PAM

~roguescholar/pam/+git/upstream:ldv/pam_dynamic

Last commit made on 2023-01-24
Get this branch:
git clone -b ldv/pam_dynamic https://git.launchpad.net/~roguescholar/pam/+git/upstream

Branch information

Name:
ldv/pam_dynamic
Repository:
lp:~roguescholar/pam/+git/upstream

Recent commits

d71321e... by "Dmitry V. Levin" <email address hidden>

libpam: remove dead code in pam_dynamic.c

Apparently, the PAM_SHL variant cannot be compiled since the very first
commit back in 2005 when it was introduced, and another variant uses
PAM_DYLD which is virtually unknown to search engines.

* libpam/pam_dynamic.c [PAM_SHL || PAM_DYLD]: Remove.

Resolves: https://github.com/linux-pam/linux-pam/issues/477

f98a070... by Christian Göttsche <email address hidden>

pam_selinux: treat getenforce failures as enforcing

security_getenforce(3) can return -1 on error; either because the
selinuxfs is not mounted or reading from /sys/fs/selinux/enforce failed.

Since security_getenforce(3) is either called after an approving call to
is_selinux_enabled(3) in create_context() or with populated module
data in restore_context(), which requires a previous pass of
create_context(), the selinuxfs should be mounted.
Reading from /sys/fs/selinux/enforce should never fail (except being
prohibited by the SELinux policy itself) since it is a public interface.

In the unlikely case of security_getenforce(3) nevertheless failing,
continue execution as if the result was enforcing (like pam_sepermit
and pam_rootok do).

9ae4fb5... by "Dmitry V. Levin" <email address hidden>

.github: add gcc-12, clang-13, and clang-14 jobs

* .github/workflows/ci.yml (gcc12-x86_64, clang14-x86_64,
clang13-x86_64): New jobs.
(gcc11-x86_64-vendordir): Rename to gcc12-x86_64-vendordir,
replace gcc-11 with gcc-12.
(clang12-x86_64-vendordir): Rename to clang14-x86_64-vendordir,
replace clang-12 with clang-14.

4c25bcc... by "Dmitry V. Levin" <email address hidden>

.github: switch from ubuntu-20.04 to ubuntu-latest

Switch runners to the latest Ubuntu LTS available, which is currently
Ubuntu 22.04. Also, remove old compiler versions from the ci matrix.

* .github/workflows/ci.yml (gcc8-x86_64, clang10-x86_64, clang9-x86_64,
clang8-x86_64): Remove.
(gcc11-x86_64-vendordir, gcc11-x86_64, gcc10-x86_64, gcc9-x86_64,
clang12-x86_64-vendordir, clang12-x86_64, clang11-x86_64): Replace
ubuntu-20.04 with ubuntu-latest.

Link: https://github.blog/changelog/2022-11-09-github-actions-ubuntu-latest-workflows-will-use-ubuntu-22-04/

be25a6d... by "Dmitry V. Levin" <email address hidden>

pam_unix: silence compiler warning in md5.c

clang-14 insists on issuing the following warning:

  In file included from md5_good.c:4:
  md5.c:92:15: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
                  byteReverse(ctx->in.c, 16);
                              ^
  md5.c:101:15: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
                  byteReverse(ctx->in.c, 16);
                              ^
  md5.c:136:15: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
                  byteReverse(ctx->in.c, 16);
                              ^
  md5.c:145:14: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
          byteReverse(ctx->in.c, 14);
                      ^
  md5.c:151:14: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
          byteReverse(ctx->buf.c, 4);
                      ^

* modules/pam_unix/md5.c (byteReverse): Use uint32 instead of
uint8_aligned, update all users.
(uint8_aligned): Remove unused type.

cc3f670... by "Dmitry V. Levin" <email address hidden>

pam_client.h: silence compiler warning

gcc-12 insists on issuing the following warning:

  In file included from libpamc.h:13,
                   from pamc_converse.c:9:
  pamc_converse.c: In function 'pamc_converse':
  include/security/pam_client.h:129:27: error: array subscript 'struct <anonymous>[0]' is partly outside array bounds of 'unsigned char[6]' [-Werror=array-bounds]
    129 | (*(old_p))->control = cntrl; \
        | ^~
  pamc_converse.c:209:5: note: in expansion of macro 'PAM_BP_RENEW'
    209 | PAM_BP_RENEW(prompt_p, PAM_BPC_FAIL, 0);
        | ^~~~~~~~~~~~
  include/security/pam_client.h:87:29: note: object of size 6 allocated by 'calloc'
     87 | # define PAM_BP_CALLOC calloc
        | ^
  include/security/pam_client.h:124:29: note: in expansion of macro 'PAM_BP_CALLOC'
    124 | if ((*(old_p) = PAM_BP_CALLOC(1, 1+__size))) { \
        | ^~~~~~~~~~~~~
  pamc_converse.c:209:5: note: in expansion of macro 'PAM_BP_RENEW'
    209 | PAM_BP_RENEW(prompt_p, PAM_BPC_FAIL, 0);
        | ^~~~~~~~~~~~

* libpamc/include/security/pam_client.h (pamc_bp_t): Decorate the
structure pointed by pamc_bp_t pointer as packed. Despite being a part
of the API, the structure is not supposed to be used directly, and all
the interface macros were assuming from the very beginning that this
structure is packed.

2aae166... by "Dmitry V. Levin" <email address hidden>

pam_limits: silence compiler warning

gcc-12 insists on issuing the following warning:

  In file included from /usr/include/string.h:535,
                   from pam_limits.c:24:
  In function 'strncat',
      inlined from 'check_logins' at pam_limits.c:287:6,
      inlined from 'setup_limits' at pam_limits.c:1066:13,
      inlined from 'pam_sm_open_session' at pam_limits.c:1267:14:
  /usr/include/x86_64-linux-gnu/bits/string_fortified.h:138:10: error: '__builtin___strncat_chk' argument 2 declared attribute 'nonstring' [-Werror=stringop-overread]
    138 | return __builtin___strncat_chk (__dest, __src, __len,
        | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    139 | __glibc_objsize (__dest));
        | ~~~~~~~~~~~~~~~~~~~~~~~~~
  In file included from /usr/include/utmp.h:29,
                   from pam_limits.c:37:
  /usr/include/x86_64-linux-gnu/bits/utmp.h: In function 'pam_sm_open_session':
  /usr/include/x86_64-linux-gnu/bits/utmp.h:66:8: note: argument 'ut_user' declared here
     66 | char ut_user[UT_NAMESIZE]
        | ^~~~~~~

* modules/pam_limits/pam_limits.c (check_logins): Use memcpy instead of
strncat to pacify the compiler.

5b203b0... by Dmitry V. Levin

.github: remove x86 and x32 jobs

These types of jobs were implemented using the old version of the OS
that is currently being deprecated by GitHub Actions.

* .github/workflows/ci.yml (gcc11-x86-vendordir, gcc11-x86, gcc10-x86,
gcc9-x86, gcc8-x86, clang10-x86, clang9-x86, clang8-x86, gcc11-x32,
gcc10-x32, gcc9-x32, gcc8-x32): Remove.

Link: https://github.com/actions/runner-images/issues/6002

58cb830... by Cyril Duval <email address hidden>

pam_listfile: fix pointer misuse leading to data corruption

pam_listfile assumes the group being tested will be written at the end
of the argument list by carrying only a pointer to the value being
examined in 'myval'.

Therefore, the example

'''
auth required pam_listfile.so \
        onerr=succeed apply=ftp item=user sense=deny file=/etc/ftpusers
'''

modified from https://linux.die.net/man/8/pam_listfile is not working because
'apply_val' will point to the latest value of 'myval', which in this case will
be "/etc/ftpusers" instead of "ftp".

Fix this issue by copying the value of 'myval' instead of just taking
a reference pointer.

Signed-off-by: Cyril Duval <email address hidden>
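A constructed reproduction of the aliasing bug this commit describes, written for this page and not taken from pam_listfile itself: split_option, apply_value_buggy and apply_value_fixed are hypothetical names modelling the option parse loop, run over the same option list as the example above.

```c
#include <stdio.h>
#include <string.h>
/* Constructed, simplified model of pam_listfile's option parsing (not the
 * module's own code): every key=value argument is split into two buffers,
 * mybuf and myval, that are reused for the next argument. */

static int split_option(const char *arg, char *key, char *val, size_t n)
{
    const char *eq = strchr(arg, '=');
    if (!eq || (size_t)(eq - arg) >= n) return -1;
    memcpy(key, arg, (size_t)(eq - arg));
    key[eq - arg] = '\0';
    snprintf(val, n, "%s", eq + 1);   /* overwrites the previous value */
    return 0;
}

/* Before the fix: only a pointer into the reused buffer is kept, so
 * apply_val names whatever the LAST option wrote into myval. */
const char *apply_value_buggy(int argc, const char *argv[])
{
    static char mybuf[256], myval[256];   /* static keeps the alias valid */
    const char *apply_val = NULL;
    for (int i = 0; i < argc; i++) {
        if (split_option(argv[i], mybuf, myval, sizeof myval)) continue;
        if (!strcmp(mybuf, "apply")) apply_val = myval;  /* alias, no copy */
    }
    return apply_val;
}

/* After the fix: the value is copied out of the reused buffer. */
const char *apply_value_fixed(int argc, const char *argv[], char *out, size_t n)
{
    char mybuf[256], myval[256];
    out[0] = '\0';
    for (int i = 0; i < argc; i++) {
        if (split_option(argv[i], mybuf, myval, sizeof myval)) continue;
        if (!strcmp(mybuf, "apply")) snprintf(out, n, "%s", myval);
    }
    return out;
}

int main(void)
{
    const char *argv[] = { "onerr=succeed", "apply=ftp", "item=user",
                           "sense=deny", "file=/etc/ftpusers" };
    char out[256];
    printf("buggy: apply=%s\nfixed: apply=%s\n", apply_value_buggy(5, argv),
           apply_value_fixed(5, argv, out, sizeof out));
    return 0;
}
```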

cf2fc5f... by Stefan Schubert <email address hidden>

doc: Update PAM documentation from DocBook 4 to DocBook 5

Changed files
--------------

Make.xml.rules.in:
- Using RNG file instead of DTD file for checking XML files.
- Taking the correct stylesheet for README files.

doc/sag/Makefile.am, doc/adg/Makefile.am, doc/mwg/Makefile.am:
- Using RNG file instead of DTD file for checking XML files.

configure.ac:
- Adding a new option for selecting RNG check file (-enable-docbook-rng)
- Switching stylesheets to docbook 5
- Checking DocBook 5 environment instead of DocBook 4 environment

*.xml:
Update from DocBook 4 to DocBook 5