From 577efdee5765de6f1318271c1d558ba8ec3ebc5e Mon Sep 17 00:00:00 2001 
From: Peter Avalos Date: Wed, 11 Jul 2012 01:43:11 -0700 Subject: [PATCH] Import OpenPAM Micrampelis. See HISTORY for the details. --- contrib/openpam/CREDITS | 10 +- contrib/openpam/HISTORY | 58 +- contrib/openpam/LICENSE | 4 +- contrib/openpam/README.DELETED | 3 + contrib/openpam/RELNOTES | 9 +- contrib/openpam/doc/man/openpam.3 | 25 +- contrib/openpam/doc/man/openpam_borrow_cred.3 | 16 +- contrib/openpam/doc/man/openpam_free_data.3 | 14 +- .../openpam/doc/man/openpam_free_envlist.3 | 15 +- ...m_open_session.3 => openpam_get_feature.3} | 93 ++- contrib/openpam/doc/man/openpam_get_option.3 | 16 +- contrib/openpam/doc/man/openpam_log.3 | 17 +- contrib/openpam/doc/man/openpam_nullconv.3 | 16 +- contrib/openpam/doc/man/openpam_readline.3 | 36 +- ...openpam_readline.3 => openpam_readlinev.3} | 137 ++-- contrib/openpam/doc/man/openpam_readword.3 | 152 +++++ .../openpam/doc/man/openpam_restore_cred.3 | 16 +- ...pam_set_option.3 => openpam_set_feature.3} | 50 +- contrib/openpam/doc/man/openpam_set_option.3 | 16 +- ...npam_restore_cred.3 => openpam_straddch.3} | 94 ++- contrib/openpam/doc/man/openpam_subst.3 | 22 +- contrib/openpam/doc/man/openpam_ttyconv.3 | 18 +- contrib/openpam/doc/man/pam.3 | 5 +- contrib/openpam/doc/man/pam.conf.5 | 10 +- contrib/openpam/doc/man/pam_acct_mgmt.3 | 16 +- contrib/openpam/doc/man/pam_authenticate.3 | 18 +- contrib/openpam/doc/man/pam_chauthtok.3 | 16 +- contrib/openpam/doc/man/pam_close_session.3 | 16 +- contrib/openpam/doc/man/pam_conv.3 | 7 +- contrib/openpam/doc/man/pam_end.3 | 17 +- contrib/openpam/doc/man/pam_error.3 | 16 +- contrib/openpam/doc/man/pam_get_authtok.3 | 22 +- contrib/openpam/doc/man/pam_get_data.3 | 16 +- contrib/openpam/doc/man/pam_get_item.3 | 16 +- contrib/openpam/doc/man/pam_get_user.3 | 18 +- contrib/openpam/doc/man/pam_getenv.3 | 14 +- contrib/openpam/doc/man/pam_getenvlist.3 | 14 +- contrib/openpam/doc/man/pam_info.3 | 16 +- contrib/openpam/doc/man/pam_open_session.3 | 16 +- contrib/openpam/doc/man/pam_prompt.3 
| 16 +- contrib/openpam/doc/man/pam_putenv.3 | 16 +- contrib/openpam/doc/man/pam_set_data.3 | 14 +- contrib/openpam/doc/man/pam_set_item.3 | 14 +- contrib/openpam/doc/man/pam_setcred.3 | 16 +- contrib/openpam/doc/man/pam_setenv.3 | 18 +- contrib/openpam/doc/man/pam_sm_acct_mgmt.3 | 14 +- contrib/openpam/doc/man/pam_sm_authenticate.3 | 14 +- contrib/openpam/doc/man/pam_sm_chauthtok.3 | 14 +- .../openpam/doc/man/pam_sm_close_session.3 | 14 +- contrib/openpam/doc/man/pam_sm_open_session.3 | 14 +- contrib/openpam/doc/man/pam_sm_setcred.3 | 14 +- contrib/openpam/doc/man/pam_start.3 | 14 +- contrib/openpam/doc/man/pam_strerror.3 | 14 +- contrib/openpam/doc/man/pam_verror.3 | 16 +- contrib/openpam/doc/man/pam_vinfo.3 | 16 +- contrib/openpam/doc/man/pam_vprompt.3 | 16 +- contrib/openpam/include/security/openpam.h | 43 +- .../include/security/openpam_version.h | 6 +- .../openpam/lib/openpam_check_owner_perms.c | 23 +- contrib/openpam/lib/openpam_configure.c | 594 +++++++----------- contrib/openpam/lib/openpam_constants.h | 9 +- .../openpam_version.h => lib/openpam_ctype.h} | 53 +- contrib/openpam/lib/openpam_debug.h | 45 +- contrib/openpam/lib/openpam_dynamic.c | 81 ++- .../openpam_features.c} | 54 +- .../{openpam_strlcpy.h => openpam_features.h} | 35 +- ...pam_get_option.c => openpam_get_feature.c} | 88 +-- contrib/openpam/lib/openpam_get_option.c | 3 +- contrib/openpam/lib/openpam_impl.h | 18 +- contrib/openpam/lib/openpam_load.c | 6 +- contrib/openpam/lib/openpam_log.c | 14 +- contrib/openpam/lib/openpam_readline.c | 52 +- contrib/openpam/lib/openpam_readlinev.c | 156 +++++ contrib/openpam/lib/openpam_readword.c | 207 ++++++ .../openpam_set_feature.c} | 60 +- contrib/openpam/lib/openpam_set_option.c | 3 +- contrib/openpam/lib/openpam_straddch.c | 111 ++++ .../{openpam_strlcpy.h => openpam_strlcat.h} | 21 +- contrib/openpam/lib/openpam_strlcmp.h | 5 +- contrib/openpam/lib/openpam_strlcpy.h | 7 +- contrib/openpam/lib/openpam_subst.c | 5 +- 
contrib/openpam/lib/openpam_ttyconv.c | 12 +- contrib/openpam/lib/pam_get_authtok.c | 12 +- contrib/openpam/lib/pam_putenv.c | 4 +- contrib/openpam/lib/pam_setenv.c | 4 +- 85 files changed, 1988 insertions(+), 1087 deletions(-) copy contrib/openpam/doc/man/{pam_open_session.3 => openpam_get_feature.3} (61%) copy contrib/openpam/doc/man/{openpam_readline.3 => openpam_readlinev.3} (53%) create mode 100644 contrib/openpam/doc/man/openpam_readword.3 copy contrib/openpam/doc/man/{openpam_set_option.3 => openpam_set_feature.3} (76%) copy contrib/openpam/doc/man/{openpam_restore_cred.3 => openpam_straddch.3} (61%) copy contrib/openpam/{include/security/openpam_version.h => lib/openpam_ctype.h} (55%) copy contrib/openpam/{include/security/openpam_version.h => lib/openpam_features.c} (61%) copy contrib/openpam/lib/{openpam_strlcpy.h => openpam_features.h} (72%) copy contrib/openpam/lib/{openpam_get_option.c => openpam_get_feature.c} (53%) create mode 100644 contrib/openpam/lib/openpam_readlinev.c create mode 100644 contrib/openpam/lib/openpam_readword.c copy contrib/openpam/{include/security/openpam_version.h => lib/openpam_set_feature.c} (62%) create mode 100644 contrib/openpam/lib/openpam_straddch.c copy contrib/openpam/lib/{openpam_strlcpy.h => openpam_strlcat.h} (74%) diff --git a/contrib/openpam/CREDITS b/contrib/openpam/CREDITS index 665885c8cf..2725d8888c 100644 --- a/contrib/openpam/CREDITS +++ b/contrib/openpam/CREDITS @@ -16,15 +16,19 @@ ideas: Brian Fundakowski Feldman Christos Zoulas Daniel Richard G. - Darren J. Moffat + Darren J. Moffat Dmitry V. Levin + Don Lewis Emmanuel Dreyfus Eric Melville - Gary Winiger + Gary Winiger + Gleb Smirnoff Hubert Feyrer + Jason Evans Joe Marcus Clarke Juli Mallett Jörg Sonnenberger + Maëlle Lesage Mark Murray Matthias Drochner Mike Petullo @@ -39,4 +43,4 @@ ideas: Wojciech A. Koszek Yar Tikhiy -$Id: CREDITS 498 2011-11-21 16:27:04Z des $ +$Id: CREDITS 587 2012-04-08 11:12:10Z des $ 
diff --git a/contrib/openpam/HISTORY b/contrib/openpam/HISTORY
index 81af9eac5a..3cc4c96e08 100644
--- a/contrib/openpam/HISTORY
+++ b/contrib/openpam/HISTORY
@@ -1,3 +1,51 @@
+OpenPAM Micrampelis 2012-05-26
+
+ - FEATURE: Add an openpam_readword(3) function which reads the next
+ word from an input stream, applying shell quoting and escaping
+ rules. Add numerous unit tests for openpam_readword(3).
+
+ - FEATURE: Add an openpam_readlinev(3) function which uses the
+ openpam_readword(3) function to read words from an input stream one
+ at a time until it reaches an unquoted, unescaped newline, and
+ returns an array of those words. Add several unit tests for
+ openpam_readlinev(3).
+
+ - FEATURE: Add a PAM_HOST item which pam_start(3) initializes to the
+ machine's hostname. This was implemented in Lycopsida but
+ inadvertantly left out of the release notes.
+
+ - FEATURE: In pam_get_authtok(3), if neither the application nor the
+ module have specified a prompt and PAM_HOST and PAM_RHOST are both
+ defined but not equal, use a different default prompt that includes
+ PAM_USER and PAM_HOST.
+
+ - ENHANCE: Rewrite the policy parser to used openpam_readlinev(),
+ which greatly simplifies the code.
+
+ - ENHANCE: The previous implementation of the policy parser relied on
+ the openpam_readline(3) function, which (by design) munges
+ whitespace and understands neither quotes nor backslash escapes.
+ As a result of the aforementioned rewrite, whitespace, quotes and
+ backslash escapes in policy files are now handled in a consistent
+ and predictable manner.
+
+ - ENHANCE: On platforms that have it, use fdlopen(3) to load modules.
+ This closes the race between the ownership / permission check and
+ the dlopen(3) call.
+
+ - ENHANCE: Reduce the amount of pointless error messages generated
+ while searching for a module.
+
+ - ENHANCE: Numerous documentation improvements, both in content and
+ formatting.
+
+ - BUGFIX: A patch incorporated in Lycopsida inadvertantly changed
+ OpenPAM's behavior when several policies exist for the same
+ service, from ignoring all but the first to concatenating them all.
+ Revert to the original behavior. + + - BUGFIX: Plug a memory leak in the policy parser. +============================================================================ OpenPAM Lycopsida 2011-12-18 - ENHANCE: removed static build autodetection, which didn't work @@ -269,7 +317,7 @@ OpenPAM Cinchona 2002-04-08 - ENHANCE: Add openpam_free_data(), a generic cleanup function for pam_set_data() consumers. ============================================================================ -OpenPAM Centaury 2002-03-14 +OpenPAM Centaury 2002-03-14 - BUGFIX: Add missing #include to openpam_log.c. @@ -308,7 +356,7 @@ OpenPAM Celandine 2002-03-05 module with the same version number as the library itself to one with no version number at all. ============================================================================ -OpenPAM Cantaloupe 2002-02-22 +OpenPAM Cantaloupe 2002-02-22 - BUGFIX: The proper use of PAM_SYMBOL_ERR is to indicate an invalid argument to pam_[gs]et_item(3), not to indicate dlsym(3) failures. @@ -338,7 +386,7 @@ OpenPAM Cantaloupe 2002-02-22 - ENHANCE: openpam_get_authtok() now respects the echo_pass, try_first_pass, and use_first_pass options. ============================================================================ -OpenPAM Caliopsis 2002-02-13 +OpenPAM Caliopsis 2002-02-13 Fixed a number of bugs in the previous release, including: - a number of bugs in and related to pam_[gs]et_item(3) @@ -349,8 +397,8 @@ Fixed a number of bugs in the previous release, including: - missing 'continue' in openpam_dispatch.c caused successes to be counted as failures ============================================================================ -OpenPAM Calamite 2002-02-09 +OpenPAM Calamite 2002-02-09 First (beta) release. ============================================================================ -$Id: HISTORY 504 2011-12-18 14:11:12Z des $ +$Id: HISTORY 609 2012-05-26 13:57:45Z des $ 
diff --git a/contrib/openpam/LICENSE b/contrib/openpam/LICENSE index e6d4325809..511979487a 100644 --- a/contrib/openpam/LICENSE +++ b/contrib/openpam/LICENSE @@ -1,6 +1,6 @@ Copyright (c) 2002-2003 Networks Associates Technology, Inc. -Copyright (c) 2004-2011 Dag-Erling Smørgrav +Copyright (c) 2004-2012 Dag-Erling Smørgrav All rights reserved. This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,4 +32,4 @@ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -$Id: LICENSE 437 2011-09-13 12:00:13Z des $ +$Id: LICENSE 546 2012-03-31 23:13:20Z des $ diff --git a/contrib/openpam/README.DELETED b/contrib/openpam/README.DELETED index 069d7876d5..04d8d620f0 100644 --- a/contrib/openpam/README.DELETED +++ b/contrib/openpam/README.DELETED @@ -1,6 +1,7 @@ INSTALL Makefile.am Makefile.in +TODO aclocal.m4 autogen.sh bin/ @@ -27,3 +28,5 @@ ltmain.sh misc/ missing modules/ +pamgdb.in +t/ diff --git a/contrib/openpam/RELNOTES b/contrib/openpam/RELNOTES index 71f7eb9207..536460158a 100644 --- a/contrib/openpam/RELNOTES +++ b/contrib/openpam/RELNOTES @@ -1,6 +1,6 @@ - Release notes for OpenPAM Lycopsida - =================================== + Release notes for OpenPAM Micrampelis + ===================================== This release corresponds to the code used in FreeBSD HEAD as of the release date, and is also expected to work on almost any POSIX-like @@ -19,6 +19,9 @@ intended for actual use, but rather to serve as examples for module or application developers. It also includes a command-line application (pamtest) which can be used to test policies and modules. +Unit tests for limited portions of the library can be found in the t +subdirectory. + Please direct bug reports and inquiries to . -$Id: RELNOTES 506 2011-12-18 14:25:12Z des $ +$Id: RELNOTES 609 2012-05-26 13:57:45Z des $ 
diff --git a/contrib/openpam/doc/man/openpam.3 b/contrib/openpam/doc/man/openpam.3 index c04a2aa967..a3ff7fc6ce 100644 --- a/contrib/openpam/doc/man/openpam.3 +++ b/contrib/openpam/doc/man/openpam.3 @@ -34,19 +34,24 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt OPENPAM 3 .Os .Sh NAME .Nm openpam_borrow_cred , .Nm openpam_free_data , .Nm openpam_free_envlist , +.Nm openpam_get_feature , .Nm openpam_get_option , .Nm openpam_log , .Nm openpam_nullconv , .Nm openpam_readline , +.Nm openpam_readlinev , +.Nm openpam_readword , .Nm openpam_restore_cred , +.Nm openpam_set_feature , .Nm openpam_set_option , +.Nm openpam_straddch , .Nm openpam_subst , .Nm openpam_ttyconv , .Nm pam_error , @@ -68,6 +73,8 @@ .Fn openpam_free_data "pam_handle_t *pamh" "void *data" "int status" .Ft "void" .Fn openpam_free_envlist "char **envlist" +.Ft "int" +.Fn openpam_get_feature "int feature" "int *onoff" .Ft "const char *" .Fn openpam_get_option "pam_handle_t *pamh" "const char *option" .Ft "void" @@ -76,11 +83,19 @@ .Fn openpam_nullconv "int n" "const struct pam_message **msg" "struct pam_response **resp" "void *data" .Ft "char *" .Fn openpam_readline "FILE *f" "int *lineno" "size_t *lenp" +.Ft "char **" +.Fn openpam_readlinev "FILE *f" "int *lineno" "int *lenp" +.Ft "char *" +.Fn openpam_readword "FILE *f" "int *lineno" "size_t *lenp" .Ft "int" .Fn openpam_restore_cred "pam_handle_t *pamh" .Ft "int" +.Fn openpam_set_feature "int feature" "int onoff" +.Ft "int" .Fn openpam_set_option "pam_handle_t *pamh" "const char *option" "const char *value" .Ft "int" +.Fn openpam_straddch "char **str" "size_t *size" "size_t *len" "int ch" +.Ft "int" .Fn openpam_subst "const pam_handle_t *pamh" "char *buf" "size_t *bufsize" "const char *template" .Ft "int" .Fn openpam_ttyconv "int n" "const struct pam_message **msg" "struct pam_response **resp" "void *data" 
@@ -117,12 +132,17 @@ standardization. .Xr openpam_borrow_cred 3 , .Xr openpam_free_data 3 , .Xr openpam_free_envlist 3 , +.Xr openpam_get_feature 3 , .Xr openpam_get_option 3 , .Xr openpam_log 3 , .Xr openpam_nullconv 3 , .Xr openpam_readline 3 , +.Xr openpam_readlinev 3 , +.Xr openpam_readword 3 , .Xr openpam_restore_cred 3 , +.Xr openpam_set_feature 3 , .Xr openpam_set_option 3 , +.Xr openpam_straddch 3 , .Xr openpam_subst 3 , .Xr openpam_ttyconv 3 , .Xr pam_error 3 , @@ -146,3 +166,6 @@ Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , as part of the DARPA CHATS research program. +.Pp +The OpenPAM library is maintained by +.An Dag-Erling Sm\(/orgrav Aq des@des.no . diff --git a/contrib/openpam/doc/man/openpam_borrow_cred.3 b/contrib/openpam/doc/man/openpam_borrow_cred.3 index 25780dba44..dd05b4430c 100644 --- a/contrib/openpam/doc/man/openpam_borrow_cred.3 +++ b/contrib/openpam/doc/man/openpam_borrow_cred.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt OPENPAM_BORROW_CRED 3 .Os .Sh NAME @@ -50,7 +50,7 @@ .Fn openpam_borrow_cred "pam_handle_t *pamh" "const struct passwd *pwd" .Sh DESCRIPTION The -.Nm +.Fn openpam_borrow_cred function saves the current credentials and switches to those of the user specified by its .Fa pwd @@ -62,7 +62,7 @@ The original credentials can be restored using .Pp .Sh RETURN VALUES The -.Nm +.Fn openpam_borrow_cred function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_BUF_ERR 
@@ -81,15 +81,15 @@ System error. .Xr pam_strerror 3 .Sh STANDARDS The -.Nm +.Fn openpam_borrow_cred function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn openpam_borrow_cred +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/openpam_free_data.3 b/contrib/openpam/doc/man/openpam_free_data.3 index b32a345707..4d9e0eeed0 100644 --- a/contrib/openpam/doc/man/openpam_free_data.3 +++ b/contrib/openpam/doc/man/openpam_free_data.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt OPENPAM_FREE_DATA 3 .Os .Sh NAME @@ -50,7 +50,7 @@ .Fn openpam_free_data "pam_handle_t *pamh" "void *data" "int status" .Sh DESCRIPTION The -.Nm +.Fn openpam_free_data function is a cleanup function suitable for passing to .Xr pam_set_data 3 . @@ -64,15 +64,15 @@ argument to .Xr pam_set_data 3 .Sh STANDARDS The -.Nm +.Fn openpam_free_data function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn openpam_free_data +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/openpam_free_envlist.3 b/contrib/openpam/doc/man/openpam_free_envlist.3 index 0c1976a912..cf8c585539 100644 --- a/contrib/openpam/doc/man/openpam_free_envlist.3 +++ b/contrib/openpam/doc/man/openpam_free_envlist.3 
@@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt OPENPAM_FREE_ENVLIST 3 .Os .Sh NAME @@ -50,7 +50,7 @@ .Fn openpam_free_envlist "char **envlist" .Sh DESCRIPTION The -.Nm +.Fn openpam_free_envlist function is a convenience function which frees all the environment variables in an environment list, and the list itself. @@ -62,12 +62,11 @@ It is suitable for freeing the return value from .Xr pam_getenvlist 3 .Sh STANDARDS The -.Nm +.Fn openpam_free_envlist function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the -.Fx -Project by -.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org . +.Fn openpam_free_envlist +function and this manual page were +developed by +.An Dag-Erling Sm\(/orgrav Aq des@des.no . diff --git a/contrib/openpam/doc/man/pam_open_session.3 b/contrib/openpam/doc/man/openpam_get_feature.3 similarity index 61% copy from contrib/openpam/doc/man/pam_open_session.3 copy to contrib/openpam/doc/man/openpam_get_feature.3 index 13811c7d29..e63ef0cd6a 100644 --- a/contrib/openpam/doc/man/pam_open_session.3 +++ b/contrib/openpam/doc/man/openpam_get_feature.3 
@@ -34,79 +34,72 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 -.Dt PAM_OPEN_SESSION 3 +.Dd May 26, 2012 +.Dt OPENPAM_GET_FEATURE 3 .Os .Sh NAME -.Nm pam_open_session -.Nd open a user session +.Nm openpam_get_feature +.Nd query the state of an optional feature .Sh LIBRARY .Lb libpam .Sh SYNOPSIS .In sys/types.h .In security/pam_appl.h +.In security/openpam.h .Ft "int" -.Fn pam_open_session "pam_handle_t *pamh" "int flags" +.Fn openpam_get_feature "int feature" "int *onoff" .Sh DESCRIPTION -The -.Nm -sets up a user session for a previously -authenticated user. -The session should later be torn down by a call to -.Xr pam_close_session 3 . +.Bf Sy +This function is experimental and may be modified or removed in a future release without further warning. +.Ef .Pp The -.Fa flags -argument is the binary or of zero or more of the following -values: +.Fn openpam_get_feature +function stores the current state of the +specified feature in the variable pointed to by its +.Fa onoff +argument. +.Pp +The following features are recognized: .Bl -tag -width 18n -.It Dv PAM_SILENT -Do not emit any messages. +.It Dv OPENPAM_RESTRICT_SERVICE_NAME +Disallow path separators in service names. +This feature is enabled by default. +Disabling it allows the application to specify the path to +the desired policy file directly. +.It Dv OPENPAM_VERIFY_POLICY_FILE +Verify the ownership and permissions of the policy file +and the path leading up to it. +This feature is enabled by default. +.It Dv OPENPAM_RESTRICT_MODULE_NAME +Disallow path separators in module names. +This feature is disabled by default. +Enabling it prevents the use of modules in non-standard +locations. +.It Dv OPENPAM_VERIFY_MODULE_FILE +Verify the ownership and permissions of each loadable +module and the path leading up to it. +This feature is enabled by default. .El -.Pp -If any other bits are set, -.Nm -will return -.Dv PAM_SYMBOL_ERR . 
.Sh RETURN VALUES The -.Nm +.Fn openpam_get_feature function returns one of the following values: .Bl -tag -width 18n -.It Bq Er PAM_ABORT -General failure. -.It Bq Er PAM_BUF_ERR -Memory buffer error. -.It Bq Er PAM_CONV_ERR -Conversation failure. -.It Bq Er PAM_PERM_DENIED -Permission denied. -.It Bq Er PAM_SERVICE_ERR -Error in service module. -.It Bq Er PAM_SESSION_ERR -Session failure. .It Bq Er PAM_SYMBOL_ERR Invalid symbol. -.It Bq Er PAM_SYSTEM_ERR -System error. .El .Sh SEE ALSO +.Xr openpam_set_feature 3 , .Xr pam 3 , -.Xr pam_close_session 3 , .Xr pam_strerror 3 .Sh STANDARDS -.Rs -.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" -.%D "June 1997" -.Re +The +.Fn openpam_get_feature +function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the -.Fx -Project by -ThinkSec AS and Network Associates Laboratories, the -Security Research Division of Network Associates, Inc.\& under -DARPA/SPAWAR contract N66001-01-C-8035 -.Pq Dq CBOSS , -as part of the DARPA CHATS research program. +.Fn openpam_get_feature +function and this manual page were +developed by +.An Dag-Erling Sm\(/orgrav Aq des@des.no . diff --git a/contrib/openpam/doc/man/openpam_get_option.3 b/contrib/openpam/doc/man/openpam_get_option.3 index d656612969..68a6b2e777 100644 --- a/contrib/openpam/doc/man/openpam_get_option.3 +++ b/contrib/openpam/doc/man/openpam_get_option.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt OPENPAM_GET_OPTION 3 .Os .Sh NAME @@ -50,7 +50,7 @@ .Fn openpam_get_option "pam_handle_t *pamh" "const char *option" .Sh DESCRIPTION The -.Nm +.Fn openpam_get_option function returns the value of the specified option in the context of the currently executing service module, or .Dv NULL @@ -58,7 +58,7 @@ if the option is not set or no module is currently executing. .Pp .Sh RETURN VALUES The -.Nm +.Fn openpam_get_option function returns .Dv NULL on failure. 
@@ -67,15 +67,15 @@ on failure. .Xr pam 3 .Sh STANDARDS The -.Nm +.Fn openpam_get_option function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn openpam_get_option +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/openpam_log.3 b/contrib/openpam/doc/man/openpam_log.3 index adfc0061a8..e5e3192c8a 100644 --- a/contrib/openpam/doc/man/openpam_log.3 +++ b/contrib/openpam/doc/man/openpam_log.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt OPENPAM_LOG 3 .Os .Sh NAME @@ -50,7 +50,7 @@ .Fn openpam_log "int level" "const char *fmt" "..." .Sh DESCRIPTION The -.Nm +.Fn openpam_log function logs messages using .Xr syslog 3 . It is primarily intended for internal use by the library and modules. @@ -60,6 +60,9 @@ The argument indicates the importance of the message. The following levels are defined: .Bl -tag -width 18n +.It Dv PAM_LOG_LIBDEBUG +Debugging messages. +For internal use only. .It Dv PAM_LOG_DEBUG Debugging messages. These messages are normally not logged unless the global @@ -101,15 +104,15 @@ corresponding arguments. .Xr syslog 3 .Sh STANDARDS The -.Nm +.Fn openpam_log function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn openpam_log +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , 
diff --git a/contrib/openpam/doc/man/openpam_nullconv.3 b/contrib/openpam/doc/man/openpam_nullconv.3 index 1873cba2ee..f5194d38ff 100644 --- a/contrib/openpam/doc/man/openpam_nullconv.3 +++ b/contrib/openpam/doc/man/openpam_nullconv.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt OPENPAM_NULLCONV 3 .Os .Sh NAME @@ -50,7 +50,7 @@ .Fn openpam_nullconv "int n" "const struct pam_message **msg" "struct pam_response **resp" "void *data" .Sh DESCRIPTION The -.Nm +.Fn openpam_nullconv function is a null conversation function suitable for applications that want to use PAM but don't support interactive dialog with the user. @@ -71,7 +71,7 @@ try to query the user. .Pp .Sh RETURN VALUES The -.Nm +.Fn openpam_nullconv function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_CONV_ERR @@ -88,15 +88,15 @@ Conversation failure. .Xr pam_vprompt 3 .Sh STANDARDS The -.Nm +.Fn openpam_nullconv function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn openpam_nullconv +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/openpam_readline.3 b/contrib/openpam/doc/man/openpam_readline.3 index cf7ab47f53..32dd55b19f 100644 --- a/contrib/openpam/doc/man/openpam_readline.3 +++ b/contrib/openpam/doc/man/openpam_readline.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt OPENPAM_READLINE 3 .Os .Sh NAME 
@@ -44,27 +44,32 @@ .Lb libpam .Sh SYNOPSIS .In sys/types.h +.In stdio.h .In security/pam_appl.h .In security/openpam.h .Ft "char *" .Fn openpam_readline "FILE *f" "int *lineno" "size_t *lenp" .Sh DESCRIPTION +.Bf Sy +This function is deprecated and may be removed in a future release without further warning. The -.Nm +.Fn openpam_readlinev +function may be used to achieve similar results. +.Ef +.Pp +The +.Fn openpam_readline function reads a line from a file, and returns it in a NUL-terminated buffer allocated with .Xr malloc 3 . .Pp The -.Nm +.Fn openpam_readline function performs a certain amount of processing on the data it reads: .Bl -bullet .It -Comments (introduced by a hash sign) are stripped, as is leading and -trailing whitespace. -.It -Any amount of linear whitespace is collapsed to a single space. +Comments (introduced by a hash sign) are stripped. .It Blank lines are ignored. .It @@ -89,27 +94,28 @@ terminating NUL character) is stored in the variable it points to. The caller is responsible for releasing the returned buffer by passing it to .Xr free 3 . +.Pp .Sh RETURN VALUES The -.Nm +.Fn openpam_readline function returns .Dv NULL on failure. .Sh SEE ALSO -.Xr free 3 , -.Xr malloc 3 , +.Xr openpam_readlinev 3 , +.Xr openpam_readword 3 , .Xr pam 3 .Sh STANDARDS The -.Nm +.Fn openpam_readline function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn openpam_readline +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , 
diff --git a/contrib/openpam/doc/man/openpam_readline.3 b/contrib/openpam/doc/man/openpam_readlinev.3 similarity index 53% copy from contrib/openpam/doc/man/openpam_readline.3 copy to contrib/openpam/doc/man/openpam_readlinev.3 index cf7ab47f53..f2ba1a6b77 100644 --- a/contrib/openpam/doc/man/openpam_readline.3 +++ b/contrib/openpam/doc/man/openpam_readlinev.3 @@ -34,43 +34,28 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 -.Dt OPENPAM_READLINE 3 +.Dd May 26, 2012 +.Dt OPENPAM_READLINEV 3 .Os .Sh NAME -.Nm openpam_readline -.Nd read a line from a file +.Nm openpam_readlinev +.Nd read a line from a file and split it into words .Sh LIBRARY .Lb libpam .Sh SYNOPSIS .In sys/types.h +.In stdio.h .In security/pam_appl.h .In security/openpam.h -.Ft "char *" -.Fn openpam_readline "FILE *f" "int *lineno" "size_t *lenp" +.Ft "char **" +.Fn openpam_readlinev "FILE *f" "int *lineno" "int *lenp" .Sh DESCRIPTION The -.Nm -function reads a line from a file, and returns it -in a NUL-terminated buffer allocated with -.Xr malloc 3 . -.Pp -The -.Nm -function performs a certain amount of processing -on the data it reads: -.Bl -bullet -.It -Comments (introduced by a hash sign) are stripped, as is leading and -trailing whitespace. -.It -Any amount of linear whitespace is collapsed to a single space. -.It -Blank lines are ignored. -.It -If a line ends in a backslash, the backslash is stripped and the -next line is appended. -.El +.Fn openpam_readlinev +function reads a line from a file, splits it +into words according to the rules described in the +.Xr openpam_readword 3 +manual page, and returns a list of those words. .Pp If .Fa lineno 
@@ -78,39 +63,97 @@ is not .Dv NULL , the integer variable it points to is incremented every time a newline character is read. +This includes quoted or escaped newline characters and the newline +character at the end of the line. .Pp If .Fa lenp is not .Dv NULL , -the length of the line (not including the -terminating NUL character) is stored in the variable it points to. +the number of words on the line is stored in the +variable to which it points. +.Sh RETURN VALUES +If successful, the +.Fn openpam_readlinev +function returns a pointer to a +dynamically allocated array of pointers to individual dynamically +allocated NUL-terminated strings, each containing a single word, in the +order in which they were encountered on the line. +The array is terminated by a +.Dv NULL +pointer. .Pp -The caller is responsible for releasing the returned buffer by passing -it to +The caller is responsible for freeing both the array and the individual +strings by passing each of them to .Xr free 3 . -.Sh RETURN VALUES +.Pp +If the end of the line was reached before any words were read, +.Fn openpam_readlinev +returns a pointer to a dynamically allocated array +containing a single +.Dv NULL +pointer. +.Pp The -.Nm -function returns +.Fn openpam_readlinev +function can fail and return .Dv NULL -on failure. +for one of +four reasons: +.Bl -bullet +.It +The end of the file was reached before any words were read; +.Va errno +is +zero, +.Xr ferror 3 +returns zero, and +.Xr feof 3 +returns a non-zero value. +.It +The end of the file was reached while a quote or backslash escape +was in effect; +.Va errno +is set to +.Dv EINVAL , +.Xr ferror 3 +returns zero, and +.Xr feof 3 +returns a non-zero value. +.It +An error occurred while reading from the file; +.Va errno +is non-zero, +.Xr ferror 3 +returns a non-zero value and +.Xr feof 3 +returns zero. 
+.It +A +.Xr malloc 3 +or +.Xr realloc 3 +call failed; +.Va errno +is set to +.Dv ENOMEM , +.Xr ferror 3 +returns a non-zero value, and +.Xr feof 3 +may or may not return +a non-zero value. +.El .Sh SEE ALSO -.Xr free 3 , -.Xr malloc 3 , +.Xr openpam_readline 3 , +.Xr openpam_readword 3 , .Xr pam 3 .Sh STANDARDS The -.Nm +.Fn openpam_readlinev function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the -.Fx -Project by -ThinkSec AS and Network Associates Laboratories, the -Security Research Division of Network Associates, Inc.\& under -DARPA/SPAWAR contract N66001-01-C-8035 -.Pq Dq CBOSS , -as part of the DARPA CHATS research program. +.Fn openpam_readlinev +function and this manual page were +developed by +.An Dag-Erling Sm\(/orgrav Aq des@des.no . diff --git a/contrib/openpam/doc/man/openpam_readword.3 b/contrib/openpam/doc/man/openpam_readword.3 new file mode 100644 index 0000000000..6f5f58d34b --- /dev/null +++ b/contrib/openpam/doc/man/openpam_readword.3 
@@ -0,0 +1,152 @@ +.\"- +.\" Copyright (c) 2001-2003 Networks Associates Technology, Inc. +.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav +.\" All rights reserved. +.\" +.\" This software was developed for the FreeBSD Project by ThinkSec AS and +.\" Network Associates Laboratories, the Security Research Division of +.\" Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 +.\" ("CBOSS"), as part of the DARPA CHATS research program. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote +.\" products derived from this software without specific prior written +.\" permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $Id$ +.\" +.Dd May 26, 2012 +.Dt OPENPAM_READWORD 3 +.Os +.Sh NAME +.Nm openpam_readword +.Nd read a word from a file, respecting shell quoting rules +.Sh LIBRARY +.Lb libpam +.Sh SYNOPSIS +.In sys/types.h +.In stdio.h +.In security/pam_appl.h +.In security/openpam.h +.Ft "char *" +.Fn openpam_readword "FILE *f" "int *lineno" "size_t *lenp" +.Sh DESCRIPTION +The +.Fn openpam_readword +function reads the next word from a file, and +returns it in a NUL-terminated buffer allocated with +.Xr malloc 3 . +.Pp +A word is a sequence of non-whitespace characters. +However, whitespace characters can be included in a word if quoted or +escaped according to the following rules: +.Bl -bullet +.It +An unescaped single or double quote introduces a quoted string, +which ends when the same quote character is encountered a second +time. +The quotes themselves are stripped. +.It +Within a single- or double-quoted string, all whitespace characters, +including the newline character, are preserved as-is. +.It +Outside a quoted string, a backslash escapes the next character, +which is preserved as-is, unless that character is a newline, in +which case it is discarded and reading continues at the beginning of +the next line as if the backslash and newline had not been there. +In all cases, the backslash itself is discarded. +.It +Within a single-quoted string, double quotes and backslashes are +preserved as-is. +.It +Within a double-quoted string, a single quote is preserved as-is, +and a backslash is preserved as-is unless used to escape a double +quote. +.El +.Pp +In addition, if the first non-whitespace character on the line is a +hash character (#), the rest of the line is discarded. +If a hash character occurs within a word, however, it is preserved +as-is. +A backslash at the end of a comment does cause line continuation. +.Pp +If +.Fa lineno +is not +.Dv NULL , +the integer variable it points to is +incremented every time a quoted or escaped newline character is read. 
+.Pp +If +.Fa lenp +is not +.Dv NULL , +the length of the word (after quotes and +backslashes have been removed) is stored in the variable it points to. +.Sh RETURN VALUES +If successful, the +.Fn openpam_readword +function returns a pointer to a +dynamically allocated NUL-terminated string containing the first word +encountered on the line. +.Pp +The caller is responsible for releasing the returned buffer by passing +it to +.Xr free 3 . +.Pp +If +.Fn openpam_readword +reaches the end of the line or file before any +characters are copied to the word, it returns +.Dv NULL . +In the former +case, the newline is pushed back to the file. +.Pp +If +.Fn openpam_readword +reaches the end of the file while a quote or +backslash escape is in effect, it sets +.Va errno +to +.Dv EINVAL +and returns +.Dv NULL . +.Sh IMPLEMENTATION NOTES +The parsing rules are intended to be equivalent to the normal POSIX +shell quoting rules. +Any discrepancy is a bug and should be reported to the author along +with sample input that can be used to reproduce the error. +.Pp +.Sh SEE ALSO +.Xr openpam_readline 3 , +.Xr openpam_readlinev 3 , +.Xr pam 3 +.Sh STANDARDS +The +.Fn openpam_readword +function is an OpenPAM extension. +.Sh AUTHORS +The +.Fn openpam_readword +function and this manual page were +developed by +.An Dag-Erling Sm\(/orgrav Aq des@des.no . diff --git a/contrib/openpam/doc/man/openpam_restore_cred.3 b/contrib/openpam/doc/man/openpam_restore_cred.3 index 12ff8b823a..d088ded591 100644 --- a/contrib/openpam/doc/man/openpam_restore_cred.3 +++ b/contrib/openpam/doc/man/openpam_restore_cred.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt OPENPAM_RESTORE_CRED 3 .Os .Sh NAME 
@@ -50,13 +50,13 @@ .Fn openpam_restore_cred "pam_handle_t *pamh" .Sh DESCRIPTION The -.Nm +.Fn openpam_restore_cred function restores the credentials saved by .Xr openpam_borrow_cred 3 . .Pp .Sh RETURN VALUES The -.Nm +.Fn openpam_restore_cred function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_NO_MODULE_DATA @@ -73,15 +73,15 @@ System error. .Xr pam_strerror 3 .Sh STANDARDS The -.Nm +.Fn openpam_restore_cred function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn openpam_restore_cred +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/openpam_set_option.3 b/contrib/openpam/doc/man/openpam_set_feature.3 similarity index 76% copy from contrib/openpam/doc/man/openpam_set_option.3 copy to contrib/openpam/doc/man/openpam_set_feature.3 index f186c000d8..8356dec611 100644 --- a/contrib/openpam/doc/man/openpam_set_option.3 +++ b/contrib/openpam/doc/man/openpam_set_feature.3 @@ -34,12 +34,12 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 -.Dt OPENPAM_SET_OPTION 3 +.Dd May 26, 2012 +.Dt OPENPAM_SET_FEATURE 3 .Os .Sh NAME -.Nm openpam_set_option -.Nd sets the value of a module option +.Nm openpam_set_feature +.Nd enable or disable an optional feature .Sh LIBRARY .Lb libpam .Sh SYNOPSIS 
@@ -47,39 +47,41 @@ .In security/pam_appl.h .In security/openpam.h .Ft "int" -.Fn openpam_set_option "pam_handle_t *pamh" "const char *option" "const char *value" +.Fn openpam_set_feature "int feature" "int onoff" .Sh DESCRIPTION +.Bf Sy +This function is experimental and may be modified or removed in a future release without further warning. +.Ef +.Pp The -.Nm -function sets the specified option in the -context of the currently executing service module. +.Fn openpam_set_feature +function sets the state of the specified +feature to the value specified by the +.Fa onoff +argument. +See +.Xr openpam_get_feature 3 +for a list of recognized features. .Pp .Sh RETURN VALUES The -.Nm +.Fn openpam_set_feature function returns one of the following values: .Bl -tag -width 18n -.It Bq Er PAM_BUF_ERR -Memory buffer error. -.It Bq Er PAM_SYSTEM_ERR -System error. +.It Bq Er PAM_SYMBOL_ERR +Invalid symbol. .El .Sh SEE ALSO -.Xr openpam_get_option 3 , +.Xr openpam_get_feature 3 , .Xr pam 3 , .Xr pam_strerror 3 .Sh STANDARDS The -.Nm +.Fn openpam_set_feature function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the -.Fx -Project by -ThinkSec AS and Network Associates Laboratories, the -Security Research Division of Network Associates, Inc.\& under -DARPA/SPAWAR contract N66001-01-C-8035 -.Pq Dq CBOSS , -as part of the DARPA CHATS research program. +.Fn openpam_set_feature +function and this manual page were +developed by +.An Dag-Erling Sm\(/orgrav Aq des@des.no . diff --git a/contrib/openpam/doc/man/openpam_set_option.3 b/contrib/openpam/doc/man/openpam_set_option.3 index f186c000d8..b1e2267c99 100644 --- a/contrib/openpam/doc/man/openpam_set_option.3 +++ b/contrib/openpam/doc/man/openpam_set_option.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt OPENPAM_SET_OPTION 3 .Os .Sh NAME 
@@ -50,13 +50,13 @@ .Fn openpam_set_option "pam_handle_t *pamh" "const char *option" "const char *value" .Sh DESCRIPTION The -.Nm +.Fn openpam_set_option function sets the specified option in the context of the currently executing service module. .Pp .Sh RETURN VALUES The -.Nm +.Fn openpam_set_option function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_BUF_ERR @@ -70,15 +70,15 @@ System error. .Xr pam_strerror 3 .Sh STANDARDS The -.Nm +.Fn openpam_set_option function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn openpam_set_option +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/openpam_restore_cred.3 b/contrib/openpam/doc/man/openpam_straddch.3 similarity index 61% copy from contrib/openpam/doc/man/openpam_restore_cred.3 copy to contrib/openpam/doc/man/openpam_straddch.3 index 12ff8b823a..c55582477e 100644 --- a/contrib/openpam/doc/man/openpam_restore_cred.3 +++ b/contrib/openpam/doc/man/openpam_straddch.3 @@ -34,12 +34,12 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 -.Dt OPENPAM_RESTORE_CRED 3 +.Dd May 26, 2012 +.Dt OPENPAM_STRADDCH 3 .Os .Sh NAME -.Nm openpam_restore_cred -.Nd restore credentials +.Nm openpam_straddch +.Nd add a character to a string, expanding the buffer if needed .Sh LIBRARY .Lb libpam .Sh SYNOPSIS 
@@ -47,42 +47,76 @@ .In security/pam_appl.h .In security/openpam.h .Ft "int" -.Fn openpam_restore_cred "pam_handle_t *pamh" +.Fn openpam_straddch "char **str" "size_t *size" "size_t *len" "int ch" .Sh DESCRIPTION The -.Nm -function restores the credentials saved by -.Xr openpam_borrow_cred 3 . +.Fn openpam_straddch +function appends a character to a dynamically +allocated NUL-terminated buffer, reallocating the buffer as needed. +.Pp +The +.Fa str +argument points to a variable containing either a pointer to +an existing buffer or +.Dv NULL . +If the value of the variable pointed to by +.Fa str +is +.Dv NULL , +a new buffer +is allocated. +.Pp +The +.Fa size +and +.Fa len +argument point to variables used to hold the size +of the buffer and the length of the string it contains, respectively. +.Pp +If a new buffer is allocated or an existing buffer is reallocated to +make room for the additional character, +.Fa str +and +.Fa size +are updated +accordingly. +.Pp +The +.Fn openpam_straddch +function ensures that the buffer is always +NUL-terminated. +.Pp +If the +.Fn openpam_straddch +function is successful, it increments the +integer variable pointed to by +.Fa len +and returns 0. +Otherwise, it leaves the variables pointed to by +.Fa str , +.Fa size +and +.Fa len +unmodified, sets +.Va errno +to +.Dv ENOMEM +and returns -1. .Pp .Sh RETURN VALUES The -.Nm -function returns one of the following values: -.Bl -tag -width 18n -.It Bq Er PAM_NO_MODULE_DATA -Module data not found. -.It Bq Er PAM_SYSTEM_ERR -System error. -.El +.Fn openpam_straddch +function returns 0 on success and -1 on failure. .Sh SEE ALSO -.Xr setegid 2 , -.Xr seteuid 2 , -.Xr setgroups 2 , -.Xr openpam_borrow_cred 3 , .Xr pam 3 , .Xr pam_strerror 3 .Sh STANDARDS The -.Nm +.Fn openpam_straddch function is an OpenPAM extension. 
.Sh AUTHORS The -.Nm -function and this manual page were developed for the -.Fx -Project by -ThinkSec AS and Network Associates Laboratories, the -Security Research Division of Network Associates, Inc.\& under -DARPA/SPAWAR contract N66001-01-C-8035 -.Pq Dq CBOSS , -as part of the DARPA CHATS research program. +.Fn openpam_straddch +function and this manual page were +developed by +.An Dag-Erling Sm\(/orgrav Aq des@des.no . diff --git a/contrib/openpam/doc/man/openpam_subst.3 b/contrib/openpam/doc/man/openpam_subst.3 index 565b3e0709..47297c92cc 100644 --- a/contrib/openpam/doc/man/openpam_subst.3 +++ b/contrib/openpam/doc/man/openpam_subst.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt OPENPAM_SUBST 3 .Os .Sh NAME @@ -50,7 +50,7 @@ .Fn openpam_subst "const pam_handle_t *pamh" "char *buf" "size_t *bufsize" "const char *template" .Sh DESCRIPTION The -.Nm +.Fn openpam_subst function expands a string, substituting PAM item values for all occurrences of specific substitution codes. The @@ -73,12 +73,12 @@ string, .Fa bufsize is updated to reflect the amount of space required to hold the entire string, and -.Nm +.Fn openpam_subst returns .Dv PAM_TRY_AGAIN . .Pp If -.Nm +.Fn openpam_subst fails for any other reason, the .Fa bufsize argument is @@ -112,10 +112,9 @@ Replaced by the current value of the .Dv PAM_USER item. .El -.Pp .Sh RETURN VALUES The -.Nm +.Fn openpam_subst function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_SYSTEM_ERR @@ -131,12 +130,11 @@ Try again. .Xr pam_strerror 3 .Sh STANDARDS The -.Nm +.Fn openpam_subst function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the -.Fx -Project by -.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org . +.Fn openpam_subst +function and this manual page were +developed by +.An Dag-Erling Sm\(/orgrav Aq des@des.no . 
diff --git a/contrib/openpam/doc/man/openpam_ttyconv.3 b/contrib/openpam/doc/man/openpam_ttyconv.3 index b2cd9d9dc9..3e97cb4b3d 100644 --- a/contrib/openpam/doc/man/openpam_ttyconv.3 +++ b/contrib/openpam/doc/man/openpam_ttyconv.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt OPENPAM_TTYCONV 3 .Os .Sh NAME @@ -50,14 +50,14 @@ .Fn openpam_ttyconv "int n" "const struct pam_message **msg" "struct pam_response **resp" "void *data" .Sh DESCRIPTION The -.Nm +.Fn openpam_ttyconv function is a standard conversation function suitable for use on TTY devices. It should be adequate for the needs of most text-based interactive programs. .Pp The -.Nm +.Fn openpam_ttyconv function allows the application to specify a timeout for user input by setting the global integer variable .Va openpam_ttyconv_timeout @@ -65,7 +65,7 @@ to the length of the timeout in seconds. .Pp .Sh RETURN VALUES The -.Nm +.Fn openpam_ttyconv function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_BUF_ERR @@ -83,15 +83,15 @@ System error. .Xr pam_vprompt 3 .Sh STANDARDS The -.Nm +.Fn openpam_ttyconv function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn openpam_ttyconv +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam.3 b/contrib/openpam/doc/man/pam.3 index 11befcda52..196a3c75cb 100644 --- a/contrib/openpam/doc/man/pam.3 +++ b/contrib/openpam/doc/man/pam.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM 3 .Os .Sh NAME 
@@ -291,3 +291,6 @@ Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , as part of the DARPA CHATS research program. +.Pp +The OpenPAM library is maintained by +.An Dag-Erling Sm\(/orgrav Aq des@des.no . diff --git a/contrib/openpam/doc/man/pam.conf.5 b/contrib/openpam/doc/man/pam.conf.5 index 3669f927f9..d5f80d57a1 100644 --- a/contrib/openpam/doc/man/pam.conf.5 +++ b/contrib/openpam/doc/man/pam.conf.5 @@ -26,9 +26,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $Id: pam.conf.5 485 2011-11-03 16:57:37Z des $ +.\" $Id: pam.conf.5 610 2012-05-26 14:03:45Z des $ .\" -.Dd November 3, 2011 +.Dd May 26, 2012 .Dt PAM.CONF 5 .Os .Sh NAME @@ -50,7 +50,7 @@ decreasing order of preference: .Pp If none of these locations contains a policy for the given service, the -.Dv default +.Dq Dv other policy is used instead, if it exists. .Pp Entries in per-service policy files must be of one of the two forms @@ -177,5 +177,5 @@ DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , as part of the DARPA CHATS research program. .Pp -This manual page was written by -.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org . +The OpenPAM library is maintained by +.An Dag-Erling Sm\(/orgrav Aq des@des.no . diff --git a/contrib/openpam/doc/man/pam_acct_mgmt.3 b/contrib/openpam/doc/man/pam_acct_mgmt.3 index 94100484fb..f79c4646c4 100644 --- a/contrib/openpam/doc/man/pam_acct_mgmt.3 +++ b/contrib/openpam/doc/man/pam_acct_mgmt.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_ACCT_MGMT 3 .Os .Sh NAME @@ -49,7 +49,7 @@ .Fn pam_acct_mgmt "pam_handle_t *pamh" "int flags" .Sh DESCRIPTION The -.Nm +.Fn pam_acct_mgmt function verifies and enforces account restrictions after the user has been authenticated. .Pp 
@@ -65,12 +65,12 @@ Fail if the user's authentication token is null. .El .Pp If any other bits are set, -.Nm +.Fn pam_acct_mgmt will return .Dv PAM_SYMBOL_ERR . .Sh RETURN VALUES The -.Nm +.Fn pam_acct_mgmt function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_ABORT @@ -104,11 +104,11 @@ Unknown user. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_acct_mgmt +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_authenticate.3 b/contrib/openpam/doc/man/pam_authenticate.3 index 8263280f09..c521a388ba 100644 --- a/contrib/openpam/doc/man/pam_authenticate.3 +++ b/contrib/openpam/doc/man/pam_authenticate.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_AUTHENTICATE 3 .Os .Sh NAME @@ -49,14 +49,14 @@ .Fn pam_authenticate "pam_handle_t *pamh" "int flags" .Sh DESCRIPTION The -.Nm +.Fn pam_authenticate function attempts to authenticate the user associated with the pam context specified by the .Fa pamh argument. .Pp The application is free to call -.Nm +.Fn pam_authenticate as many times as it wishes, but some modules may maintain an internal retry counter and return @@ -75,12 +75,12 @@ Fail if the user's authentication token is null. .El .Pp If any other bits are set, -.Nm +.Fn pam_authenticate will return .Dv PAM_SYMBOL_ERR . .Sh RETURN VALUES The -.Nm +.Fn pam_authenticate function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_ABORT 
@@ -118,11 +118,11 @@ Unknown user. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_authenticate +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_chauthtok.3 b/contrib/openpam/doc/man/pam_chauthtok.3 index 5823866928..11647e7ad0 100644 --- a/contrib/openpam/doc/man/pam_chauthtok.3 +++ b/contrib/openpam/doc/man/pam_chauthtok.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_CHAUTHTOK 3 .Os .Sh NAME @@ -49,7 +49,7 @@ .Fn pam_chauthtok "pam_handle_t *pamh" "int flags" .Sh DESCRIPTION The -.Nm +.Fn pam_chauthtok function attempts to change the authentication token for the user associated with the pam context specified by the .Fa pamh @@ -67,12 +67,12 @@ Change only those authentication tokens that have expired. .El .Pp If any other bits are set, -.Nm +.Fn pam_chauthtok will return .Dv PAM_SYMBOL_ERR . .Sh RETURN VALUES The -.Nm +.Fn pam_chauthtok function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_ABORT @@ -110,11 +110,11 @@ Try again. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_chauthtok +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_close_session.3 b/contrib/openpam/doc/man/pam_close_session.3 index 43e4b0392c..dba62e816a 100644 --- a/contrib/openpam/doc/man/pam_close_session.3 +++ b/contrib/openpam/doc/man/pam_close_session.3 
@@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_CLOSE_SESSION 3 .Os .Sh NAME @@ -49,7 +49,7 @@ .Fn pam_close_session "pam_handle_t *pamh" "int flags" .Sh DESCRIPTION The -.Nm +.Fn pam_close_session function tears down the user session previously set up by .Xr pam_open_session 3 . @@ -64,12 +64,12 @@ Do not emit any messages. .El .Pp If any other bits are set, -.Nm +.Fn pam_close_session will return .Dv PAM_SYMBOL_ERR . .Sh RETURN VALUES The -.Nm +.Fn pam_close_session function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_ABORT @@ -100,11 +100,11 @@ System error. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_close_session +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_conv.3 b/contrib/openpam/doc/man/pam_conv.3 index 6b6e697b06..a1b121b101 100644 --- a/contrib/openpam/doc/man/pam_conv.3 +++ b/contrib/openpam/doc/man/pam_conv.3 @@ -32,9 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $Id: pam_conv.3 437 2011-09-13 12:00:13Z des $ +.\" $Id: pam_conv.3 610 2012-05-26 14:03:45Z des $ .\" -.Dd June 16, 2005 +.Dd May 26, 2012 .Dt PAM_CONV 3 .Os .Sh NAME @@ -181,3 +181,6 @@ the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , as part of the DARPA CHATS research program. +.Pp +The OpenPAM library is maintained by +.An Dag-Erling Sm\(/orgrav Aq des@des.no . diff --git a/contrib/openpam/doc/man/pam_end.3 b/contrib/openpam/doc/man/pam_end.3 index 66e2871c0d..0d669125be 100644 --- a/contrib/openpam/doc/man/pam_end.3 
+++ b/contrib/openpam/doc/man/pam_end.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_END 3 .Os .Sh NAME @@ -49,7 +49,7 @@ .Fn pam_end "pam_handle_t *pamh" "int status" .Sh DESCRIPTION The -.Nm +.Fn pam_end function terminates a PAM transaction and destroys the corresponding PAM context, releasing all resources allocated to it. .Pp @@ -57,11 +57,10 @@ The .Fa status argument should be set to the error code returned by the last API call before the call to -.Nm -. +.Fn pam_end . .Sh RETURN VALUES The -.Nm +.Fn pam_end function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_SYSTEM_ERR @@ -77,11 +76,11 @@ System error. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_end +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_error.3 b/contrib/openpam/doc/man/pam_error.3 index c957409c8b..6767772b57 100644 --- a/contrib/openpam/doc/man/pam_error.3 +++ b/contrib/openpam/doc/man/pam_error.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_ERROR 3 .Os .Sh NAME @@ -49,13 +49,13 @@ .Fn pam_error "const pam_handle_t *pamh" "const char *fmt" "..." .Sh DESCRIPTION The -.Nm +.Fn pam_error function displays an error message through the intermediary of the given PAM context's conversation function. .Pp .Sh RETURN VALUES The -.Nm +.Fn pam_error function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_BUF_ERR 
@@ -73,15 +73,15 @@ System error. .Xr pam_verror 3 .Sh STANDARDS The -.Nm +.Fn pam_error function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_error +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_get_authtok.3 b/contrib/openpam/doc/man/pam_get_authtok.3 index 7f0c8049aa..84c133dd52 100644 --- a/contrib/openpam/doc/man/pam_get_authtok.3 +++ b/contrib/openpam/doc/man/pam_get_authtok.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_GET_AUTHTOK 3 .Os .Sh NAME @@ -49,7 +49,7 @@ .Fn pam_get_authtok "pam_handle_t *pamh" "int item" "const char **authtok" "const char *prompt" .Sh DESCRIPTION The -.Nm +.Fn pam_get_authtok function returns the cached authentication token, or prompts the user if no token is currently cached. Either way, a pointer to the authentication token is stored in the @@ -89,7 +89,7 @@ before it is passed to the conversation function. .Pp If -.Nm +.Fn pam_get_authtok is called from a module and the .Dv authtok_prompt / @@ -110,17 +110,17 @@ is set to and there is a non-null .Dv PAM_OLDAUTHTOK item, -.Nm +.Fn pam_get_authtok will ask the user to confirm the new token by retyping it. If there is a mismatch, -.Nm +.Fn pam_get_authtok will return .Dv PAM_TRY_AGAIN . .Pp .Sh RETURN VALUES The -.Nm +.Fn pam_get_authtok function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_BUF_ERR 
@@ -140,15 +140,15 @@ Try again. .Xr pam_strerror 3 .Sh STANDARDS The -.Nm +.Fn pam_get_authtok function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_get_authtok +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_get_data.3 b/contrib/openpam/doc/man/pam_get_data.3 index 49fae056cf..db4b723cf7 100644 --- a/contrib/openpam/doc/man/pam_get_data.3 +++ b/contrib/openpam/doc/man/pam_get_data.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_GET_DATA 3 .Os .Sh NAME @@ -49,7 +49,7 @@ .Fn pam_get_data "const pam_handle_t *pamh" "const char *module_data_name" "const void **data" .Sh DESCRIPTION The -.Nm +.Fn pam_get_data function looks up the opaque object associated with the string specified by the .Fa module_data_name @@ -61,7 +61,7 @@ A pointer to the object is stored in the location pointed to by the .Fa data argument. If -.Nm +.Fn pam_get_data fails, the .Fa data argument is untouched. @@ -72,7 +72,7 @@ are useful for managing data that are meaningful only to a particular service module. .Sh RETURN VALUES The -.Nm +.Fn pam_get_data function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_NO_MODULE_DATA @@ -91,11 +91,11 @@ System error. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_get_data +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , 
diff --git a/contrib/openpam/doc/man/pam_get_item.3 b/contrib/openpam/doc/man/pam_get_item.3 index 1244a77a9e..aaa1badd7f 100644 --- a/contrib/openpam/doc/man/pam_get_item.3 +++ b/contrib/openpam/doc/man/pam_get_item.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_GET_ITEM 3 .Os .Sh NAME @@ -49,7 +49,7 @@ .Fn pam_get_item "const pam_handle_t *pamh" "int item_type" "const void **item" .Sh DESCRIPTION The -.Nm +.Fn pam_get_item function stores a pointer to the item specified by the .Fa item_type @@ -60,7 +60,7 @@ The item is retrieved from the PAM context specified by the .Fa pamh argument. If -.Nm +.Fn pam_get_item fails, the .Fa item argument is untouched. @@ -107,7 +107,7 @@ for a description of .Pp .Sh RETURN VALUES The -.Nm +.Fn pam_get_item function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_SYMBOL_ERR @@ -127,11 +127,11 @@ System error. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_get_item +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_get_user.3 b/contrib/openpam/doc/man/pam_get_user.3 index 8f3b426a66..448f41898b 100644 --- a/contrib/openpam/doc/man/pam_get_user.3 +++ b/contrib/openpam/doc/man/pam_get_user.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_GET_USER 3 .Os .Sh NAME 
@@ -49,13 +49,13 @@ .Fn pam_get_user "pam_handle_t *pamh" "const char **user" "const char *prompt" .Sh DESCRIPTION The -.Nm +.Fn pam_get_user function returns the name of the target user, as specified to .Xr pam_start 3 . If no user was specified, nor set using .Xr pam_set_item 3 , -.Nm +.Fn pam_get_user will prompt for a user name. Either way, a pointer to the user name is stored in the location pointed to by the @@ -80,7 +80,7 @@ before it is passed to the conversation function. .Pp If -.Nm +.Fn pam_get_user is called from a module and the .Dv user_prompt option is @@ -93,7 +93,7 @@ item. .Pp .Sh RETURN VALUES The -.Nm +.Fn pam_get_user function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_BUF_ERR @@ -118,11 +118,11 @@ System error. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_get_user +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_getenv.3 b/contrib/openpam/doc/man/pam_getenv.3 index ebd2992f1e..1f0df73f2d 100644 --- a/contrib/openpam/doc/man/pam_getenv.3 +++ b/contrib/openpam/doc/man/pam_getenv.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_GETENV 3 .Os .Sh NAME @@ -49,7 +49,7 @@ .Fn pam_getenv "pam_handle_t *pamh" "const char *name" .Sh DESCRIPTION The -.Nm +.Fn pam_getenv function returns the value of an environment variable. Its semantics are similar to those of .Xr getenv 3 , @@ -58,7 +58,7 @@ context's environment list instead of the application's. .Pp .Sh RETURN VALUES The -.Nm +.Fn pam_getenv function returns .Dv NULL on failure. 
@@ -75,11 +75,11 @@ on failure. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_getenv +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_getenvlist.3 b/contrib/openpam/doc/man/pam_getenvlist.3 index a034c8e3cc..9af378459b 100644 --- a/contrib/openpam/doc/man/pam_getenvlist.3 +++ b/contrib/openpam/doc/man/pam_getenvlist.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_GETENVLIST 3 .Os .Sh NAME @@ -49,7 +49,7 @@ .Fn pam_getenvlist "pam_handle_t *pamh" .Sh DESCRIPTION The -.Nm +.Fn pam_getenvlist function returns a copy of the given PAM context's environment list as a pointer to an array of strings. The last element in the array is @@ -77,7 +77,7 @@ after use: .Ed .Sh RETURN VALUES The -.Nm +.Fn pam_getenvlist function returns .Dv NULL on failure. @@ -96,11 +96,11 @@ on failure. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_getenvlist +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_info.3 b/contrib/openpam/doc/man/pam_info.3 index 08bf200de5..c08b5748c6 100644 --- a/contrib/openpam/doc/man/pam_info.3 +++ b/contrib/openpam/doc/man/pam_info.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_INFO 3 .Os .Sh NAME 
@@ -49,13 +49,13 @@ .Fn pam_info "const pam_handle_t *pamh" "const char *fmt" "..." .Sh DESCRIPTION The -.Nm +.Fn pam_info function displays an informational message through the intermediary of the given PAM context's conversation function. .Pp .Sh RETURN VALUES The -.Nm +.Fn pam_info function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_BUF_ERR @@ -73,15 +73,15 @@ System error. .Xr pam_vinfo 3 .Sh STANDARDS The -.Nm +.Fn pam_info function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_info +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_open_session.3 b/contrib/openpam/doc/man/pam_open_session.3 index 13811c7d29..1cde0e4371 100644 --- a/contrib/openpam/doc/man/pam_open_session.3 +++ b/contrib/openpam/doc/man/pam_open_session.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_OPEN_SESSION 3 .Os .Sh NAME @@ -49,7 +49,7 @@ .Fn pam_open_session "pam_handle_t *pamh" "int flags" .Sh DESCRIPTION The -.Nm +.Fn pam_open_session sets up a user session for a previously authenticated user. The session should later be torn down by a call to @@ -65,12 +65,12 @@ Do not emit any messages. .El .Pp If any other bits are set, -.Nm +.Fn pam_open_session will return .Dv PAM_SYMBOL_ERR . .Sh RETURN VALUES The -.Nm +.Fn pam_open_session function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_ABORT 
@@ -101,11 +101,11 @@ System error. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_open_session +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_prompt.3 b/contrib/openpam/doc/man/pam_prompt.3 index 20574f2321..0ff7742b7f 100644 --- a/contrib/openpam/doc/man/pam_prompt.3 +++ b/contrib/openpam/doc/man/pam_prompt.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_PROMPT 3 .Os .Sh NAME @@ -49,7 +49,7 @@ .Fn pam_prompt "const pam_handle_t *pamh" "int style" "char **resp" "const char *fmt" "..." .Sh DESCRIPTION The -.Nm +.Fn pam_prompt function constructs a message from the specified format string and arguments and passes it to the given PAM context's conversation function. @@ -67,7 +67,7 @@ for further details. .Pp .Sh RETURN VALUES The -.Nm +.Fn pam_prompt function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_BUF_ERR @@ -85,15 +85,15 @@ System error. .Xr pam_vprompt 3 .Sh STANDARDS The -.Nm +.Fn pam_prompt function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_prompt +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_putenv.3 b/contrib/openpam/doc/man/pam_putenv.3 index e69816a0b7..4e9c6938e6 100644 --- a/contrib/openpam/doc/man/pam_putenv.3 +++ b/contrib/openpam/doc/man/pam_putenv.3 
@@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_PUTENV 3 .Os .Sh NAME @@ -49,8 +49,8 @@ .Fn pam_putenv "pam_handle_t *pamh" "const char *namevalue" .Sh DESCRIPTION The -.Nm -function sets a environment variable. +.Fn pam_putenv +function sets an environment variable. Its semantics are similar to those of .Xr putenv 3 , but it modifies the PAM @@ -58,7 +58,7 @@ context's environment list instead of the application's. .Pp .Sh RETURN VALUES The -.Nm +.Fn pam_putenv function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_BUF_ERR @@ -80,11 +80,11 @@ System error. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_putenv +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_set_data.3 b/contrib/openpam/doc/man/pam_set_data.3 index ce4d63d061..c02ae2ef6e 100644 --- a/contrib/openpam/doc/man/pam_set_data.3 +++ b/contrib/openpam/doc/man/pam_set_data.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_SET_DATA 3 .Os .Sh NAME @@ -49,7 +49,7 @@ .Fn pam_set_data "pam_handle_t *pamh" "const char *module_data_name" "void *data" "void (*cleanup)(pam_handle_t *pamh, void *data, int pam_end_status)" .Sh DESCRIPTION The -.Nm +.Fn pam_set_data function associates a pointer to an opaque object with an arbitrary string specified by the .Fa module_data_name @@ -71,7 +71,7 @@ are useful for managing data that are meaningful only to a particular service module. .Sh RETURN VALUES The -.Nm +.Fn pam_set_data function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_BUF_ERR 
@@ -90,11 +90,11 @@ System error. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_set_data +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_set_item.3 b/contrib/openpam/doc/man/pam_set_item.3 index 9f4e78d9aa..668c4f39ff 100644 --- a/contrib/openpam/doc/man/pam_set_item.3 +++ b/contrib/openpam/doc/man/pam_set_item.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_SET_ITEM 3 .Os .Sh NAME @@ -49,7 +49,7 @@ .Fn pam_set_item "pam_handle_t *pamh" "int item_type" "const void *item" .Sh DESCRIPTION The -.Nm +.Fn pam_set_item function sets the item specified by the .Fa item_type argument to a copy of the object pointed to by the @@ -63,7 +63,7 @@ See for a list of recognized item types. .Sh RETURN VALUES The -.Nm +.Fn pam_set_item function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_BUF_ERR @@ -84,11 +84,11 @@ System error. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_set_item +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_setcred.3 b/contrib/openpam/doc/man/pam_setcred.3 index 1e0a246002..a4f82493f7 100644 --- a/contrib/openpam/doc/man/pam_setcred.3 +++ b/contrib/openpam/doc/man/pam_setcred.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_SETCRED 3 .Os .Sh NAME 
@@ -49,7 +49,7 @@ .Fn pam_setcred "pam_handle_t *pamh" "int flags" .Sh DESCRIPTION The -.Nm +.Fn pam_setcred function manages the application's credentials. .Pp The @@ -72,12 +72,12 @@ Refresh credentials. The latter four are mutually exclusive. .Pp If any other bits are set, -.Nm +.Fn pam_setcred will return .Dv PAM_SYMBOL_ERR . .Sh RETURN VALUES The -.Nm +.Fn pam_setcred function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_ABORT @@ -113,11 +113,11 @@ Unknown user. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_setcred +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_setenv.3 b/contrib/openpam/doc/man/pam_setenv.3 index 43906efd1c..e3b9c131e2 100644 --- a/contrib/openpam/doc/man/pam_setenv.3 +++ b/contrib/openpam/doc/man/pam_setenv.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_SETENV 3 .Os .Sh NAME @@ -49,8 +49,8 @@ .Fn pam_setenv "pam_handle_t *pamh" "const char *name" "const char *value" "int overwrite" .Sh DESCRIPTION The -.Nm -function sets a environment variable. +.Fn pam_setenv +function sets an environment variable. Its semantics are similar to those of .Xr setenv 3 , but it modifies the PAM @@ -58,7 +58,7 @@ context's environment list instead of the application's. .Pp .Sh RETURN VALUES The -.Nm +.Fn pam_setenv function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_BUF_ERR 
@@ -75,15 +75,15 @@ System error. .Xr setenv 3 .Sh STANDARDS The -.Nm +.Fn pam_setenv function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_setenv +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_sm_acct_mgmt.3 b/contrib/openpam/doc/man/pam_sm_acct_mgmt.3 index 22e1980d8e..35dd05bb5c 100644 --- a/contrib/openpam/doc/man/pam_sm_acct_mgmt.3 +++ b/contrib/openpam/doc/man/pam_sm_acct_mgmt.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_SM_ACCT_MGMT 3 .Os .Sh NAME @@ -50,14 +50,14 @@ .Fn pam_sm_acct_mgmt "pam_handle_t *pamh" "int flags" "int argc" "const char **argv" .Sh DESCRIPTION The -.Nm +.Fn pam_sm_acct_mgmt function is the service module's implementation of the .Xr pam_acct_mgmt 3 API function. .Sh RETURN VALUES The -.Nm +.Fn pam_sm_acct_mgmt function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_ABORT @@ -94,11 +94,11 @@ Unknown user. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_sm_acct_mgmt +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_sm_authenticate.3 b/contrib/openpam/doc/man/pam_sm_authenticate.3 index e41a70ab0c..4c27bb7601 100644 --- a/contrib/openpam/doc/man/pam_sm_authenticate.3 +++ b/contrib/openpam/doc/man/pam_sm_authenticate.3 
@@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_SM_AUTHENTICATE 3 .Os .Sh NAME @@ -50,14 +50,14 @@ .Fn pam_sm_authenticate "pam_handle_t *pamh" "int flags" "int argc" "const char **argv" .Sh DESCRIPTION The -.Nm +.Fn pam_sm_authenticate function is the service module's implementation of the .Xr pam_authenticate 3 API function. .Sh RETURN VALUES The -.Nm +.Fn pam_sm_authenticate function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_ABORT @@ -96,11 +96,11 @@ Unknown user. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_sm_authenticate +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_sm_chauthtok.3 b/contrib/openpam/doc/man/pam_sm_chauthtok.3 index bc3f461b7a..8e28b05f99 100644 --- a/contrib/openpam/doc/man/pam_sm_chauthtok.3 +++ b/contrib/openpam/doc/man/pam_sm_chauthtok.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_SM_CHAUTHTOK 3 .Os .Sh NAME @@ -50,7 +50,7 @@ .Fn pam_sm_chauthtok "pam_handle_t *pamh" "int flags" "int argc" "const char **argv" .Sh DESCRIPTION The -.Nm +.Fn pam_sm_chauthtok function is the service module's implementation of the .Xr pam_chauthtok 3 @@ -67,7 +67,7 @@ with the flag set. .Sh RETURN VALUES The -.Nm +.Fn pam_sm_chauthtok function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_ABORT 
@@ -106,11 +106,11 @@ Try again. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_sm_chauthtok +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_sm_close_session.3 b/contrib/openpam/doc/man/pam_sm_close_session.3 index 3b1f57e075..bfb5d87ee3 100644 --- a/contrib/openpam/doc/man/pam_sm_close_session.3 +++ b/contrib/openpam/doc/man/pam_sm_close_session.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_SM_CLOSE_SESSION 3 .Os .Sh NAME @@ -50,14 +50,14 @@ .Fn pam_sm_close_session "pam_handle_t *pamh" "int flags" "int args" "const char **argv" .Sh DESCRIPTION The -.Nm +.Fn pam_sm_close_session function is the service module's implementation of the .Xr pam_close_session 3 API function. .Sh RETURN VALUES The -.Nm +.Fn pam_sm_close_session function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_ABORT @@ -88,11 +88,11 @@ System error. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_sm_close_session +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_sm_open_session.3 b/contrib/openpam/doc/man/pam_sm_open_session.3 index cdfe4d4125..b92fb45b1b 100644 --- a/contrib/openpam/doc/man/pam_sm_open_session.3 +++ b/contrib/openpam/doc/man/pam_sm_open_session.3 
@@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_SM_OPEN_SESSION 3 .Os .Sh NAME @@ -50,14 +50,14 @@ .Fn pam_sm_open_session "pam_handle_t *pamh" "int flags" "int argc" "const char **argv" .Sh DESCRIPTION The -.Nm +.Fn pam_sm_open_session function is the service module's implementation of the .Xr pam_open_session 3 API function. .Sh RETURN VALUES The -.Nm +.Fn pam_sm_open_session function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_ABORT @@ -88,11 +88,11 @@ System error. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_sm_open_session +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_sm_setcred.3 b/contrib/openpam/doc/man/pam_sm_setcred.3 index 6d5c52fc16..19b192e217 100644 --- a/contrib/openpam/doc/man/pam_sm_setcred.3 +++ b/contrib/openpam/doc/man/pam_sm_setcred.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_SM_SETCRED 3 .Os .Sh NAME @@ -50,14 +50,14 @@ .Fn pam_sm_setcred "pam_handle_t *pamh" "int flags" "int argc" "const char **argv" .Sh DESCRIPTION The -.Nm +.Fn pam_sm_setcred function is the service module's implementation of the .Xr pam_setcred 3 API function. .Sh RETURN VALUES The -.Nm +.Fn pam_sm_setcred function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_ABORT 
@@ -94,11 +94,11 @@ Unknown user. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_sm_setcred +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_start.3 b/contrib/openpam/doc/man/pam_start.3 index eaa9f0571c..4e28d3e57b 100644 --- a/contrib/openpam/doc/man/pam_start.3 +++ b/contrib/openpam/doc/man/pam_start.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_START 3 .Os .Sh NAME @@ -49,7 +49,7 @@ .Fn pam_start "const char *service" "const char *user" "const struct pam_conv *pam_conv" "pam_handle_t **pamh" .Sh DESCRIPTION The -.Nm +.Fn pam_start function creates and initializes a PAM context. .Pp The @@ -78,7 +78,7 @@ for details. .Pp .Sh RETURN VALUES The -.Nm +.Fn pam_start function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_BUF_ERR @@ -99,11 +99,11 @@ System error. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_start +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_strerror.3 b/contrib/openpam/doc/man/pam_strerror.3 index 9003102848..5b24b68e8a 100644 --- a/contrib/openpam/doc/man/pam_strerror.3 +++ b/contrib/openpam/doc/man/pam_strerror.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_STRERROR 3 .Os .Sh NAME 
@@ -49,7 +49,7 @@ .Fn pam_strerror "const pam_handle_t *pamh" "int error_number" .Sh DESCRIPTION The -.Nm +.Fn pam_strerror function returns a pointer to a string containing a textual description of the error indicated by the .Fa error_number @@ -64,7 +64,7 @@ or .Dv NULL . .Sh RETURN VALUES The -.Nm +.Fn pam_strerror function returns .Dv NULL on failure. @@ -78,11 +78,11 @@ on failure. .Re .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_strerror +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_verror.3 b/contrib/openpam/doc/man/pam_verror.3 index 4987da30f9..d4a8cc5486 100644 --- a/contrib/openpam/doc/man/pam_verror.3 +++ b/contrib/openpam/doc/man/pam_verror.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_VERROR 3 .Os .Sh NAME @@ -49,7 +49,7 @@ .Fn pam_verror "const pam_handle_t *pamh" "const char *fmt" "va_list ap" .Sh DESCRIPTION The -.Nm +.Fn pam_verror function passes its arguments to .Xr pam_vprompt 3 with a @@ -59,7 +59,7 @@ and discards the response. .Pp .Sh RETURN VALUES The -.Nm +.Fn pam_verror function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_BUF_ERR 
@@ -77,15 +77,15 @@ System error. .Xr pam_vprompt 3 .Sh STANDARDS The -.Nm +.Fn pam_verror function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_verror +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_vinfo.3 b/contrib/openpam/doc/man/pam_vinfo.3 index c2ac5b0c4d..3e10b508a9 100644 --- a/contrib/openpam/doc/man/pam_vinfo.3 +++ b/contrib/openpam/doc/man/pam_vinfo.3 @@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_VINFO 3 .Os .Sh NAME @@ -49,7 +49,7 @@ .Fn pam_vinfo "const pam_handle_t *pamh" "const char *fmt" "va_list ap" .Sh DESCRIPTION The -.Nm +.Fn pam_vinfo function passes its arguments to .Xr pam_vprompt 3 with a @@ -59,7 +59,7 @@ and discards the response. .Pp .Sh RETURN VALUES The -.Nm +.Fn pam_vinfo function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_BUF_ERR @@ -77,15 +77,15 @@ System error. .Xr pam_vprompt 3 .Sh STANDARDS The -.Nm +.Fn pam_vinfo function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_vinfo +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/doc/man/pam_vprompt.3 b/contrib/openpam/doc/man/pam_vprompt.3 index 381008d7a9..c3d8b32582 100644 --- a/contrib/openpam/doc/man/pam_vprompt.3 +++ b/contrib/openpam/doc/man/pam_vprompt.3 
@@ -34,7 +34,7 @@ .\" .\" $Id$ .\" -.Dd December 18, 2011 +.Dd May 26, 2012 .Dt PAM_VPROMPT 3 .Os .Sh NAME @@ -49,7 +49,7 @@ .Fn pam_vprompt "const pam_handle_t *pamh" "int style" "char **resp" "const char *fmt" "va_list ap" .Sh DESCRIPTION The -.Nm +.Fn pam_vprompt function constructs a string from the .Fa fmt and @@ -93,7 +93,7 @@ If they do, they may be truncated. .Pp .Sh RETURN VALUES The -.Nm +.Fn pam_vprompt function returns one of the following values: .Bl -tag -width 18n .It Bq Er PAM_BUF_ERR @@ -114,15 +114,15 @@ System error. .Xr vsnprintf 3 .Sh STANDARDS The -.Nm +.Fn pam_vprompt function is an OpenPAM extension. .Sh AUTHORS The -.Nm -function and this manual page were developed for the +.Fn pam_vprompt +function and this manual page were +developed for the .Fx -Project by -ThinkSec AS and Network Associates Laboratories, the +Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , diff --git a/contrib/openpam/include/security/openpam.h b/contrib/openpam/include/security/openpam.h index 0c896a480a..4ba8b95fa0 100644 --- a/contrib/openpam/include/security/openpam.h +++ b/contrib/openpam/include/security/openpam.h @@ -32,7 +32,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam.h 455 2011-10-29 18:31:11Z des $ + * $Id: openpam.h 605 2012-04-20 11:05:10Z des $ */ #ifndef SECURITY_OPENPAM_H_INCLUDED 
@@ -157,12 +157,49 @@ openpam_readline(FILE *_f, int *_lineno, size_t *_lenp) OPENPAM_NONNULL((1)); + +char ** +openpam_readlinev(FILE *_f, + int *_lineno, + int *_lenp) + OPENPAM_NONNULL((1)); + +char * +openpam_readword(FILE *_f, + int *_lineno, + size_t *_lenp) + OPENPAM_NONNULL((1)); #endif +int +openpam_straddch(char **_str, + size_t *_sizep, + size_t *_lenp, + int ch) + OPENPAM_NONNULL((1)); + +/* + * Enable / disable optional features + */ +enum { + OPENPAM_RESTRICT_SERVICE_NAME, + OPENPAM_VERIFY_POLICY_FILE, + OPENPAM_RESTRICT_MODULE_NAME, + OPENPAM_VERIFY_MODULE_FILE, + OPENPAM_NUM_FEATURES +}; + +int +openpam_set_feature(int _feature, int _onoff); + +int +openpam_get_feature(int _feature, int *_onoff); + /* * Log levels */ enum { + PAM_LOG_LIBDEBUG = -1, PAM_LOG_DEBUG, PAM_LOG_VERBOSE, PAM_LOG_NOTICE, @@ -196,8 +233,8 @@ _openpam_log(int _level, void openpam_log(int _level, const char *_format, - ...) - OPENPAM_FORMAT ((__printf__, 2, 3)) + ...) + OPENPAM_FORMAT ((__printf__, 2, 3)) OPENPAM_NONNULL((2)); #endif diff --git a/contrib/openpam/include/security/openpam_version.h b/contrib/openpam/include/security/openpam_version.h index ed1c1de69f..d50d913689 100644 --- a/contrib/openpam/include/security/openpam_version.h +++ b/contrib/openpam/include/security/openpam_version.h @@ -32,14 +32,14 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_version.h 505 2011-12-18 14:13:08Z des $ + * $Id: openpam_version.h 609 2012-05-26 13:57:45Z des $ */ #ifndef SECURITY_OPENPAM_VERSION_H_INCLUDED #define SECURITY_OPENPAM_VERSION_H_INCLUDED #define OPENPAM -#define OPENPAM_VERSION 20111218 -#define OPENPAM_RELEASE "Lycopsida" +#define OPENPAM_VERSION 20120526 +#define OPENPAM_RELEASE "Micrampelis" #endif /* !SECURITY_OPENPAM_VERSION_H_INCLUDED */ diff --git a/contrib/openpam/lib/openpam_check_owner_perms.c b/contrib/openpam/lib/openpam_check_owner_perms.c index 9d64ed6e8b..d3b2ca9859 100644 
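Review bot: The third parameter of the new `openpam_readlinev()` prototype is `int *_lenp`, while the adjacent `openpam_readline()` and `openpam_readword()` prototypes declare the same-named parameter as `size_t *_lenp`; if it is a word count rather than a byte length, a comment or a distinct name would stop callers from handing a `size_t *` to the wrong function, e.g. `int *_lenp /* number of words in the returned vector */`. The new `PAM_LOG_LIBDEBUG = -1` is placed below `PAM_LOG_DEBUG` in an enum that previously started at zero, so any table indexed by log level elsewhere in the library (not visible here) would need to offset or reject the negative value. The feature enum ends in `OPENPAM_NUM_FEATURES`, which `openpam_set_feature()`/`openpam_get_feature()` presumably use to range-check `_feature`; a one-line comment on those prototypes stating that out-of-range feature numbers are rejected would make that contract visible to module authors.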
--- a/contrib/openpam/lib/openpam_check_owner_perms.c +++ b/contrib/openpam/lib/openpam_check_owner_perms.c @@ -11,6 +11,9 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -24,7 +27,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_check_owner_perms.c 499 2011-11-22 11:51:50Z des $ + * $Id: openpam_check_owner_perms.c 543 2012-03-31 22:11:34Z des $ */ #ifdef HAVE_CONFIG_H @@ -67,6 +70,12 @@ openpam_check_desc_owner_perms(const char *name, int fd) errno = serrno; return (-1); } + if (!S_ISREG(sb.st_mode)) { + openpam_log(PAM_LOG_ERROR, + "%s: not a regular file", name); + errno = EINVAL; + return (-1); + } if ((sb.st_uid != root && sb.st_uid != arbitrator) || (sb.st_mode & (S_IWGRP|S_IWOTH)) != 0) { openpam_log(PAM_LOG_ERROR, @@ -84,7 +93,7 @@ openpam_check_desc_owner_perms(const char *name, int fd) * up to it are owned by either root or the arbitrator and that they are * not writable by group or other. * - * Note that openpam_check_file_owner_perms() should be used instead if + * Note that openpam_check_desc_owner_perms() should be used instead if * possible to avoid a race between the ownership / permission check and * the actual open(). */ @@ -95,8 +104,9 @@ openpam_check_path_owner_perms(const char *path) uid_t root, arbitrator; char pathbuf[PATH_MAX]; struct stat sb; - int len, serrno; + int len, serrno, tip; + tip = 1; root = 0; arbitrator = geteuid(); if (realpath(path, pathbuf) == NULL) 
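Review bot: The new `S_ISREG` rejection in `openpam_check_desc_owner_perms()` tightens the function's contract, but the header comment above it (outside the hunk) still describes only the ownership and group/other-writable checks; it should now also say that the descriptor must refer to a regular file, e.g. `* Also verifies that the descriptor refers to a regular file; fails with EINVAL otherwise.` The `errno = EINVAL` assignment is correctly placed after the `openpam_log()` call, so a failing log write cannot clobber the reported error, consistent with the `serrno` save/restore a few lines above. `openpam_check_desc_owner_perms()` begins before the hunk.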
@@ -111,6 +121,12 @@ openpam_check_path_owner_perms(const char *path) } return (-1); } + if (tip && !S_ISREG(sb.st_mode)) { + openpam_log(PAM_LOG_ERROR, + "%s: not a regular file", pathbuf); + errno = EINVAL; + return (-1); + } if ((sb.st_uid != root && sb.st_uid != arbitrator) || (sb.st_mode & (S_IWGRP|S_IWOTH)) != 0) { openpam_log(PAM_LOG_ERROR, @@ -120,6 +136,7 @@ openpam_check_path_owner_perms(const char *path) } while (--len > 0 && pathbuf[len] != '/') pathbuf[len] = '\0'; + tip = 0; } return (0); } diff --git a/contrib/openpam/lib/openpam_configure.c b/contrib/openpam/lib/openpam_configure.c index d395565aef..8172a6fdf1 100644 --- a/contrib/openpam/lib/openpam_configure.c +++ b/contrib/openpam/lib/openpam_configure.c @@ -1,6 +1,6 @@ /*- * Copyright (c) 2001-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2011 Dag-Erling Smørgrav + * Copyright (c) 2004-2012 Dag-Erling Smørgrav * All rights reserved. * * This software was developed for the FreeBSD Project by ThinkSec AS and @@ -32,13 +32,15 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_configure.c 500 2011-11-22 12:07:03Z des $ + * $Id: openpam_configure.c 612 2012-05-26 23:02:55Z des $ */ #ifdef HAVE_CONFIG_H # include "config.h" #endif +#include + #include #include #include 
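Review bot: The `tip` flag that limits the `S_ISREG` test to the first iteration of the loop in `openpam_check_path_owner_perms()` carries no comment, and the relationship between `tip = 1` (set before the loop in the previous hunk) and `tip = 0` at the end of the loop body is only clear after reading both hunks; a short comment at the check, `/* only the resolved path itself must be a regular file; the components walked up to afterwards are its parent directories */`, would make the intent explicit. Because `realpath()` has already canonicalised the path, the test applies to the link target, so a symlink at the policy location that points at a FIFO or device node is still rejected; that is worth stating in the function's header comment next to the existing TOCTOU caveat, since it is the reason the descriptor variant remains preferable. The loop and the function extend outside these hunks.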
@@ -48,389 +50,183 @@ #include #include "openpam_impl.h" -#include "openpam_strlcmp.h" +#include "openpam_ctype.h" +#include "openpam_strlcat.h" +#include "openpam_strlcpy.h" static int openpam_load_chain(pam_handle_t *, const char *, pam_facility_t); /* - * Evaluates to non-zero if the argument is a linear whitespace character. - */ -#define is_lws(ch) \ - (ch == ' ' || ch == '\t') - -/* - * Evaluates to non-zero if the argument is a printable ASCII character. - * Assumes that the execution character set is a superset of ASCII. - */ -#define is_p(ch) \ - (ch >= '!' && ch <= '~') - -/* - * Returns non-zero if the argument belongs to the POSIX Portable Filename - * Character Set. Assumes that the execution character set is a superset - * of ASCII. - */ -#define is_pfcs(ch) \ - ((ch >= '0' && ch <= '9') || \ - (ch >= 'A' && ch <= 'Z') || \ - (ch >= 'a' && ch <= 'z') || \ - ch == '.' || ch == '_' || ch == '-') - -/* - * Parse the service name. - * - * Returns the length of the service name, or 0 if the end of the string - * was reached or a disallowed non-whitespace character was encountered. - * - * If parse_service_name() is successful, it updates *service to point to - * the first character of the service name and *line to point one - * character past the end. If it reaches the end of the string, it - * updates *line to point to the terminating NUL character and leaves - * *service unmodified. In all other cases, it leaves both *line and - * *service unmodified. + * Validate a service name. * - * Allowed characters are all characters in the POSIX portable filename - * character set. + * Returns a non-zero value if the argument points to a NUL-terminated + * string consisting entirely of characters in the POSIX portable filename + * character set, excluding the path separator character. 
*/ static int -parse_service_name(char **line, char **service) +valid_service_name(const char *name) { - char *b, *e; + const char *p; - for (b = *line; *b && is_lws(*b); ++b) - /* nothing */ ; - if (!*b) { - *line = b; - return (0); + if (OPENPAM_FEATURE(RESTRICT_SERVICE_NAME)) { + /* path separator not allowed */ + for (p = name; *p != '\0'; ++p) + if (!is_pfcs(*p)) + return (0); + } else { + /* path separator allowed */ + for (p = name; *p != '\0'; ++p) + if (!is_pfcs(*p) && *p != '/') + return (0); } - for (e = b; *e && !is_lws(*e); ++e) - if (!is_pfcs(*e)) - return (0); - if (e == b) - return (0); - *line = e; - *service = b; - return (e - b); + return (1); } /* * Parse the facility name. * - * Returns the corresponding pam_facility_t value, or -1 if the end of the - * string was reached, a disallowed non-whitespace character was - * encountered, or the first word was not a recognized facility name. - * - * If parse_facility_name() is successful, it updates *line to point one - * character past the end of the facility name. If it reaches the end of - * the string, it updates *line to point to the terminating NUL character. - * In all other cases, it leaves *line unmodified. + * Returns the corresponding pam_facility_t value, or -1 if the argument + * is not a valid facility name. */ static pam_facility_t -parse_facility_name(char **line) +parse_facility_name(const char *name) { - char *b, *e; int i; - for (b = *line; *b && is_lws(*b); ++b) - /* nothing */ ; - if (!*b) { - *line = b; - return ((pam_facility_t)-1); - } - for (e = b; *e && !is_lws(*e); ++e) - /* nothing */ ; - if (e == b) - return ((pam_facility_t)-1); for (i = 0; i < PAM_NUM_FACILITIES; ++i) - if (strlcmp(pam_facility_name[i], b, e - b) == 0) - break; - if (i == PAM_NUM_FACILITIES) - return ((pam_facility_t)-1); - *line = e; - return (i); -} - -/* - * Parse the word "include". 
- * - * If the next word on the line is "include", parse_include() updates - * *line to point one character past "include" and returns 1. Otherwise, - * it leaves *line unmodified and returns 0. - */ -static int -parse_include(char **line) -{ - char *b, *e; - - for (b = *line; *b && is_lws(*b); ++b) - /* nothing */ ; - if (!*b) { - *line = b; - return (-1); - } - for (e = b; *e && !is_lws(*e); ++e) - /* nothing */ ; - if (e == b) - return (0); - if (strlcmp("include", b, e - b) != 0) - return (0); - *line = e; - return (1); + if (strcmp(pam_facility_name[i], name) == 0) + return (i); + return ((pam_facility_t)-1); } /* * Parse the control flag. * - * Returns the corresponding pam_control_t value, or -1 if the end of the - * string was reached, a disallowed non-whitespace character was - * encountered, or the first word was not a recognized control flag. - * - * If parse_control_flag() is successful, it updates *line to point one - * character past the end of the control flag. If it reaches the end of - * the string, it updates *line to point to the terminating NUL character. - * In all other cases, it leaves *line unmodified. + * Returns the corresponding pam_control_t value, or -1 if the argument is + * not a valid control flag name. */ static pam_control_t -parse_control_flag(char **line) +parse_control_flag(const char *name) { - char *b, *e; int i; - for (b = *line; *b && is_lws(*b); ++b) - /* nothing */ ; - if (!*b) { - *line = b; - return ((pam_control_t)-1); - } - for (e = b; *e && !is_lws(*e); ++e) - /* nothing */ ; - if (e == b) - return ((pam_control_t)-1); for (i = 0; i < PAM_NUM_CONTROL_FLAGS; ++i) - if (strlcmp(pam_control_flag_name[i], b, e - b) == 0) - break; - if (i == PAM_NUM_CONTROL_FLAGS) - return ((pam_control_t)-1); - *line = e; - return (i); + if (strcmp(pam_control_flag_name[i], name) == 0) + return (i); + return ((pam_control_t)-1); } /* - * Parse a file name. + * Validate a file name. 
* - * Returns the length of the file name, or 0 if the end of the string was - * reached or a disallowed non-whitespace character was encountered. - * - * If parse_filename() is successful, it updates *filename to point to the - * first character of the filename and *line to point one character past - * the end. If it reaches the end of the string, it updates *line to - * point to the terminating NUL character and leaves *filename unmodified. - * In all other cases, it leaves both *line and *filename unmodified. - * - * Allowed characters are all characters in the POSIX portable filename - * character set, plus the path separator (forward slash). + * Returns a non-zero value if the argument points to a NUL-terminated + * string consisting entirely of characters in the POSIX portable filename + * character set, including the path separator character. */ static int -parse_filename(char **line, char **filename) +valid_module_name(const char *name) { - char *b, *e; - - for (b = *line; *b && is_lws(*b); ++b) - /* nothing */ ; - if (!*b) { - *line = b; - return (0); - } - for (e = b; *e && !is_lws(*e); ++e) - if (!is_pfcs(*e) && *e != '/') - return (0); - if (e == b) - return (0); - *line = e; - *filename = b; - return (e - b); -} + const char *p; -/* - * Parse an option. - * - * Returns a dynamically allocated string containing the next module - * option, or NULL if the end of the string was reached or a disallowed - * non-whitespace character was encountered. - * - * If parse_option() is successful, it updates *line to point one - * character past the end of the option. If it reaches the end of the - * string, it updates *line to point to the terminating NUL character. In - * all other cases, it leaves *line unmodified. - * - * If parse_option() fails to allocate memory, it will return NULL and set - * errno to a non-zero value. - * - * Allowed characters for option names are all characters in the POSIX - * portable filename character set. 
Allowed characters for option values - * are any printable non-whitespace characters. The option value may be - * quoted in either single or double quotes, in which case space - * characters and whichever quote character was not used are allowed. - * Note that the entire value must be quoted, not just part of it. - */ -static char * -parse_option(char **line) -{ - char *nb, *ne, *vb, *ve; - unsigned char q = 0; - char *option; - size_t size; - - errno = 0; - for (nb = *line; *nb && is_lws(*nb); ++nb) - /* nothing */ ; - if (!*nb) { - *line = nb; - return (NULL); - } - for (ne = nb; *ne && !is_lws(*ne) && *ne != '='; ++ne) - if (!is_pfcs(*ne)) - return (NULL); - if (ne == nb) - return (NULL); - if (*ne == '=') { - vb = ne + 1; - if (*vb == '"' || *vb == '\'') - q = *vb++; - for (ve = vb; - *ve && *ve != q && (is_p(*ve) || (q && is_lws(*ve))); - ++ve) - /* nothing */ ; - if (q && *ve != q) - /* non-printable character or missing endquote */ - return (NULL); - if (q && *(ve + 1) && !is_lws(*(ve + 1))) - /* garbage after value */ - return (NULL); + if (OPENPAM_FEATURE(RESTRICT_MODULE_NAME)) { + /* path separator not allowed */ + for (p = name; *p != '\0'; ++p) + if (!is_pfcs(*p)) + return (0); } else { - vb = ve = ne; - } - size = (ne - nb) + 1; - if (ve > vb) - size += (ve - vb) + 1; - if ((option = malloc(size)) == NULL) - return (NULL); - strncpy(option, nb, ne - nb); - if (ve > vb) { - option[ne - nb] = '='; - strncpy(option + (ne - nb) + 1, vb, ve - vb); + /* path separator allowed */ + for (p = name; *p != '\0'; ++p) + if (!is_pfcs(*p) && *p != '/') + return (0); } - option[size - 1] = '\0'; - *line = q ? ve + 1 : ve; - return (option); -} - -/* - * Consume trailing whitespace. - * - * If there are no non-whitespace characters left on the line, parse_eol() - * updates *line to point at the terminating NUL character and returns 0. - * Otherwise, it leaves *line unmodified and returns a non-zero value. 
- */ -static int -parse_eol(char **line) -{ - char *p; - - for (p = *line; *p && is_lws(*p); ++p) - /* nothing */ ; - if (*p) - return ((unsigned char)*p); - *line = p; - return (0); + return (1); } typedef enum { pam_conf_style, pam_d_style } openpam_style_t; /* * Extracts given chains from a policy file. + * + * Returns the number of policy entries which were found for the specified + * service and facility, or -1 if a system error occurred or a syntax + * error was encountered. */ static int openpam_parse_chain(pam_handle_t *pamh, const char *service, pam_facility_t facility, + FILE *f, const char *filename, openpam_style_t style) { pam_chain_t *this, **next; pam_facility_t fclt; pam_control_t ctlf; - char *line, *str, *name; - char *option, **optv; - int len, lineno, ret; - FILE *f; + char *name, *servicename, *modulename; + int count, lineno, ret, serrno; + char **wordv, *word; + int i, wordc; - if ((f = fopen(filename, "r")) == NULL) { - openpam_log(errno == ENOENT ? PAM_LOG_DEBUG : PAM_LOG_NOTICE, - "%s: %m", filename); - return (PAM_SUCCESS); - } - if (openpam_check_desc_owner_perms(filename, fileno(f)) != 0) { - fclose(f); - return (PAM_SYSTEM_ERR); - } + count = 0; this = NULL; name = NULL; lineno = 0; - while ((line = openpam_readline(f, &lineno, NULL)) != NULL) { - /* get service name if necessary */ - if (style == pam_conf_style) { - if ((len = parse_service_name(&line, &str)) == 0) { - openpam_log(PAM_LOG_NOTICE, - "%s(%d): invalid service name (ignored)", - filename, lineno); - FREE(line); - continue; - } - if (strlcmp(service, str, len) != 0) { - FREE(line); - continue; - } + wordc = 0; + wordv = NULL; + while ((wordv = openpam_readlinev(f, &lineno, &wordc)) != NULL) { + /* blank line? 
*/ + if (wordc == 0) { + FREEV(wordc, wordv); + continue; } + i = 0; - /* get facility name */ - if ((fclt = parse_facility_name(&line)) == (pam_facility_t)-1) { + /* check service name if necessary */ + if (style == pam_conf_style && + strcmp(wordv[i++], service) != 0) { + FREEV(wordc, wordv); + continue; + } + + /* check facility name */ + if ((word = wordv[i++]) == NULL || + (fclt = parse_facility_name(word)) == (pam_facility_t)-1) { openpam_log(PAM_LOG_ERROR, "%s(%d): missing or invalid facility", filename, lineno); goto fail; } if (facility != fclt && facility != PAM_FACILITY_ANY) { - FREE(line); + FREEV(wordc, wordv); continue; } /* check for "include" */ - if (parse_include(&line)) { - if ((len = parse_service_name(&line, &str)) == 0) { + if ((word = wordv[i++]) != NULL && + strcmp(word, "include") == 0) { + if ((servicename = wordv[i++]) == NULL || + !valid_service_name(servicename)) { openpam_log(PAM_LOG_ERROR, - "%s(%d): missing or invalid filename", + "%s(%d): missing or invalid service name", filename, lineno); goto fail; } - if ((name = strndup(str, len)) == NULL) - goto syserr; - if (parse_eol(&line) != 0) { + if (wordv[i] != NULL) { openpam_log(PAM_LOG_ERROR, "%s(%d): garbage at end of line", filename, lineno); goto fail; } - ret = openpam_load_chain(pamh, name, fclt); - FREE(name); - if (ret != PAM_SUCCESS) + ret = openpam_load_chain(pamh, servicename, fclt); + FREEV(wordc, wordv); + if (ret < 0) goto fail; - FREE(line); continue; } /* get control flag */ - if ((ctlf = parse_control_flag(&line)) == (pam_control_t)-1) { + if (word == NULL || /* same word we compared to "include" */ + (ctlf = parse_control_flag(word)) == (pam_control_t)-1) { openpam_log(PAM_LOG_ERROR, "%s(%d): missing or invalid control flag", filename, lineno); 
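Review bot: valid_service_name() and valid_module_name() are the same loop with a different feature flag, and neither rejects an empty string (the loop body never runs, so `""` is reported valid) nor a `..` component when the path separator is allowed, because is_pfcs() accepts `.`. Whether `..` is acceptable when RESTRICT_SERVICE_NAME / RESTRICT_MODULE_NAME is off is a policy decision, but it deserves a comment, since openpam_load_chain() in a later hunk uses a name containing `/` directly as a file name, and the `include` directive feeds a policy-file word through valid_service_name() on the same path. A shared helper removes the duplication and gives one place for the empty-name check (rejecting `""` is a behaviour change for callers that currently pass an empty service name, so it should be called out in the commit message):

```c
/*
 * Returns non-zero if name is a non-empty string of characters from the
 * POSIX portable filename character set, plus '/' if allow_sep is set.
 */
static int
valid_name(const char *name, int allow_sep)
{
	const char *p;

	if (*name == '\0')
		return (0);
	for (p = name; *p != '\0'; ++p)
		if (!is_pfcs(*p) && !(allow_sep && *p == '/'))
			return (0);
	return (1);
}

static int
valid_service_name(const char *name)
{
	return (valid_name(name, !OPENPAM_FEATURE(RESTRICT_SERVICE_NAME)));
}

static int
valid_module_name(const char *name)
{
	return (valid_name(name, !OPENPAM_FEATURE(RESTRICT_MODULE_NAME)));
}
/* … unchanged: parse_facility_name, parse_control_flag, openpam_parse_chain … */
```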
@@ -438,73 +234,78 @@ openpam_parse_chain(pam_handle_t *pamh, } /* get module name */ - if ((len = parse_filename(&line, &str)) == 0) { + if ((modulename = wordv[i++]) == NULL || + !valid_module_name(modulename)) { openpam_log(PAM_LOG_ERROR, "%s(%d): missing or invalid module name", filename, lineno); goto fail; } - if ((name = strndup(str, len)) == NULL) - goto syserr; /* allocate new entry */ if ((this = calloc(1, sizeof *this)) == NULL) goto syserr; this->flag = ctlf; - /* get module options */ - if ((this->optv = malloc(sizeof *optv)) == NULL) - goto syserr; - this->optc = 0; - while ((option = parse_option(&line)) != NULL) { - optv = realloc(this->optv, - (this->optc + 2) * sizeof *optv); - if (optv == NULL) - goto syserr; - this->optv = optv; - this->optv[this->optc++] = option; - } - this->optv[this->optc] = NULL; - if (*line != '\0') { - openpam_log(PAM_LOG_ERROR, - "%s(%d): syntax error in module options", - filename, lineno); - goto fail; - } - /* load module */ - this->module = openpam_load_module(name); - FREE(name); - if (this->module == NULL) + if ((this->module = openpam_load_module(modulename)) == NULL) goto fail; + /* + * The remaining items in wordv are the module's + * arguments. We could set this->optv = wordv + i, but + * then free(this->optv) wouldn't work. Instead, we free + * the words we've already consumed, shift the rest up, + * and clear the tail end of the array. + */ + this->optc = wordc - i; + for (i = 0; i < wordc - this->optc; ++i) { + FREE(wordv[i]); + } + for (i = 0; i < this->optc; ++i) { + wordv[i] = wordv[wordc - this->optc + i]; + wordv[wordc - this->optc + i] = NULL; + } + this->optv = wordv; + wordv = NULL; + wordc = 0; + /* hook it up */ for (next = &pamh->chains[fclt]; *next != NULL; next = &(*next)->next) /* nothing */ ; *next = this; this = NULL; - - /* next please... 
*/ - FREE(line); + ++count; } - if (!feof(f)) + /* + * The loop ended because openpam_readword() returned NULL, which + * can happen for four different reasons: an I/O error (ferror(f) + * is true), a memory allocation failure (ferror(f) is false, + * errno is non-zero) + */ + if (ferror(f) || errno != 0) goto syserr; + if (!feof(f)) + goto fail; fclose(f); - return (PAM_SUCCESS); + return (count); syserr: + serrno = errno; openpam_log(PAM_LOG_ERROR, "%s: %m", filename); + errno = serrno; + /* fall through */ fail: - if (this && this->optc) { - while (this->optc--) - FREE(this->optv[this->optc]); - FREE(this->optv); - } + serrno = errno; + if (this && this->optc && this->optv) + FREEV(this->optc, this->optv); FREE(this); - FREE(line); + FREEV(wordc, wordv); + FREE(wordv); FREE(name); fclose(f); - return (PAM_SYSTEM_ERR); + errno = serrno; + return (-1); } static const char *openpam_policy_path[] = { 
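Review bot: The comment after the loop says openpam_readword() returned NULL for "four different reasons" but the loop calls openpam_readlinev() and the list stops after two, so a reader cannot tell which cases `ferror(f) || errno != 0` and `!feof(f)` are meant to separate; name the right function and complete the list (the code as written distinguishes an I/O error, an allocation failure, EOF, and a parse failure that leaves neither ferror nor errno set). The `errno != 0` test also assumes errno is zero when the loop ends: nothing in this function clears it before the `while`, and openpam_load_chain() in the next hunk probes several policy paths with fopen() before one succeeds, so unless openpam_readlinev() resets errno on EOF (not visible here) a stale ENOENT turns a clean EOF into `goto syserr`; an `errno = 0;` before the loop removes the dependency. As far as the two hunks show, `name` is now only initialised to NULL and freed at `fail:` — the strndup() assignments removed here were its only writers — so the declaration and `FREE(name)` can go.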
@@ -515,38 +316,111 @@ static const char *openpam_policy_path[] = { NULL }; +/* + * Read the specified chains from the specified file. + * + * Returns 0 if the file exists but does not contain any matching lines. + * + * Returns -1 and sets errno to ENOENT if the file does not exist. + * + * Returns -1 and sets errno to some other non-zero value if the file + * exists but is unsafe or unreadable, or an I/O error occurs. + */ +static int +openpam_load_file(pam_handle_t *pamh, + const char *service, + pam_facility_t facility, + const char *filename, + openpam_style_t style) +{ + FILE *f; + int ret, serrno; + + /* attempt to open the file */ + if ((f = fopen(filename, "r")) == NULL) { + serrno = errno; + openpam_log(errno == ENOENT ? PAM_LOG_DEBUG : PAM_LOG_ERROR, + "%s: %m", filename); + errno = serrno; + RETURNN(-1); + } else { + openpam_log(PAM_LOG_DEBUG, "found %s", filename); + } + + /* verify type, ownership and permissions */ + if (OPENPAM_FEATURE(VERIFY_POLICY_FILE) && + openpam_check_desc_owner_perms(filename, fileno(f)) != 0) { + /* already logged the cause */ + serrno = errno; + fclose(f); + errno = serrno; + RETURNN(-1); + } + + /* parse the file */ + ret = openpam_parse_chain(pamh, service, facility, + f, filename, style); + RETURNN(ret); +} + /* * Locates the policy file for a given service and reads the given chains * from it. + * + * Returns the number of policy entries which were found for the specified + * service and facility, or -1 if a system error occurred or a syntax + * error was encountered. */ static int openpam_load_chain(pam_handle_t *pamh, const char *service, pam_facility_t facility) { - const char **path; - char *filename; + const char *p, **path; + char filename[PATH_MAX]; size_t len; + openpam_style_t style; int ret; + ENTERS(facility < 0 ? 
"any" : pam_facility_name[facility]); + + /* either absolute or relative to cwd */ + if (strchr(service, '/') != NULL) { + if ((p = strrchr(service, '.')) != NULL && strcmp(p, ".conf") == 0) + style = pam_conf_style; + else + style = pam_d_style; + ret = openpam_load_file(pamh, service, facility, + service, style); + RETURNN(ret); + } + + /* search standard locations */ for (path = openpam_policy_path; *path != NULL; ++path) { - len = strlen(*path); - if ((*path)[len - 1] == '/') { - if (asprintf(&filename, "%s%s", *path, service) < 0) { - openpam_log(PAM_LOG_ERROR, "asprintf(): %m"); - return (PAM_BUF_ERR); + /* construct filename */ + len = strlcpy(filename, *path, sizeof filename); + if (filename[len - 1] == '/') { + len = strlcat(filename, service, sizeof filename); + if (len >= sizeof filename) { + errno = ENAMETOOLONG; + RETURNN(-1); } - ret = openpam_parse_chain(pamh, service, facility, - filename, pam_d_style); - FREE(filename); + style = pam_d_style; } else { - ret = openpam_parse_chain(pamh, service, facility, - *path, pam_conf_style); + style = pam_conf_style; } - if (ret != PAM_SUCCESS) - return (ret); + ret = openpam_load_file(pamh, service, facility, + filename, style); + /* the file exists, but an error occurred */ + if (ret == -1 && errno != ENOENT) + RETURNN(ret); + /* in pam.d style, an empty file counts as a hit */ + if (ret == 0 && style == pam_d_style) + RETURNN(ret); } - return (PAM_SUCCESS); + + /* no hit */ + RETURNN(0); } /* 
@@ -560,25 +434,27 @@ openpam_configure(pam_handle_t *pamh, const char *service) { pam_facility_t fclt; - const char *p; + int serrno; - for (p = service; *p; ++p) - if (!is_pfcs(*p)) - return (PAM_SYSTEM_ERR); - - if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) != PAM_SUCCESS) + ENTERS(service); + if (!valid_service_name(service)) { + openpam_log(PAM_LOG_ERROR, "invalid service name"); + RETURNC(PAM_SYSTEM_ERR); + } + if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0) goto load_err; - for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) { if (pamh->chains[fclt] != NULL) continue; - if (openpam_load_chain(pamh, PAM_OTHER, fclt) != PAM_SUCCESS) + if (openpam_load_chain(pamh, PAM_OTHER, fclt) < 0) goto load_err; } - return (PAM_SUCCESS); + RETURNC(PAM_SUCCESS); load_err: + serrno = errno; openpam_clear_chains(pamh->chains); - return (PAM_SYSTEM_ERR); + errno = serrno; + RETURNC(PAM_SYSTEM_ERR); } /* diff --git a/contrib/openpam/lib/openpam_constants.h b/contrib/openpam/lib/openpam_constants.h index b92317938c..a7d6ce8dd7 100644 --- a/contrib/openpam/lib/openpam_constants.h +++ b/contrib/openpam/lib/openpam_constants.h @@ -11,6 +11,9 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
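Review bot: valid_service_name() is now the only gate between the application-supplied service name and its use as a file name: when RESTRICT_SERVICE_NAME is off, openpam_load_chain() (previous hunk) treats any name containing `/` as a path relative to the current directory. That is a documented feature, but nothing at this call site hints at it; suggest `/* with RESTRICT_SERVICE_NAME off, a name containing '/' is opened as a path by openpam_load_chain() */` above the check. The log line `"invalid service name"` omits the rejected name, which makes a misconfigured caller hard to diagnose; consider including it, or at least its length, in the message.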
@@ -24,11 +27,11 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_constants.h 491 2011-11-12 00:12:32Z des $ + * $Id: openpam_constants.h 606 2012-04-20 11:06:38Z des $ */ -#ifndef OPENPAM_CONSTANTS_INCLUDED -#define OPENPAM_CONSTANTS_INCLUDED +#ifndef OPENPAM_CONSTANTS_H_INCLUDED +#define OPENPAM_CONSTANTS_H_INCLUDED extern const char *pam_err_name[PAM_NUM_ERRORS]; extern const char *pam_item_name[PAM_NUM_ITEMS]; diff --git a/contrib/openpam/include/security/openpam_version.h b/contrib/openpam/lib/openpam_ctype.h similarity index 55% copy from contrib/openpam/include/security/openpam_version.h copy to contrib/openpam/lib/openpam_ctype.h index ed1c1de69f..b3ec846899 100644 --- a/contrib/openpam/include/security/openpam_version.h +++ b/contrib/openpam/lib/openpam_ctype.h @@ -1,18 +1,13 @@ /*- - * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2011 Dag-Erling Smørgrav + * Copyright (c) 2012 Dag-Erling Smørgrav * All rights reserved. * - * This software was developed for the FreeBSD Project by ThinkSec AS and - * Network Associates Laboratories, the Security Research Division of - * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 - * ("CBOSS"), as part of the DARPA CHATS research program. - * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer + * in this position and unchanged. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. 
@@ -32,14 +27,42 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_version.h 505 2011-12-18 14:13:08Z des $ + * $Id: openpam_ctype.h 578 2012-04-06 00:45:59Z des $ + */ + +#ifndef OPENPAM_CTYPE_H_INCLUDED +#define OPENPAM_CTYPE_H_INCLUDED + +/* + * Evaluates to non-zero if the argument is a linear whitespace character. + * For the purposes of this macro, the definition of linear whitespace is + * extended to include the form feed and carraige return characters. */ +#define is_lws(ch) \ + (ch == ' ' || ch == '\t' || ch == '\f' || ch == '\r') -#ifndef SECURITY_OPENPAM_VERSION_H_INCLUDED -#define SECURITY_OPENPAM_VERSION_H_INCLUDED +/* + * Evaluates to non-zero if the argument is a whitespace character. + */ +#define is_ws(ch) \ + (is_lws(ch) || ch == '\n') + +/* + * Evaluates to non-zero if the argument is a printable ASCII character. + * Assumes that the execution character set is a superset of ASCII. + */ +#define is_p(ch) \ + (ch >= '!' && ch <= '~') -#define OPENPAM -#define OPENPAM_VERSION 20111218 -#define OPENPAM_RELEASE "Lycopsida" +/* + * Returns non-zero if the argument belongs to the POSIX Portable Filename + * Character Set. Assumes that the execution character set is a superset + * of ASCII. + */ +#define is_pfcs(ch) \ + ((ch >= '0' && ch <= '9') || \ + (ch >= 'A' && ch <= 'Z') || \ + (ch >= 'a' && ch <= 'z') || \ + ch == '.' || ch == '_' || ch == '-') -#endif /* !SECURITY_OPENPAM_VERSION_H_INCLUDED */ +#endif diff --git a/contrib/openpam/lib/openpam_debug.h b/contrib/openpam/lib/openpam_debug.h index ef2884d682..050783e493 100644 --- a/contrib/openpam/lib/openpam_debug.h +++ b/contrib/openpam/lib/openpam_debug.h 
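Review bot: All four macros use their argument unparenthesized and more than once (`ch == ' ' || ch == '\t' ...`), so `is_pfcs(*p++)` or an argument containing a lower-precedence operator misbehaves; the callers in this import pass a plain `*p`, but this is new shared header code and should either wrap every use as `(ch)` or become `static inline` functions. The is_lws() comment has a typo: `carraige` → `carriage`. is_ws() does not treat `\v` as whitespace, unlike isspace(3); if that is intentional, say so in the comment so it is not "fixed" later.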
@@ -32,60 +32,68 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_debug.h 491 2011-11-12 00:12:32Z des $ + * $Id: openpam_debug.h 606 2012-04-20 11:06:38Z des $ */ -#ifndef OPENPAM_DEBUG_INCLUDED -#define OPENPAM_DEBUG_INCLUDED +#ifndef OPENPAM_DEBUG_H_INCLUDED +#define OPENPAM_DEBUG_H_INCLUDED #ifdef OPENPAM_DEBUG -#define ENTER() openpam_log(PAM_LOG_DEBUG, "entering") +#define ENTER() openpam_log(PAM_LOG_LIBDEBUG, "entering") #define ENTERI(i) do { \ int i_ = (i); \ if (i_ > 0 && i_ < PAM_NUM_ITEMS) \ - openpam_log(PAM_LOG_DEBUG, "entering: %s", pam_item_name[i_]); \ + openpam_log(PAM_LOG_LIBDEBUG, "entering: %s", pam_item_name[i_]); \ else \ - openpam_log(PAM_LOG_DEBUG, "entering: %d", i_); \ + openpam_log(PAM_LOG_LIBDEBUG, "entering: %d", i_); \ } while (0) #define ENTERN(n) do { \ int n_ = (n); \ - openpam_log(PAM_LOG_DEBUG, "entering: %d", n_); \ + openpam_log(PAM_LOG_LIBDEBUG, "entering: %d", n_); \ } while (0) #define ENTERS(s) do { \ const char *s_ = (s); \ if (s_ == NULL) \ - openpam_log(PAM_LOG_DEBUG, "entering: NULL"); \ + openpam_log(PAM_LOG_LIBDEBUG, "entering: NULL"); \ else \ - openpam_log(PAM_LOG_DEBUG, "entering: '%s'", s_); \ + openpam_log(PAM_LOG_LIBDEBUG, "entering: '%s'", s_); \ } while (0) -#define RETURNV() openpam_log(PAM_LOG_DEBUG, "returning") +#define ENTERF(f) do { \ + int f_ = (f); \ + if (f_ >= 0 && f_ <= OPENPAM_NUM_FEATURES) \ + openpam_log(PAM_LOG_LIBDEBUG, "entering: %s", \ + openpam_features[f_].name); \ + else \ + openpam_log(PAM_LOG_LIBDEBUG, "entering: %d", f_); \ +} while (0) +#define RETURNV() openpam_log(PAM_LOG_LIBDEBUG, "returning") #define RETURNC(c) do { \ int c_ = (c); \ if (c_ >= 0 && c_ < PAM_NUM_ERRORS) \ - openpam_log(PAM_LOG_DEBUG, "returning %s", pam_err_name[c_]); \ + openpam_log(PAM_LOG_LIBDEBUG, "returning %s", pam_err_name[c_]); \ else \ - openpam_log(PAM_LOG_DEBUG, "returning %d!", c_); \ + openpam_log(PAM_LOG_LIBDEBUG, "returning %d!", c_); \ 
return (c_); \ } while (0) #define RETURNN(n) do { \ int n_ = (n); \ - openpam_log(PAM_LOG_DEBUG, "returning %d", n_); \ + openpam_log(PAM_LOG_LIBDEBUG, "returning %d", n_); \ return (n_); \ } while (0) #define RETURNP(p) do { \ - const void *p_ = (p); \ + void *p_ = (p); \ if (p_ == NULL) \ - openpam_log(PAM_LOG_DEBUG, "returning NULL"); \ + openpam_log(PAM_LOG_LIBDEBUG, "returning NULL"); \ else \ - openpam_log(PAM_LOG_DEBUG, "returning %p", p_); \ + openpam_log(PAM_LOG_LIBDEBUG, "returning %p", p_); \ return (p_); \ } while (0) #define RETURNS(s) do { \ const char *s_ = (s); \ if (s_ == NULL) \ - openpam_log(PAM_LOG_DEBUG, "returning NULL"); \ + openpam_log(PAM_LOG_LIBDEBUG, "returning NULL"); \ else \ - openpam_log(PAM_LOG_DEBUG, "returning '%s'", s_); \ + openpam_log(PAM_LOG_LIBDEBUG, "returning '%s'", s_); \ return (s_); \ } while (0) #else @@ -93,6 +101,7 @@ #define ENTERI(i) #define ENTERN(n) #define ENTERS(s) +#define ENTERF(f) #define RETURNV() return #define RETURNC(c) return (c) #define RETURNN(n) return (n) diff --git a/contrib/openpam/lib/openpam_dynamic.c b/contrib/openpam/lib/openpam_dynamic.c index d44174fbe8..1dfc1ac43e 100644 --- a/contrib/openpam/lib/openpam_dynamic.c +++ b/contrib/openpam/lib/openpam_dynamic.c @@ -32,7 +32,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_dynamic.c 502 2011-12-18 13:59:22Z des $ + * $Id: openpam_dynamic.c 607 2012-04-20 11:09:37Z des $ */ #ifdef HAVE_CONFIG_H @@ -40,6 +40,7 @@ #endif #include +#include #include #include #include 
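Review bot: ENTERF() has an off-by-one in its range check: `f_ <= OPENPAM_NUM_FEATURES` lets f_ == OPENPAM_NUM_FEATURES through, which indexes one past the end of openpam_features[OPENPAM_NUM_FEATURES] (declared in the openpam_features.h section below). The sibling macros use a strict upper bound (`i_ < PAM_NUM_ITEMS`, `c_ < PAM_NUM_ERRORS`); change it to `if (f_ >= 0 && f_ < OPENPAM_NUM_FEATURES)`. Since the macro is only compiled under OPENPAM_DEBUG, the out-of-bounds read only affects debug builds, which is why it is easy to miss.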
@@ -60,15 +61,50 @@ * Perform sanity checks and attempt to load a module */ +#ifdef HAVE_FDLOPEN static void * try_dlopen(const char *modfn) { + void *dlh; + int fd; - if (openpam_check_path_owner_perms(modfn) != 0) + if ((fd = open(modfn, O_RDONLY)) < 0) + return (NULL); + if (OPENPAM_FEATURE(VERIFY_MODULE_FILE) && + openpam_check_desc_owner_perms(modfn, fd) != 0) { + close(fd); + return (NULL); + } + if ((dlh = fdlopen(fd, RTLD_NOW)) == NULL) { + openpam_log(PAM_LOG_ERROR, "%s: %s", modfn, dlerror()); + close(fd); + errno = 0; + return (NULL); + } + close(fd); + return (dlh); +} +#else +static void * +try_dlopen(const char *modfn) +{ + int check_module_file; + void *dlh; + + openpam_get_feature(OPENPAM_VERIFY_MODULE_FILE, + &check_module_file); + if (check_module_file && + openpam_check_path_owner_perms(modfn) != 0) + return (NULL); + if ((dlh = dlopen(modfn, RTLD_NOW)) == NULL) { + openpam_log(PAM_LOG_ERROR, "%s: %s", modfn, dlerror()); + errno = 0; return (NULL); - return (dlopen(modfn, RTLD_NOW)); + } + return (dlh); } - +#endif + /* * OpenPAM internal * @@ -100,9 +136,6 @@ openpam_dynamic(const char *path) *strrchr(vpath, '.') = '\0'; dlh = try_dlopen(vpath); } - serrno = errno; - FREE(vpath); - errno = serrno; if (dlh == NULL) goto err; if ((module = calloc(1, sizeof *module)) == NULL) 
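Review bot: The two try_dlopen() variants read the VERIFY_MODULE_FILE feature differently: the fdlopen() variant tests `OPENPAM_FEATURE(VERIFY_MODULE_FILE)`, while the dlopen() variant calls openpam_get_feature() into an uninitialized `check_module_file` and ignores the call's return value, so if it fails the permission check is decided by stack garbage. Use the same macro in both: `if (OPENPAM_FEATURE(VERIFY_MODULE_FILE) && openpam_check_path_owner_perms(modfn) != 0)` and drop the local. In the fdlopen() variant, opening with O_CLOEXEC where available keeps the descriptor from leaking into a child spawned by another thread between open() and close(). The caller, openpam_dynamic(), is outside this hunk.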
@@ -112,19 +145,41 @@ openpam_dynamic(const char *path) module->dlh = dlh; dlmodule = dlsym(dlh, "_pam_module"); for (i = 0; i < PAM_NUM_PRIMITIVES; ++i) { - module->func[i] = dlmodule ? dlmodule->func[i] : - (pam_func_t)dlsym(dlh, pam_sm_func_name[i]); - if (module->func[i] == NULL) - openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s", - path, pam_sm_func_name[i], dlerror()); + if (dlmodule) { + module->func[i] = dlmodule->func[i]; + } else { + module->func[i] = + (pam_func_t)dlsym(dlh, pam_sm_func_name[i]); + /* + * This openpam_log() call is a major source of + * log spam, and the cases that matter are caught + * and logged in openpam_dispatch(). This would + * be less problematic if dlerror() returned an + * error code so we could log an error only when + * dlsym() failed for a reason other than "no such + * symbol". + */ +#if 0 + if (module->func[i] == NULL) + openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s", + path, pam_sm_func_name[i], dlerror()); +#endif + } } + FREE(vpath); return (module); buf_err: + serrno = errno; if (dlh != NULL) dlclose(dlh); FREE(module); + errno = serrno; err: - openpam_log(PAM_LOG_ERROR, "%m"); + serrno = errno; + if (errno != 0) + openpam_log(PAM_LOG_ERROR, "%s: %m", vpath); + FREE(vpath); + errno = serrno; return (NULL); } diff --git a/contrib/openpam/include/security/openpam_version.h b/contrib/openpam/lib/openpam_features.c similarity index 61% copy from contrib/openpam/include/security/openpam_version.h copy to contrib/openpam/lib/openpam_features.c index ed1c1de69f..586fc2a573 100644 --- a/contrib/openpam/include/security/openpam_version.h +++ b/contrib/openpam/lib/openpam_features.c 
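Review bot: The `#if 0` block keeps dead code in the tree; the comment above it already records why the per-symbol log was dropped, so the block itself can go (or be gated on a debug macro if it is meant to be re-enabled). At `err:`, `openpam_log(PAM_LOG_ERROR, "%s: %m", vpath)` and `FREE(vpath)` now run for every failure path; the asprintf()/try_dlopen() setup that assigns vpath is above this hunk, so please confirm that `err` cannot be reached before vpath is assigned, or initialise it to NULL at its declaration, since passing an indeterminate pointer to `%s` is undefined.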
@@ -1,18 +1,13 @@ /*- - * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2011 Dag-Erling Smørgrav + * Copyright (c) 2012 Dag-Erling Smørgrav * All rights reserved. * - * This software was developed for the FreeBSD Project by ThinkSec AS and - * Network Associates Laboratories, the Security Research Division of - * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 - * ("CBOSS"), as part of the DARPA CHATS research program. - * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer + * in this position and unchanged. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. 
@@ -32,14 +27,43 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_version.h 505 2011-12-18 14:13:08Z des $ + * $Id: openpam_features.c 608 2012-05-17 16:00:13Z des $ */ -#ifndef SECURITY_OPENPAM_VERSION_H_INCLUDED -#define SECURITY_OPENPAM_VERSION_H_INCLUDED +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "openpam_impl.h" -#define OPENPAM -#define OPENPAM_VERSION 20111218 -#define OPENPAM_RELEASE "Lycopsida" +#define STRUCT_OPENPAM_FEATURE(name, descr, dflt) \ + [OPENPAM_##name] = { \ + "OPENPAM_" #name, \ + descr, \ + dflt \ + } -#endif /* !SECURITY_OPENPAM_VERSION_H_INCLUDED */ +struct openpam_feature openpam_features[OPENPAM_NUM_FEATURES] = { + STRUCT_OPENPAM_FEATURE( + RESTRICT_SERVICE_NAME, + "Disallow path separators in service names", + 1 + ), + STRUCT_OPENPAM_FEATURE( + VERIFY_POLICY_FILE, + "Verify ownership and permissions of policy files", + 1 + ), + STRUCT_OPENPAM_FEATURE( + RESTRICT_MODULE_NAME, + "Disallow path separators in module names", + 0 + ), + STRUCT_OPENPAM_FEATURE( + VERIFY_MODULE_FILE, + "Verify ownership and permissions of module files", + 1 + ), +}; diff --git a/contrib/openpam/lib/openpam_strlcpy.h b/contrib/openpam/lib/openpam_features.h similarity index 72% copy from contrib/openpam/lib/openpam_strlcpy.h copy to contrib/openpam/lib/openpam_features.h index 921653b6e9..227b1a9f72 100644 --- a/contrib/openpam/lib/openpam_strlcpy.h +++ b/contrib/openpam/lib/openpam_features.h @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2011 Dag-Erling Smørgrav + * Copyright (c) 2012 Dag-Erling Smørgrav * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
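Review bot: `RESTRICT_MODULE_NAME` is the only entry in `openpam_features` whose default is 0, and the table gives no reason, so a reader will wonder whether that is deliberate. The openpam_get_feature manual text elsewhere in this commit says enabling it "prevents the use of modules in non-standard locations", which suggests a compatibility choice; a one-line comment on the entry, e.g. `/* off by default so existing policies may name modules by path */`, would record that, and if VERIFY_MODULE_FILE is meant to cover such modules the comment should say so. The table has to stay writable because openpam_set_feature assigns into it, so it cannot be `const`; a short comment above the definition noting that it is process-global mutable state would help the next reader.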
@@ -11,6 +11,9 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -24,26 +27,22 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_strlcpy.h 492 2011-11-20 02:04:17Z des $ + * $Id$ */ -#ifndef OPENPAM_STRLCPY_H_INCLUDED -#define OPENPAM_STRLCPY_H_INCLUDED +#ifndef OPENPAM_FEATURES_H_INCLUDED +#define OPENPAM_FEATURES_H_INCLUDED -#ifndef HAVE_STRLCPY -/* like strcpy(3), but always NUL-terminates; returns strlen(src) */ -size_t -strlcpy(char *dst, const char *src, size_t size) -{ - size_t len; +struct openpam_feature { + const char *name; + const char *desc; + int onoff; +}; - for (len = 0; *src && size > 1; ++len, --size) - *dst++ = *src++; - *dst = '\0'; - while (*src) - ++len, ++src; - return (len); -} -#endif +extern struct openpam_feature openpam_features[OPENPAM_NUM_FEATURES]; + +/* shortcut for internal use */ +#define OPENPAM_FEATURE(f) \ + openpam_features[OPENPAM_##f].onoff #endif diff --git a/contrib/openpam/lib/openpam_get_option.c b/contrib/openpam/lib/openpam_get_feature.c similarity index 53% copy from contrib/openpam/lib/openpam_get_option.c copy to contrib/openpam/lib/openpam_get_feature.c index b5faa878fd..b552357c58 100644 --- a/contrib/openpam/lib/openpam_get_option.c +++ b/contrib/openpam/lib/openpam_get_feature.c 
@@ -1,18 +1,13 @@ /*- - * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2011 Dag-Erling Smørgrav + * Copyright (c) 2012 Dag-Erling Smørgrav * All rights reserved. * - * This software was developed for the FreeBSD Project by ThinkSec AS and - * Network Associates Laboratories, the Security Research Division of - * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 - * ("CBOSS"), as part of the DARPA CHATS research program. - * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer + * in this position and unchanged. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. @@ -32,17 +27,13 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_get_option.c 482 2011-11-03 16:33:02Z des $ + * $Id: openpam_get_feature.c 608 2012-05-17 16:00:13Z des $ */ #ifdef HAVE_CONFIG_H # include "config.h" #endif -#include - -#include - #include #include 
@@ -51,37 +42,58 @@ /* * OpenPAM extension * - * Returns the value of a module option + * Query the state of an optional feature. */ -const char * -openpam_get_option(pam_handle_t *pamh, - const char *option) +int +openpam_get_feature(int feature, int *onoff) { - pam_chain_t *cur; - size_t len; - int i; - ENTERS(option); - if (pamh == NULL || pamh->current == NULL || option == NULL) - RETURNS(NULL); - cur = pamh->current; - len = strlen(option); - for (i = 0; i < cur->optc; ++i) { - if (strncmp(cur->optv[i], option, len) == 0) { - if (cur->optv[i][len] == '\0') - RETURNS(&cur->optv[i][len]); - else if (cur->optv[i][len] == '=') - RETURNS(&cur->optv[i][len + 1]); - } - } - RETURNS(NULL); + ENTERF(feature); + if (feature < 0 || feature >= OPENPAM_NUM_FEATURES) + RETURNC(PAM_SYMBOL_ERR); + *onoff = openpam_features[feature].onoff; + RETURNC(PAM_SUCCESS); } +/* + * Error codes: + * + * PAM_SYMBOL_ERR + */ + /** - * The =openpam_get_option function returns the value of the specified - * option in the context of the currently executing service module, or - * =NULL if the option is not set or no module is currently executing. + * EXPERIMENTAL + * + * The =openpam_get_feature function stores the current state of the + * specified feature in the variable pointed to by its =onoff argument. + * + * The following features are recognized: + * + * =OPENPAM_RESTRICT_SERVICE_NAME: + * Disallow path separators in service names. + * This feature is enabled by default. + * Disabling it allows the application to specify the path to + * the desired policy file directly. + * + * =OPENPAM_VERIFY_POLICY_FILE: + * Verify the ownership and permissions of the policy file + * and the path leading up to it. + * This feature is enabled by default. + * + * =OPENPAM_RESTRICT_MODULE_NAME: + * Disallow path separators in module names. + * This feature is disabled by default. + * Enabling it prevents the use of modules in non-standard + * locations. 
+ * + * =OPENPAM_VERIFY_MODULE_FILE: + * Verify the ownership and permissions of each loadable + * module and the path leading up to it. + * This feature is enabled by default. + * + * + * >openpam_set_feature * - * >openpam_set_option + * AUTHOR DES */ diff --git a/contrib/openpam/lib/openpam_get_option.c b/contrib/openpam/lib/openpam_get_option.c index b5faa878fd..1f62d218eb 100644 --- a/contrib/openpam/lib/openpam_get_option.c +++ b/contrib/openpam/lib/openpam_get_option.c @@ -32,7 +32,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_get_option.c 482 2011-11-03 16:33:02Z des $ + * $Id: openpam_get_option.c 531 2012-03-31 14:24:37Z des $ */ #ifdef HAVE_CONFIG_H @@ -44,7 +44,6 @@ #include #include -#include #include "openpam_impl.h" diff --git a/contrib/openpam/lib/openpam_impl.h b/contrib/openpam/lib/openpam_impl.h index ba4d45558a..9e8b45f6d5 100644 --- a/contrib/openpam/lib/openpam_impl.h +++ b/contrib/openpam/lib/openpam_impl.h @@ -32,7 +32,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_impl.h 499 2011-11-22 11:51:50Z des $ + * $Id: openpam_impl.h 594 2012-04-14 14:18:41Z des $ */ #ifndef OPENPAM_IMPL_H_INCLUDED @@ -157,9 +157,23 @@ pam_module_t *openpam_static(const char *); #endif pam_module_t *openpam_dynamic(const char *); -#define FREE(p) do { free((p)); (p) = NULL; } while (0) +#define FREE(p) \ + do { \ + free(p); \ + (p) = NULL; \ + } while (0) + +#define FREEV(c, v) \ + do { \ + while (c) { \ + --(c); \ + FREE((v)[(c)]); \ + } \ + FREE(v); \ + } while (0) #include "openpam_constants.h" #include "openpam_debug.h" +#include "openpam_features.h" #endif diff --git a/contrib/openpam/lib/openpam_load.c b/contrib/openpam/lib/openpam_load.c index 0eb8ea7d9c..871d1a8c05 100644 --- a/contrib/openpam/lib/openpam_load.c +++ b/contrib/openpam/lib/openpam_load.c 
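Review bot: `openpam_get_feature` dereferences `onoff` without checking it, so a call with a NULL `onoff` crashes instead of returning an error. A guard before the range check, `if (onoff == NULL) RETURNC(PAM_SYMBOL_ERR);`, keeps the documented error set, or the manual text should state that `onoff` must not be NULL; PAM_SYSTEM_ERR would describe the case more accurately but would then need adding to the `Error codes` comment.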
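Review bot: `FREEV(c, v)` evaluates both `c` and `v` several times and leaves `c` at zero and `v` NULL, but nothing in openpam_impl.h says so. A macro comment such as `/* free v[0..c-1] and v itself; c and v must be side-effect-free lvalues; afterwards c == 0 and v == NULL */` above `#define FREEV` would document the contract that openpam_load.c now relies on. The `while (c)` form is an improvement over the old `while (chain->optc--)` loop in openpam_destroy_chain, which left the counter at -1.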
@@ -32,7 +32,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_load.c 491 2011-11-12 00:12:32Z des $ + * $Id: openpam_load.c 547 2012-04-01 15:01:21Z des $ */ #ifdef HAVE_CONFIG_H @@ -108,9 +108,7 @@ openpam_destroy_chain(pam_chain_t *chain) return; openpam_destroy_chain(chain->next); chain->next = NULL; - while (chain->optc--) - FREE(chain->optv[chain->optc]); - FREE(chain->optv); + FREEV(chain->optc, chain->optv); openpam_release_module(chain->module); chain->module = NULL; FREE(chain); diff --git a/contrib/openpam/lib/openpam_log.c b/contrib/openpam/lib/openpam_log.c index 9e3d28b5b4..2b89f6c6d7 100644 --- a/contrib/openpam/lib/openpam_log.c +++ b/contrib/openpam/lib/openpam_log.c @@ -32,18 +32,17 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_log.c 437 2011-09-13 12:00:13Z des $ + * $Id: openpam_log.c 544 2012-03-31 22:47:15Z des $ */ #ifdef HAVE_CONFIG_H # include "config.h" #endif -#include +#include #include #include #include -#include #include #include @@ -71,6 +70,7 @@ openpam_log(int level, const char *fmt, ...) int priority; switch (level) { + case PAM_LOG_LIBDEBUG: case PAM_LOG_DEBUG: if (!openpam_debug) return; @@ -100,8 +100,10 @@ _openpam_log(int level, const char *func, const char *fmt, ...) va_list ap; char *format; int priority; + int serrno; switch (level) { + case PAM_LOG_LIBDEBUG: case PAM_LOG_DEBUG: if (!openpam_debug) return; @@ -119,10 +121,13 @@ _openpam_log(int level, const char *func, const char *fmt, ...) break; } va_start(ap, fmt); + serrno = errno; if (asprintf(&format, "in %s(): %s", func, fmt) > 0) { + errno = serrno; vsyslog(priority, format, ap); FREE(format); } else { + errno = serrno; vsyslog(priority, fmt, ap); } va_end(ap); 
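Review bot: In `_openpam_log` the saved errno is restored only before the two `vsyslog` calls so that `%m` expands correctly, but the function still returns with whatever errno `asprintf`, `vsyslog` or `free` leave behind, which is why openpam_dynamic in this same commit wraps its call in a save/restore. Restoring once more after `va_end(ap);` with `errno = serrno;` would let callers drop those wrappers, or the function comment should state that errno is not preserved; the closing brace of `_openpam_log` is outside this hunk. The same applies to the non-underscore `openpam_log` if it has the same structure, which is not visible here.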
@@ -137,6 +142,9 @@ _openpam_log(int level, const char *func, const char *fmt, ...) * The =level argument indicates the importance of the message. * The following levels are defined: * + * =PAM_LOG_LIBDEBUG: + * Debugging messages. + * For internal use only. * =PAM_LOG_DEBUG: * Debugging messages. * These messages are normally not logged unless the global diff --git a/contrib/openpam/lib/openpam_readline.c b/contrib/openpam/lib/openpam_readline.c index 9cc8cc107c..014acfb2c1 100644 --- a/contrib/openpam/lib/openpam_readline.c +++ b/contrib/openpam/lib/openpam_readline.c @@ -32,7 +32,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_readline.c 473 2011-11-03 10:48:25Z des $ + * $Id: openpam_readline.c 596 2012-04-14 14:52:40Z des $ */ #ifdef HAVE_CONFIG_H @@ -44,6 +44,7 @@ #include #include + #include "openpam_impl.h" #define MIN_LINE_LENGTH 128 @@ -61,22 +62,11 @@ openpam_readline(FILE *f, int *lineno, size_t *lenp) size_t len, size; int ch; - if ((line = malloc(MIN_LINE_LENGTH)) == NULL) + if ((line = malloc(size = MIN_LINE_LENGTH)) == NULL) { + openpam_log(PAM_LOG_ERROR, "malloc(): %m"); return (NULL); - size = MIN_LINE_LENGTH; + } len = 0; - -#define line_putch(ch) do { \ - if (len >= size - 1) { \ - char *tmp = realloc(line, size *= 2); \ - if (tmp == NULL) \ - goto fail; \ - line = tmp; \ - } \ - line[len++] = ch; \ - line[len] = '\0'; \ -} while (0) - for (;;) { ch = fgetc(f); /* strip comment */ 
@@ -105,26 +95,15 @@ openpam_readline(FILE *f, int *lineno, size_t *lenp) /* done */ break; } - /* whitespace */ - if (isspace(ch)) { - /* ignore leading whitespace */ - /* collapse linear whitespace */ - if (len > 0 && line[len - 1] != ' ') - line_putch(' '); - continue; - } /* anything else */ - line_putch(ch); + if (openpam_straddch(&line, &size, &len, ch) != 0) + goto fail; } - - /* remove trailing whitespace */ - while (len > 0 && isspace((unsigned char)line[len - 1])) - --len; - line[len] = '\0'; if (len == 0) goto fail; if (lenp != NULL) *lenp = len; + openpam_log(PAM_LOG_LIBDEBUG, "returning '%s'", line); return (line); fail: FREE(line); @@ -132,16 +111,18 @@ fail: } /** + * DEPRECATED openpam_readlinev + * * The =openpam_readline function reads a line from a file, and returns it - * in a NUL-terminated buffer allocated with =malloc. + * in a NUL-terminated buffer allocated with =!malloc. * * The =openpam_readline function performs a certain amount of processing * on the data it reads: * - * - Comments (introduced by a hash sign) are stripped, as is leading and - * trailing whitespace. - * - Any amount of linear whitespace is collapsed to a single space. + * - Comments (introduced by a hash sign) are stripped. + * * - Blank lines are ignored. + * * - If a line ends in a backslash, the backslash is stripped and the * next line is appended. * @@ -152,5 +133,8 @@ fail: * terminating NUL character) is stored in the variable it points to. * * The caller is responsible for releasing the returned buffer by passing - * it to =free. + * it to =!free. + * + * >openpam_readlinev + * >openpam_readword */ diff --git a/contrib/openpam/lib/openpam_readlinev.c b/contrib/openpam/lib/openpam_readlinev.c new file mode 100644 index 0000000000..5a43b61f36 --- /dev/null +++ b/contrib/openpam/lib/openpam_readlinev.c 
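Review bot: With the whitespace handling removed from the loop in the `@@ -105,26 +95,15 @@` hunk, every non-comment character now goes through `openpam_straddch`, so a line made only of spaces or tabs ends with `len > 0` and is returned as a string of whitespace rather than being skipped; the manual text below still says "Blank lines are ignored", which is now only true for genuinely empty lines. Whether something earlier in the loop (outside this hunk) still strips leading whitespace cannot be seen from here; if not, either restore a trailing-whitespace trim before the `if (len == 0)` check or reword the bullet to "Empty lines are ignored". The new `openpam_log(PAM_LOG_LIBDEBUG, "returning '%s'", line)` echoes each line's full content to the log; since openpam_readline is a public routine that applications may point at any file, a sentence in the description noting that debug logging reproduces file contents would be worth adding.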
@@ -0,0 +1,156 @@ +/*- + * Copyright (c) 2012 Dag-Erling Smørgrav + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer + * in this position and unchanged. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $Id: openpam_readlinev.c 588 2012-04-08 11:52:25Z des $ + */ + +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include +#include + +#include + +#include "openpam_impl.h" + +#define MIN_WORDV_SIZE 32 + +/* + * OpenPAM extension + * + * Read a line from a file and split it into words. 
+ */
+
+char **
+openpam_readlinev(FILE *f, int *lineno, int *lenp)
+{
+ char *word, **wordv, **tmp;
+ size_t wordlen, wordvsize;
+ int ch, serrno, wordvlen;
+
+ wordvsize = MIN_WORDV_SIZE;
+ wordvlen = 0;
+ if ((wordv = malloc(wordvsize * sizeof *wordv)) == NULL) {
+ openpam_log(PAM_LOG_ERROR, "malloc(): %m");
+ errno = ENOMEM;
+ return (NULL);
+ }
+ wordv[wordvlen] = NULL;
+ while ((word = openpam_readword(f, lineno, &wordlen)) != NULL) {
+ if ((unsigned int)wordvlen + 1 >= wordvsize) {
+ /* need to expand the array */
+ wordvsize *= 2;
+ tmp = realloc(wordv, wordvsize * sizeof *wordv);
+ if (tmp == NULL) {
+ openpam_log(PAM_LOG_ERROR, "malloc(): %m");
+ errno = ENOMEM;
+ break;
+ }
+ wordv = tmp;
+ }
+ /* insert our word */
+ wordv[wordvlen++] = word;
+ wordv[wordvlen] = NULL;
+ }
+ if (errno != 0) {
+ /* I/O error or out of memory */
+ serrno = errno;
+ while (wordvlen--)
+ free(wordv[wordvlen]);
+ free(wordv);
+ errno = serrno;
+ return (NULL);
+ }
+ /* assert(!ferror(f)) */
+ ch = fgetc(f);
+ /* assert(ch == EOF || ch == '\n') */
+ if (ch == EOF && wordvlen == 0) {
+ free(wordv);
+ return (NULL);
+ }
+ if (ch == '\n' && lineno != NULL)
+ ++*lineno;
+ if (lenp != NULL)
+ *lenp = wordvlen;
+ return (wordv);
+}
+
+/**
+ * The =openpam_readlinev function reads a line from a file, splits it
+ * into words according to the rules described in the =openpam_readword
+ * manual page, and returns a list of those words.
+ *
+ * If =lineno is not =NULL, the integer variable it points to is
+ * incremented every time a newline character is read.
+ * This includes quoted or escaped newline characters and the newline
+ * character at the end of the line.
+ *
+ * If =lenp is not =NULL, the number of words on the line is stored in the
+ * variable to which it points.
+ * + * RETURN VALUES + * + * If successful, the =openpam_readlinev function returns a pointer to a + * dynamically allocated array of pointers to individual dynamically + * allocated NUL-terminated strings, each containing a single word, in the + * order in which they were encountered on the line. + * The array is terminated by a =NULL pointer. + * + * The caller is responsible for freeing both the array and the individual + * strings by passing each of them to =!free. + * + * If the end of the line was reached before any words were read, + * =openpam_readlinev returns a pointer to a dynamically allocated array + * containing a single =NULL pointer. + * + * The =openpam_readlinev function can fail and return =NULL for one of + * four reasons: + * + * - The end of the file was reached before any words were read; :errno is + * zero, =!ferror returns zero, and =!feof returns a non-zero value. + * + * - The end of the file was reached while a quote or backslash escape + * was in effect; :errno is set to =EINVAL, =!ferror returns zero, and + * =!feof returns a non-zero value. + * + * - An error occurred while reading from the file; :errno is non-zero, + * =!ferror returns a non-zero value and =!feof returns zero. + * + * - A =!malloc or =!realloc call failed; :errno is set to =ENOMEM, + * =!ferror returns a non-zero value, and =!feof may or may not return + * a non-zero value. + * + * >openpam_readline + * >openpam_readword + * + * AUTHOR DES + */ diff --git a/contrib/openpam/lib/openpam_readword.c b/contrib/openpam/lib/openpam_readword.c new file mode 100644 index 0000000000..74a4d462ce --- /dev/null +++ b/contrib/openpam/lib/openpam_readword.c 
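Review bot: When `realloc` fails inside the loop of `openpam_readlinev`, the `word` just returned by `openpam_readword` has not yet been stored in `wordv` and is never freed before the `break`, so each allocation failure on a long line leaks one word; add `free(word);` before `errno = ENOMEM;` in that branch. The message in that branch also reads `"malloc(): %m"` although the failing call is `realloc`; `openpam_log(PAM_LOG_ERROR, "realloc(): %m");` would match the wording used in openpam_straddch. The `(unsigned int)wordvlen + 1 >= wordvsize` comparison mixes an `int` counter with a `size_t` capacity; declaring `wordvlen` as `size_t` and converting once at `*lenp = wordvlen;` would remove the cast, though `lenp` is an `int *` in the public signature so that conversion still deserves a comment.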
@@ -0,0 +1,207 @@ +/*- + * Copyright (c) 2012 Dag-Erling Smørgrav + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer + * in this position and unchanged. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $Id: openpam_readword.c 588 2012-04-08 11:52:25Z des $ + */ + +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include +#include + +#include + +#include "openpam_impl.h" +#include "openpam_ctype.h" + +#define MIN_WORD_SIZE 32 + +/* + * OpenPAM extension + * + * Read a word from a file, respecting shell quoting rules. 
+ */
+
+char *
+openpam_readword(FILE *f, int *lineno, size_t *lenp)
+{
+ char *word;
+ size_t size, len;
+ int ch, comment, escape, quote;
+ int serrno;
+
+ errno = 0;
+
+ /* skip initial whitespace */
+ comment = 0;
+ while ((ch = getc(f)) != EOF && ch != '\n') {
+ if (ch == '#')
+ comment = 1;
+ if (!is_lws(ch) && !comment)
+ break;
+ }
+ if (ch == EOF)
+ return (NULL);
+ ungetc(ch, f);
+ if (ch == '\n')
+ return (NULL);
+
+ word = NULL;
+ size = len = 0;
+ escape = quote = 0;
+ while ((ch = fgetc(f)) != EOF && (!is_ws(ch) || quote || escape)) {
+ if (ch == '\\' && !escape && quote != '\'') {
+ /* escape next character */
+ escape = ch;
+ } else if ((ch == '\'' || ch == '"') && !quote && !escape) {
+ /* begin quote */
+ quote = ch;
+ /* edge case: empty quoted string */
+ if (word == NULL && (word = malloc(1)) == NULL) {
+ openpam_log(PAM_LOG_ERROR, "malloc(): %m");
+ errno = ENOMEM;
+ return (NULL);
+ }
+ *word = '\0';
+ size = 1;
+ } else if (ch == quote && !escape) {
+ /* end quote */
+ quote = 0;
+ } else if (ch == '\n' && escape && quote != '\'') {
+ /* line continuation */
+ escape = 0;
+ } else {
+ if (escape && quote && ch != '\\' && ch != quote &&
+ openpam_straddch(&word, &size, &len, '\\') != 0) {
+ free(word);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ if (openpam_straddch(&word, &size, &len, ch) != 0) {
+ free(word);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ escape = 0;
+ }
+ if (lineno != NULL && ch == '\n')
+ ++*lineno;
+ }
+ if (ch == EOF && ferror(f)) {
+ serrno = errno;
+ free(word);
+ errno = serrno;
+ return (NULL);
+ }
+ if (ch == EOF && (escape || quote)) {
+ /* Missing escaped character or closing quote. */
+ openpam_log(PAM_LOG_ERROR, "unexpected end of file");
+ free(word);
+ errno = EINVAL;
+ return (NULL);
+ }
+ ungetc(ch, f);
+ if (lenp != NULL)
+ *lenp = len;
+ return (word);
+}
+
+/**
+ * The =openpam_readword function reads the next word from a file, and
+ * returns it in a NUL-terminated buffer allocated with =!malloc.
+ * + * A word is a sequence of non-whitespace characters. + * However, whitespace characters can be included in a word if quoted or + * escaped according to the following rules: + * + * - An unescaped single or double quote introduces a quoted string, + * which ends when the same quote character is encountered a second + * time. + * The quotes themselves are stripped. + * + * - Within a single- or double-quoted string, all whitespace characters, + * including the newline character, are preserved as-is. + * + * - Outside a quoted string, a backslash escapes the next character, + * which is preserved as-is, unless that character is a newline, in + * which case it is discarded and reading continues at the beginning of + * the next line as if the backslash and newline had not been there. + * In all cases, the backslash itself is discarded. + * + * - Within a single-quoted string, double quotes and backslashes are + * preserved as-is. + * + * - Within a double-quoted string, a single quote is preserved as-is, + * and a backslash is preserved as-is unless used to escape a double + * quote. + * + * In addition, if the first non-whitespace character on the line is a + * hash character (#), the rest of the line is discarded. + * If a hash character occurs within a word, however, it is preserved + * as-is. + * A backslash at the end of a comment does cause line continuation. + * + * If =lineno is not =NULL, the integer variable it points to is + * incremented every time a quoted or escaped newline character is read. + * + * If =lenp is not =NULL, the length of the word (after quotes and + * backslashes have been removed) is stored in the variable it points to. + * + * RETURN VALUES + * + * If successful, the =openpam_readword function returns a pointer to a + * dynamically allocated NUL-terminated string containing the first word + * encountered on the line. + * + * The caller is responsible for releasing the returned buffer by passing + * it to =!free. 
+ * + * If =openpam_readword reaches the end of the line or file before any + * characters are copied to the word, it returns =NULL. In the former + * case, the newline is pushed back to the file. + * + * If =openpam_readword reaches the end of the file while a quote or + * backslash escape is in effect, it sets :errno to =EINVAL and returns + * =NULL. + * + * IMPLEMENTATION NOTES + * + * The parsing rules are intended to be equivalent to the normal POSIX + * shell quoting rules. + * Any discrepancy is a bug and should be reported to the author along + * with sample input that can be used to reproduce the error. + * + * >openpam_readline + * >openpam_readlinev + * + * AUTHOR DES + */ diff --git a/contrib/openpam/include/security/openpam_version.h b/contrib/openpam/lib/openpam_set_feature.c similarity index 62% copy from contrib/openpam/include/security/openpam_version.h copy to contrib/openpam/lib/openpam_set_feature.c index ed1c1de69f..4f6a4a5c92 100644 --- a/contrib/openpam/include/security/openpam_version.h +++ b/contrib/openpam/lib/openpam_set_feature.c 
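Review bot: The "begin quote" branch of `openpam_readword` executes `*word = '\0'; size = 1;` unconditionally, so when a quote starts after characters have already been collected (the word `foo"bar"`), the existing buffer keeps `len == 3` while `size` is reset to 1; the next `openpam_straddch` call then doubles `size` once to 2, shrinks the block with `realloc`, and stores at `(*str)[3]` and `(*str)[4]`, past the end of the allocation. Only the `word == NULL` case needs the empty-string setup, and letting `openpam_straddch` do the allocation keeps `size` and `len` consistent with the rest of the function; the rewritten branch is below. Separately, the manual text states "A backslash at the end of a comment does cause line continuation", but the comment-skipping loop at the top consumes every character up to the newline without looking at backslashes and then returns NULL, so either the sentence or the loop is wrong. A related edge case worth a test: a backslash-newline continuation with nothing collected yet leaves `word == NULL` when the next whitespace ends the loop, so the caller sees end-of-line even though the logical line continues; this depends on `is_ws`/`is_lws`, which are not visible here.
```c
		} else if ((ch == '\'' || ch == '"') && !quote && !escape) {
			/* begin quote */
			quote = ch;
			/* edge case: empty quoted string */
			if (word == NULL) {
				/* allocate through straddch so size/len stay consistent */
				if (openpam_straddch(&word, &size, &len, '\0') != 0) {
					errno = ENOMEM;
					return (NULL);
				}
				--len;	/* the NUL is the terminator, not content */
			}
		} else if (ch == quote && !escape) {
		/* … unchanged: end quote, line continuation, default branch … */
```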
@@ -1,18 +1,13 @@ /*- - * Copyright (c) 2002-2003 Networks Associates Technology, Inc. - * Copyright (c) 2004-2011 Dag-Erling Smørgrav + * Copyright (c) 2012 Dag-Erling Smørgrav * All rights reserved. * - * This software was developed for the FreeBSD Project by ThinkSec AS and - * Network Associates Laboratories, the Security Research Division of - * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 - * ("CBOSS"), as part of the DARPA CHATS research program. - * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer + * in this position and unchanged. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. 
@@ -32,14 +27,49 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_version.h 505 2011-12-18 14:13:08Z des $ + * $Id: openpam_set_feature.c 608 2012-05-17 16:00:13Z des $ + */ + +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include "openpam_impl.h" + +/* + * OpenPAM extension + * + * Enable or disable an optional feature. */ -#ifndef SECURITY_OPENPAM_VERSION_H_INCLUDED -#define SECURITY_OPENPAM_VERSION_H_INCLUDED +int +openpam_set_feature(int feature, int onoff) +{ -#define OPENPAM -#define OPENPAM_VERSION 20111218 -#define OPENPAM_RELEASE "Lycopsida" + ENTERF(feature); + if (feature < 0 || feature >= OPENPAM_NUM_FEATURES) + RETURNC(PAM_SYMBOL_ERR); + openpam_features[feature].onoff = onoff; + RETURNC(PAM_SUCCESS); +} -#endif /* !SECURITY_OPENPAM_VERSION_H_INCLUDED */ +/* + * Error codes: + * + * PAM_SYMBOL_ERR + */ + +/** + * EXPERIMENTAL + * + * The =openpam_set_feature function sets the state of the specified + * feature to the value specified by the =onoff argument. + * See =openpam_get_feature for a list of recognized features. + * + * >openpam_get_feature + * + * AUTHOR DES + */ diff --git a/contrib/openpam/lib/openpam_set_option.c b/contrib/openpam/lib/openpam_set_option.c index c7cb1c7c41..1712a718ec 100644 --- a/contrib/openpam/lib/openpam_set_option.c +++ b/contrib/openpam/lib/openpam_set_option.c @@ -32,7 +32,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_set_option.c 482 2011-11-03 16:33:02Z des $ + * $Id: openpam_set_option.c 532 2012-03-31 14:24:53Z des $ */ #ifdef HAVE_CONFIG_H @@ -46,7 +46,6 @@ #include #include -#include #include "openpam_impl.h" diff --git a/contrib/openpam/lib/openpam_straddch.c b/contrib/openpam/lib/openpam_straddch.c new file mode 100644 index 0000000000..9845cc610a --- /dev/null +++ b/contrib/openpam/lib/openpam_straddch.c 
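Review bot: `openpam_set_feature` stores `onoff` verbatim into `openpam_features[feature].onoff`, so a caller passing 2 or -1 gets that value back from `openpam_get_feature` while the table's own entries use 0/1; `openpam_features[feature].onoff = (onoff != 0);` keeps the stored state canonical. The table is a process-wide global written without synchronization and the manual text does not say when it is safe to call; a sentence such as "Features are process-global; set them before the first pam_start call and not concurrently with other PAM calls" would help callers. Because these features gate policy-file and module-file verification, the description could also state plainly that turning one off removes that check for every later transaction in the process.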
@@ -0,0 +1,111 @@ +/*- + * Copyright (c) 2012 Dag-Erling Smørgrav + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer + * in this position and unchanged. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $Id: openpam_straddch.c 568 2012-04-05 14:35:53Z des $ + */ + +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include + +#include "openpam_impl.h" + +#define MIN_STR_SIZE 32 + +/* + * OpenPAM extension + * + * Add a character to a string, expanding the buffer if needed. 
+ */
+
+int
+openpam_straddch(char **str, size_t *size, size_t *len, int ch)
+{
+ size_t tmpsize;
+ char *tmpstr;
+
+ if (*str == NULL) {
+ /* initial allocation */
+ tmpsize = MIN_STR_SIZE;
+ if ((tmpstr = malloc(tmpsize)) == NULL) {
+ openpam_log(PAM_LOG_ERROR, "malloc(): %m");
+ errno = ENOMEM;
+ return (-1);
+ }
+ *str = tmpstr;
+ *size = tmpsize;
+ *len = 0;
+ } else if (*len + 1 >= *size) {
+ /* additional space required */
+ tmpsize = *size * 2;
+ if ((tmpstr = realloc(*str, tmpsize)) == NULL) {
+ openpam_log(PAM_LOG_ERROR, "realloc(): %m");
+ errno = ENOMEM;
+ return (-1);
+ }
+ *size = tmpsize;
+ *str = tmpstr;
+ }
+ (*str)[*len] = ch;
+ ++*len;
+ (*str)[*len] = '\0';
+ return (0);
+}
+
+/**
+ * The =openpam_straddch function appends a character to a dynamically
+ * allocated NUL-terminated buffer, reallocating the buffer as needed.
+ *
+ * The =str argument points to a variable containing either a pointer to
+ * an existing buffer or =NULL.
+ * If the value of the variable pointed to by =str is =NULL, a new buffer
+ * is allocated.
+ *
+ * The =size and =len argument point to variables used to hold the size
+ * of the buffer and the length of the string it contains, respectively.
+ *
+ * If a new buffer is allocated or an existing buffer is reallocated to
+ * make room for the additional character, =str and =size are updated
+ * accordingly.
+ *
+ * The =openpam_straddch function ensures that the buffer is always
+ * NUL-terminated.
+ *
+ * If the =openpam_straddch function is successful, it increments the
+ * integer variable pointed to by =len and returns 0.
+ * Otherwise, it leaves the variables pointed to by =str, =size and =len
+ * unmodified, sets :errno to =ENOMEM and returns -1.
+ *
+ * AUTHOR DES
+ */
diff --git a/contrib/openpam/lib/openpam_strlcpy.h b/contrib/openpam/lib/openpam_strlcat.h
similarity index 74%
copy from contrib/openpam/lib/openpam_strlcpy.h
copy to contrib/openpam/lib/openpam_strlcat.h
index 921653b6e9..1f266936be 100644
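Review bot: `openpam_straddch` trusts the caller's `*size` and `*len` for a non-NULL buffer and grows it by a single doubling, so it is only safe when `*len < *size` holds on entry: with `*size == 0` it calls `realloc(*str, 0)`, whose result is implementation-defined, and with `*len` at or beyond `*size` the stores at `(*str)[*len]` land outside the reallocated block. Either reject the inconsistent state up front, `if (*size == 0 || *len >= *size) { errno = EINVAL; return (-1); }`, documenting EINVAL next to ENOMEM, or state the precondition in the manual text ("the variables pointed to by size and len must describe the buffer, with len < size"). The `int ch` argument is stored through a `char`, so callers must not pass EOF; the present callers filter it before calling, and a sentence saying so would keep future callers honest.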
--- a/contrib/openpam/lib/openpam_strlcpy.h +++ b/contrib/openpam/lib/openpam_strlcat.h @@ -11,6 +11,9 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -24,20 +27,22 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: openpam_strlcpy.h 492 2011-11-20 02:04:17Z des $ + * $Id: openpam_strlcat.h 578 2012-04-06 00:45:59Z des $ */ -#ifndef OPENPAM_STRLCPY_H_INCLUDED -#define OPENPAM_STRLCPY_H_INCLUDED +#ifndef OPENPAM_STRLCAT_H_INCLUDED +#define OPENPAM_STRLCAT_H_INCLUDED -#ifndef HAVE_STRLCPY -/* like strcpy(3), but always NUL-terminates; returns strlen(src) */ -size_t -strlcpy(char *dst, const char *src, size_t size) +#ifndef HAVE_STRLCAT +/* like strcat(3), but always NUL-terminates; returns strlen(src) */ +static size_t +strlcat(char *dst, const char *src, size_t size) { size_t len; - for (len = 0; *src && size > 1; ++len, --size) + for (len = 0; *dst && size > 1; ++len, --size) + dst++; + for (; *src && size > 1; ++len, --size) *dst++ = *src++; *dst = '\0'; while (*src) diff --git a/contrib/openpam/lib/openpam_strlcmp.h b/contrib/openpam/lib/openpam_strlcmp.h index c692225d7f..2a78e0f676 100644 --- a/contrib/openpam/lib/openpam_strlcmp.h +++ b/contrib/openpam/lib/openpam_strlcmp.h 
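Review bot: The comment above `strlcat` says it "returns strlen(src)", carried over from the strlcpy header, but the first loop also counts the characters skipped in `dst`, so the result is the length of the string it attempted to build; `/* like strcat(3), but always NUL-terminates; returns strlen(dst) + strlen(src) */` describes the code. Two edge cases also differ from strlcat(3): with `size == 0` the `*dst = '\0'` store still writes one byte, and when `dst` is not NUL-terminated within `size` bytes the first loop stops at `size == 1` and the store truncates the existing string, whereas the BSD routine leaves `dst` untouched and returns `size + strlen(src)`. The tail of the function, including the return, is outside this hunk.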
@@ -11,6 +11,9 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -24,7 +27,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_strlcmp.h 475 2011-11-03 15:29:24Z des $
+ * $Id: openpam_strlcmp.h 578 2012-04-06 00:45:59Z des $
 */
 
 #ifndef OPENPAM_STRLCMP_H_INCLUDED
diff --git a/contrib/openpam/lib/openpam_strlcpy.h b/contrib/openpam/lib/openpam_strlcpy.h
index 921653b6e9..9c65548348 100644
--- a/contrib/openpam/lib/openpam_strlcpy.h
+++ b/contrib/openpam/lib/openpam_strlcpy.h
@@ -11,6 +11,9 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -24,7 +27,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_strlcpy.h 492 2011-11-20 02:04:17Z des $
+ * $Id: openpam_strlcpy.h 578 2012-04-06 00:45:59Z des $
 */
 
 #ifndef OPENPAM_STRLCPY_H_INCLUDED
@@ -32,7 +35,7 @@
 
 #ifndef HAVE_STRLCPY
 /* like strcpy(3), but always NUL-terminates; returns strlen(src) */
-size_t
+static size_t
 strlcpy(char *dst, const char *src, size_t size)
 {
 size_t len;
diff --git a/contrib/openpam/lib/openpam_subst.c b/contrib/openpam/lib/openpam_subst.c
index d54b8270da..bab7a785fa 100644
--- a/contrib/openpam/lib/openpam_subst.c
+++ b/contrib/openpam/lib/openpam_subst.c
@@ -11,6 +11,9 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -24,7 +27,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_subst.c 461 2011-11-02 14:00:38Z des $
+ * $Id: openpam_subst.c 543 2012-03-31 22:11:34Z des $
 */
 
 #ifdef HAVE_CONFIG_H
diff --git a/contrib/openpam/lib/openpam_ttyconv.c b/contrib/openpam/lib/openpam_ttyconv.c
index ec078f4180..14a324d59e 100644
--- a/contrib/openpam/lib/openpam_ttyconv.c
+++ b/contrib/openpam/lib/openpam_ttyconv.c
@@ -32,7 +32,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_ttyconv.c 437 2011-09-13 12:00:13Z des $
+ * $Id: openpam_ttyconv.c 527 2012-02-26 03:23:59Z des $
 */
 
 #ifdef HAVE_CONFIG_H
@@ -69,17 +69,17 @@ prompt(const char *msg)
 {
 char buf[PAM_MAX_RESP_SIZE];
 struct sigaction action, saved_action;
- sigset_t saved_sigset, sigset;
+ sigset_t saved_sigset, the_sigset;
 unsigned int saved_alarm;
 int eof, error, fd;
 size_t len;
 char *retval;
 char ch;
 
- sigemptyset(&sigset);
- sigaddset(&sigset, SIGINT);
- sigaddset(&sigset, SIGTSTP);
- sigprocmask(SIG_SETMASK, &sigset, &saved_sigset);
+ sigemptyset(&the_sigset);
+ sigaddset(&the_sigset, SIGINT);
+ sigaddset(&the_sigset, SIGTSTP);
+ sigprocmask(SIG_SETMASK, &the_sigset, &saved_sigset);
 action.sa_handler = &timeout;
 action.sa_flags = 0;
 sigemptyset(&action.sa_mask);
diff --git a/contrib/openpam/lib/pam_get_authtok.c b/contrib/openpam/lib/pam_get_authtok.c
index a0613eff9c..1a3aebc810 100644
--- a/contrib/openpam/lib/pam_get_authtok.c
+++ b/contrib/openpam/lib/pam_get_authtok.c
@@ -32,7 +32,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: pam_get_authtok.c 455 2011-10-29 18:31:11Z des $
+ * $Id: pam_get_authtok.c 510 2011-12-31 13:14:23Z des $
 */
 
 #ifdef HAVE_CONFIG_H
@@ -50,6 +50,7 @@
 #include "openpam_impl.h"
 
 static const char authtok_prompt[] = "Password:";
+static const char authtok_prompt_remote[] = "Password for %u@%h:";
 static const char oldauthtok_prompt[] = "Old Password:";
 static const char newauthtok_prompt[] = "New Password:";
 
@@ -69,6 +70,7 @@ pam_get_authtok(pam_handle_t *pamh,
 size_t prompt_size;
 const void *oldauthtok, *prevauthtok, *promptp;
 const char *prompt_option, *default_prompt;
+ const void *lhost, *rhost;
 char *resp, *resp2;
 int pitem, r, style, twice;
 
@@ -82,6 +84,14 @@ pam_get_authtok(pam_handle_t *pamh,
 pitem = PAM_AUTHTOK_PROMPT;
 prompt_option = "authtok_prompt";
 default_prompt = authtok_prompt;
+ r = pam_get_item(pamh, PAM_RHOST, &rhost);
+ if (r == PAM_SUCCESS && rhost != NULL) {
+ r = pam_get_item(pamh, PAM_HOST, &lhost);
+ if (r == PAM_SUCCESS && lhost != NULL) {
+ if (strcmp(rhost, lhost) != 0)
+ default_prompt = authtok_prompt_remote;
+ }
+ }
 r = pam_get_item(pamh, PAM_OLDAUTHTOK, &oldauthtok);
 if (r == PAM_SUCCESS && oldauthtok != NULL) {
 default_prompt = newauthtok_prompt;
diff --git a/contrib/openpam/lib/pam_putenv.c b/contrib/openpam/lib/pam_putenv.c
index 369066d8ea..e1f0bc35e2 100644
--- a/contrib/openpam/lib/pam_putenv.c
+++ b/contrib/openpam/lib/pam_putenv.c
@@ -32,7 +32,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: pam_putenv.c 437 2011-09-13 12:00:13Z des $
+ * $Id: pam_putenv.c 539 2012-03-31 20:53:22Z des $
 */
 
 #ifdef HAVE_CONFIG_H
@@ -102,7 +102,7 @@ pam_putenv(pam_handle_t *pamh,
 */
 
 /**
- * The =pam_putenv function sets a environment variable.
+ * The =pam_putenv function sets an environment variable.
 * Its semantics are similar to those of =putenv, but it modifies the PAM
 * context's environment list instead of the application's.
 *
diff --git a/contrib/openpam/lib/pam_setenv.c b/contrib/openpam/lib/pam_setenv.c
index fbe6a8f1b6..6fd4c1001e 100644
--- a/contrib/openpam/lib/pam_setenv.c
+++ b/contrib/openpam/lib/pam_setenv.c
@@ -32,7 +32,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: pam_setenv.c 437 2011-09-13 12:00:13Z des $
+ * $Id: pam_setenv.c 539 2012-03-31 20:53:22Z des $
 */
 
 #ifdef HAVE_CONFIG_H
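Review bot: The host test `strcmp(rhost, lhost) != 0` is a plain byte-wise comparison, so a local login whose PAM_RHOST names the same machine under another spelling (different capitalization, FQDN against short name, an address) is prompted as remote, while a remote login whose PAM_RHOST string happens to equal PAM_HOST is not; if exact textual match is the intended rule, a comment such as `/* remote prompt only when rhost is set and differs textually from the local host name */` above `r = pam_get_item(pamh, PAM_RHOST, &rhost);` would record that choice for the next reader. The unchanged PAM_OLDAUTHTOK branch that follows overwrites `default_prompt` again, so the remote variant never reaches the change-password prompt; presumably intended, but worth one line of comment. The `%u@%h` tokens in the new prompt string are only meaningful if the prompt is later passed through the %-expansion this file presumably applies, which the hunk does not show. pam_get_authtok's body continues on both sides of the hunk.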
@@ -92,7 +92,7 @@ pam_setenv(pam_handle_t *pamh,
 */
 
 /**
- * The =pam_setenv function sets a environment variable.
+ * The =pam_setenv function sets an environment variable.
 * Its semantics are similar to those of =setenv, but it modifies the PAM
 * context's environment list instead of the application's.
 *
-- 
2.41.0