diff --git a/libs/libpam/Makefile b/libs/libpam/Makefile index 5c0952cd0..d5a51b2b1 100644 --- a/libs/libpam/Makefile +++ b/libs/libpam/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libpam -PKG_VERSION:=1.3.1 +PKG_VERSION:=1.4.0 PKG_RELEASE:=1 PKG_SOURCE:=Linux-PAM-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://github.com/linux-pam/linux-pam/releases/download/v$(PKG_VERSION) -PKG_HASH:=eff47a4ecd833fbf18de9686632a70ee8d0794b79aecb217ebd0ce11db4cd0db +PKG_HASH:=cd6d928c51e64139be3bdb38692c68183a509b83d4f2c221024ccd4bcddfd034 PKG_BUILD_DIR:=$(BUILD_DIR)/Linux-PAM-$(PKG_VERSION) PKG_MAINTAINER:=Nikos Mavrogiannopoulos @@ -45,12 +45,16 @@ CONFIGURE_ARGS += \ --disable-audit \ --disable-cracklib \ --disable-db \ - --disable-prelude \ + --disable-debug \ + --disable-doc \ + --disable-econf \ --disable-lckpwdf \ --disable-nis \ + --disable-prelude \ --disable-regenerate-docu \ --disable-rpath \ --disable-selinux \ + --disable-Werror \ --with-gnu-ld \ --without-mailspool \ --without-xauth diff --git a/libs/libpam/patches/0002-build-ignore-pam_rhosts-if-neither-ruserok-nor-ruser.patch b/libs/libpam/patches/0002-build-ignore-pam_rhosts-if-neither-ruserok-nor-ruser.patch deleted file mode 100644 index cfa9a3c39..000000000 --- a/libs/libpam/patches/0002-build-ignore-pam_rhosts-if-neither-ruserok-nor-ruser.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 1a2e6c979118dce5e79604e88c008c7879d1e4e6 Mon Sep 17 00:00:00 2001 -From: Yousong Zhou -Date: Wed, 17 Jun 2015 18:19:23 +0800 -Subject: [PATCH 2/7] build: ignore pam_rhosts if neither ruserok nor - ruserok_af is available. - -* configure.ac: check for ruserok and ruserok_af -* modules/Makefile.am: ignore pam_rhosts/ if it's disabled -* modules/pam_rhosts/pam_rhosts.c: include stdlib.h for malloc and free - -Signed-off-by: Yousong Zhou ---- - configure.ac | 5 ++++- - modules/Makefile.am | 11 ++++++++--- - modules/pam_rhosts/pam_rhosts.c | 1 + - 3 files changed, 13 insertions(+), 4 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 306b6e2..084071a 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -524,7 +524,10 @@ AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir selec - AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname) - AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r) - AC_CHECK_FUNCS(getgrouplist getline getdelim) --AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af) -+AC_CHECK_FUNCS(inet_ntop inet_pton innetgr) -+AC_CHECK_FUNCS([ruserok_af ruserok], [break]) -+ -+AM_CONDITIONAL([COND_BUILD_PAM_RHOSTS], [test "$ac_cv_func_ruserok_af" = yes -o "$ac_cv_func_ruserok" = yes]) - - AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no]) - AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes]) -diff --git a/modules/Makefile.am b/modules/Makefile.am -index 0c80cea..9ad26a9 100644 ---- a/modules/Makefile.am -+++ b/modules/Makefile.am -@@ -2,16 +2,21 @@ - # Copyright (c) 2005, 2006, 2008 Thorsten Kukuk - # - --SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ -+if COND_BUILD_PAM_RHOSTS -+ MAYBE_PAM_RHOSTS = pam_rhosts -+endif -+ -+SUBDIRS := pam_access pam_cracklib pam_debug pam_deny pam_echo \ - pam_env pam_exec pam_faildelay pam_filter pam_ftp \ - pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ - pam_listfile pam_localuser pam_loginuid pam_mail \ - pam_mkhomedir pam_motd pam_namespace pam_nologin \ -- pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \ -+ pam_permit pam_pwhistory pam_rootok pam_securetty \ - pam_selinux pam_sepermit pam_shells pam_stress \ - pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \ - pam_tty_audit pam_umask \ -- pam_unix pam_userdb pam_warn pam_wheel pam_xauth -+ pam_unix pam_userdb pam_warn pam_wheel pam_xauth \ -+ $(MAYBE_PAM_RHOSTS) - - CLEANFILES = *~ - -diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c -index bc9e76f..51ef13e 100644 ---- a/modules/pam_rhosts/pam_rhosts.c -+++ b/modules/pam_rhosts/pam_rhosts.c -@@ -35,6 +35,7 @@ - #include - #include - #include -+#include - #include - - #define PAM_SM_AUTH /* only defines this management group */ --- -1.7.10.4 - diff --git a/libs/libpam/patches/0003-build-ignore-pam_lastlog-when-logwtmp-is-not-availab.patch b/libs/libpam/patches/0003-build-ignore-pam_lastlog-when-logwtmp-is-not-availab.patch deleted file mode 100644 index 21ebf94f5..000000000 --- a/libs/libpam/patches/0003-build-ignore-pam_lastlog-when-logwtmp-is-not-availab.patch +++ /dev/null @@ -1,60 +0,0 @@ -From bac1ee3033cf22e31730fe3e77ca82bd5ebba692 Mon Sep 17 00:00:00 2001 -From: Yousong Zhou -Date: Wed, 17 Jun 2015 21:18:05 +0800 -Subject: [PATCH 3/7] build: ignore pam_lastlog when logwtmp is not available. - -* configure.ac: check logwtmp and set COND_BUILD_PAM_LASTLOG -* modules/pam_lastlog/Makefile.am: check COND_BUILD_PAM_LASTLOG - -Signed-off-by: Yousong Zhou ---- - configure.ac | 2 ++ - modules/Makefile.am | 8 ++++++-- - 2 files changed, 8 insertions(+), 2 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 084071a..ca4bf5b 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -526,8 +526,10 @@ AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r - AC_CHECK_FUNCS(getgrouplist getline getdelim) - AC_CHECK_FUNCS(inet_ntop inet_pton innetgr) - AC_CHECK_FUNCS([ruserok_af ruserok], [break]) -+AC_CHECK_FUNCS([logwtmp]) - - AM_CONDITIONAL([COND_BUILD_PAM_RHOSTS], [test "$ac_cv_func_ruserok_af" = yes -o "$ac_cv_func_ruserok" = yes]) -+AM_CONDITIONAL([COND_BUILD_PAM_LASTLOG], [test "$ac_cv_func_logwtmp" = yes]) - - AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no]) - AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes]) -diff --git a/modules/Makefile.am b/modules/Makefile.am -index 9ad26a9..b98dc5c 100644 ---- a/modules/Makefile.am -+++ b/modules/Makefile.am -@@ -6,9 +6,13 @@ if COND_BUILD_PAM_RHOSTS - MAYBE_PAM_RHOSTS = pam_rhosts - endif - -+if COND_BUILD_PAM_LASTLOG -+ MAYBE_PAM_LASTLOG = pam_lastlog -+endif -+ - SUBDIRS := pam_access pam_cracklib pam_debug pam_deny pam_echo \ - pam_env pam_exec pam_faildelay pam_filter pam_ftp \ -- pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ -+ pam_group pam_issue pam_keyinit pam_limits \ - pam_listfile pam_localuser pam_loginuid pam_mail \ - pam_mkhomedir pam_motd pam_namespace pam_nologin \ - pam_permit pam_pwhistory pam_rootok pam_securetty \ -@@ -16,7 +20,7 @@ SUBDIRS := pam_access pam_cracklib pam_debug pam_deny pam_echo \ - pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \ - pam_tty_audit pam_umask \ - pam_unix pam_userdb pam_warn pam_wheel pam_xauth \ -- $(MAYBE_PAM_RHOSTS) -+ $(MAYBE_PAM_RHOSTS) $(MAYBE_PAM_LASTLOG) - - CLEANFILES = *~ - --- -1.7.10.4 - diff --git a/libs/libpam/patches/0005-build-fix-doc-build.patch b/libs/libpam/patches/0005-build-fix-doc-build.patch deleted file mode 100644 index 6d56f8c04..000000000 --- a/libs/libpam/patches/0005-build-fix-doc-build.patch +++ /dev/null @@ -1,133 +0,0 @@ -From 1563e57ea8ab9d123f765129a6840929ef58ff7a Mon Sep 17 00:00:00 2001 -From: Yousong Zhou -Date: Wed, 17 Jun 2015 20:38:41 +0800 -Subject: [PATCH 5/7] build: fix doc build. - -* Makefile.am: ignore doc/ directory if not ENABLE_REGENERATE_MAN -* doc/adg/Makefile.am: remove check on ENABLE_REGENERATE_MAN -* doc/man/Makefile.am: ditto -* doc/mwg/Makefile.am: ditto -* doc/sag/Makefile.am: ditto -* doc/specs/Makefile.am: ignore CC from command line - -Signed-off-by: Yousong Zhou ---- - Makefile.am | 5 ++++- - doc/adg/Makefile.am | 3 --- - doc/man/Makefile.am | 2 -- - doc/mwg/Makefile.am | 3 --- - doc/sag/Makefile.am | 2 -- - doc/specs/Makefile.am | 2 +- - 6 files changed, 5 insertions(+), 12 deletions(-) - -diff --git a/Makefile.am b/Makefile.am -index 3db4e37..5e6592a 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -4,7 +4,10 @@ - - AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 dist-xz check-news - --SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests -+if ENABLE_REGENERATE_MAN -+ MAYBE_DOC = doc -+endif -+SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests $(MAYBE_DOC) - - CLEANFILES = *~ - -diff --git a/doc/adg/Makefile.am b/doc/adg/Makefile.am -index 77bd7a9..bec5edc 100644 ---- a/doc/adg/Makefile.am -+++ b/doc/adg/Makefile.am -@@ -9,7 +9,6 @@ EXTRA_DIST = $(XMLS) - XMLS = Linux-PAM_ADG.xml $(shell ls $(srcdir)/pam_*.xml) - DEP_XMLS = $(shell ls $(top_srcdir)/doc/man/pam_*.xml) - --if ENABLE_REGENERATE_MAN - MAINTAINERCLEANFILES = Linux-PAM_ADG.txt Linux-PAM_ADG.pdf html/*.html - - all: Linux-PAM_ADG.txt html/Linux-PAM_ADG.html Linux-PAM_ADG.pdf -@@ -51,8 +50,6 @@ html/Linux-PAM_ADG.html: $(XMLS) $(DEP_XMLS) - distclean-local: - -rm -rf html Linux-PAM_ADG.txt Linux-PAM_ADG.pdf - --endif -- - install-data-local: - $(mkinstalldirs) $(DESTDIR)$(docdir) - $(mkinstalldirs) $(DESTDIR)$(pdfdir) -diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am -index 78c891d..b1dc421 100644 ---- a/doc/man/Makefile.am -+++ b/doc/man/Makefile.am -@@ -45,7 +45,6 @@ XMLS = pam.3.xml pam.8.xml \ - misc_conv.3.xml pam_misc_paste_env.3.xml pam_misc_drop_env.3.xml \ - pam_misc_setenv.3.xml - --if ENABLE_REGENERATE_MAN - PAM.8: pam.8 - pam_get_authtok_noverify.3: pam_get_authtok.3 - pam_get_authtok_verify.3: pam_get_authtok.3 -@@ -60,4 +59,3 @@ pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml - pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml - pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml - -include $(top_srcdir)/Make.xml.rules --endif -diff --git a/doc/mwg/Makefile.am b/doc/mwg/Makefile.am -index 2bbb2d0..f57e297 100644 ---- a/doc/mwg/Makefile.am -+++ b/doc/mwg/Makefile.am -@@ -9,7 +9,6 @@ EXTRA_DIST = $(XMLS) - XMLS = Linux-PAM_MWG.xml $(shell ls $(srcdir)/pam_*.xml) - DEP_XMLS = $(shell ls $(top_srcdir)/doc/man/pam_*.xml) - --if ENABLE_REGENERATE_MAN - MAINTAINERCLEANFILES = Linux-PAM_MWG.txt Linux-PAM_MWG.pdf html/*.html - - all: Linux-PAM_MWG.txt html/Linux-PAM_MWG.html Linux-PAM_MWG.pdf -@@ -51,8 +50,6 @@ html/Linux-PAM_MWG.html: $(XMLS) $(DEP_XMLS) - distclean-local: - -rm -rf html Linux-PAM_MWG.txt Linux-PAM_MWG.pdf - --endif -- - install-data-local: - $(mkinstalldirs) $(DESTDIR)$(docdir) - $(mkinstalldirs) $(DESTDIR)$(pdfdir) -diff --git a/doc/sag/Makefile.am b/doc/sag/Makefile.am -index 31816aa..a8b655f 100644 ---- a/doc/sag/Makefile.am -+++ b/doc/sag/Makefile.am -@@ -10,7 +10,6 @@ XMLS = Linux-PAM_SAG.xml $(shell ls $(srcdir)/pam_*.xml) - - DEP_XMLS = $(shell ls $(top_srcdir)/modules/pam_*/pam_*.xml) - --if ENABLE_REGENERATE_MAN - MAINTAINERCLEANFILES = Linux-PAM_SAG.txt Linux-PAM_SAG.pdf html/*.html - - all: Linux-PAM_SAG.txt html/Linux-PAM_SAG.html Linux-PAM_SAG.pdf -@@ -51,7 +50,6 @@ html/Linux-PAM_SAG.html: $(XMLS) $(DEP_XMLS) - - distclean-local: - -rm -rf html Linux-PAM_SAG.txt Linux-PAM_SAG.pdf --endif - - install-data-local: - $(mkinstalldirs) $(DESTDIR)$(docdir) -diff --git a/doc/specs/Makefile.am b/doc/specs/Makefile.am -index 99ecc70..39c850f 100644 ---- a/doc/specs/Makefile.am -+++ b/doc/specs/Makefile.am -@@ -11,7 +11,7 @@ draft-morgan-pam-current.txt: padout draft-morgan-pam.raw - - AM_YFLAGS = -d - --CC = @CC_FOR_BUILD@ -+override CC = @CC_FOR_BUILD@ - CPPFLAGS = @BUILD_CPPFLAGS@ - CFLAGS = @BUILD_CFLAGS@ - LDFLAGS = @BUILD_LDFLAGS@ --- -1.7.10.4 - diff --git a/libs/libpam/patches/0006-pam_unix-fix-compilation-in-case-rpc-rpc.h-is-missin.patch b/libs/libpam/patches/0006-pam_unix-fix-compilation-in-case-rpc-rpc.h-is-missin.patch deleted file mode 100644 index 3fd0a1b4e..000000000 --- a/libs/libpam/patches/0006-pam_unix-fix-compilation-in-case-rpc-rpc.h-is-missin.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 2e3ed4c6fb09f84fede589047d37d11783202d34 Mon Sep 17 00:00:00 2001 -From: Yousong Zhou -Date: Wed, 17 Jun 2015 18:16:18 +0800 -Subject: [PATCH 6/7] pam_unix: fix compilation in case rpc/rpc.h is missing. - -* modules/pam_unix/pam_unix_passwd.c: conditional compile on the - availability of rpc/rpc.h - -Signed-off-by: Yousong Zhou ---- - modules/pam_unix/pam_unix_passwd.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c -index 2d330e5..970724a 100644 ---- a/modules/pam_unix/pam_unix_passwd.c -+++ b/modules/pam_unix/pam_unix_passwd.c -@@ -410,7 +410,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho, - } - - if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) { --#ifdef HAVE_NIS -+#if defined(HAVE_NIS) && defined(HAVE_RPC_RPC_H) - if ((master=getNISserver(pamh, ctrl)) != NULL) { - struct timeval timeout; - struct yppasswd yppwd; --- -1.7.10.4 - diff --git a/libs/libpam/patches/0007-Replace-strndupa-with-strcpy.patch b/libs/libpam/patches/0007-Replace-strndupa-with-strcpy.patch deleted file mode 100644 index 11a97246a..000000000 --- a/libs/libpam/patches/0007-Replace-strndupa-with-strcpy.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 9f23ba5a40b42acf4463b593bffd73caee8b527c Mon Sep 17 00:00:00 2001 -From: Rosen Penev -Date: Sun, 15 Jul 2018 20:43:44 -0700 -Subject: [PATCH] Replace strndupa with strcpy - -glibc only. A static string is better. - -Signed-off-by: Rosen Penev ---- - modules/pam_exec/pam_exec.c | 31 +++++++++++-------------------- - 1 file changed, 11 insertions(+), 20 deletions(-) - -diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c -index 0ab6548..2fbab4f 100644 ---- a/modules/pam_exec/pam_exec.c -+++ b/modules/pam_exec/pam_exec.c -@@ -102,7 +102,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, - int use_stdout = 0; - int optargc; - const char *logfile = NULL; -- const char *authtok = NULL; -+ char authtok[PAM_MAX_RESP_SIZE]; - pid_t pid; - int fds[2]; - int stdout_fds[2]; -@@ -180,12 +180,12 @@ call_exec (const char *pam_type, pam_handle_t *pamh, - if (resp) - { - pam_set_item (pamh, PAM_AUTHTOK, resp); -- authtok = strndupa (resp, PAM_MAX_RESP_SIZE); -+ strcpy (authtok, resp); - _pam_drop (resp); - } - } - else -- authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE); -+ strcpy (authtok, void_pass); - - if (pipe(fds) != 0) - { -@@ -225,23 +225,14 @@ call_exec (const char *pam_type, pam_handle_t *pamh, - - if (expose_authtok) /* send the password to the child */ - { -- if (authtok != NULL) -- { /* send the password to the child */ -- if (debug) -- pam_syslog (pamh, LOG_DEBUG, "send password to child"); -- if (write(fds[1], authtok, strlen(authtok)+1) == -1) -- pam_syslog (pamh, LOG_ERR, -- "sending password to child failed: %m"); -- authtok = NULL; -- } -- else -- { -- if (write(fds[1], "", 1) == -1) /* blank password */ -- pam_syslog (pamh, LOG_ERR, -- "sending password to child failed: %m"); -- } -- close(fds[0]); /* close here to avoid possible SIGPIPE above */ -- close(fds[1]); -+ if (debug) -+ pam_syslog (pamh, LOG_DEBUG, "send password to child"); -+ if (write(fds[1], authtok, strlen(authtok)) == -1) -+ pam_syslog (pamh, LOG_ERR, -+ "sending password to child failed: %m"); -+ -+ close(fds[0]); /* close here to avoid possible SIGPIPE above */ -+ close(fds[1]); - } - - if (use_stdout) --- -2.19.1 - diff --git a/libs/libpam/patches/010-crypt.patch b/libs/libpam/patches/010-crypt.patch new file mode 100644 index 000000000..705e80991 --- /dev/null +++ b/libs/libpam/patches/010-crypt.patch @@ -0,0 +1,35 @@ +From aef363c7e8e942224e6cffc4398366c6e5d31749 Mon Sep 17 00:00:00 2001 +From: Fabrice Fontaine +Date: Thu, 11 Jun 2020 00:04:32 +0200 +Subject: [PATCH] configure.ac: fix build failure when crypt() does not require + libcrypt + +Since commit 522246d20e4cd92fadc2d760228cb7e78cbeb4c5, the build fails +if "none required" is returned by AC_SEARCH_LIBS for libcrypt. + +Resolves: https://github.com/linux-pam/linux-pam/pull/235 +Fixes: http://autobuild.buildroot.org/results/92b3dd7c984d2b843ac9aacacd69eec99f28743e +Fixes: v1.4.0~228 ("Use cached 'crypt' library result correctly") + +Signed-off-by: Fabrice Fontaine +--- + configure.ac | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index ea08a7a3..c1862ea7 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -428,7 +428,11 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"], + [crypt_libs="crypt"]) + + BACKUP_LIBS=$LIBS +-AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_cv_search_crypt}", LIBCRYPT="") ++AC_SEARCH_LIBS([crypt],[$crypt_libs]) ++case "$ac_cv_search_crypt" in ++ -l*) LIBCRYPT="$ac_cv_search_crypt" ;; ++ *) LIBCRYPT="" ;; ++esac + AC_CHECK_FUNCS(crypt_r crypt_gensalt_r) + LIBS=$BACKUP_LIBS + AC_SUBST(LIBCRYPT) diff --git a/libs/libpam/patches/020-fgetpwent_r.patch b/libs/libpam/patches/020-fgetpwent_r.patch new file mode 100644 index 000000000..cc8042997 --- /dev/null +++ b/libs/libpam/patches/020-fgetpwent_r.patch @@ -0,0 +1,110 @@ +--- a/modules/pam_faillock/pam_faillock.c ++++ b/modules/pam_faillock/pam_faillock.c +@@ -348,42 +348,81 @@ set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, const c + static int + check_local_user (pam_handle_t *pamh, const char *user) + { +- struct passwd pw, *pwp; +- char buf[16384]; +- int found = 0; ++ int rc; ++ size_t user_len; + FILE *fp; +- int errn; ++ char line[BUFSIZ]; + +- fp = fopen(PATH_PASSWD, "r"); +- if (fp == NULL) { +- pam_syslog(pamh, LOG_ERR, "unable to open %s: %m", +- PATH_PASSWD); +- return -1; ++ /* Validate the user name. */ ++ if ((user_len = strlen(user)) == 0) { ++ pam_syslog(pamh, LOG_NOTICE, "user name is not valid"); ++ return PAM_SERVICE_ERR; ++ } ++ ++ if (user_len > sizeof(line) - sizeof(":")) { ++ pam_syslog(pamh, LOG_NOTICE, "user name is too long"); ++ return PAM_SERVICE_ERR; ++ } ++ ++ if (strchr(user, ':') != NULL) { ++ /* ++ * "root:x" is not a local user name even if the passwd file ++ * contains a line starting with "root:x:". ++ */ ++ return PAM_PERM_DENIED; + } + +- for (;;) { +- errn = fgetpwent_r(fp, &pw, buf, sizeof (buf), &pwp); +- if (errn == ERANGE) { +- pam_syslog(pamh, LOG_WARNING, "%s contains very long lines; corrupted?", +- PATH_PASSWD); ++ /* Open the passwd file. */ ++ FILE *file_name = "/etc/passwd"; ++ if ((fp = fopen(file_name, "r")) == NULL) { ++ pam_syslog(pamh, LOG_ERR, "error opening %s: %m", file_name); ++ return PAM_SERVICE_ERR; ++ } ++ ++ /* ++ * Scan the file using fgets() instead of fgetpwent_r() because ++ * the latter is not flexible enough in handling long lines ++ * in passwd files. ++ */ ++ rc = PAM_PERM_DENIED; ++ while (fgets(line, sizeof(line), fp) != NULL) { ++ size_t line_len; ++ const char *str; ++ ++ /* ++ * Does this line start with the user name ++ * followed by a colon? ++ */ ++ if (strncmp(user, line, user_len) == 0 && ++ line[user_len] == ':') { ++ rc = PAM_SUCCESS; + break; + } +- if (errn != 0) +- break; +- if (strcmp(pwp->pw_name, user) == 0) { +- found = 1; ++ /* Has a newline been read? */ ++ line_len = strlen(line); ++ if (line_len < sizeof(line) - 1 || ++ line[line_len - 1] == '\n') { ++ /* Yes, continue with the next line. */ ++ continue; ++ } ++ ++ /* No, read till the end of this line first. */ ++ while ((str = fgets(line, sizeof(line), fp)) != NULL) { ++ line_len = strlen(line); ++ if (line_len == 0 || ++ line[line_len - 1] == '\n') { ++ break; ++ } ++ } ++ if (str == NULL) { ++ /* fgets returned NULL, we are done. */ + break; + } ++ /* Continue with the next line. */ + } + +- fclose (fp); +- +- if (errn != 0 && errn != ENOENT) { +- pam_syslog(pamh, LOG_ERR, "unable to enumerate local accounts: %m"); +- return -1; +- } else { +- return found; +- } ++ fclose(fp); ++ return rc; + } + + static int