Browse Source

Merge pull request #12601 from neheb/pam2

libpam: update to 1.4.0
lilik-openwrt-22.03
Nikos Mavrogiannopoulos 4 years ago
committed by GitHub
parent
commit
ae9e9d8bbd
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 152 additions and 377 deletions
  1. +7
    -3
      libs/libpam/Makefile
  2. +0
    -77
      libs/libpam/patches/0002-build-ignore-pam_rhosts-if-neither-ruserok-nor-ruser.patch
  3. +0
    -60
      libs/libpam/patches/0003-build-ignore-pam_lastlog-when-logwtmp-is-not-availab.patch
  4. +0
    -133
      libs/libpam/patches/0005-build-fix-doc-build.patch
  5. +0
    -29
      libs/libpam/patches/0006-pam_unix-fix-compilation-in-case-rpc-rpc.h-is-missin.patch
  6. +0
    -75
      libs/libpam/patches/0007-Replace-strndupa-with-strcpy.patch
  7. +35
    -0
      libs/libpam/patches/010-crypt.patch
  8. +110
    -0
      libs/libpam/patches/020-fgetpwent_r.patch

+ 7
- 3
libs/libpam/Makefile View File

@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=libpam PKG_NAME:=libpam
PKG_VERSION:=1.3.1
PKG_VERSION:=1.4.0
PKG_RELEASE:=1 PKG_RELEASE:=1
PKG_SOURCE:=Linux-PAM-$(PKG_VERSION).tar.xz PKG_SOURCE:=Linux-PAM-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://github.com/linux-pam/linux-pam/releases/download/v$(PKG_VERSION) PKG_SOURCE_URL:=https://github.com/linux-pam/linux-pam/releases/download/v$(PKG_VERSION)
PKG_HASH:=eff47a4ecd833fbf18de9686632a70ee8d0794b79aecb217ebd0ce11db4cd0db
PKG_HASH:=cd6d928c51e64139be3bdb38692c68183a509b83d4f2c221024ccd4bcddfd034
PKG_BUILD_DIR:=$(BUILD_DIR)/Linux-PAM-$(PKG_VERSION) PKG_BUILD_DIR:=$(BUILD_DIR)/Linux-PAM-$(PKG_VERSION)
PKG_MAINTAINER:=Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> PKG_MAINTAINER:=Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
@ -45,12 +45,16 @@ CONFIGURE_ARGS += \
--disable-audit \ --disable-audit \
--disable-cracklib \ --disable-cracklib \
--disable-db \ --disable-db \
--disable-prelude \
--disable-debug \
--disable-doc \
--disable-econf \
--disable-lckpwdf \ --disable-lckpwdf \
--disable-nis \ --disable-nis \
--disable-prelude \
--disable-regenerate-docu \ --disable-regenerate-docu \
--disable-rpath \ --disable-rpath \
--disable-selinux \ --disable-selinux \
--disable-Werror \
--with-gnu-ld \ --with-gnu-ld \
--without-mailspool \ --without-mailspool \
--without-xauth --without-xauth


+ 0
- 77
libs/libpam/patches/0002-build-ignore-pam_rhosts-if-neither-ruserok-nor-ruser.patch View File

@ -1,77 +0,0 @@
From 1a2e6c979118dce5e79604e88c008c7879d1e4e6 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Wed, 17 Jun 2015 18:19:23 +0800
Subject: [PATCH 2/7] build: ignore pam_rhosts if neither ruserok nor
ruserok_af is available.
* configure.ac: check for ruserok and ruserok_af
* modules/Makefile.am: ignore pam_rhosts/ if it's disabled
* modules/pam_rhosts/pam_rhosts.c: include stdlib.h for malloc and free
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
configure.ac | 5 ++++-
modules/Makefile.am | 11 ++++++++---
modules/pam_rhosts/pam_rhosts.c | 1 +
3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/configure.ac b/configure.ac
index 306b6e2..084071a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -524,7 +524,10 @@ AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir selec
AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
AC_CHECK_FUNCS(getgrouplist getline getdelim)
-AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
+AC_CHECK_FUNCS(inet_ntop inet_pton innetgr)
+AC_CHECK_FUNCS([ruserok_af ruserok], [break])
+
+AM_CONDITIONAL([COND_BUILD_PAM_RHOSTS], [test "$ac_cv_func_ruserok_af" = yes -o "$ac_cv_func_ruserok" = yes])
AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
diff --git a/modules/Makefile.am b/modules/Makefile.am
index 0c80cea..9ad26a9 100644
--- a/modules/Makefile.am
+++ b/modules/Makefile.am
@@ -2,16 +2,21 @@
# Copyright (c) 2005, 2006, 2008 Thorsten Kukuk <kukuk@thkukuk.de>
#
-SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
+if COND_BUILD_PAM_RHOSTS
+ MAYBE_PAM_RHOSTS = pam_rhosts
+endif
+
+SUBDIRS := pam_access pam_cracklib pam_debug pam_deny pam_echo \
pam_env pam_exec pam_faildelay pam_filter pam_ftp \
pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
pam_listfile pam_localuser pam_loginuid pam_mail \
pam_mkhomedir pam_motd pam_namespace pam_nologin \
- pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \
+ pam_permit pam_pwhistory pam_rootok pam_securetty \
pam_selinux pam_sepermit pam_shells pam_stress \
pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \
pam_tty_audit pam_umask \
- pam_unix pam_userdb pam_warn pam_wheel pam_xauth
+ pam_unix pam_userdb pam_warn pam_wheel pam_xauth \
+ $(MAYBE_PAM_RHOSTS)
CLEANFILES = *~
diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c
index bc9e76f..51ef13e 100644
--- a/modules/pam_rhosts/pam_rhosts.c
+++ b/modules/pam_rhosts/pam_rhosts.c
@@ -35,6 +35,7 @@
#include <pwd.h>
#include <netdb.h>
#include <string.h>
+#include <stdlib.h>
#include <syslog.h>
#define PAM_SM_AUTH /* only defines this management group */
--
1.7.10.4

+ 0
- 60
libs/libpam/patches/0003-build-ignore-pam_lastlog-when-logwtmp-is-not-availab.patch View File

@ -1,60 +0,0 @@
From bac1ee3033cf22e31730fe3e77ca82bd5ebba692 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Wed, 17 Jun 2015 21:18:05 +0800
Subject: [PATCH 3/7] build: ignore pam_lastlog when logwtmp is not available.
* configure.ac: check logwtmp and set COND_BUILD_PAM_LASTLOG
* modules/pam_lastlog/Makefile.am: check COND_BUILD_PAM_LASTLOG
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
configure.ac | 2 ++
modules/Makefile.am | 8 ++++++--
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 084071a..ca4bf5b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -526,8 +526,10 @@ AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r
AC_CHECK_FUNCS(getgrouplist getline getdelim)
AC_CHECK_FUNCS(inet_ntop inet_pton innetgr)
AC_CHECK_FUNCS([ruserok_af ruserok], [break])
+AC_CHECK_FUNCS([logwtmp])
AM_CONDITIONAL([COND_BUILD_PAM_RHOSTS], [test "$ac_cv_func_ruserok_af" = yes -o "$ac_cv_func_ruserok" = yes])
+AM_CONDITIONAL([COND_BUILD_PAM_LASTLOG], [test "$ac_cv_func_logwtmp" = yes])
AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
diff --git a/modules/Makefile.am b/modules/Makefile.am
index 9ad26a9..b98dc5c 100644
--- a/modules/Makefile.am
+++ b/modules/Makefile.am
@@ -6,9 +6,13 @@ if COND_BUILD_PAM_RHOSTS
MAYBE_PAM_RHOSTS = pam_rhosts
endif
+if COND_BUILD_PAM_LASTLOG
+ MAYBE_PAM_LASTLOG = pam_lastlog
+endif
+
SUBDIRS := pam_access pam_cracklib pam_debug pam_deny pam_echo \
pam_env pam_exec pam_faildelay pam_filter pam_ftp \
- pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
+ pam_group pam_issue pam_keyinit pam_limits \
pam_listfile pam_localuser pam_loginuid pam_mail \
pam_mkhomedir pam_motd pam_namespace pam_nologin \
pam_permit pam_pwhistory pam_rootok pam_securetty \
@@ -16,7 +20,7 @@ SUBDIRS := pam_access pam_cracklib pam_debug pam_deny pam_echo \
pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \
pam_tty_audit pam_umask \
pam_unix pam_userdb pam_warn pam_wheel pam_xauth \
- $(MAYBE_PAM_RHOSTS)
+ $(MAYBE_PAM_RHOSTS) $(MAYBE_PAM_LASTLOG)
CLEANFILES = *~
--
1.7.10.4

+ 0
- 133
libs/libpam/patches/0005-build-fix-doc-build.patch View File

@ -1,133 +0,0 @@
From 1563e57ea8ab9d123f765129a6840929ef58ff7a Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Wed, 17 Jun 2015 20:38:41 +0800
Subject: [PATCH 5/7] build: fix doc build.
* Makefile.am: ignore doc/ directory if not ENABLE_REGENERATE_MAN
* doc/adg/Makefile.am: remove check on ENABLE_REGENERATE_MAN
* doc/man/Makefile.am: ditto
* doc/mwg/Makefile.am: ditto
* doc/sag/Makefile.am: ditto
* doc/specs/Makefile.am: ignore CC from command line
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
Makefile.am | 5 ++++-
doc/adg/Makefile.am | 3 ---
doc/man/Makefile.am | 2 --
doc/mwg/Makefile.am | 3 ---
doc/sag/Makefile.am | 2 --
doc/specs/Makefile.am | 2 +-
6 files changed, 5 insertions(+), 12 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 3db4e37..5e6592a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,7 +4,10 @@
AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 dist-xz check-news
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
+if ENABLE_REGENERATE_MAN
+ MAYBE_DOC = doc
+endif
+SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests $(MAYBE_DOC)
CLEANFILES = *~
diff --git a/doc/adg/Makefile.am b/doc/adg/Makefile.am
index 77bd7a9..bec5edc 100644
--- a/doc/adg/Makefile.am
+++ b/doc/adg/Makefile.am
@@ -9,7 +9,6 @@ EXTRA_DIST = $(XMLS)
XMLS = Linux-PAM_ADG.xml $(shell ls $(srcdir)/pam_*.xml)
DEP_XMLS = $(shell ls $(top_srcdir)/doc/man/pam_*.xml)
-if ENABLE_REGENERATE_MAN
MAINTAINERCLEANFILES = Linux-PAM_ADG.txt Linux-PAM_ADG.pdf html/*.html
all: Linux-PAM_ADG.txt html/Linux-PAM_ADG.html Linux-PAM_ADG.pdf
@@ -51,8 +50,6 @@ html/Linux-PAM_ADG.html: $(XMLS) $(DEP_XMLS)
distclean-local:
-rm -rf html Linux-PAM_ADG.txt Linux-PAM_ADG.pdf
-endif
-
install-data-local:
$(mkinstalldirs) $(DESTDIR)$(docdir)
$(mkinstalldirs) $(DESTDIR)$(pdfdir)
diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am
index 78c891d..b1dc421 100644
--- a/doc/man/Makefile.am
+++ b/doc/man/Makefile.am
@@ -45,7 +45,6 @@ XMLS = pam.3.xml pam.8.xml \
misc_conv.3.xml pam_misc_paste_env.3.xml pam_misc_drop_env.3.xml \
pam_misc_setenv.3.xml
-if ENABLE_REGENERATE_MAN
PAM.8: pam.8
pam_get_authtok_noverify.3: pam_get_authtok.3
pam_get_authtok_verify.3: pam_get_authtok.3
@@ -60,4 +59,3 @@ pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml
pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml
pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml
-include $(top_srcdir)/Make.xml.rules
-endif
diff --git a/doc/mwg/Makefile.am b/doc/mwg/Makefile.am
index 2bbb2d0..f57e297 100644
--- a/doc/mwg/Makefile.am
+++ b/doc/mwg/Makefile.am
@@ -9,7 +9,6 @@ EXTRA_DIST = $(XMLS)
XMLS = Linux-PAM_MWG.xml $(shell ls $(srcdir)/pam_*.xml)
DEP_XMLS = $(shell ls $(top_srcdir)/doc/man/pam_*.xml)
-if ENABLE_REGENERATE_MAN
MAINTAINERCLEANFILES = Linux-PAM_MWG.txt Linux-PAM_MWG.pdf html/*.html
all: Linux-PAM_MWG.txt html/Linux-PAM_MWG.html Linux-PAM_MWG.pdf
@@ -51,8 +50,6 @@ html/Linux-PAM_MWG.html: $(XMLS) $(DEP_XMLS)
distclean-local:
-rm -rf html Linux-PAM_MWG.txt Linux-PAM_MWG.pdf
-endif
-
install-data-local:
$(mkinstalldirs) $(DESTDIR)$(docdir)
$(mkinstalldirs) $(DESTDIR)$(pdfdir)
diff --git a/doc/sag/Makefile.am b/doc/sag/Makefile.am
index 31816aa..a8b655f 100644
--- a/doc/sag/Makefile.am
+++ b/doc/sag/Makefile.am
@@ -10,7 +10,6 @@ XMLS = Linux-PAM_SAG.xml $(shell ls $(srcdir)/pam_*.xml)
DEP_XMLS = $(shell ls $(top_srcdir)/modules/pam_*/pam_*.xml)
-if ENABLE_REGENERATE_MAN
MAINTAINERCLEANFILES = Linux-PAM_SAG.txt Linux-PAM_SAG.pdf html/*.html
all: Linux-PAM_SAG.txt html/Linux-PAM_SAG.html Linux-PAM_SAG.pdf
@@ -51,7 +50,6 @@ html/Linux-PAM_SAG.html: $(XMLS) $(DEP_XMLS)
distclean-local:
-rm -rf html Linux-PAM_SAG.txt Linux-PAM_SAG.pdf
-endif
install-data-local:
$(mkinstalldirs) $(DESTDIR)$(docdir)
diff --git a/doc/specs/Makefile.am b/doc/specs/Makefile.am
index 99ecc70..39c850f 100644
--- a/doc/specs/Makefile.am
+++ b/doc/specs/Makefile.am
@@ -11,7 +11,7 @@ draft-morgan-pam-current.txt: padout draft-morgan-pam.raw
AM_YFLAGS = -d
-CC = @CC_FOR_BUILD@
+override CC = @CC_FOR_BUILD@
CPPFLAGS = @BUILD_CPPFLAGS@
CFLAGS = @BUILD_CFLAGS@
LDFLAGS = @BUILD_LDFLAGS@
--
1.7.10.4

+ 0
- 29
libs/libpam/patches/0006-pam_unix-fix-compilation-in-case-rpc-rpc.h-is-missin.patch View File

@ -1,29 +0,0 @@
From 2e3ed4c6fb09f84fede589047d37d11783202d34 Mon Sep 17 00:00:00 2001
From: Yousong Zhou <yszhou4tech@gmail.com>
Date: Wed, 17 Jun 2015 18:16:18 +0800
Subject: [PATCH 6/7] pam_unix: fix compilation in case rpc/rpc.h is missing.
* modules/pam_unix/pam_unix_passwd.c: conditional compile on the
availability of rpc/rpc.h
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
modules/pam_unix/pam_unix_passwd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 2d330e5..970724a 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -410,7 +410,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho,
}
if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) {
-#ifdef HAVE_NIS
+#if defined(HAVE_NIS) && defined(HAVE_RPC_RPC_H)
if ((master=getNISserver(pamh, ctrl)) != NULL) {
struct timeval timeout;
struct yppasswd yppwd;
--
1.7.10.4

+ 0
- 75
libs/libpam/patches/0007-Replace-strndupa-with-strcpy.patch View File

@ -1,75 +0,0 @@
From 9f23ba5a40b42acf4463b593bffd73caee8b527c Mon Sep 17 00:00:00 2001
From: Rosen Penev <rosenp@gmail.com>
Date: Sun, 15 Jul 2018 20:43:44 -0700
Subject: [PATCH] Replace strndupa with strcpy
glibc only. A static string is better.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
modules/pam_exec/pam_exec.c | 31 +++++++++++--------------------
1 file changed, 11 insertions(+), 20 deletions(-)
diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
index 0ab6548..2fbab4f 100644
--- a/modules/pam_exec/pam_exec.c
+++ b/modules/pam_exec/pam_exec.c
@@ -102,7 +102,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
int use_stdout = 0;
int optargc;
const char *logfile = NULL;
- const char *authtok = NULL;
+ char authtok[PAM_MAX_RESP_SIZE];
pid_t pid;
int fds[2];
int stdout_fds[2];
@@ -180,12 +180,12 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
if (resp)
{
pam_set_item (pamh, PAM_AUTHTOK, resp);
- authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
+ strcpy (authtok, resp);
_pam_drop (resp);
}
}
else
- authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE);
+ strcpy (authtok, void_pass);
if (pipe(fds) != 0)
{
@@ -225,23 +225,14 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
if (expose_authtok) /* send the password to the child */
{
- if (authtok != NULL)
- { /* send the password to the child */
- if (debug)
- pam_syslog (pamh, LOG_DEBUG, "send password to child");
- if (write(fds[1], authtok, strlen(authtok)+1) == -1)
- pam_syslog (pamh, LOG_ERR,
- "sending password to child failed: %m");
- authtok = NULL;
- }
- else
- {
- if (write(fds[1], "", 1) == -1) /* blank password */
- pam_syslog (pamh, LOG_ERR,
- "sending password to child failed: %m");
- }
- close(fds[0]); /* close here to avoid possible SIGPIPE above */
- close(fds[1]);
+ if (debug)
+ pam_syslog (pamh, LOG_DEBUG, "send password to child");
+ if (write(fds[1], authtok, strlen(authtok)) == -1)
+ pam_syslog (pamh, LOG_ERR,
+ "sending password to child failed: %m");
+
+ close(fds[0]); /* close here to avoid possible SIGPIPE above */
+ close(fds[1]);
}
if (use_stdout)
--
2.19.1

+ 35
- 0
libs/libpam/patches/010-crypt.patch View File

@ -0,0 +1,35 @@
From aef363c7e8e942224e6cffc4398366c6e5d31749 Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Date: Thu, 11 Jun 2020 00:04:32 +0200
Subject: [PATCH] configure.ac: fix build failure when crypt() does not require
libcrypt
Since commit 522246d20e4cd92fadc2d760228cb7e78cbeb4c5, the build fails
if "none required" is returned by AC_SEARCH_LIBS for libcrypt.
Resolves: https://github.com/linux-pam/linux-pam/pull/235
Fixes: http://autobuild.buildroot.org/results/92b3dd7c984d2b843ac9aacacd69eec99f28743e
Fixes: v1.4.0~228 ("Use cached 'crypt' library result correctly")
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
configure.ac | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index ea08a7a3..c1862ea7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -428,7 +428,11 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
[crypt_libs="crypt"])
BACKUP_LIBS=$LIBS
-AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_cv_search_crypt}", LIBCRYPT="")
+AC_SEARCH_LIBS([crypt],[$crypt_libs])
+case "$ac_cv_search_crypt" in
+ -l*) LIBCRYPT="$ac_cv_search_crypt" ;;
+ *) LIBCRYPT="" ;;
+esac
AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
LIBS=$BACKUP_LIBS
AC_SUBST(LIBCRYPT)

+ 110
- 0
libs/libpam/patches/020-fgetpwent_r.patch View File

@ -0,0 +1,110 @@
--- a/modules/pam_faillock/pam_faillock.c
+++ b/modules/pam_faillock/pam_faillock.c
@@ -348,42 +348,81 @@ set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, const c
static int
check_local_user (pam_handle_t *pamh, const char *user)
{
- struct passwd pw, *pwp;
- char buf[16384];
- int found = 0;
+ int rc;
+ size_t user_len;
FILE *fp;
- int errn;
+ char line[BUFSIZ];
- fp = fopen(PATH_PASSWD, "r");
- if (fp == NULL) {
- pam_syslog(pamh, LOG_ERR, "unable to open %s: %m",
- PATH_PASSWD);
- return -1;
+ /* Validate the user name. */
+ if ((user_len = strlen(user)) == 0) {
+ pam_syslog(pamh, LOG_NOTICE, "user name is not valid");
+ return PAM_SERVICE_ERR;
+ }
+
+ if (user_len > sizeof(line) - sizeof(":")) {
+ pam_syslog(pamh, LOG_NOTICE, "user name is too long");
+ return PAM_SERVICE_ERR;
+ }
+
+ if (strchr(user, ':') != NULL) {
+ /*
+ * "root:x" is not a local user name even if the passwd file
+ * contains a line starting with "root:x:".
+ */
+ return PAM_PERM_DENIED;
}
- for (;;) {
- errn = fgetpwent_r(fp, &pw, buf, sizeof (buf), &pwp);
- if (errn == ERANGE) {
- pam_syslog(pamh, LOG_WARNING, "%s contains very long lines; corrupted?",
- PATH_PASSWD);
+ /* Open the passwd file. */
+ FILE *file_name = "/etc/passwd";
+ if ((fp = fopen(file_name, "r")) == NULL) {
+ pam_syslog(pamh, LOG_ERR, "error opening %s: %m", file_name);
+ return PAM_SERVICE_ERR;
+ }
+
+ /*
+ * Scan the file using fgets() instead of fgetpwent_r() because
+ * the latter is not flexible enough in handling long lines
+ * in passwd files.
+ */
+ rc = PAM_PERM_DENIED;
+ while (fgets(line, sizeof(line), fp) != NULL) {
+ size_t line_len;
+ const char *str;
+
+ /*
+ * Does this line start with the user name
+ * followed by a colon?
+ */
+ if (strncmp(user, line, user_len) == 0 &&
+ line[user_len] == ':') {
+ rc = PAM_SUCCESS;
break;
}
- if (errn != 0)
- break;
- if (strcmp(pwp->pw_name, user) == 0) {
- found = 1;
+ /* Has a newline been read? */
+ line_len = strlen(line);
+ if (line_len < sizeof(line) - 1 ||
+ line[line_len - 1] == '\n') {
+ /* Yes, continue with the next line. */
+ continue;
+ }
+
+ /* No, read till the end of this line first. */
+ while ((str = fgets(line, sizeof(line), fp)) != NULL) {
+ line_len = strlen(line);
+ if (line_len == 0 ||
+ line[line_len - 1] == '\n') {
+ break;
+ }
+ }
+ if (str == NULL) {
+ /* fgets returned NULL, we are done. */
break;
}
+ /* Continue with the next line. */
}
- fclose (fp);
-
- if (errn != 0 && errn != ENOENT) {
- pam_syslog(pamh, LOG_ERR, "unable to enumerate local accounts: %m");
- return -1;
- } else {
- return found;
- }
+ fclose(fp);
+ return rc;
}
static int

Loading…
Cancel
Save