491 2011-11-12 00:12:32Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include #include "openpam_impl.h" -const char *_pam_err_name[PAM_NUM_ERRORS] = { - "PAM_SUCCESS", - "PAM_OPEN_ERR", - "PAM_SYMBOL_ERR", - "PAM_SERVICE_ERR", - "PAM_SYSTEM_ERR", - "PAM_BUF_ERR", - "PAM_CONV_ERR", - "PAM_PERM_DENIED", - "PAM_MAXTRIES", - "PAM_AUTH_ERR", - "PAM_NEW_AUTHTOK_REQD", - "PAM_CRED_INSUFFICIENT", - "PAM_AUTHINFO_UNAVAIL", - "PAM_USER_UNKNOWN", - "PAM_CRED_UNAVAIL", - "PAM_CRED_EXPIRED", - "PAM_CRED_ERR", - "PAM_ACCT_EXPIRED", - "PAM_AUTHTOK_EXPIRED", - "PAM_SESSION_ERR", - "PAM_AUTHTOK_ERR", - "PAM_AUTHTOK_RECOVERY_ERR", - "PAM_AUTHTOK_LOCK_BUSY", - "PAM_AUTHTOK_DISABLE_AGING", - "PAM_NO_MODULE_DATA", - "PAM_IGNORE", - "PAM_ABORT", - "PAM_TRY_AGAIN", - "PAM_MODULE_UNKNOWN", - "PAM_DOMAIN_UNKNOWN" -}; - /* * XSSO 4.2.1 * XSSO 6 page 92 @@ -159,6 +130,8 @@ pam_strerror(const pam_handle_t *pamh, /** * The =pam_strerror function returns a pointer to a string containing a * textual description of the error indicated by the =error_number - * argument, in the context of the PAM transaction described by the =pamh * argument. + * The =pamh argument is ignored. + * For compatibility with other implementations, it should be either a + * valid PAM handle returned by a previous call to =pam_start, or =NULL. */ diff --git a/contrib/openpam/lib/pam_verror.c b/contrib/openpam/lib/pam_verror.c index 0b128d1386..9ed85b688a 100644 --- a/contrib/openpam/lib/pam_verror.c +++ b/contrib/openpam/lib/pam_verror.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and 
@@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_verror.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_verror.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_vinfo.c b/contrib/openpam/lib/pam_vinfo.c index 5282714454..95f45f4d20 100644 --- a/contrib/openpam/lib/pam_vinfo.c +++ b/contrib/openpam/lib/pam_vinfo.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_vinfo.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_vinfo.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include diff --git a/contrib/openpam/lib/pam_vprompt.c b/contrib/openpam/lib/pam_vprompt.c index e1215c3d72..1e390e09c3 100644 --- a/contrib/openpam/lib/pam_vprompt.c +++ b/contrib/openpam/lib/pam_vprompt.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2007 Dag-Erling Smørgrav + * Copyright (c) 2004-2011 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,9 +32,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_vprompt.c 408 2007-12-21 11:36:24Z des $ + * $Id: pam_vprompt.c 437 2011-09-13 12:00:13Z des $ */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + #include #include #include
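Review bot: in the pam_set_item hunk (`case PAM_SERVICE:`), the new set-once guard returns PAM_SYSTEM_ERR on a second call, but the newly added `case PAM_HOST:` gets no such guard, so an application can overwrite the host name that pam_start derives from gethostname() at any time; if that is intended, the function's documentation comment should say that PAM_HOST is writable while PAM_SERVICE is fixed after pam_start(). The `/* fall through */` marker after the guard is the right call and keeps the switch readable.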
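Review bot: in the pam_start hunk that adds the HOST_NAME_MAX macro, `#define HOST_NAME_MAX sysconf(_SC_HOST_NAME_MAX)` turns `char hostname[HOST_NAME_MAX + 1];` into a variable-length array sized at run time, and sysconf() returns -1 when the limit is indeterminate, which yields a zero-length array and undefined behaviour. Query sysconf() once into a local, check for -1 and fall back to the fixed 1024 used in the `#else` branch (or heap-allocate). The guard is also `#ifdef _SC_HOST_NAME_MAX` rather than `#ifndef HOST_NAME_MAX`, so on platforms where <limits.h> already provides HOST_NAME_MAX this silently redefines it.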
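Review bot: in the pam_start hunk that calls gethostname(), a name that does not fit the buffer is not guaranteed to be NUL-terminated by gethostname(), after which `pam_set_item(ph, PAM_HOST, hostname)` runs strlen() on it; add `hostname[sizeof hostname - 1] = '\0';` before the pam_set_item() call. The fallback to "localhost" on failure is silent; an openpam_log(PAM_LOG_DEBUG, ...) line there would make a misconfigured host easier to diagnose.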
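Review bot: in the pam_strerror hunk, the `_pam_err_name[PAM_NUM_ERRORS]` table is deleted from this file but nothing in the visible diff shows where it now lives; confirm the import carries its new definition, since any remaining reference fails at link time otherwise. The updated documentation stating that the `=pamh` argument is ignored is a welcome clarification of the previous wording.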