From 9748c8ad8f0ceda6353bcb5e9b70d576fdbe7509 Mon Sep 17 00:00:00 2001 
From: John Polstra Date: Wed, 25 Nov 1998 19:46:10 +0000 Subject: [PATCH] Remove files that we don't use and are unlikely to use. You can still get them with "cvs upd -r pam_unpruned" if you want to look at them. --- contrib/libpam/bin/README | 39 - contrib/libpam/conf/Makefile | 60 - contrib/libpam/conf/install | 178 -- contrib/libpam/conf/install_conf | 36 - contrib/libpam/conf/md5itall | 45 - contrib/libpam/conf/mkdirp | 50 - contrib/libpam/conf/pam.conf | 126 -- contrib/libpam/conf/pam_conv1/Makefile | 41 - contrib/libpam/conf/pam_conv1/README | 10 - contrib/libpam/conf/pam_conv1/lex.yy.c | 1553 ----------------- contrib/libpam/conf/pam_conv1/pam_conv.lex | 42 - contrib/libpam/conf/pam_conv1/pam_conv.tab.c | 1019 ----------- contrib/libpam/conf/pam_conv1/pam_conv.y | 203 --- contrib/libpam/defs/hpux.defs | 36 - contrib/libpam/defs/linux.defs | 32 - contrib/libpam/defs/morgan.defs | 35 - contrib/libpam/defs/redhat.defs | 34 - contrib/libpam/defs/solaris.defs | 48 - contrib/libpam/defs/sunos.defs | 37 - contrib/libpam/doc/modules/README | 13 - .../libpam/doc/modules/module.sgml-template | 170 -- contrib/libpam/doc/modules/pam_chroot.sgml | 86 - contrib/libpam/doc/modules/pam_cracklib.sgml | 254 --- contrib/libpam/doc/modules/pam_deny.sgml | 179 -- contrib/libpam/doc/modules/pam_env.sgml | 125 -- contrib/libpam/doc/modules/pam_filter.sgml | 150 -- contrib/libpam/doc/modules/pam_ftp.sgml | 93 - contrib/libpam/doc/modules/pam_group.sgml | 108 -- contrib/libpam/doc/modules/pam_krb4.sgml | 126 -- contrib/libpam/doc/modules/pam_lastlog.sgml | 119 -- contrib/libpam/doc/modules/pam_limits.sgml | 196 --- contrib/libpam/doc/modules/pam_listfile.sgml | 138 -- contrib/libpam/doc/modules/pam_mail.sgml | 124 -- contrib/libpam/doc/modules/pam_nologin.sgml | 75 - contrib/libpam/doc/modules/pam_permit.sgml | 83 - contrib/libpam/doc/modules/pam_pwdb.sgml | 245 --- contrib/libpam/doc/modules/pam_radius.sgml | 117 -- contrib/libpam/doc/modules/pam_rhosts.sgml | 157 -- 
contrib/libpam/doc/modules/pam_rootok.sgml | 85 - contrib/libpam/doc/modules/pam_securetty.sgml | 72 - contrib/libpam/doc/modules/pam_time.sgml | 166 -- contrib/libpam/doc/modules/pam_warn.sgml | 67 - contrib/libpam/doc/modules/pam_wheel.sgml | 124 -- contrib/libpam/doc/ps/README | 3 - .../libpam/doc/specs/draft-morgan-pam-00.raw | 270 --- contrib/libpam/doc/specs/formatter/Makefile | 16 - contrib/libpam/doc/specs/formatter/parse.lex | 11 - contrib/libpam/doc/specs/formatter/parse.y | 293 ---- contrib/libpam/doc/txts/README | 3 - contrib/libpam/examples/Makefile | 42 - contrib/libpam/examples/blank.c | 173 -- contrib/libpam/examples/check_user.c | 65 - contrib/libpam/examples/test.c | 99 -- contrib/libpam/examples/vpass.c | 47 - contrib/libpam/examples/xsh.c | 139 -- contrib/libpam/modules/Makefile | 132 -- contrib/libpam/modules/README | 55 - contrib/libpam/modules/dont_makefile | 19 - contrib/libpam/modules/pam_access/Makefile | 111 -- contrib/libpam/modules/pam_access/README | 40 - contrib/libpam/modules/pam_access/access.conf | 52 - .../libpam/modules/pam_access/install_conf | 46 - .../libpam/modules/pam_access/pam_access.c | 424 ----- contrib/libpam/modules/pam_cracklib/Makefile | 110 -- contrib/libpam/modules/pam_cracklib/README | 21 - .../modules/pam_cracklib/pam_cracklib.c | 687 -------- contrib/libpam/modules/pam_deny/Makefile | 125 -- contrib/libpam/modules/pam_deny/README | 4 - contrib/libpam/modules/pam_deny/pam_deny.c | 94 - contrib/libpam/modules/pam_env/Makefile | 107 -- contrib/libpam/modules/pam_env/README | 72 - contrib/libpam/modules/pam_env/install_conf | 46 - contrib/libpam/modules/pam_env/pam_env.c | 779 --------- .../modules/pam_env/pam_env.conf-example | 72 - contrib/libpam/modules/pam_filter/Makefile | 150 -- contrib/libpam/modules/pam_filter/README | 94 - .../modules/pam_filter/include/pam_filter.h | 32 - .../libpam/modules/pam_filter/pam_filter.c | 747 -------- .../modules/pam_filter/upperLOWER/Makefile | 58 - 
.../pam_filter/upperLOWER/upperLOWER.c | 160 -- contrib/libpam/modules/pam_ftp/Makefile | 96 - contrib/libpam/modules/pam_ftp/README | 20 - contrib/libpam/modules/pam_ftp/pam_ftp.c | 295 ---- contrib/libpam/modules/pam_group/Makefile | 114 -- contrib/libpam/modules/pam_group/group.conf | 60 - contrib/libpam/modules/pam_group/install_conf | 46 - contrib/libpam/modules/pam_group/pam_group.c | 862 --------- contrib/libpam/modules/pam_lastlog/Makefile | 106 -- .../libpam/modules/pam_lastlog/pam_lastlog.c | 469 ----- contrib/libpam/modules/pam_limits/Makefile | 102 -- contrib/libpam/modules/pam_limits/README | 87 - .../libpam/modules/pam_limits/install_conf | 46 - contrib/libpam/modules/pam_limits/limits.skel | 41 - .../libpam/modules/pam_limits/pam_limits.c | 592 ------- contrib/libpam/modules/pam_listfile/Makefile | 84 - contrib/libpam/modules/pam_listfile/README | 25 - .../modules/pam_listfile/pam_listfile.c | 436 ----- contrib/libpam/modules/pam_mail/Makefile | 107 -- contrib/libpam/modules/pam_mail/pam_mail.c | 401 ----- contrib/libpam/modules/pam_nologin/README | 12 - .../libpam/modules/pam_nologin/pam_nologin.c | 124 -- contrib/libpam/modules/pam_permit/Makefile | 126 -- contrib/libpam/modules/pam_permit/README | 4 - .../libpam/modules/pam_permit/pam_permit.c | 122 -- contrib/libpam/modules/pam_pwdb/BUGS | 8 - contrib/libpam/modules/pam_pwdb/CHANGELOG | 10 - contrib/libpam/modules/pam_pwdb/Makefile | 155 -- contrib/libpam/modules/pam_pwdb/README | 41 - contrib/libpam/modules/pam_pwdb/TODO | 34 - contrib/libpam/modules/pam_pwdb/bigcrypt.-c | 114 -- contrib/libpam/modules/pam_pwdb/md5.c | 259 --- contrib/libpam/modules/pam_pwdb/md5.h | 30 - contrib/libpam/modules/pam_pwdb/md5_crypt.c | 164 -- contrib/libpam/modules/pam_pwdb/pam_pwdb.c | 257 --- .../libpam/modules/pam_pwdb/pam_unix_acct.-c | 292 ---- .../libpam/modules/pam_pwdb/pam_unix_auth.-c | 129 -- .../libpam/modules/pam_pwdb/pam_unix_md.-c | 55 - .../modules/pam_pwdb/pam_unix_passwd.-c | 371 ---- 
.../libpam/modules/pam_pwdb/pam_unix_pwupd.-c | 272 --- .../libpam/modules/pam_pwdb/pam_unix_sess.-c | 112 -- contrib/libpam/modules/pam_pwdb/pwdb_chkpwd.c | 208 --- contrib/libpam/modules/pam_pwdb/support.-c | 910 ---------- contrib/libpam/modules/pam_radius/Makefile | 99 -- contrib/libpam/modules/pam_radius/README | 58 - .../libpam/modules/pam_radius/pam_radius.c | 193 -- .../libpam/modules/pam_radius/pam_radius.h | 35 - contrib/libpam/modules/pam_rhosts/Makefile | 94 - contrib/libpam/modules/pam_rhosts/README | 57 - .../modules/pam_rhosts/pam_rhosts_auth.c | 788 --------- contrib/libpam/modules/pam_rootok/Makefile | 111 -- contrib/libpam/modules/pam_rootok/README | 18 - .../libpam/modules/pam_rootok/pam_rootok.c | 118 -- contrib/libpam/modules/pam_securetty/Makefile | 83 - contrib/libpam/modules/pam_securetty/README | 9 - .../modules/pam_securetty/pam_securetty.c | 204 --- contrib/libpam/modules/pam_shells/Makefile | 84 - contrib/libpam/modules/pam_shells/README | 10 - .../libpam/modules/pam_shells/pam_shells.c | 131 -- contrib/libpam/modules/pam_stress/Makefile | 109 -- contrib/libpam/modules/pam_stress/README | 66 - .../libpam/modules/pam_stress/pam_stress.c | 581 ------ contrib/libpam/modules/pam_tally/Makefile | 93 - contrib/libpam/modules/pam_tally/README | 51 - contrib/libpam/modules/pam_tally/pam_tally.c | 634 ------- contrib/libpam/modules/pam_time/Makefile | 121 -- contrib/libpam/modules/pam_time/README | 37 - contrib/libpam/modules/pam_time/install_conf | 46 - contrib/libpam/modules/pam_time/pam_time.c | 614 ------- contrib/libpam/modules/pam_time/time.conf | 64 - contrib/libpam/modules/pam_unix/CHANGELOG | 6 - contrib/libpam/modules/pam_unix/Makefile | 155 -- contrib/libpam/modules/pam_unix/README | 39 - .../libpam/modules/pam_unix/pam_unix_acct.c | 117 -- .../libpam/modules/pam_unix/pam_unix_auth.c | 309 ---- .../libpam/modules/pam_unix/pam_unix_passwd.c | 813 --------- .../libpam/modules/pam_unix/pam_unix_sess.c | 181 -- 
contrib/libpam/modules/pam_unix/support.c | 152 -- contrib/libpam/modules/pam_warn/Makefile | 96 - contrib/libpam/modules/pam_warn/README | 23 - contrib/libpam/modules/pam_warn/pam_warn.c | 112 -- contrib/libpam/modules/pam_wheel/Makefile | 94 - contrib/libpam/modules/pam_wheel/README | 33 - contrib/libpam/modules/pam_wheel/pam_wheel.c | 277 --- 163 files changed, 26807 deletions(-) delete mode 100644 contrib/libpam/bin/README delete mode 100644 contrib/libpam/conf/Makefile delete mode 100755 contrib/libpam/conf/install delete mode 100755 contrib/libpam/conf/install_conf delete mode 100755 contrib/libpam/conf/md5itall delete mode 100755 contrib/libpam/conf/mkdirp delete mode 100644 contrib/libpam/conf/pam.conf delete mode 100644 contrib/libpam/conf/pam_conv1/Makefile delete mode 100644 contrib/libpam/conf/pam_conv1/README delete mode 100644 contrib/libpam/conf/pam_conv1/lex.yy.c delete mode 100644 contrib/libpam/conf/pam_conv1/pam_conv.lex delete mode 100644 contrib/libpam/conf/pam_conv1/pam_conv.tab.c delete mode 100644 contrib/libpam/conf/pam_conv1/pam_conv.y delete mode 100644 contrib/libpam/defs/hpux.defs delete mode 100644 contrib/libpam/defs/linux.defs delete mode 100644 contrib/libpam/defs/morgan.defs delete mode 100644 contrib/libpam/defs/redhat.defs delete mode 100644 contrib/libpam/defs/solaris.defs delete mode 100644 contrib/libpam/defs/sunos.defs delete mode 100644 contrib/libpam/doc/modules/README delete mode 100644 contrib/libpam/doc/modules/module.sgml-template delete mode 100644 contrib/libpam/doc/modules/pam_chroot.sgml delete mode 100644 contrib/libpam/doc/modules/pam_cracklib.sgml delete mode 100644 contrib/libpam/doc/modules/pam_deny.sgml delete mode 100644 contrib/libpam/doc/modules/pam_env.sgml delete mode 100644 contrib/libpam/doc/modules/pam_filter.sgml delete mode 100644 contrib/libpam/doc/modules/pam_ftp.sgml delete mode 100644 contrib/libpam/doc/modules/pam_group.sgml delete mode 100644 contrib/libpam/doc/modules/pam_krb4.sgml delete mode 
100644 contrib/libpam/doc/modules/pam_lastlog.sgml delete mode 100644 contrib/libpam/doc/modules/pam_limits.sgml delete mode 100644 contrib/libpam/doc/modules/pam_listfile.sgml delete mode 100644 contrib/libpam/doc/modules/pam_mail.sgml delete mode 100644 contrib/libpam/doc/modules/pam_nologin.sgml delete mode 100644 contrib/libpam/doc/modules/pam_permit.sgml delete mode 100644 contrib/libpam/doc/modules/pam_pwdb.sgml delete mode 100644 contrib/libpam/doc/modules/pam_radius.sgml delete mode 100644 contrib/libpam/doc/modules/pam_rhosts.sgml delete mode 100644 contrib/libpam/doc/modules/pam_rootok.sgml delete mode 100644 contrib/libpam/doc/modules/pam_securetty.sgml delete mode 100644 contrib/libpam/doc/modules/pam_time.sgml delete mode 100644 contrib/libpam/doc/modules/pam_warn.sgml delete mode 100644 contrib/libpam/doc/modules/pam_wheel.sgml delete mode 100644 contrib/libpam/doc/ps/README delete mode 100644 contrib/libpam/doc/specs/draft-morgan-pam-00.raw delete mode 100644 contrib/libpam/doc/specs/formatter/Makefile delete mode 100644 contrib/libpam/doc/specs/formatter/parse.lex delete mode 100644 contrib/libpam/doc/specs/formatter/parse.y delete mode 100644 contrib/libpam/doc/txts/README delete mode 100644 contrib/libpam/examples/Makefile delete mode 100644 contrib/libpam/examples/blank.c delete mode 100644 contrib/libpam/examples/check_user.c delete mode 100644 contrib/libpam/examples/test.c delete mode 100644 contrib/libpam/examples/vpass.c delete mode 100644 contrib/libpam/examples/xsh.c delete mode 100644 contrib/libpam/modules/Makefile delete mode 100644 contrib/libpam/modules/README delete mode 100644 contrib/libpam/modules/dont_makefile delete mode 100644 contrib/libpam/modules/pam_access/Makefile delete mode 100644 contrib/libpam/modules/pam_access/README delete mode 100644 contrib/libpam/modules/pam_access/access.conf delete mode 100755 contrib/libpam/modules/pam_access/install_conf delete mode 100644 contrib/libpam/modules/pam_access/pam_access.c delete 
mode 100644 contrib/libpam/modules/pam_cracklib/Makefile delete mode 100644 contrib/libpam/modules/pam_cracklib/README delete mode 100644 contrib/libpam/modules/pam_cracklib/pam_cracklib.c delete mode 100644 contrib/libpam/modules/pam_deny/Makefile delete mode 100644 contrib/libpam/modules/pam_deny/README delete mode 100644 contrib/libpam/modules/pam_deny/pam_deny.c delete mode 100644 contrib/libpam/modules/pam_env/Makefile delete mode 100644 contrib/libpam/modules/pam_env/README delete mode 100755 contrib/libpam/modules/pam_env/install_conf delete mode 100644 contrib/libpam/modules/pam_env/pam_env.c delete mode 100644 contrib/libpam/modules/pam_env/pam_env.conf-example delete mode 100644 contrib/libpam/modules/pam_filter/Makefile delete mode 100644 contrib/libpam/modules/pam_filter/README delete mode 100644 contrib/libpam/modules/pam_filter/include/pam_filter.h delete mode 100644 contrib/libpam/modules/pam_filter/pam_filter.c delete mode 100644 contrib/libpam/modules/pam_filter/upperLOWER/Makefile delete mode 100644 contrib/libpam/modules/pam_filter/upperLOWER/upperLOWER.c delete mode 100644 contrib/libpam/modules/pam_ftp/Makefile delete mode 100644 contrib/libpam/modules/pam_ftp/README delete mode 100644 contrib/libpam/modules/pam_ftp/pam_ftp.c delete mode 100644 contrib/libpam/modules/pam_group/Makefile delete mode 100644 contrib/libpam/modules/pam_group/group.conf delete mode 100755 contrib/libpam/modules/pam_group/install_conf delete mode 100644 contrib/libpam/modules/pam_group/pam_group.c delete mode 100644 contrib/libpam/modules/pam_lastlog/Makefile delete mode 100644 contrib/libpam/modules/pam_lastlog/pam_lastlog.c delete mode 100644 contrib/libpam/modules/pam_limits/Makefile delete mode 100644 contrib/libpam/modules/pam_limits/README delete mode 100755 contrib/libpam/modules/pam_limits/install_conf delete mode 100644 contrib/libpam/modules/pam_limits/limits.skel delete mode 100644 contrib/libpam/modules/pam_limits/pam_limits.c delete mode 100644 
contrib/libpam/modules/pam_listfile/Makefile delete mode 100644 contrib/libpam/modules/pam_listfile/README delete mode 100644 contrib/libpam/modules/pam_listfile/pam_listfile.c delete mode 100644 contrib/libpam/modules/pam_mail/Makefile delete mode 100644 contrib/libpam/modules/pam_mail/pam_mail.c delete mode 100644 contrib/libpam/modules/pam_nologin/README delete mode 100644 contrib/libpam/modules/pam_nologin/pam_nologin.c delete mode 100644 contrib/libpam/modules/pam_permit/Makefile delete mode 100644 contrib/libpam/modules/pam_permit/README delete mode 100644 contrib/libpam/modules/pam_permit/pam_permit.c delete mode 100644 contrib/libpam/modules/pam_pwdb/BUGS delete mode 100644 contrib/libpam/modules/pam_pwdb/CHANGELOG delete mode 100644 contrib/libpam/modules/pam_pwdb/Makefile delete mode 100644 contrib/libpam/modules/pam_pwdb/README delete mode 100644 contrib/libpam/modules/pam_pwdb/TODO delete mode 100644 contrib/libpam/modules/pam_pwdb/bigcrypt.-c delete mode 100644 contrib/libpam/modules/pam_pwdb/md5.c delete mode 100644 contrib/libpam/modules/pam_pwdb/md5.h delete mode 100644 contrib/libpam/modules/pam_pwdb/md5_crypt.c delete mode 100644 contrib/libpam/modules/pam_pwdb/pam_pwdb.c delete mode 100644 contrib/libpam/modules/pam_pwdb/pam_unix_acct.-c delete mode 100644 contrib/libpam/modules/pam_pwdb/pam_unix_auth.-c delete mode 100644 contrib/libpam/modules/pam_pwdb/pam_unix_md.-c delete mode 100644 contrib/libpam/modules/pam_pwdb/pam_unix_passwd.-c delete mode 100644 contrib/libpam/modules/pam_pwdb/pam_unix_pwupd.-c delete mode 100644 contrib/libpam/modules/pam_pwdb/pam_unix_sess.-c delete mode 100644 contrib/libpam/modules/pam_pwdb/pwdb_chkpwd.c delete mode 100644 contrib/libpam/modules/pam_pwdb/support.-c delete mode 100644 contrib/libpam/modules/pam_radius/Makefile delete mode 100644 contrib/libpam/modules/pam_radius/README delete mode 100644 contrib/libpam/modules/pam_radius/pam_radius.c delete mode 100644 contrib/libpam/modules/pam_radius/pam_radius.h 
delete mode 100644 contrib/libpam/modules/pam_rhosts/Makefile delete mode 100644 contrib/libpam/modules/pam_rhosts/README delete mode 100644 contrib/libpam/modules/pam_rhosts/pam_rhosts_auth.c delete mode 100644 contrib/libpam/modules/pam_rootok/Makefile delete mode 100644 contrib/libpam/modules/pam_rootok/README delete mode 100644 contrib/libpam/modules/pam_rootok/pam_rootok.c delete mode 100644 contrib/libpam/modules/pam_securetty/Makefile delete mode 100644 contrib/libpam/modules/pam_securetty/README delete mode 100644 contrib/libpam/modules/pam_securetty/pam_securetty.c delete mode 100644 contrib/libpam/modules/pam_shells/Makefile delete mode 100644 contrib/libpam/modules/pam_shells/README delete mode 100644 contrib/libpam/modules/pam_shells/pam_shells.c delete mode 100644 contrib/libpam/modules/pam_stress/Makefile delete mode 100644 contrib/libpam/modules/pam_stress/README delete mode 100644 contrib/libpam/modules/pam_stress/pam_stress.c delete mode 100644 contrib/libpam/modules/pam_tally/Makefile delete mode 100644 contrib/libpam/modules/pam_tally/README delete mode 100644 contrib/libpam/modules/pam_tally/pam_tally.c delete mode 100644 contrib/libpam/modules/pam_time/Makefile delete mode 100644 contrib/libpam/modules/pam_time/README delete mode 100755 contrib/libpam/modules/pam_time/install_conf delete mode 100644 contrib/libpam/modules/pam_time/pam_time.c delete mode 100644 contrib/libpam/modules/pam_time/time.conf delete mode 100644 contrib/libpam/modules/pam_unix/CHANGELOG delete mode 100644 contrib/libpam/modules/pam_unix/Makefile delete mode 100644 contrib/libpam/modules/pam_unix/README delete mode 100644 contrib/libpam/modules/pam_unix/pam_unix_acct.c delete mode 100644 contrib/libpam/modules/pam_unix/pam_unix_auth.c delete mode 100644 contrib/libpam/modules/pam_unix/pam_unix_passwd.c delete mode 100644 contrib/libpam/modules/pam_unix/pam_unix_sess.c delete mode 100644 contrib/libpam/modules/pam_unix/support.c delete mode 100644 
contrib/libpam/modules/pam_warn/Makefile delete mode 100644 contrib/libpam/modules/pam_warn/README delete mode 100644 contrib/libpam/modules/pam_warn/pam_warn.c delete mode 100644 contrib/libpam/modules/pam_wheel/Makefile delete mode 100644 contrib/libpam/modules/pam_wheel/README delete mode 100644 contrib/libpam/modules/pam_wheel/pam_wheel.c
diff --git a/contrib/libpam/bin/README b/contrib/libpam/bin/README
deleted file mode 100644
index 92ab5253faa9..000000000000
--- a/contrib/libpam/bin/README
+++ /dev/null
@@ -1,39 +0,0 @@
-##
-# $Id: README,v 1.6 1997/02/15 19:21:08 morgan Exp $
-##
-# $Log: README,v $
-# Revision 1.6 1997/02/15 19:21:08 morgan
-# fixed email
-#
-# Revision 1.5 1996/08/09 05:29:43 morgan
-# trimmed in line with the removal of applications from the distribution
-#
-#
-##
-
-(now we are getting networked apps, be careful to try and test on a
-securely isolated system!)
-
-N=2 <-- blank xsh
-
-Following a 'make install' (which should be done as root) in the
-parent directory this directory will contain $N binaries. The source
-for these programs is in ../examples. They are various short programs
-to use and otherwise test-drive the Linux-PAM libraries/modules with.
-
-These programs grant no privileges, but they give an idea of how well
-the modules are working.
-
-blank is new as of Linux-PAM-0.21. If you are writing/modifying an
-application it might be a place to start...
-
-xsh is new as of Linux-PAM-0.31, it is identical to blank, but invokes
-/bin/sh if the user is authenticated.
-
-[other apps are to be found in SimplePAMApps and many more on Red
-Hat's server.. http://www.redhat.com/]
-
-Best wishes
-
-Andrew
-(morgan@parc.power.net)
diff --git a/contrib/libpam/conf/Makefile b/contrib/libpam/conf/Makefile
deleted file mode 100644
index 4fb9f7c40c60..000000000000
--- a/contrib/libpam/conf/Makefile
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# $Id: Makefile,v 1.8 1997/04/05 06:59:33 morgan Exp $
-#
-# $Log: Makefile,v $
-# Revision 1.8 1997/04/05 06:59:33 morgan
-# fakeroot and $(MAKE)
-#
-# Revision 1.7 1997/02/15 15:53:51 morgan
-# added lines to make pam_conv1
-#
-# Revision 1.6 1996/11/10 19:48:09 morgan
-# fix for systems that have not installed bash in /bin/
-#
-# Revision 1.5 1996/03/16 22:21:26 morgan
-# added 'make remove' option
-#
-# Revision 1.4 1996/03/10 21:01:47 morgan
-# added .ignore_age flag file
-#
-# Revision 1.3 1996/03/10 17:41:28 morgan
-# make RCScheck check for the presence of the executable before running
-# it!
-#
-# Revision 1.2 1996/03/10 17:16:42 morgan
-# added md5RCS/ RCScheck entry
-#
-#
-
-dummy:
- @echo "*** This is not a top level Makefile!"
-
-##########################################################
-
-all:
- $(MAKE) -C pam_conv1 all
-
-install: $(FAKEROOT)$(CONFIGED)/pam.conf
- $(MAKE) -C pam_conv1 install
-
-$(FAKEROOT)$(CONFIGED)/pam.conf: ./pam.conf
- bash -f ./install_conf
-
-remove:
- rm -f $(FAKEROOT)$(CONFIGED)/pam.conf
- $(MAKE) -C pam_conv1 remove
-
-check:
- bash -f ./md5itall
-
-RCScheck:
- if [ -x ./md5RCS ]; then bash -f ./md5RCS ; fi
-
-lclean:
- rm -f core *~ .ignore_age
-
-clean: lclean
- $(MAKE) -C pam_conv1 clean
-
-extraclean: lclean
- $(MAKE) -C pam_conv1 extraclean
diff --git a/contrib/libpam/conf/install b/contrib/libpam/conf/install
deleted file mode 100755
index 2eae36715b70..000000000000
--- a/contrib/libpam/conf/install
+++ /dev/null
@@ -1,178 +0,0 @@
-#!/bin/sh
-#
-# [This file was lifted from an X distribution. There was no explicit
-# copyright in the file, but the following text was associated with it.
-# should anyone from the X Consortium wish to alter the following
-# text. Please email Thanks. ]
-#
-# --------------------------
-# The X Consortium maintains and distributes the X Window System and
-# related software and documentation in coordinated releases. A release
-# consists of two distinct parts:
-#
-# 1) Specifications and Sample implementations of X Consortium
-# standards, and
-#
-# 2) software and documentation contributed by the general X Consortium
-# community.
-#
-# The timing and contents of a release are determined by the Consortium
-# staff based on the needs and desires of the Members and the advice of
-# the Advisory Board, tempered by the resource constraints of the
-# Consortium.
-#
-# Members have access to all X Consortium produced software and
-# documentation prior to release to the public. Each Member can receive
-# pre-releases and public releases at no charge. In addition, Members
-# have access to software and documentation while it is under
-# development, and can periodically request snapshots of the development
-# system at no charge.
-#
-# The X Consortium also maintains an electronic mail system for
-# reporting problems with X Consortium produced software and
-# documentation. Members have access to all bug reports, as well as all
-# software patches as they are incrementally developed by the Consortium
-# staff between releases.
-#
-# In general, all materials included in X Consortium releases are
-# copyrighted and contain permission notices granting unrestricted use,
-# sales and redistribution rights provided that the copyrights and the
-# permission notices are left intact. All materials are provided "as
-# is," without express or implied warranty.
-# --------------------------
-#
-# This accepts bsd-style install arguments and makes the appropriate calls
-# to the System V install.
-#
-
-flags=""
-dst=""
-src=""
-dostrip=""
-owner=""
-mode=""
-
-while [ x$1 != x ]; do
- case $1 in
- -c) shift
- continue;;
-
- -m) flags="$flags $1 $2 "
- mode="$2"
- shift
- shift
- continue;;
-
- -o) flags="$flags -u $2 "
- owner="$2"
- shift
- shift
- continue;;
-
- -g) flags="$flags $1 $2 "
- shift
- shift
- continue;;
-
- -s) dostrip="strip"
- shift
- continue;;
-
- *) if [ x$src = x ]
- then
- src=$1
- else
- dst=$1
- fi
- shift
- continue;;
- esac
-done
-
-case "$mode" in
-"")
- ;;
-*)
- case "$owner" in
- "")
- flags="$flags -u root"
- ;;
- esac
- ;;
-esac
-
-if [ x$src = x ]
-then
- echo "$0: no input file specified"
- exit 1
-fi
-
-if [ x$dst = x ]
-then
- echo "$0: no destination specified"
- exit 1
-fi
-
-
-# set up some variable to be used later
-
-rmcmd=""
-srcdir="."
-
-# if the destination isn't a directory we'll need to copy it first
-
-if [ ! -d $dst ]
-then
- dstbase=`basename $dst`
- cp $src /tmp/$dstbase
- rmcmd="rm -f /tmp/$dstbase"
- src=$dstbase
- srcdir=/tmp
- dst="`echo $dst | sed 's,^\(.*\)/.*$,\1,'`"
- if [ x$dst = x ]
- then
- dst="."
- fi
-fi
-
-
-# If the src file has a directory, copy it to /tmp to make install happy
-
-srcbase=`basename $src`
-
-if [ "$src" != "$srcbase" -a "$src" != "./$srcbase" ]
-then
- cp $src /tmp/$srcbase
- src=$srcbase
- srcdir=/tmp
- rmcmd="rm -f /tmp/$srcbase"
-fi
-
-# do the actual install
-
-if [ -f /usr/sbin/install ]
-then
- installcmd=/usr/sbin/install
-elif [ -f /etc/install ]
-then
- installcmd=/etc/install
-else
- installcmd=install
-fi
-
-# This rm is commented out because some people want to be able to
-# install through symbolic links. Uncomment it if it offends you.
-rm -f $dst/$srcbase
-(cd $srcdir ; $installcmd -f $dst $flags $src)
-
-if [ x$dostrip = xstrip ]
-then
- strip $dst/$srcbase
-fi
-
-# and clean up
-
-$rmcmd
-
-exit
-
diff --git a/contrib/libpam/conf/install_conf b/contrib/libpam/conf/install_conf
deleted file mode 100755
index db650a05cfd2..000000000000
--- a/contrib/libpam/conf/install_conf
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/bash
-
-CONFILE="$FAKEROOT"$CONFIGED/pam.conf
-IGNORE_AGE=./.ignore_age
-CONF=./pam.conf
-
-echo
-
-if [ -f "$IGNORE_AGE" ]; then
- echo "you don't want to be bothered with the age of your $CONFILE file"
- yes="n"
-elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then
- if [ -f "$CONFILE" ]; then
- echo "\
-An older Linux-PAM configuration file already exists ($CONFILE)"
- WRITE=overwrite
- fi
- echo -n "\
-Do you wish to copy the $CONF file in this distribution
-to $CONFILE ? (y/n) [n] "
- read yes
-else
- yes=n
-fi
-
-if [ "$yes" = "y" ]; then
- echo " copying $CONF to $CONFILE"
- cp $CONF $CONFILE
-else
- touch "$IGNORE_AGE"
- echo " Skipping $CONF installation"
-fi
-
-echo
-
-exit 0
diff --git a/contrib/libpam/conf/md5itall b/contrib/libpam/conf/md5itall
deleted file mode 100755
index 6328a4f6fc5a..000000000000
--- a/contrib/libpam/conf/md5itall
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/bash
-#
-# $Id$
-#
-# $Log$
-#
-# Created by Andrew G. Morgan (morgan@parc.power.net)
-#
-
-MD5SUM=md5sum
-CHKFILE1=./.md5sum
-CHKFILE2=./.md5sum-new
-
-which $MD5SUM > /dev/null
-result=$?
-
-if [ -x "$MD5SUM" ] || [ $result -eq 0 ]; then
- rm -f $CHKFILE2
- echo -n "computing md5 checksums."
- for x in `cat ../.filelist` ; do
- (cd ../.. ; $MD5SUM $x) >> $CHKFILE2
- echo -n "."
- done
- echo
- if [ -f "$CHKFILE1" ]; then
- echo "\
----> Note, since the last \`make check', the following file(s) have changed:
-==========================================================================="
- diff $CHKFILE1 $CHKFILE2
- if [ $? -eq 0 ]; then
- echo "\
---------------------------- Nothing has changed ---------------------------"
- fi
- echo "\
-==========================================================================="
- fi
- rm -f "$CHKFILE1"
- mv "$CHKFILE2" "$CHKFILE1"
- chmod 400 "$CHKFILE1"
-else
- echo "\
-Please install \`$MD5SUM'.
-[It is used to check the integrity of this distribution]
----> no check done."
-fi
diff --git a/contrib/libpam/conf/mkdirp b/contrib/libpam/conf/mkdirp
deleted file mode 100755
index b0e04b05d042..000000000000
--- a/contrib/libpam/conf/mkdirp
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/bin/sh
-#
-# this is a wrapper for difficult mkdir programs...
-#
-
-for d in $*
-do
- if [ ! -d $d ]; then
- mkdir -p $d
- if [ $? -ne 0 ]; then exit $? ; fi
- fi
-done
-
-exit 0
-
-##########################################################################
-# if your mkdir does not support the -p option delete the above lines and
-# use what follows:
---------------------
-#!/bin/sh
-
-#VERBOSE=yes
-Cwd=`pwd`
-
-for d in $*
-do
- if [ "`echo $d|cut -c1`" != "/" ]; then
- x=`pwd`/$d
- else
- x=$d
- fi
- x="`echo $x|sed -e 'yX/X X'`"
- cd /
- for s in $x
- do
- if [ -d $s ]; then
- if [ -n "$VERBOSE" ]; then echo -n "[$s/]"; fi
- cd $s
- else
- mkdir $s
- if [ $? -ne 0 ]; then exit $? ; fi
- if [ -n "$VERBOSE" ]; then echo -n "$s/"; fi
- cd $s
- fi
- done
- if [ -n "$VERBOSE" ]; then echo ; fi
- cd $Cwd
-done
-
-exit 0
diff --git a/contrib/libpam/conf/pam.conf b/contrib/libpam/conf/pam.conf
deleted file mode 100644
index 2e4f0342189a..000000000000
--- a/contrib/libpam/conf/pam.conf
+++ /dev/null
@@ -1,126 +0,0 @@
-# ---------------------------------------------------------------------------#
-# /etc/pam.conf #
-# #
-# Last modified by Andrew G. Morgan #
-# ---------------------------------------------------------------------------#
-# $Id: pam.conf,v 1.18 1997/02/15 20:20:20 morgan Exp morgan $
-# ---------------------------------------------------------------------------#
-# serv. module ctrl module [path] ...[args..] #
-# name type flag #
-# ---------------------------------------------------------------------------#
-#
-# The PAM configuration file for the `chfn' service
-#
-chfn auth required pam_pwdb.so
-chfn account required pam_pwdb.so
-chfn password required pam_cracklib.so retry=3
-chfn password required pam_pwdb.so shadow md5 use_authtok
-#
-# The PAM configuration file for the `chsh' service
-#
-chsh auth required pam_pwdb.so
-chsh account required pam_pwdb.so
-chsh password required pam_cracklib.so retry=3
-chsh password required pam_pwdb.so shadow md5 use_authtok
-#
-# The PAM configuration file for the `ftp' service
-#
-ftp auth requisite pam_listfile.so \
- item=user sense=deny file=/etc/ftpusers onerr=succeed
-ftp auth requisite pam_shells.so
-ftp auth required pam_pwdb.so
-ftp account required pam_pwdb.so
-#
-# The PAM configuration file for the `imap' service
-#
-imap auth required pam_pwdb.so
-imap account required pam_pwdb.so
-#
-# The PAM configuration file for the `login' service
-#
-login auth requisite pam_securetty.so
-login auth required pam_pwdb.so
-login auth optional pam_group.so
-login account requisite pam_time.so
-login account required pam_pwdb.so
-login password required pam_cracklib.so retry=3
-login password required pam_pwdb.so shadow md5 use_authtok
-login session required pam_pwdb.so
-#
-# The PAM configuration file for the `netatalk' service
-#
-netatalk auth required pam_pwdb.so
-netatalk account required pam_pwdb.so
-#
-# The PAM configuration file for the `other' service
-#
-other auth required pam_deny.so
-other auth required pam_warn.so
-other account required pam_deny.so
-other password required pam_deny.so
-other password required pam_warn.so
-other session required pam_deny.so
-#
-# The PAM configuration file for the `passwd' service
-#
-passwd password requisite pam_cracklib.so retry=3
-passwd password required pam_pwdb.so shadow md5 use_authtok
-#
-# The PAM configuration file for the `rexec' service
-#
-rexec auth requisite pam_securetty.so
-rexec auth requisite pam_nologin.so
-rexec auth sufficient pam_rhosts_auth.so
-rexec auth required pam_pwdb.so
-rexec account required pam_pwdb.so
-rexec session required pam_pwdb.so
-rexec session required pam_limits.so
-#
-# The PAM configuration file for the `rlogin' service
-# this application passes control to `login' if it fails
-#
-rlogin auth requisite pam_securetty.so
-rlogin auth requisite pam_nologin.so
-rlogin auth required pam_rhosts_auth.so
-rlogin account required pam_pwdb.so
-rlogin password required pam_cracklib.so retry=3
-rlogin password required pam_pwdb.so shadow md5 use_authtok
-rlogin session required pam_pwdb.so
-rlogin session required pam_limits.so
-#
-# The PAM configuration file for the `rsh' service
-#
-rsh auth requisite pam_securetty.so
-rsh auth requisite pam_nologin.so
-rsh auth sufficient pam_rhosts_auth.so
-rsh auth required pam_pwdb.so
-rsh account required pam_pwdb.so
-rsh session required pam_pwdb.so
-rsh session required pam_limits.so
-#
-# The PAM configuration file for the `samba' service
-#
-samba auth required pam_pwdb.so
-samba account required pam_pwdb.so
-#
-# The PAM configuration file for the `su' service
-#
-su auth required pam_wheel.so
-su auth sufficient pam_rootok.so
-su auth required pam_pwdb.so
-su account required pam_pwdb.so
-su session required pam_pwdb.so
-#
-# The PAM configuration file for the `vlock' service
-#
-vlock auth required pam_pwdb.so
-#
-# The PAM configuration file for the `xdm' service
-#
-xdm auth required pam_pwdb.so
-xdm account required pam_pwdb.so
-#
-# The PAM configuration file for the `xlock' service
-#
-xlock auth required pam_pwdb.so
-
diff --git a/contrib/libpam/conf/pam_conv1/Makefile b/contrib/libpam/conf/pam_conv1/Makefile
deleted file mode 100644
index 7691dc31222d..000000000000
--- a/contrib/libpam/conf/pam_conv1/Makefile
+++ /dev/null
@@ -1,41 +0,0 @@
-#
-#
-ifeq ($(OS),solaris)
-
-clean:
- @echo not available in Solaris
-
-all:
- @echo not available in Solaris
-
-install:
- @echo not available in Solaris
-
-else
-
-all: pam_conv1
-
-pam_conv1: pam_conv.tab.c lex.yy.c
- $(CC) -o pam_conv1 pam_conv.tab.c -lfl
-
-pam_conv.tab.c: pam_conv.y lex.yy.c
- bison pam_conv.y
-
-lex.yy.c: pam_conv.lex
- flex pam_conv.lex
-
-lclean:
- rm -f core pam_conv1 lex.yy.c pam_conv.tab.c *.o *~
- rm -rf ./pam.d pam_conv.output
-
-clean: lclean
-
-install: pam_conv1
- cp -f ./pam_conv1 ../../bin
-
-endif
-
-remove:
- rm -f ../../bin/pam_conv1
-
-extraclean: remove clean
diff --git a/contrib/libpam/conf/pam_conv1/README b/contrib/libpam/conf/pam_conv1/README
deleted file mode 100644
index d3344bb34ff0..000000000000
--- a/contrib/libpam/conf/pam_conv1/README
+++ /dev/null
@@ -1,10 +0,0 @@
-$Id: README,v 1.1 1997/02/15 15:50:50 morgan Exp $
-
-This directory contains a untility to convert pam.conf files to a pam.d/
-tree. The conversion program takes pam.conf from the standard input and
-creates the pam.d/ directory in the current directory.
-
-The program will fail if ./pam.d/ already exists.
-
-Andrew Morgan, February 1997
-
diff --git a/contrib/libpam/conf/pam_conv1/lex.yy.c b/contrib/libpam/conf/pam_conv1/lex.yy.c
deleted file mode 100644
index 5843e58d6c96..000000000000
--- a/contrib/libpam/conf/pam_conv1/lex.yy.c
+++ /dev/null
@@ -1,1553 +0,0 @@ -/* A lexical scanner generated by flex */ - -/* Scanner skeleton version: - * $Header: /home/daffy/u0/vern/flex/RCS/flex.skl,v 2.91 96/09/10 16:58:48 vern Exp $ - */ - -#define FLEX_SCANNER -#define YY_FLEX_MAJOR_VERSION 2 -#define YY_FLEX_MINOR_VERSION 5 - -#include - - -/* cfront 1.2 defines "c_plusplus" instead of "__cplusplus" */ -#ifdef c_plusplus -#ifndef __cplusplus -#define __cplusplus -#endif -#endif - - -#ifdef __cplusplus - -#include -#include - -/* Use prototypes in function declarations. */ -#define YY_USE_PROTOS - -/* The "const" storage-class-modifier is valid. */ -#define YY_USE_CONST - -#else /* ! __cplusplus */ - -#if __STDC__ - -#define YY_USE_PROTOS -#define YY_USE_CONST - -#endif /* __STDC__ */ -#endif /* ! __cplusplus */ - -#ifdef __TURBOC__ - #pragma warn -rch - #pragma warn -use -#include -#include -#define YY_USE_CONST -#define YY_USE_PROTOS -#endif - -#ifdef YY_USE_CONST -#define yyconst const -#else -#define yyconst -#endif - - -#ifdef YY_USE_PROTOS -#define YY_PROTO(proto) proto -#else -#define YY_PROTO(proto) () -#endif - -/* Returned upon end-of-file. */ -#define YY_NULL 0 - -/* Promotes a possibly negative, possibly signed char to an unsigned - * integer for use as an array index. If the signed char is negative, - * we want to instead treat it as an 8-bit unsigned char, hence the - * double cast. - */ -#define YY_SC_TO_UI(c) ((unsigned int) (unsigned char) c) - -/* Enter a start condition. This macro really ought to take a parameter, - * but we do it the disgusting crufty way forced on us by the ()-less - * definition of BEGIN. - */ -#define BEGIN yy_start = 1 + 2 * - -/* Translate the current start state into a value that can be later handed - * to BEGIN to return to the state. The YYSTATE alias is for lex - * compatibility. - */ -#define YY_START ((yy_start - 1) / 2) -#define YYSTATE YY_START - -/* Action number for EOF rule of a given start state. 
*/ -#define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1) - -/* Special action meaning "start processing a new file". */ -#define YY_NEW_FILE yyrestart( yyin ) - -#define YY_END_OF_BUFFER_CHAR 0 - -/* Size of default input buffer. */ -#define YY_BUF_SIZE 16384 - -typedef struct yy_buffer_state *YY_BUFFER_STATE; - -extern int yyleng; -extern FILE *yyin, *yyout; - -#define EOB_ACT_CONTINUE_SCAN 0 -#define EOB_ACT_END_OF_FILE 1 -#define EOB_ACT_LAST_MATCH 2 - -/* The funky do-while in the following #define is used to turn the definition - * int a single C statement (which needs a semi-colon terminator). This - * avoids problems with code like: - * - * if ( condition_holds ) - * yyless( 5 ); - * else - * do_something_else(); - * - * Prior to using the do-while the compiler would get upset at the - * "else" because it interpreted the "if" statement as being all - * done when it reached the ';' after the yyless() call. - */ - -/* Return all but the first 'n' matched characters back to the input stream. */ - -#define yyless(n) \ - do \ - { \ - /* Undo effects of setting up yytext. */ \ - *yy_cp = yy_hold_char; \ - YY_RESTORE_YY_MORE_OFFSET \ - yy_c_buf_p = yy_cp = yy_bp + n - YY_MORE_ADJ; \ - YY_DO_BEFORE_ACTION; /* set up yytext again */ \ - } \ - while ( 0 ) - -#define unput(c) yyunput( c, yytext_ptr ) - -/* The following is because we cannot portably get our hands on size_t - * (without autoconf's help, which isn't available because we want - * flex-generated scanners to compile on their own). - */ -typedef unsigned int yy_size_t; - - -struct yy_buffer_state - { - FILE *yy_input_file; - - char *yy_ch_buf; /* input buffer */ - char *yy_buf_pos; /* current position in input buffer */ - - /* Size of input buffer in bytes, not including room for EOB - * characters. - */ - yy_size_t yy_buf_size; - - /* Number of characters read into yy_ch_buf, not including EOB - * characters. 
- */ - int yy_n_chars; - - /* Whether we "own" the buffer - i.e., we know we created it, - * and can realloc() it to grow it, and should free() it to - * delete it. - */ - int yy_is_our_buffer; - - /* Whether this is an "interactive" input source; if so, and - * if we're using stdio for input, then we want to use getc() - * instead of fread(), to make sure we stop fetching input after - * each newline. - */ - int yy_is_interactive; - - /* Whether we're considered to be at the beginning of a line. - * If so, '^' rules will be active on the next match, otherwise - * not. - */ - int yy_at_bol; - - /* Whether to try to fill the input buffer when we reach the - * end of it. - */ - int yy_fill_buffer; - - int yy_buffer_status; -#define YY_BUFFER_NEW 0 -#define YY_BUFFER_NORMAL 1 - /* When an EOF's been seen but there's still some text to process - * then we mark the buffer as YY_EOF_PENDING, to indicate that we - * shouldn't try reading from the input source any more. We might - * still have a bunch of tokens to match, though, because of - * possible backing-up. - * - * When we actually see the EOF, we change the status to "new" - * (via yyrestart()), so that the user can continue scanning by - * just pointing yyin at a new input file. - */ -#define YY_BUFFER_EOF_PENDING 2 - }; - -static YY_BUFFER_STATE yy_current_buffer = 0; - -/* We provide macros for accessing buffer states in case in the - * future we want to put the buffer states in a more general - * "scanner state". - */ -#define YY_CURRENT_BUFFER yy_current_buffer - - -/* yy_hold_char holds the character lost when yytext is formed. */ -static char yy_hold_char; - -static int yy_n_chars; /* number of characters read into yy_ch_buf */ - - -int yyleng; - -/* Points to current character in buffer. 
*/ -static char *yy_c_buf_p = (char *) 0; -static int yy_init = 1; /* whether we need to initialize */ -static int yy_start = 0; /* start state number */ - -/* Flag which is used to allow yywrap()'s to do buffer switches - * instead of setting up a fresh yyin. A bit of a hack ... - */ -static int yy_did_buffer_switch_on_eof; - -void yyrestart YY_PROTO(( FILE *input_file )); - -void yy_switch_to_buffer YY_PROTO(( YY_BUFFER_STATE new_buffer )); -void yy_load_buffer_state YY_PROTO(( void )); -YY_BUFFER_STATE yy_create_buffer YY_PROTO(( FILE *file, int size )); -void yy_delete_buffer YY_PROTO(( YY_BUFFER_STATE b )); -void yy_init_buffer YY_PROTO(( YY_BUFFER_STATE b, FILE *file )); -void yy_flush_buffer YY_PROTO(( YY_BUFFER_STATE b )); -#define YY_FLUSH_BUFFER yy_flush_buffer( yy_current_buffer ) - -YY_BUFFER_STATE yy_scan_buffer YY_PROTO(( char *base, yy_size_t size )); -YY_BUFFER_STATE yy_scan_string YY_PROTO(( yyconst char *yy_str )); -YY_BUFFER_STATE yy_scan_bytes YY_PROTO(( yyconst char *bytes, int len )); - -static void *yy_flex_alloc YY_PROTO(( yy_size_t )); -static void *yy_flex_realloc YY_PROTO(( void *, yy_size_t )); -static void yy_flex_free YY_PROTO(( void * )); - -#define yy_new_buffer yy_create_buffer - -#define yy_set_interactive(is_interactive) \ - { \ - if ( ! yy_current_buffer ) \ - yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \ - yy_current_buffer->yy_is_interactive = is_interactive; \ - } - -#define yy_set_bol(at_bol) \ - { \ - if ( ! 
yy_current_buffer ) \ - yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \ - yy_current_buffer->yy_at_bol = at_bol; \ - } - -#define YY_AT_BOL() (yy_current_buffer->yy_at_bol) - -typedef unsigned char YY_CHAR; -FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0; -typedef int yy_state_type; -extern char *yytext; -#define yytext_ptr yytext - -static yy_state_type yy_get_previous_state YY_PROTO(( void )); -static yy_state_type yy_try_NUL_trans YY_PROTO(( yy_state_type current_state )); -static int yy_get_next_buffer YY_PROTO(( void )); -static void yy_fatal_error YY_PROTO(( yyconst char msg[] )); - -/* Done after the current pattern has been matched and before the - * corresponding action - sets up yytext. - */ -#define YY_DO_BEFORE_ACTION \ - yytext_ptr = yy_bp; \ - yyleng = (int) (yy_cp - yy_bp); \ - yy_hold_char = *yy_cp; \ - *yy_cp = '\0'; \ - yy_c_buf_p = yy_cp; - -#define YY_NUM_RULES 6 -#define YY_END_OF_BUFFER 7 -static yyconst short int yy_accept[21] = - { 0, - 0, 0, 7, 3, 4, 5, 1, 3, 3, 3, - 4, 1, 1, 1, 3, 2, 3, 1, 1, 0 - } ; - -static yyconst int yy_ec[256] = - { 0, - 1, 1, 1, 1, 1, 1, 1, 1, 2, 3, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 2, 1, 1, 4, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 5, 1, 1, 1, 1, 1, 1, 1, 1, - - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1 - } ; - -static yyconst int yy_meta[6] = - { 0, - 1, 2, 3, 1, 1 - } ; - -static 
yyconst short int yy_base[24] = - { 0, - 0, 0, 26, 20, 0, 27, 5, 10, 19, 20, - 0, 0, 0, 15, 0, 27, 0, 0, 0, 27, - 17, 6, 20 - } ; - -static yyconst short int yy_def[24] = - { 0, - 20, 1, 20, 21, 22, 20, 20, 20, 21, 8, - 22, 7, 23, 20, 9, 20, 10, 7, 14, 0, - 20, 20, 20 - } ; - -static yyconst short int yy_nxt[33] = - { 0, - 4, 5, 6, 7, 8, 12, 13, 11, 12, 14, - 15, 9, 16, 15, 17, 18, 12, 9, 18, 19, - 13, 13, 20, 10, 10, 20, 3, 20, 20, 20, - 20, 20 - } ; - -static yyconst short int yy_chk[33] = - { 0, - 1, 1, 1, 1, 1, 7, 7, 22, 7, 7, - 8, 8, 8, 8, 8, 14, 14, 21, 14, 14, - 23, 23, 10, 9, 4, 3, 20, 20, 20, 20, - 20, 20 - } ; - -static yy_state_type yy_last_accepting_state; -static char *yy_last_accepting_cpos; - -/* The intent behind this definition is that it'll catch - * any uses of REJECT which flex missed. - */ -#define REJECT reject_used_but_not_detected -#define yymore() yymore_used_but_not_detected -#define YY_MORE_ADJ 0 -#define YY_RESTORE_YY_MORE_OFFSET -char *yytext; -#line 1 "pam_conv.lex" -#define INITIAL 0 -#line 3 "pam_conv.lex" -/* - * $Id: pam_conv.lex,v 1.1 1997/01/23 05:35:50 morgan Exp $ - * - * Copyright (c) Andrew G. Morgan 1997 - * - * This file is covered by the Linux-PAM License (which should be - * distributed with this file.) - */ - - const static char lexid[]= - "$Id: pam_conv.lex,v 1.1 1997/01/23 05:35:50 morgan Exp $\n" - "Copyright (c) Andrew G. Morgan 1997 \n"; - - extern int current_line; -#line 389 "lex.yy.c" - -/* Macros after this point can all be overridden by user definitions in - * section 1. 
- */ - -#ifndef YY_SKIP_YYWRAP -#ifdef __cplusplus -extern "C" int yywrap YY_PROTO(( void )); -#else -extern int yywrap YY_PROTO(( void )); -#endif -#endif - -#ifndef YY_NO_UNPUT -static void yyunput YY_PROTO(( int c, char *buf_ptr )); -#endif - -#ifndef yytext_ptr -static void yy_flex_strncpy YY_PROTO(( char *, yyconst char *, int )); -#endif - -#ifdef YY_NEED_STRLEN -static int yy_flex_strlen YY_PROTO(( yyconst char * )); -#endif - -#ifndef YY_NO_INPUT -#ifdef __cplusplus -static int yyinput YY_PROTO(( void )); -#else -static int input YY_PROTO(( void )); -#endif -#endif - -#if YY_STACK_USED -static int yy_start_stack_ptr = 0; -static int yy_start_stack_depth = 0; -static int *yy_start_stack = 0; -#ifndef YY_NO_PUSH_STATE -static void yy_push_state YY_PROTO(( int new_state )); -#endif -#ifndef YY_NO_POP_STATE -static void yy_pop_state YY_PROTO(( void )); -#endif -#ifndef YY_NO_TOP_STATE -static int yy_top_state YY_PROTO(( void )); -#endif - -#else -#define YY_NO_PUSH_STATE 1 -#define YY_NO_POP_STATE 1 -#define YY_NO_TOP_STATE 1 -#endif - -#ifdef YY_MALLOC_DECL -YY_MALLOC_DECL -#else -#if __STDC__ -#ifndef __cplusplus -#include -#endif -#else -/* Just try to get by without declaring the routines. This will fail - * miserably on non-ANSI systems for which sizeof(size_t) != sizeof(int) - * or sizeof(void*) != sizeof(int). - */ -#endif -#endif - -/* Amount of stuff to slurp up with each read. */ -#ifndef YY_READ_BUF_SIZE -#define YY_READ_BUF_SIZE 8192 -#endif - -/* Copy whatever the last rule matched to the standard output. */ - -#ifndef ECHO -/* This used to be an fputs(), but since the string might contain NUL's, - * we now use fwrite(). - */ -#define ECHO (void) fwrite( yytext, yyleng, 1, yyout ) -#endif - -/* Gets input and stuffs it into "buf". number of characters read, or YY_NULL, - * is returned in "result". 
- */ -#ifndef YY_INPUT -#define YY_INPUT(buf,result,max_size) \ - if ( yy_current_buffer->yy_is_interactive ) \ - { \ - int c = '*', n; \ - for ( n = 0; n < max_size && \ - (c = getc( yyin )) != EOF && c != '\n'; ++n ) \ - buf[n] = (char) c; \ - if ( c == '\n' ) \ - buf[n++] = (char) c; \ - if ( c == EOF && ferror( yyin ) ) \ - YY_FATAL_ERROR( "input in flex scanner failed" ); \ - result = n; \ - } \ - else if ( ((result = fread( buf, 1, max_size, yyin )) == 0) \ - && ferror( yyin ) ) \ - YY_FATAL_ERROR( "input in flex scanner failed" ); -#endif - -/* No semi-colon after return; correct usage is to write "yyterminate();" - - * we don't want an extra ';' after the "return" because that will cause - * some compilers to complain about unreachable statements. - */ -#ifndef yyterminate -#define yyterminate() return YY_NULL -#endif - -/* Number of entries by which start-condition stack grows. */ -#ifndef YY_START_STACK_INCR -#define YY_START_STACK_INCR 25 -#endif - -/* Report a fatal error. */ -#ifndef YY_FATAL_ERROR -#define YY_FATAL_ERROR(msg) yy_fatal_error( msg ) -#endif - -/* Default declaration of generated scanner - a define so the user can - * easily add parameters. - */ -#ifndef YY_DECL -#define YY_DECL int yylex YY_PROTO(( void )) -#endif - -/* Code executed at the beginning of each rule, after yytext and yyleng - * have been set up. - */ -#ifndef YY_USER_ACTION -#define YY_USER_ACTION -#endif - -/* Code executed at the end of each rule. */ -#ifndef YY_BREAK -#define YY_BREAK break; -#endif - -#define YY_RULE_SETUP \ - YY_USER_ACTION - -YY_DECL - { - register yy_state_type yy_current_state; - register char *yy_cp, *yy_bp; - register int yy_act; - -#line 19 "pam_conv.lex" - - -#line 543 "lex.yy.c" - - if ( yy_init ) - { - yy_init = 0; - -#ifdef YY_USER_INIT - YY_USER_INIT; -#endif - - if ( ! yy_start ) - yy_start = 1; /* first start state */ - - if ( ! yyin ) - yyin = stdin; - - if ( ! yyout ) - yyout = stdout; - - if ( ! 
yy_current_buffer ) - yy_current_buffer = - yy_create_buffer( yyin, YY_BUF_SIZE ); - - yy_load_buffer_state(); - } - - while ( 1 ) /* loops until end-of-file is reached */ - { - yy_cp = yy_c_buf_p; - - /* Support of yytext. */ - *yy_cp = yy_hold_char; - - /* yy_bp points to the position in yy_ch_buf of the start of - * the current run. - */ - yy_bp = yy_cp; - - yy_current_state = yy_start; -yy_match: - do - { - register YY_CHAR yy_c = yy_ec[YY_SC_TO_UI(*yy_cp)]; - if ( yy_accept[yy_current_state] ) - { - yy_last_accepting_state = yy_current_state; - yy_last_accepting_cpos = yy_cp; - } - while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) - { - yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 21 ) - yy_c = yy_meta[(unsigned int) yy_c]; - } - yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; - ++yy_cp; - } - while ( yy_base[yy_current_state] != 27 ); - -yy_find_action: - yy_act = yy_accept[yy_current_state]; - if ( yy_act == 0 ) - { /* have to back up */ - yy_cp = yy_last_accepting_cpos; - yy_current_state = yy_last_accepting_state; - yy_act = yy_accept[yy_current_state]; - } - - YY_DO_BEFORE_ACTION; - - -do_action: /* This label is used only to access EOF actions. 
*/ - - - switch ( yy_act ) - { /* beginning of action switch */ - case 0: /* must back up */ - /* undo the effects of YY_DO_BEFORE_ACTION */ - *yy_cp = yy_hold_char; - yy_cp = yy_last_accepting_cpos; - yy_current_state = yy_last_accepting_state; - goto yy_find_action; - -case 1: -YY_RULE_SETUP -#line 21 "pam_conv.lex" -; /* skip comments (sorry) */ - YY_BREAK -case 2: -YY_RULE_SETUP -#line 23 "pam_conv.lex" -{ - ++current_line; -} - YY_BREAK -case 3: -YY_RULE_SETUP -#line 27 "pam_conv.lex" -{ - return TOK; -} - YY_BREAK -case 4: -YY_RULE_SETUP -#line 31 "pam_conv.lex" -; /* Ignore */ - YY_BREAK -case YY_STATE_EOF(INITIAL): -#line 33 "pam_conv.lex" -{ - return EOFILE; -} - YY_BREAK -case 5: -YY_RULE_SETUP -#line 37 "pam_conv.lex" -{ - ++current_line; - return NL; -} - YY_BREAK -case 6: -YY_RULE_SETUP -#line 42 "pam_conv.lex" -ECHO; - YY_BREAK -#line 669 "lex.yy.c" - - case YY_END_OF_BUFFER: - { - /* Amount of text matched not including the EOB char. */ - int yy_amount_of_matched_text = (int) (yy_cp - yytext_ptr) - 1; - - /* Undo the effects of YY_DO_BEFORE_ACTION. */ - *yy_cp = yy_hold_char; - YY_RESTORE_YY_MORE_OFFSET - - if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_NEW ) - { - /* We're scanning a new file or input source. It's - * possible that this happened because the user - * just pointed yyin at a new source and called - * yylex(). If so, then we have to assure - * consistency between yy_current_buffer and our - * globals. Here is the right place to do so, because - * this is the first action (other than possibly a - * back-up) that will match for the new input source. 
- */ - yy_n_chars = yy_current_buffer->yy_n_chars; - yy_current_buffer->yy_input_file = yyin; - yy_current_buffer->yy_buffer_status = YY_BUFFER_NORMAL; - } - - /* Note that here we test for yy_c_buf_p "<=" to the position - * of the first EOB in the buffer, since yy_c_buf_p will - * already have been incremented past the NUL character - * (since all states make transitions on EOB to the - * end-of-buffer state). Contrast this with the test - * in input(). - */ - if ( yy_c_buf_p <= &yy_current_buffer->yy_ch_buf[yy_n_chars] ) - { /* This was really a NUL. */ - yy_state_type yy_next_state; - - yy_c_buf_p = yytext_ptr + yy_amount_of_matched_text; - - yy_current_state = yy_get_previous_state(); - - /* Okay, we're now positioned to make the NUL - * transition. We couldn't have - * yy_get_previous_state() go ahead and do it - * for us because it doesn't know how to deal - * with the possibility of jamming (and we don't - * want to build jamming into it because then it - * will run more slowly). - */ - - yy_next_state = yy_try_NUL_trans( yy_current_state ); - - yy_bp = yytext_ptr + YY_MORE_ADJ; - - if ( yy_next_state ) - { - /* Consume the NUL. */ - yy_cp = ++yy_c_buf_p; - yy_current_state = yy_next_state; - goto yy_match; - } - - else - { - yy_cp = yy_c_buf_p; - goto yy_find_action; - } - } - - else switch ( yy_get_next_buffer() ) - { - case EOB_ACT_END_OF_FILE: - { - yy_did_buffer_switch_on_eof = 0; - - if ( yywrap() ) - { - /* Note: because we've taken care in - * yy_get_next_buffer() to have set up - * yytext, we can now set up - * yy_c_buf_p so that if some total - * hoser (like flex itself) wants to - * call the scanner after we return the - * YY_NULL, it'll still work - another - * YY_NULL will get returned. - */ - yy_c_buf_p = yytext_ptr + YY_MORE_ADJ; - - yy_act = YY_STATE_EOF(YY_START); - goto do_action; - } - - else - { - if ( ! 
yy_did_buffer_switch_on_eof ) - YY_NEW_FILE; - } - break; - } - - case EOB_ACT_CONTINUE_SCAN: - yy_c_buf_p = - yytext_ptr + yy_amount_of_matched_text; - - yy_current_state = yy_get_previous_state(); - - yy_cp = yy_c_buf_p; - yy_bp = yytext_ptr + YY_MORE_ADJ; - goto yy_match; - - case EOB_ACT_LAST_MATCH: - yy_c_buf_p = - &yy_current_buffer->yy_ch_buf[yy_n_chars]; - - yy_current_state = yy_get_previous_state(); - - yy_cp = yy_c_buf_p; - yy_bp = yytext_ptr + YY_MORE_ADJ; - goto yy_find_action; - } - break; - } - - default: - YY_FATAL_ERROR( - "fatal flex scanner internal error--no action found" ); - } /* end of action switch */ - } /* end of scanning one token */ - } /* end of yylex */ - - -/* yy_get_next_buffer - try to read in a new buffer - * - * Returns a code representing an action: - * EOB_ACT_LAST_MATCH - - * EOB_ACT_CONTINUE_SCAN - continue scanning from current position - * EOB_ACT_END_OF_FILE - end of file - */ - -static int yy_get_next_buffer() - { - register char *dest = yy_current_buffer->yy_ch_buf; - register char *source = yytext_ptr; - register int number_to_move, i; - int ret_val; - - if ( yy_c_buf_p > &yy_current_buffer->yy_ch_buf[yy_n_chars + 1] ) - YY_FATAL_ERROR( - "fatal flex scanner internal error--end of buffer missed" ); - - if ( yy_current_buffer->yy_fill_buffer == 0 ) - { /* Don't try to fill the buffer, so this is an EOF. */ - if ( yy_c_buf_p - yytext_ptr - YY_MORE_ADJ == 1 ) - { - /* We matched a single character, the EOB, so - * treat this as a final EOF. - */ - return EOB_ACT_END_OF_FILE; - } - - else - { - /* We matched some text prior to the EOB, first - * process it. - */ - return EOB_ACT_LAST_MATCH; - } - } - - /* Try to read more data. */ - - /* First move last chars to start of buffer. 
*/ - number_to_move = (int) (yy_c_buf_p - yytext_ptr) - 1; - - for ( i = 0; i < number_to_move; ++i ) - *(dest++) = *(source++); - - if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_EOF_PENDING ) - /* don't do the read, it's not guaranteed to return an EOF, - * just force an EOF - */ - yy_current_buffer->yy_n_chars = yy_n_chars = 0; - - else - { - int num_to_read = - yy_current_buffer->yy_buf_size - number_to_move - 1; - - while ( num_to_read <= 0 ) - { /* Not enough room in the buffer - grow it. */ -#ifdef YY_USES_REJECT - YY_FATAL_ERROR( -"input buffer overflow, can't enlarge buffer because scanner uses REJECT" ); -#else - - /* just a shorter name for the current buffer */ - YY_BUFFER_STATE b = yy_current_buffer; - - int yy_c_buf_p_offset = - (int) (yy_c_buf_p - b->yy_ch_buf); - - if ( b->yy_is_our_buffer ) - { - int new_size = b->yy_buf_size * 2; - - if ( new_size <= 0 ) - b->yy_buf_size += b->yy_buf_size / 8; - else - b->yy_buf_size *= 2; - - b->yy_ch_buf = (char *) - /* Include room in for 2 EOB chars. */ - yy_flex_realloc( (void *) b->yy_ch_buf, - b->yy_buf_size + 2 ); - } - else - /* Can't grow it, we don't own it. */ - b->yy_ch_buf = 0; - - if ( ! b->yy_ch_buf ) - YY_FATAL_ERROR( - "fatal error - scanner input buffer overflow" ); - - yy_c_buf_p = &b->yy_ch_buf[yy_c_buf_p_offset]; - - num_to_read = yy_current_buffer->yy_buf_size - - number_to_move - 1; -#endif - } - - if ( num_to_read > YY_READ_BUF_SIZE ) - num_to_read = YY_READ_BUF_SIZE; - - /* Read in more data. 
*/ - YY_INPUT( (&yy_current_buffer->yy_ch_buf[number_to_move]), - yy_n_chars, num_to_read ); - - yy_current_buffer->yy_n_chars = yy_n_chars; - } - - if ( yy_n_chars == 0 ) - { - if ( number_to_move == YY_MORE_ADJ ) - { - ret_val = EOB_ACT_END_OF_FILE; - yyrestart( yyin ); - } - - else - { - ret_val = EOB_ACT_LAST_MATCH; - yy_current_buffer->yy_buffer_status = - YY_BUFFER_EOF_PENDING; - } - } - - else - ret_val = EOB_ACT_CONTINUE_SCAN; - - yy_n_chars += number_to_move; - yy_current_buffer->yy_ch_buf[yy_n_chars] = YY_END_OF_BUFFER_CHAR; - yy_current_buffer->yy_ch_buf[yy_n_chars + 1] = YY_END_OF_BUFFER_CHAR; - - yytext_ptr = &yy_current_buffer->yy_ch_buf[0]; - - return ret_val; - } - - -/* yy_get_previous_state - get the state just before the EOB char was reached */ - -static yy_state_type yy_get_previous_state() - { - register yy_state_type yy_current_state; - register char *yy_cp; - - yy_current_state = yy_start; - - for ( yy_cp = yytext_ptr + YY_MORE_ADJ; yy_cp < yy_c_buf_p; ++yy_cp ) - { - register YY_CHAR yy_c = (*yy_cp ? 
yy_ec[YY_SC_TO_UI(*yy_cp)] : 1); - if ( yy_accept[yy_current_state] ) - { - yy_last_accepting_state = yy_current_state; - yy_last_accepting_cpos = yy_cp; - } - while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) - { - yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 21 ) - yy_c = yy_meta[(unsigned int) yy_c]; - } - yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; - } - - return yy_current_state; - } - - -/* yy_try_NUL_trans - try to make a transition on the NUL character - * - * synopsis - * next_state = yy_try_NUL_trans( current_state ); - */ - -#ifdef YY_USE_PROTOS -static yy_state_type yy_try_NUL_trans( yy_state_type yy_current_state ) -#else -static yy_state_type yy_try_NUL_trans( yy_current_state ) -yy_state_type yy_current_state; -#endif - { - register int yy_is_jam; - register char *yy_cp = yy_c_buf_p; - - register YY_CHAR yy_c = 1; - if ( yy_accept[yy_current_state] ) - { - yy_last_accepting_state = yy_current_state; - yy_last_accepting_cpos = yy_cp; - } - while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) - { - yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 21 ) - yy_c = yy_meta[(unsigned int) yy_c]; - } - yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; - yy_is_jam = (yy_current_state == 20); - - return yy_is_jam ? 0 : yy_current_state; - } - - -#ifndef YY_NO_UNPUT -#ifdef YY_USE_PROTOS -static void yyunput( int c, register char *yy_bp ) -#else -static void yyunput( c, yy_bp ) -int c; -register char *yy_bp; -#endif - { - register char *yy_cp = yy_c_buf_p; - - /* undo effects of setting up yytext */ - *yy_cp = yy_hold_char; - - if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 ) - { /* need to shift things up to make room */ - /* +2 for EOB chars. 
*/ - register int number_to_move = yy_n_chars + 2; - register char *dest = &yy_current_buffer->yy_ch_buf[ - yy_current_buffer->yy_buf_size + 2]; - register char *source = - &yy_current_buffer->yy_ch_buf[number_to_move]; - - while ( source > yy_current_buffer->yy_ch_buf ) - *--dest = *--source; - - yy_cp += (int) (dest - source); - yy_bp += (int) (dest - source); - yy_current_buffer->yy_n_chars = - yy_n_chars = yy_current_buffer->yy_buf_size; - - if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 ) - YY_FATAL_ERROR( "flex scanner push-back overflow" ); - } - - *--yy_cp = (char) c; - - - yytext_ptr = yy_bp; - yy_hold_char = *yy_cp; - yy_c_buf_p = yy_cp; - } -#endif /* ifndef YY_NO_UNPUT */ - - -#ifdef __cplusplus -static int yyinput() -#else -static int input() -#endif - { - int c; - - *yy_c_buf_p = yy_hold_char; - - if ( *yy_c_buf_p == YY_END_OF_BUFFER_CHAR ) - { - /* yy_c_buf_p now points to the character we want to return. - * If this occurs *before* the EOB characters, then it's a - * valid NUL; if not, then we've hit the end of the buffer. - */ - if ( yy_c_buf_p < &yy_current_buffer->yy_ch_buf[yy_n_chars] ) - /* This was really a NUL. */ - *yy_c_buf_p = '\0'; - - else - { /* need more input */ - int offset = yy_c_buf_p - yytext_ptr; - ++yy_c_buf_p; - - switch ( yy_get_next_buffer() ) - { - case EOB_ACT_LAST_MATCH: - /* This happens because yy_g_n_b() - * sees that we've accumulated a - * token and flags that we need to - * try matching the token before - * proceeding. But for input(), - * there's no matching to consider. - * So convert the EOB_ACT_LAST_MATCH - * to EOB_ACT_END_OF_FILE. - */ - - /* Reset buffer status. */ - yyrestart( yyin ); - - /* fall through */ - - case EOB_ACT_END_OF_FILE: - { - if ( yywrap() ) - return EOF; - - if ( ! 
yy_did_buffer_switch_on_eof ) - YY_NEW_FILE; -#ifdef __cplusplus - return yyinput(); -#else - return input(); -#endif - } - - case EOB_ACT_CONTINUE_SCAN: - yy_c_buf_p = yytext_ptr + offset; - break; - } - } - } - - c = *(unsigned char *) yy_c_buf_p; /* cast for 8-bit char's */ - *yy_c_buf_p = '\0'; /* preserve yytext */ - yy_hold_char = *++yy_c_buf_p; - - - return c; - } - - -#ifdef YY_USE_PROTOS -void yyrestart( FILE *input_file ) -#else -void yyrestart( input_file ) -FILE *input_file; -#endif - { - if ( ! yy_current_buffer ) - yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); - - yy_init_buffer( yy_current_buffer, input_file ); - yy_load_buffer_state(); - } - - -#ifdef YY_USE_PROTOS -void yy_switch_to_buffer( YY_BUFFER_STATE new_buffer ) -#else -void yy_switch_to_buffer( new_buffer ) -YY_BUFFER_STATE new_buffer; -#endif - { - if ( yy_current_buffer == new_buffer ) - return; - - if ( yy_current_buffer ) - { - /* Flush out information for old buffer. */ - *yy_c_buf_p = yy_hold_char; - yy_current_buffer->yy_buf_pos = yy_c_buf_p; - yy_current_buffer->yy_n_chars = yy_n_chars; - } - - yy_current_buffer = new_buffer; - yy_load_buffer_state(); - - /* We don't actually know whether we did this switch during - * EOF (yywrap()) processing, but the only time this flag - * is looked at is after yywrap() is called, so it's safe - * to go ahead and always set it. - */ - yy_did_buffer_switch_on_eof = 1; - } - - -#ifdef YY_USE_PROTOS -void yy_load_buffer_state( void ) -#else -void yy_load_buffer_state() -#endif - { - yy_n_chars = yy_current_buffer->yy_n_chars; - yytext_ptr = yy_c_buf_p = yy_current_buffer->yy_buf_pos; - yyin = yy_current_buffer->yy_input_file; - yy_hold_char = *yy_c_buf_p; - } - - -#ifdef YY_USE_PROTOS -YY_BUFFER_STATE yy_create_buffer( FILE *file, int size ) -#else -YY_BUFFER_STATE yy_create_buffer( file, size ) -FILE *file; -int size; -#endif - { - YY_BUFFER_STATE b; - - b = (YY_BUFFER_STATE) yy_flex_alloc( sizeof( struct yy_buffer_state ) ); - if ( ! 
b ) - YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" ); - - b->yy_buf_size = size; - - /* yy_ch_buf has to be 2 characters longer than the size given because - * we need to put in 2 end-of-buffer characters. - */ - b->yy_ch_buf = (char *) yy_flex_alloc( b->yy_buf_size + 2 ); - if ( ! b->yy_ch_buf ) - YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" ); - - b->yy_is_our_buffer = 1; - - yy_init_buffer( b, file ); - - return b; - } - - -#ifdef YY_USE_PROTOS -void yy_delete_buffer( YY_BUFFER_STATE b ) -#else -void yy_delete_buffer( b ) -YY_BUFFER_STATE b; -#endif - { - if ( ! b ) - return; - - if ( b == yy_current_buffer ) - yy_current_buffer = (YY_BUFFER_STATE) 0; - - if ( b->yy_is_our_buffer ) - yy_flex_free( (void *) b->yy_ch_buf ); - - yy_flex_free( (void *) b ); - } - - -#ifndef YY_ALWAYS_INTERACTIVE -#ifndef YY_NEVER_INTERACTIVE -extern int isatty YY_PROTO(( int )); -#endif -#endif - -#ifdef YY_USE_PROTOS -void yy_init_buffer( YY_BUFFER_STATE b, FILE *file ) -#else -void yy_init_buffer( b, file ) -YY_BUFFER_STATE b; -FILE *file; -#endif - - - { - yy_flush_buffer( b ); - - b->yy_input_file = file; - b->yy_fill_buffer = 1; - -#if YY_ALWAYS_INTERACTIVE - b->yy_is_interactive = 1; -#else -#if YY_NEVER_INTERACTIVE - b->yy_is_interactive = 0; -#else - b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0; -#endif -#endif - } - - -#ifdef YY_USE_PROTOS -void yy_flush_buffer( YY_BUFFER_STATE b ) -#else -void yy_flush_buffer( b ) -YY_BUFFER_STATE b; -#endif - - { - if ( ! b ) - return; - - b->yy_n_chars = 0; - - /* We always need two end-of-buffer characters. The first causes - * a transition to the end-of-buffer state. The second causes - * a jam in that state. 
- */ - b->yy_ch_buf[0] = YY_END_OF_BUFFER_CHAR; - b->yy_ch_buf[1] = YY_END_OF_BUFFER_CHAR; - - b->yy_buf_pos = &b->yy_ch_buf[0]; - - b->yy_at_bol = 1; - b->yy_buffer_status = YY_BUFFER_NEW; - - if ( b == yy_current_buffer ) - yy_load_buffer_state(); - } - - -#ifndef YY_NO_SCAN_BUFFER -#ifdef YY_USE_PROTOS -YY_BUFFER_STATE yy_scan_buffer( char *base, yy_size_t size ) -#else -YY_BUFFER_STATE yy_scan_buffer( base, size ) -char *base; -yy_size_t size; -#endif - { - YY_BUFFER_STATE b; - - if ( size < 2 || - base[size-2] != YY_END_OF_BUFFER_CHAR || - base[size-1] != YY_END_OF_BUFFER_CHAR ) - /* They forgot to leave room for the EOB's. */ - return 0; - - b = (YY_BUFFER_STATE) yy_flex_alloc( sizeof( struct yy_buffer_state ) ); - if ( ! b ) - YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" ); - - b->yy_buf_size = size - 2; /* "- 2" to take care of EOB's */ - b->yy_buf_pos = b->yy_ch_buf = base; - b->yy_is_our_buffer = 0; - b->yy_input_file = 0; - b->yy_n_chars = b->yy_buf_size; - b->yy_is_interactive = 0; - b->yy_at_bol = 1; - b->yy_fill_buffer = 0; - b->yy_buffer_status = YY_BUFFER_NEW; - - yy_switch_to_buffer( b ); - - return b; - } -#endif - - -#ifndef YY_NO_SCAN_STRING -#ifdef YY_USE_PROTOS -YY_BUFFER_STATE yy_scan_string( yyconst char *yy_str ) -#else -YY_BUFFER_STATE yy_scan_string( yy_str ) -yyconst char *yy_str; -#endif - { - int len; - for ( len = 0; yy_str[len]; ++len ) - ; - - return yy_scan_bytes( yy_str, len ); - } -#endif - - -#ifndef YY_NO_SCAN_BYTES -#ifdef YY_USE_PROTOS -YY_BUFFER_STATE yy_scan_bytes( yyconst char *bytes, int len ) -#else -YY_BUFFER_STATE yy_scan_bytes( bytes, len ) -yyconst char *bytes; -int len; -#endif - { - YY_BUFFER_STATE b; - char *buf; - yy_size_t n; - int i; - - /* Get memory for full buffer, including space for trailing EOB's. */ - n = len + 2; - buf = (char *) yy_flex_alloc( n ); - if ( ! 
buf ) - YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" ); - - for ( i = 0; i < len; ++i ) - buf[i] = bytes[i]; - - buf[len] = buf[len+1] = YY_END_OF_BUFFER_CHAR; - - b = yy_scan_buffer( buf, n ); - if ( ! b ) - YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" ); - - /* It's okay to grow etc. this buffer, and we should throw it - * away when we're done. - */ - b->yy_is_our_buffer = 1; - - return b; - } -#endif - - -#ifndef YY_NO_PUSH_STATE -#ifdef YY_USE_PROTOS -static void yy_push_state( int new_state ) -#else -static void yy_push_state( new_state ) -int new_state; -#endif - { - if ( yy_start_stack_ptr >= yy_start_stack_depth ) - { - yy_size_t new_size; - - yy_start_stack_depth += YY_START_STACK_INCR; - new_size = yy_start_stack_depth * sizeof( int ); - - if ( ! yy_start_stack ) - yy_start_stack = (int *) yy_flex_alloc( new_size ); - - else - yy_start_stack = (int *) yy_flex_realloc( - (void *) yy_start_stack, new_size ); - - if ( ! yy_start_stack ) - YY_FATAL_ERROR( - "out of memory expanding start-condition stack" ); - } - - yy_start_stack[yy_start_stack_ptr++] = YY_START; - - BEGIN(new_state); - } -#endif - - -#ifndef YY_NO_POP_STATE -static void yy_pop_state() - { - if ( --yy_start_stack_ptr < 0 ) - YY_FATAL_ERROR( "start-condition stack underflow" ); - - BEGIN(yy_start_stack[yy_start_stack_ptr]); - } -#endif - - -#ifndef YY_NO_TOP_STATE -static int yy_top_state() - { - return yy_start_stack[yy_start_stack_ptr - 1]; - } -#endif - -#ifndef YY_EXIT_FAILURE -#define YY_EXIT_FAILURE 2 -#endif - -#ifdef YY_USE_PROTOS -static void yy_fatal_error( yyconst char msg[] ) -#else -static void yy_fatal_error( msg ) -char msg[]; -#endif - { - (void) fprintf( stderr, "%s\n", msg ); - exit( YY_EXIT_FAILURE ); - } - - - -/* Redefine yyless() so it works in section 3 code. */ - -#undef yyless -#define yyless(n) \ - do \ - { \ - /* Undo effects of setting up yytext. 
*/ \ - yytext[yyleng] = yy_hold_char; \ - yy_c_buf_p = yytext + n; \ - yy_hold_char = *yy_c_buf_p; \ - *yy_c_buf_p = '\0'; \ - yyleng = n; \ - } \ - while ( 0 ) - - -/* Internal utility routines. */ - -#ifndef yytext_ptr -#ifdef YY_USE_PROTOS -static void yy_flex_strncpy( char *s1, yyconst char *s2, int n ) -#else -static void yy_flex_strncpy( s1, s2, n ) -char *s1; -yyconst char *s2; -int n; -#endif - { - register int i; - for ( i = 0; i < n; ++i ) - s1[i] = s2[i]; - } -#endif - -#ifdef YY_NEED_STRLEN -#ifdef YY_USE_PROTOS -static int yy_flex_strlen( yyconst char *s ) -#else -static int yy_flex_strlen( s ) -yyconst char *s; -#endif - { - register int n; - for ( n = 0; s[n]; ++n ) - ; - - return n; - } -#endif - - -#ifdef YY_USE_PROTOS -static void *yy_flex_alloc( yy_size_t size ) -#else -static void *yy_flex_alloc( size ) -yy_size_t size; -#endif - { - return (void *) malloc( size ); - } - -#ifdef YY_USE_PROTOS -static void *yy_flex_realloc( void *ptr, yy_size_t size ) -#else -static void *yy_flex_realloc( ptr, size ) -void *ptr; -yy_size_t size; -#endif - { - /* The cast to (char *) in the following accommodates both - * implementations that use char* generic pointers, and those - * that use void* generic pointers. It works with the latter - * because both ANSI C and C++ allow castless assignment from - * any pointer type to void*, and deal with argument conversions - * as though doing an assignment. - */ - return (void *) realloc( (char *) ptr, size ); - } - -#ifdef YY_USE_PROTOS -static void yy_flex_free( void *ptr ) -#else -static void yy_flex_free( ptr ) -void *ptr; -#endif - { - free( ptr ); - } - -#if YY_MAIN -int main() - { - yylex(); - return 0; - } -#endif -#line 42 "pam_conv.lex" - diff --git a/contrib/libpam/conf/pam_conv1/pam_conv.lex b/contrib/libpam/conf/pam_conv1/pam_conv.lex deleted file mode 100644 index d5f618ef4518..000000000000 --- a/contrib/libpam/conf/pam_conv1/pam_conv.lex +++ /dev/null 
@@ -1,42 +0,0 @@
-
-%{
-/*
- * $Id: pam_conv.lex,v 1.1 1997/01/23 05:35:50 morgan Exp $
- *
- * Copyright (c) Andrew G. Morgan 1997
- *
- * This file is covered by the Linux-PAM License (which should be
- * distributed with this file.)
- */
-
- const static char lexid[]=
- "$Id: pam_conv.lex,v 1.1 1997/01/23 05:35:50 morgan Exp $\n"
- "Copyright (c) Andrew G. Morgan 1997 \n";
-
- extern int current_line;
-%}
-
-%%
-
-"#"[^\n]* ; /* skip comments (sorry) */
-
-"\\\n" {
- ++current_line;
-}
-
-([^\n\t ]|[\\][^\n])+ {
- return TOK;
-}
-
-[ \t]+ ; /* Ignore */
-
-<> {
- return EOFILE;
-}
-
-[\n] {
- ++current_line;
- return NL;
-}
-
-%%
diff --git a/contrib/libpam/conf/pam_conv1/pam_conv.tab.c b/contrib/libpam/conf/pam_conv1/pam_conv.tab.c
deleted file mode 100644
index 6ca566cfb948..000000000000
--- a/contrib/libpam/conf/pam_conv1/pam_conv.tab.c
+++ /dev/null
@@ -1,1019 +0,0 @@ - -/* A Bison parser, made from pam_conv.y - by GNU Bison version 1.25 - */ - -#define YYBISON 1 /* Identify Bison output. */ - -#define NL 258 -#define EOFILE 259 -#define TOK 260 - -#line 1 "pam_conv.y" - - -/* - * $Id: pam_conv.y,v 1.3 1997/02/15 15:50:50 morgan Exp morgan $ - * - * Copyright (c) Andrew G. Morgan 1997 - * - * This file is covered by the Linux-PAM License (which should be - * distributed with this file.) - */ - - const static char bisonid[]= - "$Id: pam_conv.y,v 1.3 1997/02/15 15:50:50 morgan Exp morgan $\n" - "Copyright (c) Andrew G. Morgan 1997-8 \n"; - -#include -#include -#include -#include - - int current_line=1; - extern char *yytext; - -/* XXX - later we'll change this to be the specific conf file(s) */ -#define newpamf stderr - -#define PAM_D "./pam.d" -#define PAM_D_MODE 0755 -#define PAM_D_MAGIC_HEADER \ - "#%PAM-1.0\n" \ - "#[For version 1.0 syntax, the above header is optional]\n" - -#define PAM_D_FILE_FMT PAM_D "/%s" - - const char *old_to_new_ctrl_flag(const char *old); - void yyerror(const char *format, ...); - -#line 39 "pam_conv.y" -typedef union { - int def; - char *string; -} YYSTYPE; -#include - -#ifndef __cplusplus -#ifndef __STDC__ -#define const -#endif -#endif - - - -#define YYFINAL 17 -#define YYFLAG -32768 -#define YYNTBASE 6 - -#define YYTRANSLATE(x) ((unsigned)(x) <= 260 ? 
yytranslate[x] : 11) - -static const char yytranslate[] = { 0, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 1, 2, 3, 4, 5 -}; - -#if YYDEBUG != 0 -static const short yyprhs[] = { 0, - 0, 1, 4, 7, 10, 17, 20, 21, 24, 26 -}; - -static const short yyrhs[] = { -1, - 6, 3, 0, 6, 7, 0, 6, 4, 0, 10, - 10, 10, 9, 8, 3, 0, 1, 3, 0, 0, - 8, 10, 0, 5, 0, 5, 0 -}; - -#endif - -#if YYDEBUG != 0 -static const short yyrline[] = { 0, - 53, 54, 55, 56, 62, 126, 132, 135, 151, 157 -}; -#endif - - -#if YYDEBUG != 0 || defined (YYERROR_VERBOSE) - -static const char * const yytname[] = { "$","error","$undefined.","NL","EOFILE", -"TOK","complete","line","tokenls","path","tok", NULL -}; -#endif - -static const short yyr1[] = { 0, - 6, 6, 6, 6, 7, 7, 8, 8, 9, 10 -}; - -static const short yyr2[] = { 0, - 0, 2, 2, 2, 6, 2, 0, 2, 1, 1 -}; - -static const short yydefact[] = { 1, - 0, 0, 2, 4, 10, 3, 0, 6, 0, 0, - 9, 7, 0, 5, 8, 0, 0 -}; - -static const short yydefgoto[] = { 1, - 6, 13, 12, 7 -}; - -static const short yypact[] = {-32768, - 4, 7,-32768,-32768,-32768,-32768, 6,-32768, 6, 8, --32768,-32768, -2,-32768,-32768, 12,-32768 -}; - -static const short yypgoto[] = {-32768, --32768,-32768,-32768, -7 -}; - - -#define YYLAST 13 - - 
-static const short yytable[] = { 9, - 14, 10, 5, 16, 2, 15, 3, 4, 5, 8, - 5, 17, 11 -}; - -static const short yycheck[] = { 7, - 3, 9, 5, 0, 1, 13, 3, 4, 5, 3, - 5, 0, 5 -}; -/* -*-C-*- Note some compilers choke on comments on `#line' lines. */ -#line 3 "/usr/share/bison.simple" - -/* Skeleton output parser for bison, - Copyright (C) 1984, 1989, 1990 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ - -/* As a special exception, when this file is copied by Bison into a - Bison output file, you may use that output file without restriction. - This special exception was added by the Free Software Foundation - in version 1.24 of Bison. */ - -#ifndef alloca -#ifdef __GNUC__ -#define alloca __builtin_alloca -#else /* not GNU C. */ -#if (!defined (__STDC__) && defined (sparc)) || defined (__sparc__) || defined (__sparc) || defined (__sgi) -#include -#else /* not sparc */ -#if defined (MSDOS) && !defined (__TURBOC__) -#include -#else /* not MSDOS, or __TURBOC__ */ -#if defined(_AIX) -#include - #pragma alloca -#else /* not MSDOS, __TURBOC__, or _AIX */ -#ifdef __hpux -#ifdef __cplusplus -extern "C" { -void *alloca (unsigned int); -}; -#else /* not __cplusplus */ -void *alloca (); -#endif /* not __cplusplus */ -#endif /* __hpux */ -#endif /* not _AIX */ -#endif /* not MSDOS, or __TURBOC__ */ -#endif /* not sparc. 
*/ -#endif /* not GNU C. */ -#endif /* alloca not defined. */ - -/* This is the parser code that is written into each bison parser - when the %semantic_parser declaration is not specified in the grammar. - It was written by Richard Stallman by simplifying the hairy parser - used when %semantic_parser is specified. */ - -/* Note: there must be only one dollar sign in this file. - It is replaced by the list of actions, each action - as one case of the switch. */ - -#define yyerrok (yyerrstatus = 0) -#define yyclearin (yychar = YYEMPTY) -#define YYEMPTY -2 -#define YYEOF 0 -#define YYACCEPT return(0) -#define YYABORT return(1) -#define YYERROR goto yyerrlab1 -/* Like YYERROR except do call yyerror. - This remains here temporarily to ease the - transition to the new meaning of YYERROR, for GCC. - Once GCC version 2 has supplanted version 1, this can go. */ -#define YYFAIL goto yyerrlab -#define YYRECOVERING() (!!yyerrstatus) -#define YYBACKUP(token, value) \ -do \ - if (yychar == YYEMPTY && yylen == 1) \ - { yychar = (token), yylval = (value); \ - yychar1 = YYTRANSLATE (yychar); \ - YYPOPSTACK; \ - goto yybackup; \ - } \ - else \ - { yyerror ("syntax error: cannot back up"); YYERROR; } \ -while (0) - -#define YYTERROR 1 -#define YYERRCODE 256 - -#ifndef YYPURE -#define YYLEX yylex() -#endif - -#ifdef YYPURE -#ifdef YYLSP_NEEDED -#ifdef YYLEX_PARAM -#define YYLEX yylex(&yylval, &yylloc, YYLEX_PARAM) -#else -#define YYLEX yylex(&yylval, &yylloc) -#endif -#else /* not YYLSP_NEEDED */ -#ifdef YYLEX_PARAM -#define YYLEX yylex(&yylval, YYLEX_PARAM) -#else -#define YYLEX yylex(&yylval) -#endif -#endif /* not YYLSP_NEEDED */ -#endif - -/* If nonreentrant, generate the variables here */ - -#ifndef YYPURE - -int yychar; /* the lookahead symbol */ -YYSTYPE yylval; /* the semantic value of the */ - /* lookahead symbol */ - -#ifdef YYLSP_NEEDED -YYLTYPE yylloc; /* location data for the lookahead */ - /* symbol */ -#endif - -int yynerrs; /* number of parse errors so far */ -#endif 
/* not YYPURE */ - -#if YYDEBUG != 0 -int yydebug; /* nonzero means print parse trace */ -/* Since this is uninitialized, it does not stop multiple parsers - from coexisting. */ -#endif - -/* YYINITDEPTH indicates the initial size of the parser's stacks */ - -#ifndef YYINITDEPTH -#define YYINITDEPTH 200 -#endif - -/* YYMAXDEPTH is the maximum size the stacks can grow to - (effective only if the built-in stack extension method is used). */ - -#if YYMAXDEPTH == 0 -#undef YYMAXDEPTH -#endif - -#ifndef YYMAXDEPTH -#define YYMAXDEPTH 10000 -#endif - -/* Prevent warning if -Wstrict-prototypes. */ -#ifdef __GNUC__ -int yyparse (void); -#endif - -#if __GNUC__ > 1 /* GNU C and GNU C++ define this. */ -#define __yy_memcpy(TO,FROM,COUNT) __builtin_memcpy(TO,FROM,COUNT) -#else /* not GNU C or C++ */ -#ifndef __cplusplus - -/* This is the most reliable way to avoid incompatibilities - in available built-in functions on various systems. */ -static void -__yy_memcpy (to, from, count) - char *to; - char *from; - int count; -{ - register char *f = from; - register char *t = to; - register int i = count; - - while (i-- > 0) - *t++ = *f++; -} - -#else /* __cplusplus */ - -/* This is the most reliable way to avoid incompatibilities - in available built-in functions on various systems. */ -static void -__yy_memcpy (char *to, char *from, int count) -{ - register char *f = from; - register char *t = to; - register int i = count; - - while (i-- > 0) - *t++ = *f++; -} - -#endif -#endif - -#line 196 "/usr/share/bison.simple" - -/* The user can define YYPARSE_PARAM as the name of an argument to be passed - into yyparse. The argument should have type void *. - It should actually point to an object. - Grammar actions can access the variable by casting it - to the proper pointer type. 
*/ - -#ifdef YYPARSE_PARAM -#ifdef __cplusplus -#define YYPARSE_PARAM_ARG void *YYPARSE_PARAM -#define YYPARSE_PARAM_DECL -#else /* not __cplusplus */ -#define YYPARSE_PARAM_ARG YYPARSE_PARAM -#define YYPARSE_PARAM_DECL void *YYPARSE_PARAM; -#endif /* not __cplusplus */ -#else /* not YYPARSE_PARAM */ -#define YYPARSE_PARAM_ARG -#define YYPARSE_PARAM_DECL -#endif /* not YYPARSE_PARAM */ - -int -yyparse(YYPARSE_PARAM_ARG) - YYPARSE_PARAM_DECL -{ - register int yystate; - register int yyn; - register short *yyssp; - register YYSTYPE *yyvsp; - int yyerrstatus; /* number of tokens to shift before error messages enabled */ - int yychar1 = 0; /* lookahead token as an internal (translated) token number */ - - short yyssa[YYINITDEPTH]; /* the state stack */ - YYSTYPE yyvsa[YYINITDEPTH]; /* the semantic value stack */ - - short *yyss = yyssa; /* refer to the stacks thru separate pointers */ - YYSTYPE *yyvs = yyvsa; /* to allow yyoverflow to reallocate them elsewhere */ - -#ifdef YYLSP_NEEDED - YYLTYPE yylsa[YYINITDEPTH]; /* the location stack */ - YYLTYPE *yyls = yylsa; - YYLTYPE *yylsp; - -#define YYPOPSTACK (yyvsp--, yyssp--, yylsp--) -#else -#define YYPOPSTACK (yyvsp--, yyssp--) -#endif - - int yystacksize = YYINITDEPTH; - -#ifdef YYPURE - int yychar; - YYSTYPE yylval; - int yynerrs; -#ifdef YYLSP_NEEDED - YYLTYPE yylloc; -#endif -#endif - - YYSTYPE yyval; /* the variable used to return */ - /* semantic values from the action */ - /* routines */ - - int yylen; - -#if YYDEBUG != 0 - if (yydebug) - fprintf(stderr, "Starting parse\n"); -#endif - - yystate = 0; - yyerrstatus = 0; - yynerrs = 0; - yychar = YYEMPTY; /* Cause a token to be read. */ - - /* Initialize stack pointers. - Waste one element of value and location stack - so that they stay on the same level as the state stack. - The wasted elements are never initialized. */ - - yyssp = yyss - 1; - yyvsp = yyvs; -#ifdef YYLSP_NEEDED - yylsp = yyls; -#endif - -/* Push a new state, which is found in yystate . 
*/ -/* In all cases, when you get here, the value and location stacks - have just been pushed. so pushing a state here evens the stacks. */ -yynewstate: - - *++yyssp = yystate; - - if (yyssp >= yyss + yystacksize - 1) - { - /* Give user a chance to reallocate the stack */ - /* Use copies of these so that the &'s don't force the real ones into memory. */ - YYSTYPE *yyvs1 = yyvs; - short *yyss1 = yyss; -#ifdef YYLSP_NEEDED - YYLTYPE *yyls1 = yyls; -#endif - - /* Get the current used size of the three stacks, in elements. */ - int size = yyssp - yyss + 1; - -#ifdef yyoverflow - /* Each stack pointer address is followed by the size of - the data in use in that stack, in bytes. */ -#ifdef YYLSP_NEEDED - /* This used to be a conditional around just the two extra args, - but that might be undefined if yyoverflow is a macro. */ - yyoverflow("parser stack overflow", - &yyss1, size * sizeof (*yyssp), - &yyvs1, size * sizeof (*yyvsp), - &yyls1, size * sizeof (*yylsp), - &yystacksize); -#else - yyoverflow("parser stack overflow", - &yyss1, size * sizeof (*yyssp), - &yyvs1, size * sizeof (*yyvsp), - &yystacksize); -#endif - - yyss = yyss1; yyvs = yyvs1; -#ifdef YYLSP_NEEDED - yyls = yyls1; -#endif -#else /* no yyoverflow */ - /* Extend the stack our own way. 
*/ - if (yystacksize >= YYMAXDEPTH) - { - yyerror("parser stack overflow"); - return 2; - } - yystacksize *= 2; - if (yystacksize > YYMAXDEPTH) - yystacksize = YYMAXDEPTH; - yyss = (short *) alloca (yystacksize * sizeof (*yyssp)); - __yy_memcpy ((char *)yyss, (char *)yyss1, size * sizeof (*yyssp)); - yyvs = (YYSTYPE *) alloca (yystacksize * sizeof (*yyvsp)); - __yy_memcpy ((char *)yyvs, (char *)yyvs1, size * sizeof (*yyvsp)); -#ifdef YYLSP_NEEDED - yyls = (YYLTYPE *) alloca (yystacksize * sizeof (*yylsp)); - __yy_memcpy ((char *)yyls, (char *)yyls1, size * sizeof (*yylsp)); -#endif -#endif /* no yyoverflow */ - - yyssp = yyss + size - 1; - yyvsp = yyvs + size - 1; -#ifdef YYLSP_NEEDED - yylsp = yyls + size - 1; -#endif - -#if YYDEBUG != 0 - if (yydebug) - fprintf(stderr, "Stack size increased to %d\n", yystacksize); -#endif - - if (yyssp >= yyss + yystacksize - 1) - YYABORT; - } - -#if YYDEBUG != 0 - if (yydebug) - fprintf(stderr, "Entering state %d\n", yystate); -#endif - - goto yybackup; - yybackup: - -/* Do appropriate processing given the current state. */ -/* Read a lookahead token if we need one and don't already have one. */ -/* yyresume: */ - - /* First try to decide what to do without reference to lookahead token. */ - - yyn = yypact[yystate]; - if (yyn == YYFLAG) - goto yydefault; - - /* Not known => get a lookahead token if don't already have one. */ - - /* yychar is either YYEMPTY or YYEOF - or a valid token in external form. */ - - if (yychar == YYEMPTY) - { -#if YYDEBUG != 0 - if (yydebug) - fprintf(stderr, "Reading a token: "); -#endif - yychar = YYLEX; - } - - /* Convert token to internal form (in yychar1) for indexing tables with */ - - if (yychar <= 0) /* This means end of input. 
*/ - { - yychar1 = 0; - yychar = YYEOF; /* Don't call YYLEX any more */ - -#if YYDEBUG != 0 - if (yydebug) - fprintf(stderr, "Now at end of input.\n"); -#endif - } - else - { - yychar1 = YYTRANSLATE(yychar); - -#if YYDEBUG != 0 - if (yydebug) - { - fprintf (stderr, "Next token is %d (%s", yychar, yytname[yychar1]); - /* Give the individual parser a way to print the precise meaning - of a token, for further debugging info. */ -#ifdef YYPRINT - YYPRINT (stderr, yychar, yylval); -#endif - fprintf (stderr, ")\n"); - } -#endif - } - - yyn += yychar1; - if (yyn < 0 || yyn > YYLAST || yycheck[yyn] != yychar1) - goto yydefault; - - yyn = yytable[yyn]; - - /* yyn is what to do for this token type in this state. - Negative => reduce, -yyn is rule number. - Positive => shift, yyn is new state. - New state is final state => don't bother to shift, - just return success. - 0, or most negative number => error. */ - - if (yyn < 0) - { - if (yyn == YYFLAG) - goto yyerrlab; - yyn = -yyn; - goto yyreduce; - } - else if (yyn == 0) - goto yyerrlab; - - if (yyn == YYFINAL) - YYACCEPT; - - /* Shift the lookahead token. */ - -#if YYDEBUG != 0 - if (yydebug) - fprintf(stderr, "Shifting token %d (%s), ", yychar, yytname[yychar1]); -#endif - - /* Discard the token being shifted unless it is eof. */ - if (yychar != YYEOF) - yychar = YYEMPTY; - - *++yyvsp = yylval; -#ifdef YYLSP_NEEDED - *++yylsp = yylloc; -#endif - - /* count tokens shifted since error; after three, turn off error status. */ - if (yyerrstatus) yyerrstatus--; - - yystate = yyn; - goto yynewstate; - -/* Do the default action for the current state. */ -yydefault: - - yyn = yydefact[yystate]; - if (yyn == 0) - goto yyerrlab; - -/* Do a reduction. yyn is the number of a rule to reduce with. 
*/ -yyreduce: - yylen = yyr2[yyn]; - if (yylen > 0) - yyval = yyvsp[1-yylen]; /* implement default value of the action */ - -#if YYDEBUG != 0 - if (yydebug) - { - int i; - - fprintf (stderr, "Reducing via rule %d (line %d), ", - yyn, yyrline[yyn]); - - /* Print the symbols being reduced, and their result. */ - for (i = yyprhs[yyn]; yyrhs[i] > 0; i++) - fprintf (stderr, "%s ", yytname[yyrhs[i]]); - fprintf (stderr, " -> %s\n", yytname[yyr1[yyn]]); - } -#endif - - - switch (yyn) { - -case 4: -#line 56 "pam_conv.y" -{ - return 0; -; - break;} -case 5: -#line 62 "pam_conv.y" -{ - char *filename; - FILE *conf; - int i; - - /* make sure we have lower case */ - for (i=0; yyvsp[-5].string[i]; ++i) { - yyvsp[-5].string[i] = tolower(yyvsp[-5].string[i]); - } - - /* $1 = service-name */ - yyerror("Appending to " PAM_D "/%s", yyvsp[-5].string); - - filename = malloc(strlen(yyvsp[-5].string) + sizeof(PAM_D) + 6); - sprintf(filename, PAM_D_FILE_FMT, yyvsp[-5].string); - conf = fopen(filename, "r"); - if (conf == NULL) { - /* new file */ - conf = fopen(filename, "w"); - if (conf != NULL) { - fprintf(conf, PAM_D_MAGIC_HEADER); - fprintf(conf, - "#\n" - "# The PAM configuration file for the `%s' service\n" - "#\n", yyvsp[-5].string); - } - } else { - fclose(conf); - conf = fopen(filename, "a"); - } - if (conf == NULL) { - yyerror("trouble opening %s - aborting", filename); - exit(1); - } - free(filename); - - /* $2 = module-type */ - fprintf(conf, "%-10s", yyvsp[-4].string); - free(yyvsp[-4].string); - - /* $3 = required etc. 
*/ - { - const char *trans; - - trans = old_to_new_ctrl_flag(yyvsp[-3].string); - free(yyvsp[-3].string); - fprintf(conf, " %-10s", trans); - } - - /* $4 = module-path */ - fprintf(conf, " %s", yyvsp[-2].string); - free(yyvsp[-2].string); - - /* $5 = arguments */ - if (yyvsp[-1].string != NULL) { - fprintf(conf, " \\\n\t\t%s", yyvsp[-1].string); - free(yyvsp[-1].string); - } - - /* end line */ - fprintf(conf, "\n"); - - fclose(conf); -; - break;} -case 6: -#line 126 "pam_conv.y" -{ - yyerror("malformed line"); -; - break;} -case 7: -#line 132 "pam_conv.y" -{ - yyval.string=NULL; -; - break;} -case 8: -#line 135 "pam_conv.y" -{ - int len; - - if (yyvsp[-1].string) { - len = strlen(yyvsp[-1].string) + strlen(yyvsp[0].string) + 2; - yyval.string = malloc(len); - sprintf(yyval.string,"%s %s",yyvsp[-1].string,yyvsp[0].string); - free(yyvsp[-1].string); - free(yyvsp[0].string); - } else { - yyval.string = yyvsp[0].string; - } -; - break;} -case 9: -#line 151 "pam_conv.y" -{ - /* XXX - this could be used to check if file present */ - yyval.string = strdup(yytext); -; - break;} -case 10: -#line 157 "pam_conv.y" -{ - yyval.string = strdup(yytext); -; - break;} -} - /* the action file gets copied in in place of this dollarsign */ -#line 498 "/usr/share/bison.simple" - - yyvsp -= yylen; - yyssp -= yylen; -#ifdef YYLSP_NEEDED - yylsp -= yylen; -#endif - -#if YYDEBUG != 0 - if (yydebug) - { - short *ssp1 = yyss - 1; - fprintf (stderr, "state stack now"); - while (ssp1 != yyssp) - fprintf (stderr, " %d", *++ssp1); - fprintf (stderr, "\n"); - } -#endif - - *++yyvsp = yyval; - -#ifdef YYLSP_NEEDED - yylsp++; - if (yylen == 0) - { - yylsp->first_line = yylloc.first_line; - yylsp->first_column = yylloc.first_column; - yylsp->last_line = (yylsp-1)->last_line; - yylsp->last_column = (yylsp-1)->last_column; - yylsp->text = 0; - } - else - { - yylsp->last_line = (yylsp+yylen-1)->last_line; - yylsp->last_column = (yylsp+yylen-1)->last_column; - } -#endif - - /* Now "shift" the result of 
the reduction. - Determine what state that goes to, - based on the state we popped back to - and the rule number reduced by. */ - - yyn = yyr1[yyn]; - - yystate = yypgoto[yyn - YYNTBASE] + *yyssp; - if (yystate >= 0 && yystate <= YYLAST && yycheck[yystate] == *yyssp) - yystate = yytable[yystate]; - else - yystate = yydefgoto[yyn - YYNTBASE]; - - goto yynewstate; - -yyerrlab: /* here on detecting error */ - - if (! yyerrstatus) - /* If not already recovering from an error, report this error. */ - { - ++yynerrs; - -#ifdef YYERROR_VERBOSE - yyn = yypact[yystate]; - - if (yyn > YYFLAG && yyn < YYLAST) - { - int size = 0; - char *msg; - int x, count; - - count = 0; - /* Start X at -yyn if nec to avoid negative indexes in yycheck. */ - for (x = (yyn < 0 ? -yyn : 0); - x < (sizeof(yytname) / sizeof(char *)); x++) - if (yycheck[x + yyn] == x) - size += strlen(yytname[x]) + 15, count++; - msg = (char *) malloc(size + 15); - if (msg != 0) - { - strcpy(msg, "parse error"); - - if (count < 5) - { - count = 0; - for (x = (yyn < 0 ? -yyn : 0); - x < (sizeof(yytname) / sizeof(char *)); x++) - if (yycheck[x + yyn] == x) - { - strcat(msg, count == 0 ? ", expecting `" : " or `"); - strcat(msg, yytname[x]); - strcat(msg, "'"); - count++; - } - } - yyerror(msg); - free(msg); - } - else - yyerror ("parse error; also virtual memory exceeded"); - } - else -#endif /* YYERROR_VERBOSE */ - yyerror("parse error"); - } - - goto yyerrlab1; -yyerrlab1: /* here on error raised explicitly by an action */ - - if (yyerrstatus == 3) - { - /* if just tried and failed to reuse lookahead token after an error, discard it. */ - - /* return failure if at end of input */ - if (yychar == YYEOF) - YYABORT; - -#if YYDEBUG != 0 - if (yydebug) - fprintf(stderr, "Discarding token %d (%s).\n", yychar, yytname[yychar1]); -#endif - - yychar = YYEMPTY; - } - - /* Else will try to reuse lookahead token - after shifting the error token. 
*/ - - yyerrstatus = 3; /* Each real token shifted decrements this */ - - goto yyerrhandle; - -yyerrdefault: /* current state does not do anything special for the error token. */ - -#if 0 - /* This is wrong; only states that explicitly want error tokens - should shift them. */ - yyn = yydefact[yystate]; /* If its default is to accept any token, ok. Otherwise pop it.*/ - if (yyn) goto yydefault; -#endif - -yyerrpop: /* pop the current state because it cannot handle the error token */ - - if (yyssp == yyss) YYABORT; - yyvsp--; - yystate = *--yyssp; -#ifdef YYLSP_NEEDED - yylsp--; -#endif - -#if YYDEBUG != 0 - if (yydebug) - { - short *ssp1 = yyss - 1; - fprintf (stderr, "Error: state stack now"); - while (ssp1 != yyssp) - fprintf (stderr, " %d", *++ssp1); - fprintf (stderr, "\n"); - } -#endif - -yyerrhandle: - - yyn = yypact[yystate]; - if (yyn == YYFLAG) - goto yyerrdefault; - - yyn += YYTERROR; - if (yyn < 0 || yyn > YYLAST || yycheck[yyn] != YYTERROR) - goto yyerrdefault; - - yyn = yytable[yyn]; - if (yyn < 0) - { - if (yyn == YYFLAG) - goto yyerrpop; - yyn = -yyn; - goto yyreduce; - } - else if (yyn == 0) - goto yyerrpop; - - if (yyn == YYFINAL) - YYACCEPT; - -#if YYDEBUG != 0 - if (yydebug) - fprintf(stderr, "Shifting error token, "); -#endif - - *++yyvsp = yylval; -#ifdef YYLSP_NEEDED - *++yylsp = yylloc; -#endif - - yystate = yyn; - goto yynewstate; -} -#line 161 "pam_conv.y" - - -#include "lex.yy.c" - -const char *old_to_new_ctrl_flag(const char *old) -{ - static const char *clist[] = { - "requisite", - "required", - "sufficient", - "optional", - NULL, - }; - int i; - - for (i=0; clist[i]; ++i) { - if (strcasecmp(clist[i], old) == 0) { - break; - } - } - - return clist[i]; -} - -void yyerror(const char *format, ...) 
-{ - va_list args; - - fprintf(stderr, "line %d: ", current_line); - va_start(args, format); - vfprintf(stderr, format, args); - va_end(args); - fprintf(stderr, "\n"); -} - -void main() -{ - if (mkdir(PAM_D, PAM_D_MODE) != 0) { - yyerror(PAM_D " already exists.. aborting"); - exit(1); - } - yyparse(); -} diff --git a/contrib/libpam/conf/pam_conv1/pam_conv.y b/contrib/libpam/conf/pam_conv1/pam_conv.y deleted file mode 100644 index 8ce5ab08f023..000000000000 --- a/contrib/libpam/conf/pam_conv1/pam_conv.y +++ /dev/null 
@@ -1,203 +0,0 @@
-%{
-
-/*
- * $Id: pam_conv.y,v 1.3 1997/02/15 15:50:50 morgan Exp morgan $
- *
- * Copyright (c) Andrew G. Morgan 1997
- *
- * This file is covered by the Linux-PAM License (which should be
- * distributed with this file.)
- */
-
- const static char bisonid[]=
- "$Id: pam_conv.y,v 1.3 1997/02/15 15:50:50 morgan Exp morgan $\n"
- "Copyright (c) Andrew G. Morgan 1997-8 \n";
-
-#include
-#include
-#include
-#include
-
- int current_line=1;
- extern char *yytext;
-
-/* XXX - later we'll change this to be the specific conf file(s) */
-#define newpamf stderr
-
-#define PAM_D "./pam.d"
-#define PAM_D_MODE 0755
-#define PAM_D_MAGIC_HEADER \
- "#%PAM-1.0\n" \
- "#[For version 1.0 syntax, the above header is optional]\n"
-
-#define PAM_D_FILE_FMT PAM_D "/%s"
-
- const char *old_to_new_ctrl_flag(const char *old);
- void yyerror(const char *format, ...);
-%}
-
-%union {
- int def;
- char *string;
-}
-
-%token NL EOFILE TOK
-
-%type tok path tokenls
-
-%start complete
-
-%%
-
-complete
-:
-| complete NL
-| complete line
-| complete EOFILE {
- return 0;
-}
-;
-
-line
-: tok tok tok path tokenls NL {
- char *filename;
- FILE *conf;
- int i;
-
- /* make sure we have lower case */
- for (i=0; $1[i]; ++i) {
- $1[i] = tolower($1[i]);
- }
-
- /* $1 = service-name */
- yyerror("Appending to " PAM_D "/%s", $1);
-
- filename = malloc(strlen($1) + sizeof(PAM_D) + 6);
- sprintf(filename, PAM_D_FILE_FMT, $1);
- conf = fopen(filename, "r");
- if (conf == NULL) {
- /* new file */
- conf = fopen(filename, "w");
- if (conf != NULL) {
- fprintf(conf, PAM_D_MAGIC_HEADER);
- fprintf(conf,
- "#\n"
- "# The PAM configuration file for the `%s' service\n"
- "#\n", $1);
- }
- } else {
- fclose(conf);
- conf = fopen(filename, "a");
- }
- if (conf == NULL) {
- yyerror("trouble opening %s - aborting", filename);
- exit(1);
- }
- free(filename);
-
- /* $2 = module-type */
- fprintf(conf, "%-10s", $2);
- free($2);
-
- /* $3 = required etc. */
- {
- const char *trans;
-
- trans = old_to_new_ctrl_flag($3);
- free($3);
- fprintf(conf, " %-10s", trans);
- }
-
- /* $4 = module-path */
- fprintf(conf, " %s", $4);
- free($4);
-
- /* $5 = arguments */
- if ($5 != NULL) {
- fprintf(conf, " \\\n\t\t%s", $5);
- free($5);
- }
-
- /* end line */
- fprintf(conf, "\n");
-
- fclose(conf);
-}
-| error NL {
- yyerror("malformed line");
-}
-;
-
-tokenls
-: {
- $$=NULL;
-}
-| tokenls tok {
- int len;
-
- if ($1) {
- len = strlen($1) + strlen($2) + 2;
- $$ = malloc(len);
- sprintf($$,"%s %s",$1,$2);
- free($1);
- free($2);
- } else {
- $$ = $2;
- }
-}
-;
-
-path
-: TOK {
- /* XXX - this could be used to check if file present */
- $$ = strdup(yytext);
-}
-
-tok
-: TOK {
- $$ = strdup(yytext);
-}
-
-%%
-
-#include "lex.yy.c"
-
-const char *old_to_new_ctrl_flag(const char *old)
-{
- static const char *clist[] = {
- "requisite",
- "required",
- "sufficient",
- "optional",
- NULL,
- };
- int i;
-
- for (i=0; clist[i]; ++i) {
- if (strcasecmp(clist[i], old) == 0) {
- break;
- }
- }
-
- return clist[i];
-}
-
-void yyerror(const char *format, ...)
-{
- va_list args;
-
- fprintf(stderr, "line %d: ", current_line);
- va_start(args, format);
- vfprintf(stderr, format, args);
- va_end(args);
- fprintf(stderr, "\n");
-}
-
-void main()
-{
- if (mkdir(PAM_D, PAM_D_MODE) != 0) {
- yyerror(PAM_D " already exists.. aborting");
- exit(1);
- }
- yyparse();
-}
diff --git a/contrib/libpam/defs/hpux.defs b/contrib/libpam/defs/hpux.defs
deleted file mode 100644
index d834198369e3..000000000000
--- a/contrib/libpam/defs/hpux.defs
+++ /dev/null
@@ -1,36 +0,0 @@
-##
-# HPUX defs contributed by Derrick J Brashear
-##
-# this file indicates the compiler and the various hardware/OS dependent
-# flags for installation. It also defines the various destinations of
-# installed files on the system.
-#
-# This file is the default version. Please look in .../defs/ for your
-# preferred OS/vendor.
-
-OS=hpux9
-ARCH=hpux
-CC=gcc
-INSTALL=install
-MKDIR=mkdir -p
-CFLAGS=-g -DPAM_SHL -DHAVE_UTMP_H
-ULIBS=
-LD=ld
-LD_D=$(LD) -b
-LD_L=$(LD) -b
-USESONAME=no
-NEEDSONAME=no
-LDCONFIG=:
-AR=ar -cr
-RANLIB=ranlib
-FAKEROOT=
-PREFIX=/usr
-SUPLEMENTED=$(PREFIX)/sbin
-LIBDIR=$(PREFIX)/lib
-SECUREDIR=$(LIBDIR)/security
-INCLUDED=/usr/include/security
-CONFIGED=/etc
-SCONFIGED=/etc/security
-DYNLOAD="dld"
-DYNTYPE="sl"
-SHLIBMODE=755
diff --git a/contrib/libpam/defs/linux.defs b/contrib/libpam/defs/linux.defs
deleted file mode 100644
index 94e9968c6b25..000000000000
--- a/contrib/libpam/defs/linux.defs
+++ /dev/null
@@ -1,32 +0,0 @@
-# this file indicates the compiler and the various hardware/OS dependent
-# flags for installation. It also defines the various destinations of
-# installed files on the system.
-#
-# This file is the default version. Please look in .../defs/ for your
-# preferred OS/vendor.
-
-OS=linux
-ARCH=`uname -m | sed 's/^i?86/i386/'`
-CC=gcc
-INSTALL=install
-MKDIR=mkdir -p
-CFLAGS=-O7 -pipe -g
-ULIBS=#-lefence
-LD=ld
-LD_D=gcc -shared -Xlinker -x
-LD_L=$(LD) -x -shared
-USESONAME=yes
-SOSWITCH=-soname
-NEEDSONAME=no
-LDCONFIG=/sbin/ldconfig
-AR=ar -cr
-RANLIB=ranlib
-FAKEROOT=
-PREFIX=/usr
-SUPLEMENTED=$(PREFIX)/sbin
-LIBDIR=$(PREFIX)/lib
-SECUREDIR=$(LIBDIR)/security
-INCLUDED=/usr/include/security
-CONFIGED=/etc
-SCONFIGED=/etc/security
-NSLLIB=-lnsl
diff --git a/contrib/libpam/defs/morgan.defs b/contrib/libpam/defs/morgan.defs
deleted file mode 100644
index 178de28d21a8..000000000000
--- a/contrib/libpam/defs/morgan.defs
+++ /dev/null
@@ -1,35 +0,0 @@
-##
-# defs for Andrew's debugging version (which is a modified Red Hat
-# box)
-##
-# this file indicates the compiler and the various hardware/OS dependent
-# flags for installation. It also defines the various destinations of
-# installed files on the system.
-#
-# This file is the version used for Red Hat Linux.
-
-OS=linux
-ARCH=i386
-CC=gcc
-INSTALL=install
-MKDIR=mkdir -p
-CFLAGS=$(RPM_OPT_FLAGS) -pipe -g
-ULIBS=
-#-lefence
-LD=ld
-LD_D=gcc -shared -Xlinker -x
-LD_L=$(LD) -x -shared
-USESONAME=yes
-SOSWITCH=-soname
-NEEDSONAME=no
-LDCONFIG=/sbin/ldconfig
-AR=ar -cr
-RANLIB=ranlib
-FAKEROOT=$(RPM_BUILD_ROOT)
-PREFIX=
-SUPLEMENTED=$(PREFIX)/sbin
-LIBDIR=$(PREFIX)/lib
-SECUREDIR=$(LIBDIR)/security.d
-INCLUDED=/usr/include/security
-CONFIGED=/etc
-SCONFIGED=/etc/security
diff --git a/contrib/libpam/defs/redhat.defs b/contrib/libpam/defs/redhat.defs
deleted file mode 100644
index 8c7e1e17f75a..000000000000
--- a/contrib/libpam/defs/redhat.defs
+++ /dev/null
@@ -1,34 +0,0 @@
-##
-# defs for Red Hat Linux
-# Michael K. Johnson
-##
-# this file indicates the compiler and the various hardware/OS dependent
-# flags for installation. It also defines the various destinations of
-# installed files on the system.
-#
-# This file is the version used for Red Hat Linux.
-
-OS=linux
-ARCH=$(shell rpm --showrc | grep 'build arch' | sed 's/^.*: //g')
-CC=gcc
-INSTALL=install
-MKDIR=mkdir -p
-CFLAGS=$(RPM_OPT_FLAGS) -pipe -g
-ULIBS=#-lefence
-LD=ld
-LD_D=gcc -shared -Xlinker -x
-LD_L=$(LD) -x -shared
-USESONAME=yes
-SOSWITCH=-soname
-NEEDSONAME=no
-LDCONFIG=/sbin/ldconfig
-AR=ar -cr
-RANLIB=ranlib
-FAKEROOT=$(RPM_BUILD_ROOT)
-PREFIX=
-SUPLEMENTED=$(PREFIX)/sbin
-LIBDIR=$(PREFIX)/lib
-SECUREDIR=$(LIBDIR)/security
-INCLUDED=/usr/include/security
-CONFIGED=/etc
-SCONFIGED=/etc/security
diff --git a/contrib/libpam/defs/solaris.defs b/contrib/libpam/defs/solaris.defs
deleted file mode 100644
index f9f265297dd5..000000000000
--- a/contrib/libpam/defs/solaris.defs
+++ /dev/null
@@ -1,48 +0,0 @@
-##
-# Solaris defs contributed by Josh Wilmes
-##
-# this file indicates the compiler and the various hardware/OS dependent
-# flags for installation. It also defines the various destinations of
-# installed files on the system.
-#
-# This file is the default version. Please look in .../defs/ for your
-# preferred OS/vendor.
-
-# Please note that the linker used must be the GNU ld, not the native Sun
-# linker. It is fairly common for the gnu linker (/usr/ccs/bin/ld) to be
-# configured as the default linker for gcc. To tell gcc to use the
-# gnu linker, you need to set the GCC_EXEC_PREFIX environment variable
-# to point at the directory where the gnu linker is installed. Here's
-# what I do:
-# $ mkdir /tmp/foo
-# $ ln -s /path/to/gnu/ld /tmp/foo/ld
-# $ export GCC_EXEC_PREFIX=/tmp/foo/
-# $ export PATH=/tmp/foo:$PATH
-
-OS=solaris
-ARCH=sun
-CC=cc
-INSTALL=install
-MKDIR=mkdir -p
-WARNINGS = -D_POSIX_SOURCE
-PIC=-KPIC
-CFLAGS=-g -D__EXTENSIONS__ -Dsolaris
-ULIBS=
-LD=ld
-LD_L=$(LD) -G
-LD_D=$(LD_L)
-RDYNAMIC=
-USESONAME=yes
-SOSWITCH=-h
-NEEDSONAME=no
-LDCONFIG=echo
-AR=ar -cr
-RANLIB=ranlib
-FAKEROOT=
-PREFIX=/usr
-SUPLEMENTED=$(PREFIX)/sbin
-LIBDIR=$(PREFIX)/lib
-SECUREDIR=$(LIBDIR)/security
-INCLUDED=/usr/include/security
-CONFIGED=/etc
-SCONFIGED=/etc/security
diff --git a/contrib/libpam/defs/sunos.defs b/contrib/libpam/defs/sunos.defs
deleted file mode 100644
index 158accc53474..000000000000
--- a/contrib/libpam/defs/sunos.defs
+++ /dev/null
@@ -1,37 +0,0 @@
-##
-# SunOS defs contributed by Derrick J Brashear
-##
-# this file indicates the compiler and the various hardware/OS dependent
-# flags for installation. It also defines the various destinations of
-# installed files on the system.
-#
-# This file is the SunOS version. Please look in .../defs/ for your
-# preferred OS/vendor.
-
-OS=sunos
-ARCH=sun
-CC=gcc
-INSTALL=install
-MKDIR=mkdir -p
-CFLAGS=-O2 -pipe -g -D__EXTENSIONS__
-ULIBS=
-LD_D=gcc -shared -Xlinker -x
-LD=ld
-LD_L=$(LD)
-USESONAME=no
-NEEDSONAME=yes
-LDCONFIG=/usr/etc/ldconfig
-AR=ar cr
-RANLIB=ranlib
-FAKEROOT=
-PREFIX=/usr
-SUPLEMENTED=$(PREFIX)/sbin
-LIBDIR=$(PREFIX)/lib
-SECUREDIR=$(LIBDIR)/security
-INCLUDED=/usr/include/security
-CONFIGED=/etc
-SCONFIGED=/etc/security
-WARNINGS= -ansi -Wall -Wwrite-strings \
- -Wpointer-arith -Wcast-qual -Wcast-align \
- -Wtraditional -Wstrict-prototypes -Wmissing-prototypes \
- -Wnested-externs -Winline -Wshadow
diff --git a/contrib/libpam/doc/modules/README b/contrib/libpam/doc/modules/README
deleted file mode 100644
index b97b2cd501b9..000000000000
--- a/contrib/libpam/doc/modules/README
+++ /dev/null
@@ -1,13 +0,0 @@
-$Id: README,v 1.2 1996/11/17 17:20:28 morgan Exp $
-
-This directory contains a number of sgml sub-files. One for each
-documented module. They contain a description of each module and give
-some indication of its reliability.
-
-Additionally, there is a 'module.sgml-template' file which should be
-used as a blank form for new module descriptions.
-
-Please feel free to submit amendments/comments etc. regarding these
-files to:
-
- Andrew G. Morgan
diff --git a/contrib/libpam/doc/modules/module.sgml-template b/contrib/libpam/doc/modules/module.sgml-template
deleted file mode 100644
index 53cd809f338d..000000000000
--- a/contrib/libpam/doc/modules/module.sgml-template
+++ /dev/null
@@ -1,170 +0,0 @@
- - - [*Familiar full name of module*, eg. The "allow all" module.] - -Synopsis - -

- - -Module Name: -[ - insert the name of the module - - Blank is not permitted. -] - -Author[s]: - -[ - Insert author names here - - Blank is not permitted. If in doubt, put "unknown" if the - author wishes to remain anonymous, put "anonymous". -] - -Maintainer: - -[ - Insert names and date-begun of most recent maintainer. -] - -Management groups provided: - -[ - list the subset of four management groups supported by the - module. Choose from: account; authentication; password; - session. - - Blank entries are not permitted. Explicitly list all of the - management groups. In the future more may be added to libpam! -] - -Cryptographically sensitive: - -[ - Indicate whether this module contains code that can perform - reversible (strong) encryption. This field is primarily to - ensure that people redistributing it are not unwittingly - breaking laws... - - Modules may also require the presence of some local library - that performs the necessary encryption via some standard API. - In this case "uses API" can be included in this field. The - library in question should be added to the system requirements - below. - - Blank = no cryptography is used by module. -] - -Security rating: - -[ - Initially, this field should be left blank. If someone takes - it upon themselves to test the strength of the module, it can - later be filled. - - Blank = unknown. -] - -Clean code base: - -[ - This will probably be filled by the libpam maintainer. - It can be considered to be a public humiliation list. :*) - - I am of the opinion that "gcc -with_all_those_flags" is - trying to tell us something about whether the program - works as intended. Since there is currently no Security - evaluation procedure for modules IMHO this is not a - completely unreasonable indication (a lower bound anyway) - of the reliability of a module. - - This field would indicate the number and flavor of - warnings that gcc barfs up when trying to compile the - module as part of the tree. 
Is this too tyrannical? - - Blank = Linux-PAM maintainer has not tested it :) -] - -System dependencies: - -[ - here we list config files, dynamic libraries needed, system - resources, kernel options.. etc. - - Blank = nothing more than libc required. -] - -Network aware: - -[ - Does the module base its behavior on probing a network - connection? Does it expect to be protected by the - application? - - Blank = Ignorance of network. -] - - - -Overview of module - -[ - some text describing the intended actions of the module - general comments mainly (specifics in sections - below). -] - -[ - - [ now we have a level subsection for each of the - management groups. Include as many as there are groups - listed above in the synopsis ] - -[ Account | Authentication | Password | Session ] component - -

- - -Recognized arguments: - -[ - List the supported arguments (leave their description for the - description below. - - Blank = no arguments are read and nothing is logged to syslog - about any arguments that are passed. Note, this - behavior is contrary to the RFC! -] - -Description: - -[ - This component of the module performs the task of ... -] - -Examples/suggested usage: - -[ - Here we list some doos and don'ts for this module. -] - - - - diff --git a/contrib/libpam/doc/modules/pam_chroot.sgml b/contrib/libpam/doc/modules/pam_chroot.sgml deleted file mode 100644 index 7f8c4a39b642..000000000000 --- a/contrib/libpam/doc/modules/pam_chroot.sgml +++ /dev/null @@ -1,86 +0,0 @@ - - -Chroot - -Synopsis - -

- - -Module Name: -Author: -Bruce Campbell <brucec@humbug.org.au> - -Maintainer: -Author; proposed on 20/11/96 - email for status - -Management groups provided: -account; session; authentication - -Cryptographically sensitive: - -Security rating: - -Clean code base: -Unwritten. - -System dependencies: - -Network aware: -Expects localhost. - - - -Overview of module - -

-This module is intended to provide a transparent wrapper around the -average user, one that puts them in a fake file-system (eg, their -'/' is really /some/where/else). - -

-Useful if you have several classes of users, and are slightly paranoid -about security. Can be used to limit who else users can see on the -system, and to limit the selection of programs they can run. - -Account component: - -

-Authentication component: - -

-Session component: - -

- - - -Recognized arguments: -Arguments and logging levels for the PAM version are being worked on. - -Description: - -Examples/suggested usage: -Do provide a reasonable list of programs - just tossing 'cat', 'ls', 'rm', -'cp' and 'ed' in there is a bit... -

-Don't take it to extremes (eg, you can set up a separate environment for -each user, but its a big waste of your disk space.) - - - - diff --git a/contrib/libpam/doc/modules/pam_cracklib.sgml b/contrib/libpam/doc/modules/pam_cracklib.sgml deleted file mode 100644 index 4700c2a04f03..000000000000 --- a/contrib/libpam/doc/modules/pam_cracklib.sgml +++ /dev/null @@ -1,254 +0,0 @@ - - -Cracklib pluggable password strength-checker - -Synopsis - -

- - -Module Name: - -pam_cracklib - -Author: - -Cristian Gafton <gafton@redhat.com> - -Maintainer: - -Author. - -Management groups provided: - -password - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: - -Requires the system library /usr/lib/cracklib_dict. - -Network aware: - - - -Overview of module - -

-This module can be plugged into the -This module works in the following manner: it first calls the -Cracklib routine to check the strength of the password; if -crack likes the password, the module does an additional set of -strength checks. These checks are: - - - - -

-This module with no arguments will work well for standard unix -password encryption. With md5 encryption, passwords can be longer -than 8 characters and the default settings for this module can make it -hard for the user to choose a satisfactory new password. Notably, the -requirement that the new password contain no more than 1/2 of the -characters in the old password becomes a non-trivial constraint. For -example, an old password of the form "the quick brown fox jumped over -the lazy dogs" would be difficult to change... In addition, the -default action is to allow passwords as small as 5 characters in -length. For a md5 systems it can be a good idea to increase the -required minimum size of a password. One can then allow more credit -for different kinds of characters but accept that the new password may -share most of these characters with the old password. - -Password component - -

- - -Recognized arguments: - -Description: - -The action of this module is to prompt the user for a password and -check its strength against a system dictionary and a set of rules for -identifying poor choices. - -

-The default action is to prompt for a single password, check its -strength and then, if it is considered strong, prompt for the password -a second time (to verify that it was typed correctly on the first -occasion). All being well, the password is passed on to subsequent -modules to be installed as the new authentication token. - -

-The default action may be modified in a number of ways using the -arguments recognized by the module: - - - other, -upper, lower and Cracklib itself, a "way too short" limit of 4 which is hard -coded in and a defined limit (6) that will be checked without -reference to minlen. If you want to allow passwords as short -as 5 characters you should either not use this module or recompile -the crack library and then recompile this module. - - - -Examples/suggested usage: - -(At the time of writing, this module can only be stacked before the - -For an example of the use of this module, we show how it may be -stacked with the password component of - -# -# These lines stack two password type modules. In this example the -# user is given 3 opportunities to enter a strong password. The -# "use_authtok" argument ensures that the pam_pwdb module does not -# prompt for a password, but instead uses the one provided by -# pam_cracklib. -# -passwd password required pam_cracklib.so retry=3 -passwd password required pam_pwdb.so use_authtok - - - -

-Another example (in the /etc/pam.d/passwd format) is for the -case that you want to use md5 password encryption: - - -#%PAM-1.0 -# -# These lines allow a md5 systems to support passwords of at least 14 -# bytes with extra credit of 2 for digits and 2 for others the new -# password must have at least three bytes that are not present in the -# old password -# -password required pam_cracklib.so \ - difok=3 minlen=15 dcredit= 2 ocredit=2 -password required pam_pwdb.so use_authtok nullok md5 - - - - - - diff --git a/contrib/libpam/doc/modules/pam_deny.sgml b/contrib/libpam/doc/modules/pam_deny.sgml deleted file mode 100644 index 99f367156fe5..000000000000 --- a/contrib/libpam/doc/modules/pam_deny.sgml +++ /dev/null @@ -1,179 +0,0 @@ - - -The locking-out module - -Synopsis - -

- - -Module Name: -pam_deny - -Author: -Andrew G. Morgan <morgan@parc.power.net> - -Maintainer: -current Management groups provided: -account; authentication; password; session - -Cryptographically sensitive: - -Security rating: - -Clean code base: -clean. - -System dependencies: - -Network aware: - - - -Overview of module - -

-This module can be used to deny access. It always indicates a failure -to the application through the PAM framework. As is commented in the -overview section , this module -might be suitable for using for default (the Account component - -

- - -Recognized arguments: - -Description: - -This component does nothing other than return a failure. The -failure type is Examples/suggested usage: - -Stacking this module with type -The following example would make it impossible to login: - - -# -# add this line to your other login entries to disable all accounts -# -login account required pam_deny.so - - - - - -Authentication component - -

- - -Recognized arguments: - -Description: - -This component does nothing other than return a failure. The failure -type is Examples/suggested usage: - -To deny access to default applications with this component of the - - -# -# add this line to your existing OTHER entries to prevent -# authentication succeeding with default applications. -# -OTHER auth required pam_deny.so - - - - - -Password component - -

- - -Recognized arguments: - -Description: - -This component of the module denies the user the opportunity to change -their password. It always responds with Examples/suggested usage: - -This module should be used to prevent an application from updating the -applicant user's password. For example, to prevent - -# -# add this line to your other login entries to prevent the login -# application from being able to change the user's password. -# -login password required pam_deny.so - - - - - -Session component - -

- - -Recognized arguments: - -Description: - -This aspect of the module prevents an application from starting a -session on the host computer. - -Examples/suggested usage: - -Together with another session module, that displays a message of the -day perhaps (XXX - such a module needs to be written), -this module can be used to block a user from starting a shell. Given -the presence of a - -# -# An example to see how to configure login to refuse the user a -# session (politely) -# -login session required pam_motd.so \ - file=/etc/system_time -login session required pam_deny.so - - - - - - diff --git a/contrib/libpam/doc/modules/pam_env.sgml b/contrib/libpam/doc/modules/pam_env.sgml deleted file mode 100644 index a62f4576f132..000000000000 --- a/contrib/libpam/doc/modules/pam_env.sgml +++ /dev/null @@ -1,125 +0,0 @@ - - -Set/unset environment variables - -Synopsis - -

- - -Module Name: -Author: -Dave Kinchlea <kinch@kinch.ark.com> - -Maintainer: -Author - -Management groups provided: -Authentication (setcred) - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: -/etc/security/pam_env.conf - -Network aware: - - - -Overview of module - -

-This module allows the (un)setting of environment variables. Supported -is the use of previously set environment variables as well as -PAM_ITEMs such as PAM_RHOST. - -Authentication component - -

- - -Recognized arguments: -Description: -This module allows you to (un)set arbitrary environment variables -using fixed strings, the value of previously set environment variables -and/or -All is controlled via a configuration file (by default, -/etc/security/pam_env.conf but can be overriden with -connfile argument). Each line starts with the variable name, -there are then two possible options for each variable DEFAULT -and OVERRIDE. DEFAULT allows and administrator to -set the value of the variable to some default value, if none is -supplied then the empty string is assumed. The OVERRIDE -option tells pam_env that it should enter in its value (overriding the -default value) if there is one to use. OVERRIDE is not used, -"" is assumed and no override will be done. - -

- - -VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]] - - - -

-(Possibly non-existent) environment variables may be used in values -using the ${string} syntax and (possibly -non-existent) @{string} syntax. Both the $ -and @ characters can be backslash-escaped to be used -as literal values (as in \$. Double quotes may -be used in values (but not environment variable names) when white -space is needed the full value must be delimited by the quotes and -embedded or escaped quotes are not supported. - -

-The behavior of this module can be modified with one of the following -flags: - -

- - -/etc/security/pam_env.conf is used as -the configuration file. This option overrides the default. You must -supply a complete path + file name. - - - -Examples/suggested usage: - -See sample pam_env.conf for more information and examples. - - - - - - - - - - - - - - diff --git a/contrib/libpam/doc/modules/pam_filter.sgml b/contrib/libpam/doc/modules/pam_filter.sgml deleted file mode 100644 index 99f06ef01b64..000000000000 --- a/contrib/libpam/doc/modules/pam_filter.sgml +++ /dev/null @@ -1,150 +0,0 @@ - - -The filter module - -Synopsis - -

- - -Module Name: - -pam_filter - -Author: - -Andrew G. Morgan <morgan@parc.power.net> - -Maintainer: - -Author. - -Management groups provided: - -account; authentication; password; session - -Cryptographically sensitive: - -Not yet. - -Security rating: - -Clean code base: - -This module compiles cleanly on Linux based systems. - -System dependencies: - -To function it requires Network aware: - - - -Overview of module - -

-This module was written to offer a plug-in alternative to programs -like ttysnoop (XXX - need a reference). Since writing a filter that -performs this function has not occurred, it is currently only a toy. -The single filter provided with the module simply transposes upper and -lower case letters in the input and output streams. (This can be very -annoying and is not kind to termcap based editors). - -Account+Authentication+Password+Session components - -

- - -Recognized arguments: - -Description: - -Each component of the module has the potential to invoke the desired -filter. The filter is always -The behavior of the module can be significantly altered by the -arguments passed to it in the - -Permitted values for -For the case of the account component. Either -For the case of the password component, - -Examples/suggested usage: - -At the time of writing there is little real use to be made of this -module. For fun you might try adding the following line to your -login's configuration entries - - -# -# An example to see how to configure login to transpose upper and -# lower case letters once the user has logged in(!) -# -login session required pam_filter.so \ - run1 /usr/sbin/pam_filter/upperLOWER - - - - - - diff --git a/contrib/libpam/doc/modules/pam_ftp.sgml b/contrib/libpam/doc/modules/pam_ftp.sgml deleted file mode 100644 index ca2e065d0122..000000000000 --- a/contrib/libpam/doc/modules/pam_ftp.sgml +++ /dev/null @@ -1,93 +0,0 @@ - - -Anonymous access module - -Synopsis - -

- - -Module Name: -Author: -Andrew G. Morgan <morgan@parc.power.net> - -Maintainer: -Author. - -Management groups provided: -authentication - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: - -Network aware: -prompts for email address of user; easily spoofed (XXX - needs work) - - - -Overview of module - -

-The purpose of this module is to provide a pluggable anonymous ftp -mode of access. - -Authentication component - -

- - -Recognized arguments: -Description: - -This module intercepts the user's name and password. If the name is -`` -The behavior of the module can be modified with the following flags: - - - -Examples/suggested usage: - -An example of the use of this module is provided in the configuration -file section . With care, this -module could be used to provide new/temporary account anonymous -login. - - - - diff --git a/contrib/libpam/doc/modules/pam_group.sgml b/contrib/libpam/doc/modules/pam_group.sgml deleted file mode 100644 index 360edee06afb..000000000000 --- a/contrib/libpam/doc/modules/pam_group.sgml +++ /dev/null @@ -1,108 +0,0 @@ - - -The group access module - -Synopsis - -

- - -Module Name: -Author: -Andrew G. Morgan <morgan@parc.power.net> - -Maintainer: -Author. - -Management groups provided: -authentication - -Cryptographically sensitive: - -Security rating: -Sensitive to Clean code base: - -System dependencies: -Requires an /etc/security/group.conf file. Can be compiled -with or without Network aware: -Only through correctly set - -Overview of module - -

-This module provides group-settings based on the user's name and the -terminal they are requesting a given service from. It takes note of -the time of day. - -Authentication component - -

- - -Recognized arguments: - -Description: - -This module does not authenticate the user, but instead it grants -group memberships (in the credential setting phase of the -authentication module) to the user. Such memberships are based on the -service they are applying for. The group memberships are listed in -text form in the /etc/security/group.conf file. - -Examples/suggested usage: - -For this module to function correctly there must be a correctly -formatted /etc/security/groups.conf file present. The format -of this file is as follows. Group memberships are given based on the -service application satisfying any combination of lines in the -configuration file. Each line (barring comments which are preceded by -` - -services ; ttys ; users ; times ; groups - - -Here the first four fields share the syntax of the pam_time -configuration file; /etc/security/pam_time.conf, and the last -field, the -As stated in above this module's usefulness relies on the file-systems -accessible to the user. The point being that once granted the -membership of a group, the user may attempt to create a -The pam_group module fuctions in parallel with the -/etc/group file. If the user is granted any groups based on -the behavior of this module, they are granted in addition to -those entries /etc/group (or equivalent). - - - - diff --git a/contrib/libpam/doc/modules/pam_krb4.sgml b/contrib/libpam/doc/modules/pam_krb4.sgml deleted file mode 100644 index edb87d1a0584..000000000000 --- a/contrib/libpam/doc/modules/pam_krb4.sgml +++ /dev/null @@ -1,126 +0,0 @@ - - -The Kerberos 4 module. - -Synopsis - -

- - -Module Name: -Author: -Derrick J. Brashear <shadow@dementia.org> - -Maintainer: -Author. - -Management groups provided: -authentication; password; session - -Cryptographically sensitive: -uses API - -Security rating: - -Clean code base: - -System dependencies: -libraries - Network aware: -Gets Kerberos ticket granting ticket via a Kerberos key distribution -center reached via the network. - - - -Overview of module - -

-This module provides an interface for doing Kerberos verification of a -user's password, getting the user a Kerberos ticket granting ticket -for use with the Kerberos ticket granting service, destroying the -user's tickets at logout time, and changing a Kerberos password. - - Session component - -

- - -Recognized arguments: - -Description: - -This component of the module currently sets the user's Examples/suggested usage: - -This part of the module won't be terribly useful until we can change -the environment from within a - - Password component - -

- - -Recognized arguments: -Description: - -This component of the module changes a user's Kerberos password -by first getting and using the user's old password to get -a session key for the password changing service, then sending -a new password to that service. - -Examples/suggested usage: - -This should only be used with a real Kerberos v4 - - Authentication component - -

- - -Recognized arguments: -Description: - -This component of the module verifies a user's Kerberos password -by requesting a ticket granting ticket from the Kerberos server -and optionally using it to attempt to retrieve the local computer's -host key and verifying using the key file on the local machine if -one exists. - -It also writes out a ticket file for the user to use later, and -deletes the ticket file upon logout (not until Examples/suggested usage: - -This module can be used with a real Kerberos server using MIT -v4 Kerberos keys. The module or the system Kerberos libraries -may be modified to support AFS style Kerberos keys. Currently -this is not supported to avoid cryptography constraints. - - - - diff --git a/contrib/libpam/doc/modules/pam_lastlog.sgml b/contrib/libpam/doc/modules/pam_lastlog.sgml deleted file mode 100644 index 8c0e662c3cf9..000000000000 --- a/contrib/libpam/doc/modules/pam_lastlog.sgml +++ /dev/null @@ -1,119 +0,0 @@ - - -The last login module - -Synopsis - -

- - -Module Name: -Author: -Andrew G. Morgan <morgan@parc.power.net> - -Maintainer: -Author - -Management groups provided: -auth - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: -uses information contained in the /var/log/wtmp file. - -Network aware: - - - -Overview of module - -

-This session module maintains the /var/log/wtmp file. Adding -an open entry when called via the pam_open_seesion() function -and completing it when pam_close_session() is called. This -module can also display a line of information about the last login of -the user. If an application already performs these tasks, it is not -necessary to use this module. - -Authentication component - -

- - -Recognized arguments: -Description: - -

-This module can be used to provide a ``Last login on ...'' -message. when the user logs into the system from what ever application -uses the PAM libraries. In addition, the module maintains the -/var/log/wtmp file. - -

-The behavior of this module can be modified with one of the following -flags: - -

- -/var/log/wtmp file. - -/var/log/wtmp file does not contain any old entries -for the user, indicate that the user has never previously logged in -with a ``welcome..." message. - - - -Examples/suggested usage: - -This module can be used to indicate that the user has new mail when -they /etc/pam.conf file: - - -# -# do we have any mail? -# -login session optional pam_lastlog.so - - - -

-Note, some applications may perform this function themselves. In such -cases, this module is not necessary. - - - - diff --git a/contrib/libpam/doc/modules/pam_limits.sgml b/contrib/libpam/doc/modules/pam_limits.sgml deleted file mode 100644 index 6b98ea64fcbd..000000000000 --- a/contrib/libpam/doc/modules/pam_limits.sgml +++ /dev/null @@ -1,196 +0,0 @@ - - -The resource limits module - -Synopsis - -

- - -Module Name: -Authors: -Cristian Gafton <gafton@redhat.com> -Thanks are also due to Elliot Lee <sopwith@redhat.com> -for his comments on improving this module. - -Maintainer: -Cristian Gafton - 1996/11/20 - -Management groups provided: -session - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: -requires an /etc/security/limits.conf file and kernel support -for resource limits. Also uses the library, Network aware: - - - -Overview of module - -

-This module, through the Session component - -

- - -Recognized arguments: -conf=/path/to/file.conf - -Description: - -Through the contents of the configuration file, -/etc/security/limits.conf, resource limits are placed on -users' sessions. Users of -The behavior of this module can be modified with the following -arguments: - - -conf=/path/to/file.conf - -indicate an alternative - -Examples/suggested usage: - -In order to use this module the system administrator must first create -a /etc/security/limits.conf). This file describes the resource -limits the superuser wishes to impose on users and groups. No limits -are imposed on -Each line of the configuration file describes a limit for a user in -the form: - - - - - - -

-The fields listed above should be filled as follows... -<domain> can be: - - a username - a groupname, with @group syntax - the wild-card - -

-<type> can have the two values: - - - - -

-<item> can be one of the following: - - - -

-To completely disable limits for a user (or a group), a single dash -(-) will do (Example: `` -Also, please note that all limit settings are set -In the -The -The following is an example configuration file: - - -# EXAMPLE /etc/security/limits.conf file: -# ======================================= -# -* soft core 0 -* hard rss 10000 -@student hard nproc 20 -@faculty soft nproc 20 -@faculty hard nproc 50 -ftp hard nproc 0 -@student - maxlogins 4 - - -Note, the use of -For the services that need resources limits (login for example) put a -the following line in /etc/pam.conf as the last line for that -service (usually after the pam_unix session line: - - -# -# Resource limits imposed on login sessions via pam_limits -# -login session required pam_limits.so - - - - - - diff --git a/contrib/libpam/doc/modules/pam_listfile.sgml b/contrib/libpam/doc/modules/pam_listfile.sgml deleted file mode 100644 index fe4a0d27cc2e..000000000000 --- a/contrib/libpam/doc/modules/pam_listfile.sgml +++ /dev/null @@ -1,138 +0,0 @@ - - -The list-file module - -Synopsis - -

- - -Module Name: -Author: -Elliot Lee <sopwith@cuc.edu> - -Maintainer: -Red Hat Software: -Michael K. Johnson <johnsonm@redhat.com> 1996/11/18 -(if unavailable, contact Elliot Lee <sopwith@cuc.edu>). - -Management groups provided: -authentication - -Cryptographically sensitive: - -Security rating: - -Clean code base: -clean - -System dependencies: - -Network aware: - - - -Overview of module - -

-The list-file module provides a way to deny or allow services based on -an arbitrary file. - -Authentication component - -

- - -Recognized arguments: - -onerr=succeed|fail; -sense=allow|deny; -file=filename; -item=user|tty|rhost|ruser|group|shell -apply=user|@group - -Description: - -The module gets the item of the type specified -- user specifies -the username, PAM_USER; tty specifies the name of the terminal -over which the request has been made, PAM_TTY; rhost specifies -the name of the remote host (if any) from which the request was made, -PAM_RHOST; and ruser specifies the name of the remote user -(if available) who made the request, PAM_RUSER -- and looks for -an instance of that item in the file filename. filename -contains one line per item listed. If the item is found, then if -sense=allow, PAM_SUCCESS is returned, causing the -authorization request to succeed; else if sense=deny, -PAM_AUTH_ERR is returned, causing the authorization -request to fail. - -

-If an error is encountered (for instance, if filename
-does not exist, or a poorly-constructed argument is encountered),
-then if onerr=succeed, PAM_SUCCESS is returned,
-otherwise if onerr=fail, PAM_AUTH_ERR or
-PAM_SERVICE_ERR (as appropriate) will be returned.
-
-

-An additional argument, apply=, can be used to restrict the -application of the above to a specific user -(apply=username) or a given group -(apply=@groupname). This added restriction is only -meaningful when used with the -Besides this last one, all arguments should be specified; do not count -on any default behavior, as it is subject to change. - -

-No credentials are awarded by this module. - -Examples/suggested usage: - -Classic ``ftpusers'' authentication can be implemented with this entry -in /etc/pam.conf: - - -# -# deny ftp-access to users listed in the /etc/ftpusers file -# -ftp auth required pam_listfile.so \ - onerr=succeed item=user sense=deny file=/etc/ftpusers - - -Note, users listed in /etc/ftpusers file are -(counterintuitively) -To allow login access only for certain users, you can use an -pam.conf entry like this: - - -# -# permit login to users listed in /etc/loginusers -# -login auth required pam_listfile.so \ - onerr=fail item=user sense=allow file=/etc/loginusers - - - -

-For this example to work, all users who are allowed to use the login -service should be listed in the file /etc/loginusers. Unless -you are explicitly trying to lock out root, make sure that when you do -this, you leave a way for root to log in, either by listing root in -/etc/loginusers, or by listing a user who is able to - - diff --git a/contrib/libpam/doc/modules/pam_mail.sgml b/contrib/libpam/doc/modules/pam_mail.sgml deleted file mode 100644 index 9a99f2064c36..000000000000 --- a/contrib/libpam/doc/modules/pam_mail.sgml +++ /dev/null @@ -1,124 +0,0 @@ - - -The mail module - -Synopsis - -

- - -Module Name: -Author: -Andrew G. Morgan <morgan@parc.power.net> - -Maintainer: -Author - -Management groups provided: -auth - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: -Default mail directory /var/spool/mail/ - -Network aware: - - - -Overview of module - -

-This module looks at the user's mail directory and indicates -whether the user has any mail in it. - -Authentication component - -

- - -Recognized arguments: -Description: - -This module provides the ``you have new mail'' service to the user. It -can be plugged into any application that has credential hooks. It gives a -single message indicating the -Although the module supplies functions for the authentication -management group of functions, it cannot be used to authenticate a -user; its authentication function instructs -The behavior of this module can be modified with one of the following -flags: - -

- -/var/spool/mail. Note, if the supplied - -Examples/suggested usage: - -This module can be used to indicate that the user has new mail when -they /etc/pam.conf file: - - -# -# do we have any mail? -# -login auth optional pam_mail.so - - - -

-Note, some applications may perform this function themselves. In such
-cases, this module is not necessary.
-
-
-
-
diff --git a/contrib/libpam/doc/modules/pam_nologin.sgml b/contrib/libpam/doc/modules/pam_nologin.sgml
deleted file mode 100644
index de4b32a8efbd..000000000000
--- a/contrib/libpam/doc/modules/pam_nologin.sgml
+++ /dev/null
@@ -1,75 +0,0 @@
-
-
-The no-login module
-
-Synopsis
-
-

- - -Module Name: -Author: -Written by Michael K. Johnson <johnsonm@redhat.com> -(based on code taken from a module written by Andrew G. Morgan -<morgan@parc.power.net>). - -Maintainer: -Michael K. Johnson <johnsonm@redhat.com> - -Management groups provided: -authentication - -Cryptographically sensitive: - -Security rating: - -Clean code base: -1 warning about dropping const - -System dependencies: - -Network aware: - - - -Overview of module - -

-Provides standard Unix Authentication component - -

- - -Recognized arguments: - -Description: - -Provides standard Unix /etc/nologin exists, only root is allowed to log in; other -users are turned away with an error message. All users (root or -otherwise) are shown the contents of /etc/nologin. - -

-If the file /etc/nologin does not exist, this module succeeds
-silently.
-
-Examples/suggested usage:
-
-In order to make this module effective, all login methods should
-be secured by it. It should be used as a required
-method listed before any sufficient methods in order to
-get standard Unix nologin semantics.
-
-
-
-
diff --git a/contrib/libpam/doc/modules/pam_permit.sgml b/contrib/libpam/doc/modules/pam_permit.sgml
deleted file mode 100644
index 84df9fc1754f..000000000000
--- a/contrib/libpam/doc/modules/pam_permit.sgml
+++ /dev/null
@@ -1,83 +0,0 @@
-
-
-The promiscuous module
-
-Synopsis
-
-

- - -Module Name: -pam_permit - -Author: -Andrew G. Morgan, <morgan@parc.power.net> - -Maintainer: -Linux-PAM maintainer. - -Management groups provided: -account; authentication; password; session - -Cryptographically sensitive: - -Security rating: -VERY LOW. Use with extreme caution. - -Clean code base: -Clean. - -System dependencies: - -Network aware: - - - -Overview of module - -

-This module is very dangerous. It should be used with extreme
-caution. Its action is always to permit access. It does nothing else.
-
-Account+Authentication+Password+Session components
-
-

- - -Recognized arguments: - -Description: - -No matter what management group, the action of this module is to -simply return -In the case of authentication, the user's name will be acquired. Many -applications become confused if this name is unknown. - -Examples/suggested usage: - -It is seldom a good idea to use this module. However, it does have -some legitimate uses. For example, if the system-administrator wishes -to turn off the account management on a workstation, and at the same -time continue to allow logins, then she might use the following -configuration file entry for login: - - -# -# add this line to your other login entries to disable account -# management, but continue to permit users to log in... -# -login account required pam_permit.so - - - - - - diff --git a/contrib/libpam/doc/modules/pam_pwdb.sgml b/contrib/libpam/doc/modules/pam_pwdb.sgml deleted file mode 100644 index c9f7bff1124a..000000000000 --- a/contrib/libpam/doc/modules/pam_pwdb.sgml +++ /dev/null @@ -1,245 +0,0 @@ - - -The Password-Database module - -Synopsis - -

- - -Module Name: -pam_pwdb - -Author: -Cristian Gafton <gafton@redhat.com> -and Andrew G. Morgan <morgan@parc.power.net> - -Maintainer: -Authors. - -Management groups provided: -account; authentication; password; session - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: -Requires properly configured Network aware: - - - -Overview of module - -

-This module is a pluggable replacement for the . - -Account component - -

- - -Recognized arguments: -Description: - -The Examples/suggested usage: - -In its accounting mode, this module can be inserted as follows: - - -# -# Ensure users account and password are still active -# -login account required pam_pwdb.so - - - - - -Authentication component - -

- - -Recognized arguments: -Description: - -The -The default action of this module is to not permit the user access to -a service if their -When given the argument -The argument, nodelay, can be used to discourage the -authentication component from requesting a delay should the -authentication as a whole fail. The default action is for the module -to request a delay-on-failure of the order of one second. - -

-Remaining arguments, supported by the other functions of this module, -are silently ignored. Other arguments are logged as errors through - -A helper binary, pwdb_chkpwd, is provided to check the user's -password when it is stored in a read protected database. This binary -is very simple and will only check the password of the user invoking -it. It is called transparently on behalf of the user by the -authenticating component of this module. In this way it is possible -for applications like xlock to work without being setuid-root. - -Examples/suggested usage: - -The correct functionality of this module is dictated by having an -appropriate /etc/pwdb.conf file, the user -databases specified there dictate the source of the authenticated -user's record. - - - -Password component - -

- - -Recognized arguments: -Description: - -This part of the -In the case of conventional unix databases (which store the password -encrypted) the -The -The argument -The -The Examples/suggested usage: - -An example of the stacking of this module with respect to the -pluggable password checking module, - -Session component - -

- - -Recognized arguments: - -Description: - -No arguments are recognized by this module component. Its action is -simply to log the username and the service-type to -Examples/suggested usage: - -The use of the session modules is straightforward: - - -# -# pwdb - unix like session opening and closing -# -login session required pam_pwdb.so - - - - - - diff --git a/contrib/libpam/doc/modules/pam_radius.sgml b/contrib/libpam/doc/modules/pam_radius.sgml deleted file mode 100644 index 4d5f39ab3422..000000000000 --- a/contrib/libpam/doc/modules/pam_radius.sgml +++ /dev/null @@ -1,117 +0,0 @@ - - -The RADIUS session module - -Synopsis - -

- - -Module Name: -Author: -Cristian Gafton <gafton@redhat.com> - -Maintainer: -Author. - -Management groups provided: -session - -Cryptographically sensitive: -This module does not deal with passwords - -Security rating: - -Clean code base: -gcc reports 1 warning when compiling /usr/include/rpc/clnt.h. -Hey, is not my fault ! - -System dependencies: - -Network aware: - -yes; this is a network module (independent of application). - - - -Overview of module - -

-This module is intended to provide the session service for users -autheticated with a RADIUS server. At the present stage, the only -option supported is the use of the RADIUS server as an accounting -server. - -Session component - -

- - -Recognized arguments: - -Description: - -This module is intended to provide the session service for users -autheticated with a RADIUS server. At the present stage, the only -option supported is the use of the RADIUS server as an -(There are few things which needs to be cleared out first in -the PAM project until one will be able to use this module and expect -it to magically start pppd in response to a RADIUS server command to -use PPP for this user, or to initiate a telnet connection to another -host, or to hang and call back the user using parameters provided in -the RADIUS server response. Most of these things are better suited for -the radius login application. I hope to make available Real Soon (tm) -patches for the login apps to make it work this way.) - -

-When opening a session, this module sends an ``Accounting-Start'' -message to the RADIUS server, which will log/update/whatever a -database for this user. On close, an ``Accounting-Stop'' message is -sent to the RADIUS server. - -

-This module has no other prerequisites for making it work. One can -install a RADIUS server just for fun and use it as a centralized -accounting server and forget about wtmp/last/sac etc. . - -Examples/suggested usage: - -For the services that need this module (/etc/pam.conf as the last line for that -service (usually after the pam_unix session line): - - -login session required pam_radius.so - - -Replace -This module make extensive use of the API provided in libpwdb -0.54preB or later. By default, it will read the radius server -configuration (hostname and secret) from /etc/raddb/server. -This is a default compiled into libpwdb, and curently there is no way to -modify this default without recompiling libpwdb. I am working on -extending the radius support from libpwdb to provide a possibility -to make this runtime-configurable. - -Also please note that libpwdb will require also the RADIUS -dictionary to be present (/etc/raddb/dictionary). - - - - - diff --git a/contrib/libpam/doc/modules/pam_rhosts.sgml b/contrib/libpam/doc/modules/pam_rhosts.sgml deleted file mode 100644 index 91001022a2b0..000000000000 --- a/contrib/libpam/doc/modules/pam_rhosts.sgml +++ /dev/null @@ -1,157 +0,0 @@ - - -The rhosts module - -Synopsis - -

- - -Module Name: -Author: -Al Longyear <longyear@netcom.com> - -Maintainer: - -Management groups provided: -authentication - -Cryptographically sensitive: - -Security rating: - -Clean code base: -Clean. - -System dependencies: - -Network aware: -Standard - -Overview of module - -

-This module performs the standard network authentication for services, -as used by traditional implementations of Authentication component - -

- - -Recognized arguments: -Description: - -The authentication mechanism of this module is based on the contents -of two files; /etc/hosts.equiv (or #include <netdb.h>) and ~/.rhosts. Firstly, -hosts listed in the former file are treated as equivalent to the -localhost. Secondly, entries in the user's own copy of the latter file -is used to map "/etc/hosts.equiv and their remote account -is identical to their local one, or if their remote account has an -entry in their personal configuration file. - -

-Some restrictions are applied to the attributes of the user's personal -configuration file: it must be a regular file (as defined by - -The module authenticates a remote user (internally specified by the -item -In the case of /etc/host.equiv file is - -The behavior of the module is modified by flags: - - - - -/etc/hosts.equiv file. - - -~/.rhosts. - - -~/.rhosts file must not be writable by anyone -other than its owner. This option overlooks group write access in the -case that the group owner of this file has the same name as the -user being authenticated. To lessen the security problems associated -with this option, the module also checks that the user is the only -member of their private group. - - - - -Examples/suggested usage: - -To allow users to login from trusted remote machines, you should try -adding the following line to your /etc/pam.conf file - - -# -# No passwords required for users from hosts listed above. -# -login auth sufficient pam_rhosts_auth.so no_rhosts - - -Note, in this example, the system administrator has turned off all -/etc/host.equiv file, by replacing - - diff --git a/contrib/libpam/doc/modules/pam_rootok.sgml b/contrib/libpam/doc/modules/pam_rootok.sgml deleted file mode 100644 index ff6aa86e34da..000000000000 --- a/contrib/libpam/doc/modules/pam_rootok.sgml +++ /dev/null @@ -1,85 +0,0 @@ - - -The root access module - -Synopsis - -

- - -Module Name: -pam_rootok - -Author: -Andrew G. Morgan <morgan@parc.power.net> - -Maintainer: -Linux-PAM maintainer - -Management groups provided: -authentication - -Cryptographically sensitive: - -Security rating: - -Clean code base: -Clean. - -System dependencies: - -Network aware: - - - -Overview of module - -

-This module is for use in situations where the superuser wishes -to gain access to a service without having to enter a password. - -Authentication component - -

- - -Recognized arguments: -Description: - -This module authenticates the user if their Examples/suggested usage: - -In the case of the - -# -# su authentication. Root is granted access by default. -# -su auth sufficient pam_rootok.so -su auth required pam_unix_auth.so - - - -

-Note. For programs that are run by the superuser (or started when the
-system boots) this module should not be used to authenticate users.
-
-
-
-
diff --git a/contrib/libpam/doc/modules/pam_securetty.sgml b/contrib/libpam/doc/modules/pam_securetty.sgml
deleted file mode 100644
index 276ae90435c2..000000000000
--- a/contrib/libpam/doc/modules/pam_securetty.sgml
+++ /dev/null
@@ -1,72 +0,0 @@
-
-
-The securetty module
-
-Synopsis
-
-

- - -Module Name: -Author[s]: -Elliot Lee <sopwith@cuc.edu> - -Maintainer: -Red Hat Software: - -(if unavailable, contact Elliot Lee <sopwith@cuc.edu>). - -Management groups provided: -authentication - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: -/etc/securetty file - -Network aware: - -Requires the application to fill in the PAM_TTY item -correctly in order to act meaningfully. - - - -Overview of module - -

-Provides standard Unix securetty checking. - -Authentication component - -

-
-
-Recognized arguments:
-
-Description:
-
-Provides standard Unix securetty checking, which causes authentication
-for root to fail unless PAM_TTY is set to a string listed in
-the /etc/securetty file. For all other users, it succeeds.
-
-Examples/suggested usage:
-
-For canonical usage, should be listed as a required
-authentication method before any sufficient authentication
-methods.
-
-
-
-
diff --git a/contrib/libpam/doc/modules/pam_time.sgml b/contrib/libpam/doc/modules/pam_time.sgml
deleted file mode 100644
index 0b3cddfcb44a..000000000000
--- a/contrib/libpam/doc/modules/pam_time.sgml
+++ /dev/null
@@ -1,166 +0,0 @@
-
-
-Time control
-
-Synopsis
-
-

- - -Module Name: -Author: -Andrew G. Morgan <morgan@parc.power.net> - -Maintainer: -Author - -Management groups provided: -account - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: -Requires a configuration file /etc/security/time.conf - -Network aware: -Through the - -Overview of module - -

-Running a well regulated system occasionally involves restricting -access to certain services in a selective manner. This module offers -some time control for access to services offered by a system. Its -actions are determined with a configuration file. This module can be -configured to deny access to (individual) users based on their name, -the time of day, the day of week, the service they are applying for -and their terminal from which they are making their request. - -Account component - -

- - -Recognized arguments: - -Description: - -This module bases its actions on the rules listed in its configuration -file: /etc/security/pam.conf. Each rule has the following -form, - - -In words, each rule occupies a line, terminated with a newline or the -beginning of a comment; a ` - - -By a logic list we mean a sequence of tokens (associated with the -appropriate !morgan&!root, indicating that this rule -does not apply to the user morgan nor to root; and -tty*&!ttyp*, which indicates that the rule applies only -to console terminals but not pseudoterminals. - - - -Mo Tu We Th Fr Sa Su Wk Wd Al - - -The last two of these being -The time range part is a pair of 24-hour times, - -

-Note, that the given time restriction is only applied when the first -three fields are satisfied by a user's application for service. - -

-For convenience and readability a rule can be extended beyond a single -line with a `\Examples/suggested usage: - -The use of this module is initiated with an entry in the - - -# -# apply pam_time accounting to login requests -# -login account required pam_time.so - - -where, here we are applying the module to the -Some examples of rules that can be placed in the -/etc/security/time.conf configuration file are the following: - - -login ; tty* & ; !ttyp* ; !root ; !Al0000-2400 -all users except for games ; * ; !waster ; Wd0000-2400 | Wk1800-0800 -games (configured to use Linux-PAM) are only to be accessed out of -working hours. This rule does not apply to the user - -

-Note, currently there is no daemon enforcing the end of a session. -This needs to be remedied. - -

-Poorly formatted rules are logged as errors using
-
-
diff --git a/contrib/libpam/doc/modules/pam_warn.sgml b/contrib/libpam/doc/modules/pam_warn.sgml
deleted file mode 100644
index 6e81f187f694..000000000000
--- a/contrib/libpam/doc/modules/pam_warn.sgml
+++ /dev/null
@@ -1,67 +0,0 @@
-
-
-Warning logger module
-
-Synopsis
-
-

- - -Module Name: -Author: -Andrew G. Morgan <morgan@parc.power.net> - -Maintainer: -Author. - -Management groups provided: -authentication; password - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: - -Network aware: -logs information about the remote user and host (if pam-items are known) - - - -Overview of module - -

-This module is principally for logging information about a -proposed authentication or application to update a password. - -Authentication+Password component - -

- - -Recognized arguments: - -Description: - -Log the service, terminal, user, remote user and remote host to -Examples/suggested usage: - -an example is provided in the configuration file section . - - - - diff --git a/contrib/libpam/doc/modules/pam_wheel.sgml b/contrib/libpam/doc/modules/pam_wheel.sgml deleted file mode 100644 index 9139695fec84..000000000000 --- a/contrib/libpam/doc/modules/pam_wheel.sgml +++ /dev/null @@ -1,124 +0,0 @@ - - -The wheel module - -Synopsis - -

- - -Module Name: -Author: -Cristian Gafton <gafton@redhat.com> - -Maintainer: -Author. - -Management groups provided: -authentication - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: -Requires libpwdb. - -Network aware: - - - -Overview of module - -

-Only permit root access to members of the wheel (Authentication component - -

- - -Recognized arguments: -Description: - -This module is used to enforce the so-called wheel group. By default, -it permits root access to the system if the applicant user is a member -of the -The action of the module may be modified from this default by one or -more of the following flags in the /etc/pam.conf file. - - - - - - - - -Examples/suggested usage: - -To restrict access to superuser status to the members of the - - -# -# root gains access by default (rootok), only wheel members can -# become root (wheel) but Unix authenticate non-root applicants. -# -su auth sufficient pam_rootok.so -su auth required pam_wheel.so -su auth required pam_unix_auth.so - - - - - - diff --git a/contrib/libpam/doc/ps/README b/contrib/libpam/doc/ps/README deleted file mode 100644 index 6234e14f8f8e..000000000000 --- a/contrib/libpam/doc/ps/README +++ /dev/null @@ -1,3 +0,0 @@ -$Id: README,v 1.1 1996/11/10 19:28:16 morgan Exp $ - -this is the directory for the postscipt documentation diff --git a/contrib/libpam/doc/specs/draft-morgan-pam-00.raw b/contrib/libpam/doc/specs/draft-morgan-pam-00.raw deleted file mode 100644 index 6e37b86a6868..000000000000 --- a/contrib/libpam/doc/specs/draft-morgan-pam-00.raw +++ /dev/null 
@@ -1,270 +0,0 @@ -PAM working group ## A.G. Morgan -Internet Draft: ## March 24, 1998 -Document: draft-morgan-pam-00.txt ## -Expires: September 24, 1998 ## -Obsoletes: ## - -## Pluggable Authentication Modules ## - -#$ Status of this memo - -This document is an Internet-Draft. Internet-Drafts are working -documents of the Internet Engineering Task Force (IETF), its areas, -and its working groups. Note that other groups may also distribute -working documents as Internet-Drafts. - -Internet-Drafts are draft documents valid for a maximum of six months -and may be updated, replaced, or obsoleted by other documents at any -time. It is inappropriate to use Internet- Drafts as reference -material or to cite them other than as "work in progress." - -To view the entire list of current Internet-Drafts, please check the -"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow -Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe), -ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Rim), -ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). - -#$ Abstract - -This document is concerned with the definition of a general -infrastructure for module based authentication. The infrastructure is -named Pluggable Authentication Modules (PAM for short). - -#$ Introduction - -Computers are tools. They provide services to people and other -computers (collectively we shall call these "users" entities). In -order to provide convenient, reliable and individual service to -different entities, it is common for entities to be labelled. Having -defined a label as refering to a some specific entity, the label is -used for the purpose of protecting and allocating data resources. - -All modern operating systems have a notion of labelled entities and -all modern operating systems face a common problem: how to -authenticate the association of a predefined label with applicant -entities. 
- -There are as many authentication methods as one might care to count. -None of them are perfect and none of them are invulnerable. In -general, any given authentication method becomes weaker over time. It -is common then for new authentication methods to be developed in -response to newly discovered weaknesses in the old authentication -methods. - -The problem with reinventing authentication methods is the fact that -old applications do not support them. This contributes to an inertia -that discourages the overhaul of weakly protected systems. Another -problem is that individuals (people) are frequently powerless to layer -the protective authentication around their systems. They are forced -to rely on single (lowest common denominator) authentication schemes -even in situations where this is far from appropriate. - -PAM, as discussed in this document, is a generalization of the -approach first introduced in [#$R#{OSF_RFC_PAM}]. In short, it is a -general framework of interfaces that abstract the process of -authentication. With PAM, a service provider can custom protect -individual services to the level that they deam is appropriate. - -PAM has nothing explicit to say about transport layer encryption. -Within the context of this document encryption and/or compression of -data exchanges are application specific (strictly between client and -server). - -#$ Definitions - -Here we pose the authentication problem as one of configuring defined -interfaces between two entities. - -#$$#{players} Players in the authentication process - -PAM reserves the following words to specify unique entities in the -authentication process: - - applicant - the entity (user) initiating an application for service - [PAM associates PAM_RUSER with this requesting user]. - - arbitrator - the entity (user) under who's identity the service application - is negotiated and with who's authority service is granted. 
- - user - the entity (user) who's identity is being authenticated - [PAM associates PAM_USER with this identity]. - - server - the application that provides service, or acts as an - authenticated gateway to the requested service. This - application is completely responsible for the transport - layer. PAM makes no assumptions about how data is - exchanged between the server and the client. - - client - application providing the direct/primary interface to - applicant. This application is completely responsible - for transporting client-side data to the server. - PAM makes no assumptions about how data is exchanged between - the client and the server. - - module - authentication binary that provides server-side support for - some authentication method. - - agent - authentication binary that provides client-side support for - some authentication method. - -#$$ Special cases - -In the previous section (#{players}) we identified the most general -selection of authentication participants. In the case of network -authentication, it is easy to ascribe identities to the defined -players. However, there are special (less general) cases and we -recognize them here. - -The primary authentication step, when a user is directly introduced -into a computer system (log's on to a workstation) is a special case. -In this situation, the "client" and the "server" are generally one -application. Before authenticating such a user, the "applicant" is -formally unknown. - -#$ Defined interfaces - -Here, we discuss the formal interfaces between the players in the -authentication process. - -#$$#{applicant_client} Applicant <-> client - -Once the client is invoked, requests to the applicant entity are -initiated by the client application. 
General clients are able to make -the following requests to an applicant: - - echo text - echo error - prompt for echo'd text input - prompt for concealed text input - -the nature of the interface provided by the client for the benefit of -the applicant entity is client specific and not defined by PAM. - -#$$ Client <-> agent - -In general, authentication schemes require more modes of exchange than -the four defined in the previous section (#{applicant_client}). This -provides a role for client-loadable agents. The client and agent -exchange binary-messages that can have one of the following forms: - - client -> agent - prompt for binary data packet using a binary packet - - agent -> client - set environment variable - get environment variable - echo text - echo error - prompt for echo'd text input - prompt for concealed text input - -The single defined procedure for exchange is that the client first -prompts the agent with a binary packet and expects to receive a binary -(response) packet in return. Before returning the binary response, -the agent may request an arbitrary number of exchanges with the client. - -#$$ Client <-> server - -Once the client has established a connection with the server (the -nature of the transport protocol is not specified by PAM), the server -is reponsible for driving the authentication process. - -General servers can request the following from the client: - - (directed to the applicant) - echo text - echo error - prompt for echo'd text response - prompt for concealed text response - - (directed to the appropriate agent) - binary prompt for a binary response - -Client side agents are required to process binary prompts. Their -binary responses are passed directly back to the server. - -#$$ Server <-> module - -Modules drive the authentication process. The server provides a -conversation function with which it encapsulates module-generated -requests and exchanges them with the client. 
- -General conversation functions can support the following five -"conversation" requests: - - echo text - echo error - prompt for echo'd text response - prompt for concealed text response - prompt for binary packet with binary packet - -The server is responsible for redirecting these requests to the -client. - -#$ C API for defined interfaces - -#$$ Applicant <-> client - -No API is defined for this interface. The interface is considered to -be specific to the client application. Example applications include -terminal login, (X)windows login, machine file transfer applications. - -#$$ Client <-> agent - -This interface is concerned with the exchange of "binary prompts". A -binary prompt has the following form: { 4 8-bit bytes in network order -encoding an unsigened 32 bit integer (length), 4 8-bit bytes in -network order encoding an unsigened 32 bit integer (control), -"length-4" 8-bit bytes bytes comprising upto 2^32-4 bytes of binary -data }. - -## [ u32 | u32 | (length-4 bytes) ] ## -## length control data ## - -The composition of the "data" is not specified. 
Valid control values -are: - -##control value | used by | description ## -##------------------------------------------------------------------## -## | | ## -##PAMC_CONTROL_OK | agent | agent is happy ## -##PAMC_CONTROL_FAIL | agent | agent failed ## -##PAMC_CONTROL_BUSY | agent | agent is busy ## -##PAMC_CONTROL_PUTENV | agent | set envvar of client ## -##PAMC_CONTROL_GETENV | agent | want envvar of client ## -##PAMC_CONTROL_GETECHO | agent | echo'd prompt to applicant## -##PAMC_CONTROL_GETNOECHO | agent | secret prompt to applicant## -##PAMC_CONTROL_PUTTEXT | agent | echo text to applicant ## -##PAMC_CONTROL_SELECT | client | client selects named agent## -##PAMC_CONTROL_EXCHANGE | client+agent | data exchange packet ## -##PAMC_CONTROL_DONE | agent | agent has completed ## -##PAMC_CONTROL_EMPTY | agent | agent has no reply ## - -#$ Security considerations - -This document is devoted to standardizing authentication -infrastructure: everything in this document has implications for -security. - -#$ Contact - -The email list for discussing issues related to this document is -. - -#$ References - -[#{OSF_RFC_PAM}] OSF RFC 86.0, "Unified Login with Pluggable Authentication - Modules (PAM)", October 1995 - -#$ Author's Address - -Andrew Morgan -Email: morgan@ftp.kernel.org - diff --git a/contrib/libpam/doc/specs/formatter/Makefile b/contrib/libpam/doc/specs/formatter/Makefile deleted file mode 100644 index d73258d7819f..000000000000 --- a/contrib/libpam/doc/specs/formatter/Makefile +++ /dev/null @@ -1,16 +0,0 @@ -LIBS=-lfl - -padout: parse.tab.o - $(CC) -o padout parse.tab.o $(LIBS) - -parse.tab.o: parse.tab.c lex.yy.c - $(CC) -c parse.tab.c - -parse.tab.c: parse.y - bison parse.y - -lex.yy.c: parse.lex - flex parse.lex - -clean: - rm -f parse.tab.o parse.tab.c lex.yy.c padout *~ core diff --git a/contrib/libpam/doc/specs/formatter/parse.lex b/contrib/libpam/doc/specs/formatter/parse.lex deleted file mode 100644 index 1d5c898e0549..000000000000 
--- a/contrib/libpam/doc/specs/formatter/parse.lex
+++ /dev/null
@@ -1,11 +0,0 @@
-%%
-
-\#[\$]+[a-zA-Z]*(\=[0-9]+)? return NEW_COUNTER;
-\#\{[a-zA-Z][a-zA-Z0-9\_]*\} return LABEL;
-\# return NO_INDENT;
-\#\# return RIGHT;
-\\\# return HASH;
-[^\n] return CHAR;
-[\n] return NEWLINE;
-
-%%
diff --git a/contrib/libpam/doc/specs/formatter/parse.y b/contrib/libpam/doc/specs/formatter/parse.y
deleted file mode 100644
index 6da47d17e9a0..000000000000
--- a/contrib/libpam/doc/specs/formatter/parse.y
+++ /dev/null
@@ -1,293 +0,0 @@ - -%{ -#include -#include -#include - -#define MAXLINE 1000 -#define INDENT_STRING " " -#define PAPER_WIDTH 74 - - int indent=0; - int line=1; - char *last_label=NULL; - - extern void yyerror(const char *x); - extern char *get_label(const char *label); - extern void set_label(const char *label, const char *target); - char *new_counter(const char *key); - -#include "lex.yy.c" - -%} - -%union { - int def; - char *string; -} - -%token NEW_COUNTER LABEL HASH CHAR NEWLINE NO_INDENT RIGHT -%type stuff text - -%start doc - -%% - -doc: -| doc NEWLINE { - printf("\n"); - ++line; -} -| doc stuff NEWLINE { - if (strlen($2) > (PAPER_WIDTH-(indent ? strlen(INDENT_STRING):0))) { - yyerror("line too long"); - } - printf("%s%s\n", indent ? INDENT_STRING:"", $2); - free($2); - indent = 1; - ++line; -} -| doc stuff RIGHT stuff NEWLINE { - char fixed[PAPER_WIDTH+1]; - int len; - - len = PAPER_WIDTH-(strlen($2)+strlen($4)); - - if (len >= 0) { - memset(fixed, ' ', len); - fixed[len] = '\0'; - } else { - yyerror("line too wide"); - fixed[0] = '\0'; - } - printf("%s%s%s\n", $2, fixed, $4); - free($2); - free($4); - indent = 1; - ++line; -} -| doc stuff RIGHT stuff RIGHT stuff NEWLINE { - char fixed[PAPER_WIDTH+1]; - int len, l; - - len = PAPER_WIDTH-(strlen($2)+strlen($4)); - - if (len < 0) { - len = 0; - yyerror("line too wide"); - } - - l = len/2; - memset(fixed, ' ', l); - fixed[l] = '\0'; - printf("%s%s%s", $2, fixed, $4); - free($2); - free($4); - - l = (len+1)/2; - memset(fixed, ' ', l); - fixed[l] = '\0'; - printf("%s%s\n", fixed, $6); - free($6); - - indent = 1; - ++line; -} -| doc stuff RIGHT stuff RIGHT stuff NEWLINE { - char fixed[PAPER_WIDTH+1]; - int len, l; - - len = PAPER_WIDTH-(strlen($2)+strlen($4)); - - if (len < 0) { - len = 0; - yyerror("line too wide"); - } - - l = len/2; - memset(fixed, ' ', l); - fixed[l] = '\0'; - printf("%s%s%s", $2, fixed, $4); - free($2); - free($4); - - l = (len+1)/2; - memset(fixed, ' ', l); - fixed[l] = '\0'; - 
printf("%s%s\n", fixed, $6); - free($6); - - indent = 1; - ++line; -} -; - -stuff: { - $$ = strdup(""); -} -| stuff text { - $$ = malloc(strlen($1)+strlen($2)+1); - sprintf($$,"%s%s", $1, $2); - free($1); - free($2); -} -; - -text: CHAR { - $$ = strdup(yytext); -} -| text CHAR { - $$ = malloc(strlen($1)+2); - sprintf($$,"%s%s", $1, yytext); - free($1); -} -| NO_INDENT { - $$ = strdup(""); - indent = 0; -} -| HASH { - $$ = strdup("#"); -} -| LABEL { - if (($$ = get_label(yytext)) == NULL) { - set_label(yytext, last_label); - $$ = strdup(""); - } -} -| NEW_COUNTER { - $$ = new_counter(yytext); -} -; - -%% - -typedef struct node_s { - struct node_s *left, *right; - const char *key; - char *value; -} *node_t; - -node_t label_root = NULL; -node_t counter_root = NULL; - -const char *find_key(node_t root, const char *key) -{ - while (root) { - int cmp = strcmp(key, root->key); - - if (cmp > 0) { - root = root->right; - } else if (cmp) { - root = root->left; - } else { - return root->value; - } - } - return NULL; -} - -node_t set_key(node_t root, const char *key, const char *value) -{ - if (root) { - int cmp = strcmp(key, root->key); - if (cmp > 0) { - root->right = set_key(root->right, key, value); - } else if (cmp) { - root->left = set_key(root->left, key, value); - } else { - free(root->value); - root->value = strdup(value); - } - } else { - root = malloc(sizeof(struct node_s)); - root->right = root->left = NULL; - root->key = strdup(key); - root->value = strdup(value); - } - return root; -} - -void yyerror(const char *x) -{ - fprintf(stderr, "line %d: %s\n", line, x); -} - -char *get_label(const char *label) -{ - const char *found = find_key(label_root, label); - - if (found) { - return strdup(found); - } - return NULL; -} - -void set_label(const char *label, const char *target) -{ - if (target == NULL) { - yyerror("no hanging value for label"); - target = ""; - } - label_root = set_key(label_root, label, target); -} - -char *new_counter(const char *key) -{ - int i=0, 
j, ndollars = 0; - const char *old; - char *new; - - if (key[i++] != '#') { - yyerror("bad index"); - return strdup(""); - } - - while (key[i] == '$') { - ++ndollars; - ++i; - } - - key += i; - old = find_key(counter_root, key); - new = malloc(20*ndollars); - - if (old) { - for (j=0; ndollars > 1 && old[j]; ) { - if (old[j++] == '.' && --ndollars <= 0) { - break; - } - } - if (j) { - strncpy(new, old, j); - } - if (old[j]) { - i = atoi(old+j); - } else { - new[j++] = '.'; - i = 0; - } - } else { - j=0; - while (--ndollars > 0) { - new[j++] = '0'; - new[j++] = '.'; - } - i = 0; - } - new[j] = '\0'; - sprintf(new+j, "%d", ++i); - - counter_root = set_key(counter_root, key, new); - - if (last_label) { - free(last_label); - } - last_label = strdup(new); - - return new; -} - -main() -{ - yyparse(); -} diff --git a/contrib/libpam/doc/txts/README b/contrib/libpam/doc/txts/README deleted file mode 100644 index b62bc2d7448a..000000000000 --- a/contrib/libpam/doc/txts/README +++ /dev/null @@ -1,3 +0,0 @@ -$Id: README,v 1.1 1996/11/10 19:18:06 morgan Exp $ - -This is a directory for text versions of the pam documentation diff --git a/contrib/libpam/examples/Makefile b/contrib/libpam/examples/Makefile deleted file mode 100644 index 063f24d0df03..000000000000 --- a/contrib/libpam/examples/Makefile +++ /dev/null 
@@ -1,42 +0,0 @@ -# -# $Id: Makefile,v 1.10 1996/11/10 19:50:59 morgan Exp $ -# - -dummy: - - @echo "*** This is not a top level Makefile!" - -PROGS = blank xsh check_user -SRCS = blank.c xsh.c check_user.c - -# have removed the following pair since they no longer conform to -# any recognized conventions: vpass test -# ditto: vpass.c test.c - -PROGSUID = - -all: $(PROGS) - -check_user: check_user.o - $(CC) $(CFLAGS) -o $@ $< $(LOADLIBES) - -blank: blank.o - $(CC) $(CFLAGS) -o $@ $< $(LOADLIBES) - -xsh: xsh.o - $(CC) $(CFLAGS) -o $@ $< $(LOADLIBES) - -install: all - if [ -n "$(PROGS)" ]; then cp $(PROGS) ../bin ; fi - if [ -n "$(PROGSUID)" ]; then \ - $(INSTALL) -m 4555 -o root -g bin $(PROGSUID) ../bin ; fi - -clean: - rm -f *.a *.so *.o *~ $(PROGS) $(PROGSUID) - -remove: - cd ../bin ; rm -f $(PROGS) $(PROGSUID) - -extraclean: clean - rm -f *.a *.out *.o *.so - for x in $(PROGS) $(PROGSUID) ; do rm -f ../bin/$$x ; done diff --git a/contrib/libpam/examples/blank.c b/contrib/libpam/examples/blank.c deleted file mode 100644 index 3808e5589f80..000000000000 --- a/contrib/libpam/examples/blank.c +++ /dev/null 
@@ -1,173 +0,0 @@ -/* - * $Id: blank.c,v 1.7 1996/12/01 03:16:53 morgan Exp morgan $ - * - * $Log: blank.c,v $ - * Revision 1.7 1996/12/01 03:16:53 morgan - * added setcred closing function - * - * Revision 1.6 1996/11/10 19:51:40 morgan - * minor change to avoid gcc warning - * - * Revision 1.5 1996/07/07 23:53:05 morgan - * added optional fail delay (non-standard Linux-PAM) - * - * Revision 1.4 1996/05/02 04:44:18 morgan - * moved conversation to a libmisc library routine. - * - * - */ - -/* Andrew Morgan (morgan@parc.power.net) -- a self contained `blank' - * application - * - * I am not very proud of this code. It makes use of a possibly ill- - * defined pamh pointer to call pam_strerror() with. The reason that - * I was sloppy with this is historical (pam_strerror, prior to 0.59, - * did not require a pamh argument) and if this program is used as a - * model for anything, I should wish that you will take this error into - * account. - */ - -#include -#include - -#include -#include - -/* ------ some local (static) functions ------- */ - -static void bail_out(pam_handle_t *pamh, int really, int code, const char *fn) -{ - fprintf(stderr,"==> called %s()\n got: `%s'\n", fn, - pam_strerror(pamh, code)); - if (really && code) - exit (1); -} - -/* ------ some static data objects ------- */ - -static struct pam_conv conv = { - misc_conv, - NULL -}; - -/* ------- the application itself -------- */ - -void main(int argc, char **argv) -{ - pam_handle_t *pamh=NULL; - char *username=NULL; - int retcode; - - /* did the user call with a username as an argument ? 
*/ - - if (argc > 2) { - fprintf(stderr,"usage: %s [username]\n",argv[0]); - } else if (argc == 2) { - username = argv[1]; - } - - /* initialize the Linux-PAM library */ - retcode = pam_start("blank", username, &conv, &pamh); - bail_out(pamh,1,retcode,"pam_start"); - - /* test the environment stuff */ - { -#define MAXENV 15 - const char *greek[MAXENV] = { - "a=alpha", "b=beta", "c=gamma", "d=delta", "e=epsilon", - "f=phi", "g=psi", "h=eta", "i=iota", "j=mu", "k=nu", - "l=zeta", "h=", "d", "k=xi" - }; - char **env; - int i; - - for (i=0; i - slight modifications by AGM. - - You need to add the following (or equivalent) to the /etc/pam.conf file. - # check authorization - check auth required pam_unix_auth.so - check account required pam_unix_acct.so - - $Log: check_user.c,v $ - Revision 1.1 1996/11/10 21:19:30 morgan - Initial revision - - */ - -#include -#include -#include - -static struct pam_conv conv = { - misc_conv, - NULL -}; - -int main(int argc, char *argv[]) -{ - pam_handle_t *pamh=NULL; - int retval; - const char *user="nobody"; - - if(argc == 2) { - user = argv[1]; - } - - if(argc > 2) { - fprintf(stderr, "Usage: check_user [username]\n"); - exit(1); - } - - retval = pam_start("check", user, &conv, &pamh); - - if (retval == PAM_SUCCESS) - retval = pam_authenticate(pamh, 0); /* is user really user? */ - - if (retval == PAM_SUCCESS) - retval = pam_acct_mgmt(pamh, 0); /* permitted access? */ - - /* This is where we have been authorized or not. */ - - if (retval == PAM_SUCCESS) { - fprintf(stdout, "Authenticated\n"); - } else { - fprintf(stdout, "Not Authenticated\n"); - } - - if (pam_end(pamh,retval) != PAM_SUCCESS) { /* close Linux-PAM */ - pamh = NULL; - fprintf(stderr, "check_user: failed to release authenticator\n"); - exit(1); - } - - return ( retval == PAM_SUCCESS ? 0:1 ); /* indicate success */ -} diff --git a/contrib/libpam/examples/test.c b/contrib/libpam/examples/test.c deleted file mode 100644 index 0a1f5a6168fb..000000000000 
--- a/contrib/libpam/examples/test.c
+++ /dev/null
@@ -1,99 +0,0 @@ -/* - * $Log: test.c,v $ - * Revision 1.3 1996/03/10 00:14:20 morgan - * made lines less than 80 chars long. - * - * Revision 1.2 1996/03/09 09:16:26 morgan - * changed the header file that it includes. - * - * Revision 1.1 1996/03/09 09:13:34 morgan - * Initial revision - */ - -/* Marc Ewing (marc@redhat.com) - original test code - * Alexander O. Yuriev (alex@bach.cis.temple.edu) - * Andrew Morgan (morgan@physics.ucla.edu) - */ - -#include -#include -#include - -#include - -/* this program is not written to the PAM spec: it tests the - * pam_[sg]et_data() functions. Which is usually reserved for modules */ - -#include -#include - -#define USERNAMESIZE 1024 - -static int test_conv( int num_msg, - const struct pam_message **msgm, - struct pam_response **response, - void *appdata_ptr ) -{ - return 0; -} - -static struct pam_conv conv = { - test_conv, - NULL -}; - -static int cleanup_func(pam_handle_t *pamh, void *data, int error_status) -{ - printf("Cleaning up!\n"); - return PAM_SUCCESS; -} - -void main( void ) -{ - pam_handle_t *pamh; - char *name = ( char *) malloc( USERNAMESIZE + 1 ); - char *p = NULL; - char *s = NULL; - - if (! name ) - { - perror( "Ouch, don't have enough memory"); - exit( -1 ); - } - - - - - fprintf( stdout, "Enter a name of a user to authenticate : "); - name = fgets( name , USERNAMESIZE, stdin ); - if ( !name ) - { - perror ( "Hey, how can authenticate " - "someone whos name I don't know?" ); - exit ( -1 ); - } - - *( name + strlen ( name ) - 1 ) = 0; - - pam_start( "login", name, &conv, &pamh ); - - p = x_strdup( getpass ("Password: ") ); - if ( !p ) - { - perror ( "You love NULL pointers, " - "don't you? I don't "); - exit ( -1 ); - } - pam_set_item ( pamh, PAM_AUTHTOK, p ); - pam_get_item ( pamh, PAM_USER, (void**) &s); - pam_set_data(pamh, "DATA", "Hi there! 
I'm data!", cleanup_func); - pam_get_data(pamh, "DATA", (void **) &s); - printf("%s\n", s); - - fprintf( stdout, "*** Attempting to perform " - "PAM authentication...\n"); - fprintf( stdout, "%s\n", - pam_strerror( pam_authenticate( pamh, 0 ) ) ) ; - - pam_end(pamh, PAM_SUCCESS); -} diff --git a/contrib/libpam/examples/vpass.c b/contrib/libpam/examples/vpass.c deleted file mode 100644 index 617a5f2e8241..000000000000 --- a/contrib/libpam/examples/vpass.c +++ /dev/null @@ -1,47 +0,0 @@ -#include -#include -#include -#include -#include -#include - -static int test_conv(int num_msg, const struct pam_message **msgm, - struct pam_response **response, void *appdata_ptr) -{ - return 0; -} - -static struct pam_conv conv = { - test_conv, - NULL -}; - -int main(void) -{ - char *user; - pam_handle_t *pamh; - struct passwd *pw; - uid_t uid; - int res; - - uid = geteuid(); - pw = getpwuid(uid); - if (pw) { - user = pw->pw_name; - } else { - fprintf(stderr, "Invalid userid: %d\n", uid); - exit(1); - } - - pam_start("vpass", user, &conv, &pamh); - pam_set_item(pamh, PAM_TTY, "/dev/tty"); - if ((res = pam_authenticate(pamh, 0)) != PAM_SUCCESS) { - fprintf(stderr, "Oops: %s\n", pam_strerror(res)); - exit(1); - } - - pam_end(pamh, res); - exit(0); -} - - diff --git a/contrib/libpam/examples/xsh.c b/contrib/libpam/examples/xsh.c deleted file mode 100644 index ad134f6217ba..000000000000 --- a/contrib/libpam/examples/xsh.c +++ /dev/null 
@@ -1,139 +0,0 @@ -/* - * $Id: xsh.c,v 1.4 1996/11/10 21:09:45 morgan Exp morgan $ - * - * $Log: xsh.c,v $ - * Revision 1.4 1996/11/10 21:09:45 morgan - * no gcc warnings - * - * Revision 1.3 1996/07/07 23:53:36 morgan - * added support for non standard pam_fail_delay - * - * Revision 1.2 1996/05/02 04:44:48 morgan - * moved conversaation to a libmisc routine. - * - * Revision 1.1 1996/04/07 08:18:55 morgan - * Initial revision - * - */ - -/* Andrew Morgan (morgan@parc.power.net) -- an example application - * that invokes a shell, based on blank.c */ - -#include -#include - -#include -#include - -/* ------ some local (static) functions ------- */ - -static void bail_out(pam_handle_t *pamh,int really, int code, const char *fn) -{ - fprintf(stderr,"==> called %s()\n got: `%s'\n", fn, - pam_strerror(pamh,code)); - if (really && code) - exit (1); -} - -/* ------ some static data objects ------- */ - -static struct pam_conv conv = { - misc_conv, - NULL -}; - -/* ------- the application itself -------- */ - -void main(int argc, char **argv, char **envp) -{ - pam_handle_t *pamh=NULL; - char *username=NULL; - int retcode; - - /* did the user call with a username as an argument ? */ - - if (argc > 2) { - fprintf(stderr,"usage: %s [username]\n",argv[0]); - } else if (argc == 2) { - username = argv[1]; - } - - /* initialize the Linux-PAM library */ - retcode = pam_start("xsh", username, &conv, &pamh); - bail_out(pamh,1,retcode,"pam_start"); - - /* to avoid using goto we abuse a loop here */ - for (;;) { - /* authenticate the user --- `0' here, could have been PAM_SILENT - * | PAM_DISALLOW_NULL_AUTHTOK */ - - retcode = pam_authenticate(pamh, 0); - bail_out(pamh,0,retcode,"pam_authenticate"); - - /* has the user proved themself valid? */ - if (retcode != PAM_SUCCESS) { - fprintf(stderr,"%s: invalid request\n",argv[0]); - break; - } - - /* the user is valid, but should they have access at this - time? 
*/ - - retcode = pam_acct_mgmt(pamh, 0); /* `0' could be as above */ - bail_out(pamh,0,retcode,"pam_acct_mgmt"); - - if (retcode == PAM_NEW_AUTHTOK_REQD) { - fprintf(stderr,"Application must request new password...\n"); - retcode = pam_chauthtok(pamh,PAM_CHANGE_EXPIRED_AUTHTOK); - bail_out(pamh,0,retcode,"pam_chauthtok"); - } - - if (retcode != PAM_SUCCESS) { - fprintf(stderr,"%s: invalid request\n",argv[0]); - break; - } - - /* `0' could be as above */ - retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED); - bail_out(pamh,0,retcode,"pam_setcred"); - - if (retcode != PAM_SUCCESS) { - fprintf(stderr,"%s: problem setting user credentials\n" - ,argv[0]); - break; - } - - /* open a session for the user --- `0' could be PAM_SILENT */ - retcode = pam_open_session(pamh,0); - bail_out(pamh,0,retcode,"pam_open_session"); - if (retcode != PAM_SUCCESS) { - fprintf(stderr,"%s: problem opening a session\n",argv[0]); - break; - } - - fprintf(stderr,"The user has been authenticated and `logged in'\n"); - - /* this is always a really bad thing for security! */ - system("/bin/sh"); - - /* close a session for the user --- `0' could be PAM_SILENT - * it is possible that this pam_close_call is in another program.. - */ - - retcode = pam_close_session(pamh,0); - bail_out(pamh,0,retcode,"pam_close_session"); - if (retcode != PAM_SUCCESS) { - fprintf(stderr,"%s: problem closing a session\n",argv[0]); - break; - } - - break; /* don't go on for ever! */ - } - - /* close the Linux-PAM library */ - retcode = pam_end(pamh, PAM_SUCCESS); - pamh = NULL; - bail_out(pamh,1,retcode,"pam_end"); - - exit(0); -} diff --git a/contrib/libpam/modules/Makefile b/contrib/libpam/modules/Makefile deleted file mode 100644 index 0066fb473e0c..000000000000 --- a/contrib/libpam/modules/Makefile +++ /dev/null 
@@ -1,132 +0,0 @@ -# $Id: Makefile,v 1.21 1997/04/05 06:44:43 morgan Exp morgan $ -# -# Makefile -# -# This makefile controls the build process of shared and static PAM modules. -# -# $Log: Makefile,v $ -# Revision 1.21 1997/04/05 06:44:43 morgan -# pam_env and pam_tally added -# -# Revision 1.20 1997/02/15 18:57:11 morgan -# fixed bash syntax -# -# Revision 1.19 1997/01/04 20:21:32 morgan -# moved responsibility of conditional compilation to modules (more flexible) -# -# Revision 1.18 1996/12/01 03:34:40 morgan -# update for .54 -# -# Revision 1.17 1996/11/10 20:20:15 morgan -# cross platform support and new modules -# -# Revision 1.16 1996/09/05 06:20:45 morgan -# added two modules: listfile and shells -# -# Revision 1.15 1996/08/09 05:38:28 morgan -# added new/proposed modules. -# fixed makefile installation dependencies -# -# Revision 1.14 1996/07/08 00:00:33 morgan -# added wheel and group modules -# - -MODDIRS=\ - pam_access \ - pam_afs \ - pam_afsauth \ - pam_afspass \ - pam_afstok \ - pam_cracklib \ - pam_deny \ - pam_desgold \ - pam_env \ - pam_filter \ - pam_ftp \ - pam_group \ - pam_kerberos \ - pam_krb4 \ - pam_lastlog \ - pam_listfile \ - pam_limits \ - pam_mail \ - pam_nologin \ - pam_opie \ - pam_passwd+ \ - pam_permit \ - pam_pwdb \ - pam_radius \ - pam_restrict \ - pam_rhosts \ - pam_rootok \ - pam_securetty \ - pam_shells \ - pam_sid \ - pam_skey \ - pam_skey2 \ - pam_stress \ - pam_syslog \ - pam_tally \ - pam_time \ - pam_unix \ - pam_warn \ - pam_wheel - - -# //////////////////////////////////////////////////// -# // You should not modify anything below this line // -# //////////////////////////////////////////////////// - -dummy: - @echo "*** This is not a top-level Makefile! 
***" - -# ----------------------------------------------------------- - -all: - @echo modules for $(OS) are: - @ls -d $(MODDIRS) 2>/dev/null ; echo :-------- - @echo -ifdef STATIC - rm -f ./_static_module_* -endif - @for i in $(MODDIRS) ; do \ - if [ -d $$i ]; then { \ - $(MAKE) -C $$i all ; \ - if [ $$? -ne 0 ]; then exit 1 ; fi ; \ - } elif [ -f ./.$$i ]; then { \ - cat ./.$$i ; \ - } fi ; \ - done - -install: - for i in $(MODDIRS) ; do \ - if [ -d $$i ]; then { \ - $(MAKE) -C $$i install ; \ - if [ $$? -ne 0 ]; then exit 1 ; fi ; \ - } fi ; \ - done - -remove: - for i in $(MODDIRS) ; do \ - if [ -d $$i ]; then { \ - $(MAKE) -C $$i remove ; \ - } fi ; \ - done - -lclean: - rm -f _static_module_* - -clean: lclean - for i in $(MODDIRS) ; do \ - if [ -d $$i ]; then { \ - $(MAKE) -C $$i clean ; \ - } fi ; \ - done - -extraclean: lclean - for i in $(MODDIRS) ; do \ - if [ -d $$i ]; then \ - $(MAKE) -C $$i extraclean ; \ - fi ; \ - done - diff --git a/contrib/libpam/modules/README b/contrib/libpam/modules/README deleted file mode 100644 index 864159478c65..000000000000 --- a/contrib/libpam/modules/README +++ /dev/null 
@@ -1,55 +0,0 @@
-This directory contains the modules.
-
-If you want to reserve a module name please email
-and announce its name. Andrew Morgan, , will
-add it to the Makefile in the next release of Linux-PAM.
-
-As of Linux-PAM-0.40 modules can optionally conform to the static
-modules conventions.
-
-This file was updated for Linux-PAM-0.53.
-
-The conventions are as follows:
-
-There are only 6 functions that a module may declare as "public" they
-fall into 4 managment groups as follows:
-
- functions Management group
- ------------------------------------------ ----------------
- pam_sm_authenticate, pam_sm_setcred, PAM_SM_AUTH
- pam_sm_acct_mgmt, PAM_SM_ACCOUNT
- pam_sm_open_session, pam_sm_close_session, PAM_SM_SESSION
- pam_sm_chauthtok PAM_SM_PASSWORD
-
-If a module contains definitions for any of the above functions, it
-must supply definitions for all of the functions in the corresponding
-management group.
-
-The header file that defines the ANSI prototypes for these functions
-is . In the case that the module wishes to
-offer the functions of a given managment group, it must #define
-PAM_SM_XXX, where XXX is one of the above four tokens. These
-definitions must occur *prior* to the
-#include line.
-
-The pam_sm_... functions should be defined to be of type 'PAM_EXTERN int'.
-
-In the case that a module is being compiled with PAM_STATIC #define'd
-it should also define a globally accessible structure
-_"NAME"_modstruct containing references to each of the functions
-defined by the module. (this structure is defined in
-. "NAME" is the title of the module
-(eg. "pam_deny")
-
-If a module wants to be included in the static libpam.a its Makefile
-should execute "register_static" with appropriate arguments (in this
-directory).
-
-[
-For SIMPLE working examples, see
-
- ./modules/pam_deny/* and ./modules/pam_rootok/*
-.]
-
-Andrew Morgan
-96/11/10
diff --git a/contrib/libpam/modules/dont_makefile b/contrib/libpam/modules/dont_makefile
deleted file mode 100644
index f256ce1b3a61..000000000000
--- a/contrib/libpam/modules/dont_makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-#########################################################################
-# This is a makefile that does nothing. It is designed to be included
-# by module Makefile-s when they are not compatable with the local
-# system
-#########################################################################
-
-all:
- @echo "This module will not be compiled on this system"
-
-extraclean: clean
-
-install: clean
-
-clean:
- @echo "Nothing to do"
-
-#########################################################################
-# all over..
-#########################################################################
diff --git a/contrib/libpam/modules/pam_access/Makefile b/contrib/libpam/modules/pam_access/Makefile
deleted file mode 100644
index a3d684bb7179..000000000000
--- a/contrib/libpam/modules/pam_access/Makefile
+++ /dev/null
@@ -1,111 +0,0 @@ -# $Id: Makefile,v 1.1 1997/06/23 00:39:42 morgan Exp morgan $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# $Log: Makefile,v $ -# Revision 1.1 1997/06/23 00:39:42 morgan -# Initial revision -# -# - -TITLE=pam_access -CONFD=$(CONFIGED)/security -export CONFD -CONFILE=$(CONFD)/access.conf -export CONFILE - -# Convenient defaults for compiling independently of the full source -# tree. -ifndef FULL_LINUX_PAM_SOURCE_TREE -export DYNAMIC=-DPAM_DYNAMIC -export CC=gcc -export CFLAGS=-O2 -Dlinux -DLINUX_PAM \ - -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \ - -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \ - -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \ - -Wshadow -pedantic -fPIC -export MKDIR=mkdir -p -export LD_D=gcc -shared -Xlinker -x -endif - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -DEFS=-DCONFILE=\"$(CONFILE)\" - -CFLAGS += $(DEFS) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. 
; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - $(MKDIR) $(FAKEROOT)$(SCONFIGED) - bash -f ./install_conf - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - rm -f $(FAKEROOT)$(CONFILE) - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - rm -f ./.ignore_age - -extraclean: clean - rm -f *.a *.o *.so *.bak - -.c.o: - $(CC) $(CFLAGS) -c $< diff --git a/contrib/libpam/modules/pam_access/README b/contrib/libpam/modules/pam_access/README deleted file mode 100644 index df10c269ec04..000000000000 --- a/contrib/libpam/modules/pam_access/README +++ /dev/null 
@@ -1,40 +0,0 @@
-# Description of its configuration file (/etc/security/access.conf):
-#
-# Login access control table.
-#
-# When someone logs in, the table is scanned for the first entry that
-# matches the (user, host) combination, or, in case of non-networked
-# logins, the first entry that matches the (user, tty) combination. The
-# permissions field of that table entry determines whether the login will
-# be accepted or refused.
-#
-# Format of the login access control table is three fields separated by a
-# ":" character:
-#
-# permission : users : origins
-#
-# The first field should be a "+" (access granted) or "-" (access denied)
-# character.
-#
-# The second field should be a list of one or more login names, group
-# names, or ALL (always matches). A pattern of the form user@host is
-# matched when the login name matches the "user" part, and when the
-# "host" part matches the local machine name.
-#
-# The third field should be a list of one or more tty names (for
-# non-networked logins), host names, domain names (begin with "."), host
-# addresses, internet network numbers (end with "."), ALL (always
-# matches) or LOCAL (matches any string that does not contain a "."
-# character).
-#
-# If you run NIS you can use @netgroupname in host or user patterns; this
-# even works for @usergroup@@hostgroup patterns. Weird.
-#
-# The EXCEPT operator makes it possible to write very compact rules.
-#
-# The group file is searched only when a name does not match that of the
-# logged-in user. Both the user's primary group is matched, as well as
-# groups in which users are explicitly listed.
-#
-# Alexei Nogin 1997/06/15
-############################################################################
diff --git a/contrib/libpam/modules/pam_access/access.conf b/contrib/libpam/modules/pam_access/access.conf
deleted file mode 100644
index abfefa5e75eb..000000000000
--- a/contrib/libpam/modules/pam_access/access.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-# Login access control table.
-#
-# When someone logs in, the table is scanned for the first entry that
-# matches the (user, host) combination, or, in case of non-networked
-# logins, the first entry that matches the (user, tty) combination. The
-# permissions field of that table entry determines whether the login will
-# be accepted or refused.
-#
-# Format of the login access control table is three fields separated by a
-# ":" character:
-#
-# permission : users : origins
-#
-# The first field should be a "+" (access granted) or "-" (access denied)
-# character.
-#
-# The second field should be a list of one or more login names, group
-# names, or ALL (always matches). A pattern of the form user@host is
-# matched when the login name matches the "user" part, and when the
-# "host" part matches the local machine name.
-#
-# The third field should be a list of one or more tty names (for
-# non-networked logins), host names, domain names (begin with "."), host
-# addresses, internet network numbers (end with "."), ALL (always
-# matches) or LOCAL (matches any string that does not contain a "."
-# character).
-#
-# If you run NIS you can use @netgroupname in host or user patterns; this
-# even works for @usergroup@@hostgroup patterns. Weird.
-#
-# The EXCEPT operator makes it possible to write very compact rules.
-#
-# The group file is searched only when a name does not match that of the
-# logged-in user. Both the user's primary group is matched, as well as
-# groups in which users are explicitly listed.
-#
-##############################################################################
-#
-# Disallow console logins to all but a few accounts.
-#
-#-:ALL EXCEPT wheel shutdown sync:console
-#
-# Disallow non-local logins to privileged accounts (group wheel).
-# -#-:wheel:ALL EXCEPT LOCAL .win.tue.nl -# -# Some accounts are not allowed to login from anywhere: -# -#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL -# -# All other accounts are allowed to login from anywhere. -# diff --git a/contrib/libpam/modules/pam_access/install_conf b/contrib/libpam/modules/pam_access/install_conf deleted file mode 100755 index 0667b5ecbbc5..000000000000 --- a/contrib/libpam/modules/pam_access/install_conf +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/bash - -CONFILE=$FAKEROOT"$CONFILE" -IGNORE_AGE=./.ignore_age -CONF=./access.conf -QUIET_INSTALL=../../.quiet_install -MODULE=pam_access - -echo - -if [ -f "$QUIET_INSTALL" ]; then - if [ ! -f "$CONFILE" ]; then - yes="y" - else - yes="skip" - fi -elif [ -f "$IGNORE_AGE" ]; then - echo "you don't want to be bothered with the age of your $CONFILE file" - yes="n" -elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then - if [ -f "$CONFILE" ]; then - echo "An older $MODULE configuration file already exists ($CONFILE)" - echo "Do you wish to copy the $CONF file in this distribution" - echo "to $CONFILE ? (y/n) [skip] " - read yes - else - yes="y" - fi -else - yes="skip" -fi - -if [ "$yes" = "y" ]; then - mkdir -p $FAKEROOT$CONFD - echo " copying $CONF to $CONFILE" - cp $CONF $CONFILE -else - echo " Skipping $CONF installation" - if [ "$yes" = "n" ]; then - touch "$IGNORE_AGE" - fi -fi - -echo - -exit 0 diff --git a/contrib/libpam/modules/pam_access/pam_access.c b/contrib/libpam/modules/pam_access/pam_access.c deleted file mode 100644 index 121333928a26..000000000000 --- a/contrib/libpam/modules/pam_access/pam_access.c +++ /dev/null 
@@ -1,424 +0,0 @@ -/* pam_access module */ - -/* - * Written by Alexei Nogin 1997/06/15 - * (I took login_access from logdaemon-5.6 and converted it to PAM - * using parts of pam_time code.) - * - */ - -#ifdef linux -# define _GNU_SOURCE -# include -#endif - -#include -#include -#include -/* man page says above file includes this... */ -extern int gethostname(char *name, size_t len); - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#ifndef BROKEN_NETWORK_MATCH -# include -# include -#endif - -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. - */ - -#define PAM_SM_ACCOUNT - -#include -#include - -/* --- static functions for checking whether the user should be let in --- */ - -static void _log_err(const char *format, ... ) -{ - va_list args; - - va_start(args, format); - openlog("pam_access", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(LOG_ERR, format, args); - va_end(args); - closelog(); -} - -#define PAM_ACCESS_CONFIG CONFILE - -int strcasecmp(const char *s1, const char *s2); - -/* login_access.c from logdaemon-5.6 with several changes by A.Nogin: */ - - /* - * This module implements a simple but effective form of login access - * control based on login names and on host (or domain) names, internet - * addresses (or network numbers), or on terminal line names in case of - * non-networked logins. Diagnostics are reported through syslog(3). - * - * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. - */ - -#if !defined(MAXHOSTNAMELEN) || (MAXHOSTNAMELEN < 64) -#undef MAXHOSTNAMELEN -#define MAXHOSTNAMELEN 256 -#endif - - /* Delimiters for fields and for lists of users, ttys or hosts. 
*/ - -static char fs[] = ":"; /* field separator */ -static char sep[] = ", \t"; /* list-element separator */ - - /* Constants to be used in assignments only, not in comparisons... */ - -#define YES 1 -#define NO 0 - - /* - * A structure to bundle up all login-related information to keep the - * functional interfaces as generic as possible. - */ -struct login_info { - struct passwd *user; - char *from; -}; - -typedef int match_func (char *, struct login_info *); - -static int list_match (char *, struct login_info *, - match_func *); -static int user_match (char *, struct login_info *); -static int from_match (char *, struct login_info *); -static int string_match (char *, char *); - -/* login_access - match username/group and host/tty with access control file */ - -static int login_access(struct passwd *user, char *from) -{ - struct login_info item; - FILE *fp; - char line[BUFSIZ]; - char *perm; /* becomes permission field */ - char *users; /* becomes list of login names */ - char *froms; /* becomes list of terminals or hosts */ - int match = NO; - int end; - int lineno = 0; /* for diagnostics */ - - /* - * Bundle up the arguments to avoid unnecessary clumsiness lateron. - */ - item.user = user; - item.from = from; - - /* - * Process the table one line at a time and stop at the first match. - * Blank lines and lines that begin with a '#' character are ignored. - * Non-comment lines are broken at the ':' character. All fields are - * mandatory. The first field should be a "+" or "-" character. A - * non-existing table means no access control. 
- */ - - if ((fp = fopen(PAM_ACCESS_CONFIG, "r"))!=NULL) { - while (!match && fgets(line, sizeof(line), fp)) { - lineno++; - if (line[end = strlen(line) - 1] != '\n') { - _log_err("%s: line %d: missing newline or line too long", - PAM_ACCESS_CONFIG, lineno); - continue; - } - if (line[0] == '#') - continue; /* comment line */ - while (end > 0 && isspace(line[end - 1])) - end--; - line[end] = 0; /* strip trailing whitespace */ - if (line[0] == 0) /* skip blank lines */ - continue; - if (!(perm = strtok(line, fs)) - || !(users = strtok((char *) 0, fs)) - || !(froms = strtok((char *) 0, fs)) - || strtok((char *) 0, fs)) { - _log_err("%s: line %d: bad field count", PAM_ACCESS_CONFIG, lineno); - continue; - } - if (perm[0] != '+' && perm[0] != '-') { - _log_err("%s: line %d: bad first field", PAM_ACCESS_CONFIG, lineno); - continue; - } - match = (list_match(froms, &item, from_match) - && list_match(users, &item, user_match)); - } - (void) fclose(fp); - } else if (errno != ENOENT) { - _log_err("cannot open %s: %m", PAM_ACCESS_CONFIG); - } - return (match == 0 || (line[0] == '+')); -} - -/* list_match - match an item against a list of tokens with exceptions */ - -static int list_match(char *list, struct login_info *item, match_func *match_fn) -{ - char *tok; - int match = NO; - - /* - * Process tokens one at a time. We have exhausted all possible matches - * when we reach an "EXCEPT" token or the end of the list. If we do find - * a match, look for an "EXCEPT" list and recurse to determine whether - * the match is affected by any exceptions. - */ - - for (tok = strtok(list, sep); tok != 0; tok = strtok((char *) 0, sep)) { - if (strcasecmp(tok, "EXCEPT") == 0) /* EXCEPT: give up */ - break; - if ((match = (*match_fn) (tok, item))) /* YES */ - break; - } - /* Process exceptions to matches. 
*/ - - if (match != NO) { - while ((tok = strtok((char *) 0, sep)) && strcasecmp(tok, "EXCEPT")) - /* VOID */ ; - if (tok == 0 || list_match((char *) 0, item, match_fn) == NO) - return (match); - } - return (NO); -} - -/* myhostname - figure out local machine name */ - -static char * myhostname(void) -{ - static char name[MAXHOSTNAMELEN + 1]; - - gethostname(name, MAXHOSTNAMELEN); - name[MAXHOSTNAMELEN] = 0; - return (name); -} - -/* netgroup_match - match group against machine or user */ - -static int netgroup_match(char *group, char *machine, char *user) -{ -#ifdef NIS - static char *mydomain = 0; - - if (mydomain == 0) - yp_get_default_domain(&mydomain); - return (innetgr(group, machine, user, mydomain)); -#else - _log_err("NIS netgroup support not configured"); - return (NO); -#endif -} - -/* user_match - match a username against one token */ - -static int user_match(char *tok, struct login_info *item) -{ - char *string = item->user->pw_name; - struct login_info fake_item; - struct group *group; - int i; - char *at; - - /* - * If a token has the magic value "ALL" the match always succeeds. - * Otherwise, return YES if the token fully matches the username, if the - * token is a group that contains the username, or if the token is the - * name of the user's primary group. 
- */ - - if ((at = strchr(tok + 1, '@')) != 0) { /* split user@host pattern */ - *at = 0; - fake_item.from = myhostname(); - return (user_match(tok, item) && from_match(at + 1, &fake_item)); - } else if (tok[0] == '@') { /* netgroup */ - return (netgroup_match(tok + 1, (char *) 0, string)); - } else if (string_match(tok, string)) { /* ALL or exact match */ - return (YES); - } else if ((group = getgrnam(tok))) { /* try group membership */ - if (item->user->pw_gid == group->gr_gid) - return (YES); - for (i = 0; group->gr_mem[i]; i++) - if (strcasecmp(string, group->gr_mem[i]) == 0) - return (YES); - } - return (NO); -} - -/* from_match - match a host or tty against a list of tokens */ - -static int from_match(char *tok, struct login_info *item) -{ - char *string = item->from; - int tok_len; - int str_len; - - /* - * If a token has the magic value "ALL" the match always succeeds. Return - * YES if the token fully matches the string. If the token is a domain - * name, return YES if it matches the last fields of the string. If the - * token has the magic value "LOCAL", return YES if the string does not - * contain a "." character. If the token is a network number, return YES - * if it matches the head of the string. - */ - - if (tok[0] == '@') { /* netgroup */ - return (netgroup_match(tok + 1, string, (char *) 0)); - } else if (string_match(tok, string)) { /* ALL or exact match */ - return (YES); - } else if (tok[0] == '.') { /* domain: match last fields */ - if ((str_len = strlen(string)) > (tok_len = strlen(tok)) - && strcasecmp(tok, string + str_len - tok_len) == 0) - return (YES); - } else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no dots */ - if (strchr(string, '.') == 0) - return (YES); -#ifdef BROKEN_NETWORK_MATCH - } else if (tok[(tok_len = strlen(tok)) - 1] == '.' 
/* network */ - && strncmp(tok, string, tok_len) == 0) { - return (YES); -#else /* BROKEN_NETWORK_MATCH */ - } else if (tok[(tok_len = strlen(tok)) - 1] == '.') { - /* - The code below does a more correct check if the address specified - by "string" starts from "tok". - 1998/01/27 Andrey V. Savochkin - */ - struct hostent *h; - char hn[3+1+3+1+3+1+3+1]; - int r; - - h = gethostbyname(string); - if (h == NULL) - return (NO); - if (h->h_addrtype != AF_INET) - return (NO); - if (h->h_length != 4) - return (NO); /* only IPv4 addresses (SAW) */ - r = snprintf(hn, sizeof(hn), "%u.%u.%u.%u", - (unsigned char)h->h_addr[0], (unsigned char)h->h_addr[1], - (unsigned char)h->h_addr[2], (unsigned char)h->h_addr[3]); - if (r < 0 || r >= sizeof(hn)) - return (NO); - if (!strncmp(tok, hn, tok_len)) - return (YES); -#endif /* BROKEN_NETWORK_MATCH */ - } - return (NO); -} - -/* string_match - match a string against one token */ - -static int string_match(char *tok, char *string) -{ - - /* - * If the token has the magic value "ALL" the match always succeeds. - * Otherwise, return YES if the token fully matches the string. 
- */ - - if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */ - return (YES); - } else if (strcasecmp(tok, string) == 0) { /* try exact match */ - return (YES); - } - return (NO); -} - -/* end of login_access.c */ - -int strcasecmp(const char *s1, const char *s2) -{ - while ((toupper(*s1)==toupper(*s2)) && (*s1) && (*s2)) {s1++; s2++;} - return(toupper(*s1)-toupper(*s2)); -} - -/* --- public account management functions --- */ - -PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - const char *user=NULL; - char *from=NULL; - struct passwd *user_pw; - - /* set username */ - - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL - || *user == '\0') { - _log_err("cannot determine the user's name"); - return PAM_USER_UNKNOWN; - } - - /* remote host name */ - - if (pam_get_item(pamh, PAM_RHOST, (const void **)&from) - != PAM_SUCCESS) { - _log_err("cannot find the remote host name"); - return PAM_ABORT; - } - - if (from==NULL) { - - /* local login, set tty name */ - - if (pam_get_item(pamh, PAM_TTY, (const void **)&from) != PAM_SUCCESS - || from == NULL) { - D(("PAM_TTY not set, probing stdin")); - from = ttyname(STDIN_FILENO); - if (from == NULL) { - _log_err("couldn't get the tty name"); - return PAM_ABORT; - } - if (pam_set_item(pamh, PAM_TTY, from) != PAM_SUCCESS) { - _log_err("couldn't set tty name"); - return PAM_ABORT; - } - } - if (strncmp("/dev/",from,5) == 0) { /* strip leading /dev/ */ - from += 5; - } - - } - if ((user_pw=getpwnam(user))==NULL) return (PAM_USER_UNKNOWN); - if (login_access(user_pw,from)) return (PAM_SUCCESS); else { - _log_err("access denied for user `%s' from `%s'",user,from); - return (PAM_PERM_DENIED); - } -} - -/* end of module definition */ - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_access_modstruct = { - "pam_access", - NULL, - NULL, - pam_sm_acct_mgmt, - NULL, - NULL, - NULL -}; -#endif - 
diff --git a/contrib/libpam/modules/pam_cracklib/Makefile b/contrib/libpam/modules/pam_cracklib/Makefile
deleted file mode 100644
index 668f2f846296..000000000000
--- a/contrib/libpam/modules/pam_cracklib/Makefile
+++ /dev/null
@@ -1,110 +0,0 @@
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# Created by Cristian Gafton 1996/09/10
-#
-
-ifndef FULL_LINUX_PAM_SOURCE_TREE
-#
-# here you should make default variable defines...
-#
-MKDIR=mkdir -p
-LD_D=gcc -shared -Xlinker -x
-INSTALL=install
-SECUREDIR=/usr/lib/security
-#
-HAVE_CRACKLIB=yes
-endif
-
-ifeq ($(HAVE_CRACKLIB),yes)
-
-TITLE=pam_cracklib
-CRACKLIB=-lcrack
-CRACKLIB_DICTPATH=/usr/lib/cracklib_dict
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-ifdef CRACKLIB_DICTPATH
-CFLAGS+=-DCRACKLIB_DICTPATH=\"$(CRACKLIB_DICTPATH)\"
-endif
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC) Makefile
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD) $(CRACKLIB)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~ *.so
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
-else
-
-include ../dont_makefile
-
-endif
diff --git a/contrib/libpam/modules/pam_cracklib/README b/contrib/libpam/modules/pam_cracklib/README
deleted file mode 100644
index e4b02731b523..000000000000
--- a/contrib/libpam/modules/pam_cracklib/README
+++ /dev/null
@@ -1,21 +0,0 @@
-
-pam_cracklib:
- check the passwd against dictionary words.
-
-RECOGNIZED ARGUMENTS:
- debug verbose log
-
- type=XXX alter the message printed as a prompt to the user.
- the message printed is in the form
- "New XXX password: ".
- Default XXX=UNIX
-
- retry=N Prompt user at most N times before returning with
- error. Default N=1.
-
-MODULE SERVICES PROVIDED:
- passwd chauthtok
-
-AUTHOR:
- Cristian Gafton
-
diff --git a/contrib/libpam/modules/pam_cracklib/pam_cracklib.c b/contrib/libpam/modules/pam_cracklib/pam_cracklib.c
deleted file mode 100644
index 3400dfb25209..000000000000
--- a/contrib/libpam/modules/pam_cracklib/pam_cracklib.c
+++ /dev/null
@@ -1,687 +0,0 @@ -/* pam_cracklib module */ - -/* - * 0.85. added six new options to use this with long passwords. - * 0.8. tidied output and improved D(()) usage for debugging. - * 0.7. added support for more obscure checks for new passwd. - * 0.6. root can reset user passwd to any values (it's only warned) - * 0.5. supports retries - 'retry=N' argument - * 0.4. added argument 'type=XXX' for 'New XXX password' prompt - * 0.3. Added argument 'debug' - * 0.2. new password is feeded to cracklib for verify after typed once - * 0.1. First release - */ - -/* - * Written by Cristian Gafton 1996/09/10 - * Long password support by Philip W. Dalrymple 1997/07/18 - * See the end of the file for Copyright Information - * - * Modification for long password systems (>8 chars). The original - * module had problems when used in a md5 password system in that it - * allowed too short passwords but required that at least half of the - * bytes in the new password did not appear in the old one. this - * action is still the default and the changes should not break any - * current user. This modification adds 6 new options, one to set the - * number of bytes in the new password that are not in the old one, - * the other five to control the length checking, these are all - * documented (or will be before anyone else sees this code) in the PAM - * S.A.G. in the section on the cracklib module. 
- */ - -#include -#define __USE_BSD -#include -#include -#include -#include -#include -#include -#include -#include - -extern char *FascistCheck(char *pw, const char *dictpath); - -#ifndef CRACKLIB_DICTPATH -#define CRACKLIB_DICTPATH "/usr/lib/cracklib_dict" -#endif - -#define PROMPT1 "New %s password: " -#define PROMPT2 "Retype new %s password: " -#define MISTYPED_PASS "Sorry, passwords do not match" - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_PASSWORD - -#include -#include - -#ifndef LINUX_PAM -#include -#endif /* LINUX_PAM */ - -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-Cracklib", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* argument parsing */ -#define PAM_DEBUG_ARG 0x0001 - -/* module data - AGM: please remove these static variables... PAM was - * designed to be reentrant based soley on a unique pamh... this - * breaks that. 
*/ - -static int retry_times = 0; -static int diff_ok = 10; -static int min_length = 9; -static int dig_credit = 1; -static int up_credit = 1; -static int low_credit = 1; -static int oth_credit = 1; -static char prompt_type[BUFSIZ]; - -static int _pam_parse(int argc, const char **argv) -{ - int ctrl=0; - - /* step through arguments */ - for (ctrl=0; argc-- > 0; ++argv) { - char *ep = NULL; - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else if (!strncmp(*argv,"type=",5)) - strcpy(prompt_type, *argv+5); - else if (!strncmp(*argv,"retry=",6)) { - retry_times = strtol(*argv+6,&ep,10); - if (!ep || (retry_times < 1)) - retry_times = 1; - } else if (!strncmp(*argv,"difok=",6)) { - diff_ok = strtol(*argv+6,&ep,10); - if (!ep || (diff_ok < 0)) - diff_ok = 10; - } else if (!strncmp(*argv,"minlen=",7)) { - min_length = strtol(*argv+7,&ep,10); - if (!ep || (min_length < 5)) - min_length = 5; - } else if (!strncmp(*argv,"dcredit=",8)) { - dig_credit = strtol(*argv+8,&ep,10); - if (!ep || (dig_credit < 0)) - dig_credit = 0; - } else if (!strncmp(*argv,"ucredit=",8)) { - up_credit = strtol(*argv+8,&ep,10); - if (!ep || (up_credit < 0)) - up_credit = 0; - } else if (!strncmp(*argv,"lcredit=",8)) { - low_credit = strtol(*argv+8,&ep,10); - if (!ep || (low_credit < 0)) - low_credit = 0; - } else if (!strncmp(*argv,"ocredit=",8)) { - oth_credit = strtol(*argv+8,&ep,10); - if (!ep || (oth_credit < 0)) - oth_credit = 0; - } else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - -/* Helper functions */ - -/* this is a front-end for module-application conversations */ -static int converse(pam_handle_t *pamh, int ctrl, int nargs, - struct pam_message **message, - struct pam_response **response) -{ - int retval; - struct pam_conv *conv; - - retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv); - - if ( retval == PAM_SUCCESS ) { - retval = conv->conv(nargs, (const struct pam_message **)message, - 
response, conv->appdata_ptr); - if (retval != PAM_SUCCESS && (ctrl && PAM_DEBUG_ARG)) { - _pam_log(LOG_DEBUG, "conversation failure [%s]", - pam_strerror(pamh, retval)); - } - } else { - _pam_log(LOG_ERR, "couldn't obtain coversation function [%s]", - pam_strerror(pamh, retval)); - } - - return retval; /* propagate error status */ -} - -static int make_remark(pam_handle_t *pamh, unsigned int ctrl, - int type, const char *text) -{ - struct pam_message *pmsg[1], msg[1]; - struct pam_response *resp; - int retval; - - pmsg[0] = &msg[0]; - msg[0].msg = text; - msg[0].msg_style = type; - resp = NULL; - - retval = converse(pamh, ctrl, 1, pmsg, &resp); - if (retval == PAM_SUCCESS) - _pam_drop_reply(resp, 1); - - return retval; -} - -/* use this to free strings. ESPECIALLY password strings */ -static char *_pam_delete(register char *xx) -{ - _pam_overwrite(xx); - free(xx); - return NULL; -} - -/* - * can't be a palindrome - like `R A D A R' or `M A D A M' - */ -static int palindrome(const char *old, const char *new) -{ - int i, j; - - i = strlen (new); - - for (j = 0;j < i;j++) - if (new[i - j - 1] != new[j]) - return 0; - - return 1; -} - -/* - * more than half of the characters are different ones. - * or at least diff_ok are different - * NOTE that the defaults are NOT the same as befor this - * change. as long as there are at least 10 different bytes - * in a new password it will now pass even if the password - * is longer than 20 bytes (MD5) - */ - -static int similiar(const char *old, const char *new) -{ - int i, j; - - for (i = j = 0;new[i] && old[i];i++) - if (strchr (new, old[i])) - j++; - - if (j >= diff_ok || i >= j * 2) - return 0; - - return 1; -} - -/* - * a nice mix of characters. 
- */ -static int simple(const char *old, const char *new) -{ - int digits = 0; - int uppers = 0; - int lowers = 0; - int others = 0; - int size; - int i; - - for (i = 0;new[i];i++) { - if (isdigit (new[i])) - digits++; - else if (isupper (new[i])) - uppers++; - else if (islower (new[i])) - lowers++; - else - others++; - } - - /* - * The scam was this - a password of only one character type - * must be 8 letters long. Two types, 7, and so on. - * This is now changed, the base size and the credits or defaults - * see the docs on the module for info on these parameters, the - * defaults cause the effect to be the same as before the change - */ - - if (digits > dig_credit) - digits = dig_credit; - - if (uppers > up_credit) - uppers = up_credit; - - if (lowers > low_credit) - lowers = low_credit; - - if (others > oth_credit) - others = oth_credit; - - size = min_length; - size -= digits; - size -= uppers; - size -= lowers; - size -= others; - - if (size <= i) - return 0; - - return 1; -} - -static char * str_lower(char *string) -{ - char *cp; - - for (cp = string; *cp; cp++) - *cp = tolower(*cp); - return string; -} - -static const char * password_check(const char *old, const char *new) -{ - const char *msg = NULL; - char *oldmono, *newmono, *wrapped; - - if (strcmp(new, old) == 0) { - msg = "is the same as the old one"; - return msg; - } - - newmono = str_lower(x_strdup(new)); - oldmono = str_lower(x_strdup(old)); - wrapped = malloc(strlen(oldmono) * 2 + 1); - strcpy (wrapped, oldmono); - strcat (wrapped, oldmono); - - if (palindrome(oldmono, newmono)) - msg = "is a palindrome"; - - if (!msg && strcmp(oldmono, newmono) == 0) - msg = "case changes only"; - - if (!msg && similiar(oldmono, newmono)) - msg = "is too similiar to the old one"; - - if (!msg && simple(old, new)) - msg = "is too simple"; - - if (!msg && strstr(wrapped, newmono)) - msg = "is rotated"; - - memset(newmono, 0, strlen(newmono)); - memset(oldmono, 0, strlen(oldmono)); - memset(wrapped, 0, 
strlen(wrapped)); - free(newmono); - free(oldmono); - free(wrapped); - - return msg; -} - - -static int _pam_unix_approve_pass(pam_handle_t *pamh, - unsigned int ctrl, - const char *pass_old, - const char *pass_new) -{ - const char *msg = NULL; - - if (pass_new == NULL || (pass_old && !strcmp(pass_old,pass_new))) { - if (ctrl && PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "bad authentication token"); - make_remark(pamh, ctrl, PAM_ERROR_MSG, - pass_new == NULL ? - "No password supplied":"Password unchanged" ); - return PAM_AUTHTOK_ERR; - } - - /* - * if one wanted to hardwire authentication token strength - * checking this would be the place - */ - msg = password_check(pass_old,pass_new); - if (msg) { - char remark[BUFSIZ]; - - memset(remark,0,sizeof(remark)); - sprintf(remark,"BAD PASSWORD: %s",msg); - if (ctrl && PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE, "new passwd fails strength check: %s", - msg); - make_remark(pamh, ctrl, PAM_ERROR_MSG, remark); - return PAM_AUTHTOK_ERR; - }; - return PAM_SUCCESS; - -} - -/* The Main Thing (by Cristian Gafton, CEO at this module :-) - * (stolen from http://home.netscape.com) - */ -PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - unsigned int ctrl; - - retry_times = 1; - memset(prompt_type,0,sizeof(prompt_type)); - ctrl = _pam_parse(argc, argv); - - D(("called.")); - if (!prompt_type[0]) - strcpy(prompt_type,"UNIX"); - - if (flags & PAM_PRELIM_CHECK) { - /* Check for passwd dictionary */ - struct stat st; - char buf[sizeof(CRACKLIB_DICTPATH)+10]; - - D(("prelim check")); - - memset(buf,0,sizeof(buf)); /* zero the buffer */ - sprintf(buf,"%s.pwd",CRACKLIB_DICTPATH); - - if (!stat(buf,&st) && st.st_size) - return PAM_SUCCESS; - else { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE,"dict path '%s'[.pwd] is invalid", - CRACKLIB_DICTPATH); - return PAM_ABORT; - } - - /* Not reached */ - return PAM_SERVICE_ERR; - - } else if (flags & PAM_UPDATE_AUTHTOK) { - int retval; - char *token1, 
*token2, *oldtoken; - const char *item; - struct pam_message msg[1],*pmsg[1]; - struct pam_response *resp; - const char *cracklib_dictpath = CRACKLIB_DICTPATH; - char prompt[BUFSIZ]; - - D(("do update")); - retval = pam_get_item(pamh, PAM_OLDAUTHTOK, - (const void **)&oldtoken); - if (retval != PAM_SUCCESS) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_ERR,"Can not get old passwd"); - oldtoken=NULL; - retval = PAM_SUCCESS; - } - - do { - /* - * make sure nothing inappropriate gets returned - */ - token1 = token2 = NULL; - - if (!retry_times) { - D(("returning %s because maxtries reached", - pam_strerror(pamh, retval))); - return retval; - } - - /* Planned modus operandi: - * Get a passwd. - * Verify it against cracklib. - * If okay get it a second time. - * Check to be the same with the first one. - * set PAM_AUTHTOK and return - */ - - /* Prepare to ask the user for the first time */ - memset(prompt,0,sizeof(prompt)); - sprintf(prompt,PROMPT1,prompt_type); - pmsg[0] = &msg[0]; - msg[0].msg_style = PAM_PROMPT_ECHO_OFF; - msg[0].msg = prompt; - - resp = NULL; - retval = converse(pamh, ctrl, 1, pmsg, &resp); - if (resp != NULL) { - /* interpret the response */ - if (retval == PAM_SUCCESS) { /* a good conversation */ - token1 = x_strdup(resp[0].resp); - if (token1 == NULL) { - _pam_log(LOG_NOTICE, - "could not recover authentication token 1"); - retval = PAM_AUTHTOK_RECOVER_ERR; - } - } - /* - * tidy up the conversation (resp_retcode) is ignored - */ - _pam_drop_reply(resp, 1); - } else { - retval = (retval == PAM_SUCCESS) ? 
- PAM_AUTHTOK_RECOVER_ERR:retval ; - } - - if (retval != PAM_SUCCESS) { - if (ctrl && PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG,"unable to obtain a password"); - continue; - } - - D(("testing password, retval = %s", pam_strerror(pamh, retval))); - /* now test this passwd against cracklib */ - { - char *crack_msg; - char remark[BUFSIZ]; - - bzero(remark,sizeof(remark)); - D(("against cracklib")); - if ((crack_msg = FascistCheck(token1, cracklib_dictpath))) { - if (ctrl && PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG,"bad password: %s",crack_msg); - sprintf(remark,"BAD PASSWORD: %s", crack_msg); - make_remark(pamh, ctrl, PAM_ERROR_MSG, remark); - if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) - retval = PAM_AUTHTOK_ERR; - else - retval = PAM_SUCCESS; - } else { - /* check it for strength too... */ - D(("for strength")); - if (oldtoken) { - retval = _pam_unix_approve_pass(pamh,ctrl, - oldtoken,token1); - if (retval != PAM_SUCCESS) - if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) - retval = PAM_AUTHTOK_ERR; - else - retval = PAM_SUCCESS; - } - } - } - - D(("after testing: retval = %s", pam_strerror(pamh, retval))); - /* if cracklib/strength check said it is a bad passwd... */ - if ((retval != PAM_SUCCESS) && (retval != PAM_IGNORE)) { - int temp_unused; - - temp_unused = pam_set_item(pamh, PAM_AUTHTOK, NULL); - token1 = _pam_delete(token1); - continue; - } - - /* Now we have a good passwd. 
Ask for it once again */ - - bzero(prompt,sizeof(prompt)); - sprintf(prompt,PROMPT2,prompt_type); - pmsg[0] = &msg[0]; - msg[0].msg_style = PAM_PROMPT_ECHO_OFF; - msg[0].msg = prompt; - - resp = NULL; - retval = converse(pamh, ctrl, 1, pmsg, &resp); - if (resp != NULL) { - /* interpret the response */ - if (retval == PAM_SUCCESS) { /* a good conversation */ - token2 = x_strdup(resp[0].resp); - if (token2 == NULL) { - _pam_log(LOG_NOTICE, - "could not recover authentication token 2"); - retval = PAM_AUTHTOK_RECOVER_ERR; - } - } - /* - * tidy up the conversation (resp_retcode) is ignored - */ - _pam_drop_reply(resp, 1); - } else { - retval = (retval == PAM_SUCCESS) ? - PAM_AUTHTOK_RECOVER_ERR:retval ; - } - - if (retval != PAM_SUCCESS) { - if (ctrl && PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG - ,"unable to obtain the password a second time"); - continue; - } - - /* Hopefully now token1 and token2 the same password ... */ - if (strcmp(token1,token2) != 0) { - /* tell the user */ - make_remark(pamh, ctrl, PAM_ERROR_MSG, MISTYPED_PASS); - token1 = _pam_delete(token1); - token2 = _pam_delete(token2); - pam_set_item(pamh, PAM_AUTHTOK, NULL); - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE,"Password mistyped"); - retval = PAM_AUTHTOK_RECOVER_ERR; - continue; - } - - /* Yes, the password was typed correct twice - * we store this password as an item - */ - - retval = pam_set_item(pamh, PAM_AUTHTOK, token1); - /* clean it up */ - token1 = _pam_delete(token1); - token2 = _pam_delete(token2); - if ( - (retval != PAM_SUCCESS) || - ( - ( - retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&item) - ) != PAM_SUCCESS - ) - ) { - _pam_log(LOG_CRIT, "error manipulating password"); - continue; - } - item = NULL; /* break link to password */ - return PAM_SUCCESS; - - } while (retry_times--); - - } else { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE, "UNKNOWN flags setting %02X",flags); - return PAM_SERVICE_ERR; - } - - /* Not reached */ - return PAM_SERVICE_ERR; -} - - - -#ifdef 
PAM_STATIC -/* static module data */ -struct pam_module _pam_cracklib_modstruct = { - "pam_cracklib", - NULL, - NULL, - NULL, - NULL, - NULL, - pam_sm_chauthtok -}; -#endif - -/* - * Copyright (c) Cristian Gafton , 1996. - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - * The following copyright was appended for the long password support - * added with the libpam 0.58 release: - * - * Modificaton Copyright (c) Philip W. Dalrymple III - * 1997. All rights reserved - * - * THE MODIFICATION THAT PROVIDES SUPPORT FOR LONG PASSWORD TYPE CHECKING TO - * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/contrib/libpam/modules/pam_deny/Makefile b/contrib/libpam/modules/pam_deny/Makefile deleted file mode 100644 index 02506cb38122..000000000000 --- a/contrib/libpam/modules/pam_deny/Makefile +++ /dev/null 
@@ -1,125 +0,0 @@
-#
-# $Id: Makefile,v 1.7 1997/04/05 06:43:41 morgan Exp morgan $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.7 1997/04/05 06:43:41 morgan
-# full-source-tree and fakeroot
-#
-# Revision 1.6 1997/02/15 19:04:27 morgan
-# fixed email
-#
-# Revision 1.5 1996/11/10 20:11:48 morgan
-# crossplatform support
-#
-# Revision 1.4 1996/09/05 06:50:12 morgan
-# ld --> gcc
-#
-# Revision 1.3 1996/05/26 15:48:38 morgan
-# make dynamic and static dirs
-#
-# Revision 1.2 1996/05/26 04:00:16 morgan
-# changes for automated static/dynamic modules
-#
-# Revision 1.1 1996/03/16 17:47:36 morgan
-# Initial revision
-#
-#
-# Created by Andrew Morgan 1996/3/11
-#
-
-# Convenient defaults for compiling independently of the full source
-# tree.
-ifndef FULL_LINUX_PAM_SOURCE_TREE
-export DYNAMIC=-DPAM_DYNAMIC
-export CC=gcc
-export CFLAGS=-O2 -Dlinux -DLINUX_PAM \
- -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \
- -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \
- -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \
- -Wshadow -pedantic -fPIC
-export MKDIR=mkdir -p
-export LD_D=gcc -shared -Xlinker -x
-endif
-
-#
-
-TITLE=pam_deny
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_deny/README b/contrib/libpam/modules/pam_deny/README
deleted file mode 100644
index 4f7f6de664fe..000000000000
--- a/contrib/libpam/modules/pam_deny/README
+++ /dev/null
@@ -1,4 +0,0 @@
-# $Id: README,v 1.1 1996/03/16 18:11:12 morgan Exp $
-#
-
-this module always fails, it ignores all options.
diff --git a/contrib/libpam/modules/pam_deny/pam_deny.c b/contrib/libpam/modules/pam_deny/pam_deny.c
deleted file mode 100644
index 76ba24d3fd90..000000000000
--- a/contrib/libpam/modules/pam_deny/pam_deny.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/* pam_permit module */
-
-/*
- * $Id: pam_deny.c,v 1.4 1997/02/15 19:05:15 morgan Exp $
- *
- * Written by Andrew Morgan 1996/3/11
- *
- * $Log: pam_deny.c,v $
- * Revision 1.4 1997/02/15 19:05:15 morgan
- * fixed email
- *
- * Revision 1.3 1996/06/02 08:06:19 morgan
- * changes for new static protocol
- *
- * Revision 1.2 1996/05/26 04:01:12 morgan
- * added static support
- *
- * Revision 1.1 1996/03/16 17:47:36 morgan
- * Initial revision
- *
- */
-
-/*
- * here, we make definitions for the externally accessible functions
- * in this file (these definitions are required for static modules
- * but strongly encouraged generally) they are used to instruct the
- * modules include file to define their prototypes.
- */
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
-
-#include
-
-/* --- authentication management functions --- */
-
-PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_AUTH_ERR;
-}
-
-PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_CRED_UNAVAIL;
-}
-
-/* --- account management functions --- */
-
-PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_ACCT_EXPIRED;
-}
-
-/* --- password management --- */
-
-PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_AUTHTOK_ERR;
-}
-
-/* --- session management --- */
-
-PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SYSTEM_ERR;
-}
-
-PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SYSTEM_ERR;
-}
-
-/* end of module definition */
-
-/* static module data */
-#ifdef PAM_STATIC
-struct pam_module _pam_deny_modstruct = {
- "pam_deny",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok
-};
-#endif
diff --git a/contrib/libpam/modules/pam_env/Makefile b/contrib/libpam/modules/pam_env/Makefile
deleted file mode 100644
index df363bc9536b..000000000000
--- a/contrib/libpam/modules/pam_env/Makefile
+++ /dev/null
@@ -1,107 +0,0 @@
-#
-# $Id: Makefile,v 1.1 1997/04/05 06:42:35 morgan Exp morgan $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.1 1997/04/05 06:42:35 morgan
-# Initial revision
-#
-# Revision 1.1 1997/01/04 20:32:52 morgan
-# Initial revision
-#
-# Created by Andrew Morgan 1996/12/8
-# Adaptations by Dave Kinclea and Cristian Gafton
-#
-
-TITLE=pam_env
-
-CONFD=$(CONFIGED)/security
-export CONFD
-CONFILE=$(CONFD)/pam_env.conf
-export CONFILE
-
-#ifeq ($(HAVE_PWDBLIB),yes)
-#CFLAGS += -DWANT_PWDB
-#EXTRALIB = -lpwdb
-#endif
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD) $(EXTRALIB)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS) $(EXTRALIB)
-endif
-
-install: all
-ifdef DYNAMIC
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
- $(MKDIR) $(FAKEROOT)$(SCONFIGED)
- bash -f ./install_conf
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_env/README b/contrib/libpam/modules/pam_env/README
deleted file mode 100644
index d6e959cdbee5..000000000000
--- a/contrib/libpam/modules/pam_env/README
+++ /dev/null
@@ -1,72 +0,0 @@
-# $Date: 1997/04/05 06:42:35 $
-# $Author: morgan $
-# $Id: README,v 1.1 1997/04/05 06:42:35 morgan Exp $
-#
-# This is the configuration file for pam_env, a PAM module to load in
-# a configurable list of environment variables for a
-#
-# The original idea for this came from Andrew G. Morgan ...
-#
-# Mmm. Perhaps you might like to write a pam_env module that reads a
-# default environment from a file? I can see that as REALLY
-# useful... Note it would be an "auth" module that returns PAM_IGNORE
-# for the auth part and sets the environment returning PAM_SUCCESS in
-# the setcred function...
-#
-#
-# What I wanted was the REMOTEHOST variable set, purely for selfish
-# reasons, and AGM didn't want it added to the SimpleApps login
-# program (which is where I added the patch). So, my first concern is
-# that variable, from there there are numerous others that might/would
-# be useful to be set: NNTPSERVER, LESS, PATH, PAGER, MANPAGER .....
-#
-# Of course, these are a different kind of variable than REMOTEHOST in
-# that they are things that are likely to be configured by
-# administrators rather than set by logging in, how to treat them both
-# in the same config file?
-#
-# Here is my idea:
-#
-# Each line starts with the variable name, there are then two possible
-# options for each variable DEFAULT and OVERRIDE.
-# DEFAULT allows and administrator to set the value of the
-# variable to some default value, if none is supplied then the empty
-# string is assumed. The OVERRIDE option tells pam_env that it should
-# enter in its value (overriding the default value) if there is one
-# to use. OVERRIDE is not used, "" is assumed and no override will be
-# done.
-#
-# VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
-#
-# (Possibly non-existent) environment variables may be used in values
-# using the ${string} syntax and (possibly non-existent) PAM_ITEMs may
-# be used in values using the @{string} syntax. Both the $ and @
-# characters can be backslash escaped to be used as literal values
-# values can be delimited with "", escaped " not supported.
-#
-#
-# First, some special variables
-#
-# Set the REMOTEHOST variable for any hosts that are remote, default
-# to "localhost" rather than not being set at all
-REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
-#
-# Set the DISPLAY variable if it seems reasonable
-DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
-#
-#
-# Now some simple variables
-#
-PAGER DEFAULT=less
-MANPAGER DEFAULT=less
-LESS DEFAULT="M q e h15 z23 b80"
-NNTPSERVER DEFAULT=localhost
-PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
-:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
-#
-# silly examples of escaped variables, just to show how they work.
-#
-DOLLAR DEFAULT=\$
-DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR}
-DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST}
-ATSIGN DEFAULT="" OVERRIDE=\@
diff --git a/contrib/libpam/modules/pam_env/install_conf b/contrib/libpam/modules/pam_env/install_conf
deleted file mode 100755
index 4c608400229f..000000000000
--- a/contrib/libpam/modules/pam_env/install_conf
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-
-CONFILE=$FAKEROOT"$CONFILE"
-IGNORE_AGE=./.ignore_age
-QUIET_INSTALL=../../.quiet_install
-CONF=./pam_env.conf-example
-MODULE=pam_env
-
-echo
-
-if [ -f "$QUIET_INSTALL" ]; then
- if [ ! -f "$CONFILE" ]; then
- yes="y"
- else
- yes="skip"
- fi
-elif [ -f "$IGNORE_AGE" ]; then
- echo "you don't want to be bothered with the age of your $CONFILE file"
- yes="n"
-elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then
- if [ -f "$CONFILE" ]; then
- echo "An older $MODULE configuration file already exists ($CONFILE)"
- echo "Do you wish to copy the $CONF file in this distribution"
- echo "to $CONFILE ? (y/n) [skip] "
- read yes
- else
- yes="y"
- fi
-else
- yes="skip"
-fi
-
-if [ "$yes" = "y" ]; then
- mkdir -p $FAKEROOT$CONFD
- echo " copying $CONF to $CONFILE"
- cp $CONF $CONFILE
-else
- echo " Skipping $CONF installation"
- if [ "$yes" = "n" ]; then
- touch "$IGNORE_AGE"
- fi
-fi
-
-echo
-
-exit 0
diff --git a/contrib/libpam/modules/pam_env/pam_env.c b/contrib/libpam/modules/pam_env/pam_env.c
deleted file mode 100644
index bd0879c52283..000000000000
--- a/contrib/libpam/modules/pam_env/pam_env.c
+++ /dev/null
@@ -1,779 +0,0 @@ -/* pam_mail module */ - -/* - * $Id: pam_env.c,v 1.1 1997/04/05 06:42:35 morgan Exp morgan $ - * - * Written by Dave Kinchlea 1997/01/31 - * Inspired by Andrew Morgan -#endif - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#ifdef WANT_PWDB -#include -#endif - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH /* This is primarily a AUTH_SETCRED module */ -#define PAM_SM_SESSION /* But I like to be friendly */ -#define PAM_SM_PASSWORD /* "" */ -#define PAM_SM_ACCOUNT /* "" */ - -#include -#include - -/* This little structure makes it easier to keep variables together */ - -typedef struct var { - char *name; - char *value; - char *defval; - char *override; -} VAR; - -#define BUF_SIZE 1024 -#define MAX_ENV 8192 - -#define GOOD_LINE 0 -#define BAD_LINE 100 /* This must be > the largest PAM_* error code */ - -#define DEFINE_VAR 101 -#define UNDEFINE_VAR 102 -#define ILLEGAL_VAR 103 - -static int _assemble_line(FILE *, char *, int); -static int _parse_line(char *, VAR *); -static int _check_var(pam_handle_t *, VAR *); /* This is the real meat */ -static void _clean_var(VAR *); -static int _expand_arg(pam_handle_t *, char **); -static const char * _pam_get_item_byname(pam_handle_t *, const char *); -static int _define_var(pam_handle_t *, VAR *); -static int _undefine_var(pam_handle_t *, VAR *); - -/* This is a flag used to designate an empty string */ -static char quote='Z'; - -/* some syslogging */ - -static void _log_err(int err, const char *format, ...) 
-{ - va_list args; - - va_start(args, format); - openlog("PAM-env", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* argument parsing */ - -#define PAM_DEBUG_ARG 01 -#define PAM_NEW_CONF_FILE 02 -#define PAM_ENV_SILENT 04 - -static int _pam_parse(int flags, int argc, const char **argv, char **conffile) -{ - int ctrl=0; - - - /* step through arguments */ - for (; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else if (!strncmp(*argv,"conffile=",9)) { - *conffile = x_strdup(9+*argv); - if (*conffile != NULL) { - D(("new Configuration File: %s", *conffile)); - ctrl |= PAM_NEW_CONF_FILE; - } else { - _log_err(LOG_CRIT, - "Configuration file specification missing argument - ignored"); - } - } else { - _log_err(LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - -static int _parse_config_file(pam_handle_t *pamh, int ctrl, char **conffile) -{ - int retval; - const char *file; - char buffer[BUF_SIZE]; - FILE *conf; - VAR Var, *var=&Var; - - var->name=NULL; var->defval=NULL; var->override=NULL; - D(("Called.")); - - if (ctrl & PAM_NEW_CONF_FILE) { - file = *conffile; - } else { - file = DEFAULT_CONF_FILE; - } - - D(("Config file name is: %s", file)); - - /* - * Lets try to open the config file, parse it and process - * any variables found. 
- */ - - if ((conf = fopen(file,"r")) == NULL) { - _log_err(LOG_ERR, "Unable to open config file: %s", - strerror(errno)); - return PAM_ABORT; - } - - /* _pam_assemble_line will provide a complete line from the config file, with all - * comments removed and any escaped newlines fixed up - */ - - while (( retval = _assemble_line(conf, buffer, BUF_SIZE)) > 0) { - D(("Read line: %s", buffer)); - - if ((retval = _parse_line(buffer, var)) == GOOD_LINE) { - retval = _check_var(pamh, var); - - if (DEFINE_VAR == retval) { - retval = _define_var(pamh, var); - - } else if (UNDEFINE_VAR == retval) { - retval = _undefine_var(pamh, var); - } - } - if (PAM_SUCCESS != retval && ILLEGAL_VAR != retval - && BAD_LINE != retval && PAM_BAD_ITEM != retval) break; - - _clean_var(var); - - } /* while */ - - (void) fclose(conf); - - /* tidy up */ - _clean_var(var); /* We could have got here prematurely, this is safe though */ - _pam_overwrite(*conffile); - _pam_drop(*conffile); - file = NULL; - D(("Exit.")); - return (retval<0?PAM_ABORT:PAM_SUCCESS); -} - -/* - * This is where we read a line of the PAM config file. 
The line may be - * preceeded by lines of comments and also extended with "\\\n" - */ - -static int _assemble_line(FILE *f, char *buffer, int buf_len) -{ - char *p = buffer; - char *s, *os; - int used = 0; - - /* loop broken with a 'break' when a non-'\\n' ended line is read */ - - D(("called.")); - for (;;) { - if (used >= buf_len) { - /* Overflow */ - D(("_assemble_line: overflow")); - return -1; - } - if (fgets(p, buf_len - used, f) == NULL) { - if (used) { - /* Incomplete read */ - return -1; - } else { - /* EOF */ - return 0; - } - } - - /* skip leading spaces --- line may be blank */ - - s = p + strspn(p, " \n\t"); - if (*s && (*s != '#')) { - os = s; - - /* - * we are only interested in characters before the first '#' - * character - */ - - while (*s && *s != '#') - ++s; - if (*s == '#') { - *s = '\0'; - used += strlen(os); - break; /* the line has been read */ - } - - s = os; - - /* - * Check for backslash by scanning back from the end of - * the entered line, the '\n' has been included since - * normally a line is terminated with this - * character. fgets() should only return one though! - */ - - s += strlen(s); - while (s > os && ((*--s == ' ') || (*s == '\t') - || (*s == '\n'))); - - /* check if it ends with a backslash */ - if (*s == '\\') { - *s = '\0'; /* truncate the line here */ - used += strlen(os); - p = s; /* there is more ... */ - } else { - /* End of the line! 
*/ - used += strlen(os); - break; /* this is the complete line */ - } - - } else { - /* Nothing in this line */ - /* Don't move p */ - } - } - - return used; -} - -static int _parse_line(char *buffer, VAR *var) -{ - /* - * parse buffer into var, legal syntax is - * VARIABLE [DEFAULT=[[string]] [OVERRIDE=[value]] - * - * Any other options defined make this a bad line, - * error logged and no var set - */ - - int length, quoteflg=0; - char *ptr, **valptr, *tmpptr; - - D(("Called buffer = <%s>", buffer)); - - length = strcspn(buffer," \t\n"); - - if ((var->name = malloc(length + 1)) == NULL) { - _log_err(LOG_ERR, "Couldn't malloc %d bytes", length+1); - return PAM_BUF_ERR; - } - - /* - * The first thing on the line HAS to be the variable name, - * it may be the only thing though. - */ - strncpy(var->name, buffer, length); - var->name[length] = '\0'; - D(("var->name = <%s>, length = %d", var->name, length)); - - /* - * Now we check for arguments, we only support two kinds and ('cause I am lazy) - * each one can actually be listed any number of times - */ - - ptr = buffer+length; - while ((length = strspn(ptr, " \t")) > 0) { - ptr += length; /* remove leading whitespace */ - D((ptr)); - if (strncmp(ptr,"DEFAULT=",8) == 0) { - ptr+=8; - D(("Default arg found: <%s>", ptr)); - valptr=&(var->defval); - } else if (strncmp(ptr, "OVERRIDE=", 9) == 0) { - ptr+=9; - D(("Override arg found: <%s>", ptr)); - valptr=&(var->override); - } else { - D(("Unrecognized options: <%s> - ignoring line", ptr)); - _log_err(LOG_ERR, "Unrecognized Option: %s - ignoring line", ptr); - return BAD_LINE; - } - - if ('"' != *ptr) { /* Escaped quotes not supported */ - length = strcspn(ptr, " \t\n"); - tmpptr = ptr+length; - } else { - tmpptr = strchr(++ptr, '"'); - if (!tmpptr) { - D(("Unterminated quoted string: %s", ptr-1)); - _log_err(LOG_ERR, "Unterminated quoted string: %s", ptr-1); - return BAD_LINE; - } - length = tmpptr - ptr; - if (*++tmpptr && ' ' != *tmpptr && '\t' != *tmpptr && '\n' != 
*tmpptr) { - D(("Quotes must cover the entire string: <%s>", ptr)); - _log_err(LOG_ERR, "Quotes must cover the entire string: <%s>", ptr); - return BAD_LINE; - } - quoteflg++; - } - if (length) { - if ((*valptr = malloc(length + 1)) == NULL) { - D(("Couldn't malloc %d bytes", length+1)); - _log_err(LOG_ERR, "Couldn't malloc %d bytes", length+1); - return PAM_BUF_ERR; - } - (void)strncpy(*valptr,ptr,length); - (*valptr)[length]='\0'; - } else if (quoteflg--) { - *valptr = "e; /* a quick hack to handle the empty string */ - } - ptr = tmpptr; /* Start the search where we stopped */ - } /* while */ - - /* - * The line is parsed, all is well. - */ - - D(("Exit.")); - ptr = NULL; tmpptr = NULL; valptr = NULL; - return GOOD_LINE; -} - -static int _check_var(pam_handle_t *pamh, VAR *var) -{ - /* - * Examine the variable and determine what action to take. - * Returns DEFINE_VAR, UNDEFINE_VAR depending on action to take - * or a PAM_* error code if passed back from other routines - * - * if no DEFAULT provided, the empty string is assumed - * if no OVERRIDE provided, the empty string is assumed - * if DEFAULT= and OVERRIDE evaluates to the empty string, - * this variable should be undefined - * if DEFAULT="" and OVERRIDE evaluates to the empty string, - * this variable should be defined with no value - * if OVERRIDE=value and value turns into the empty string, DEFAULT is used - * - * If DEFINE_VAR is to be returned, the correct value to define will - * be pointed to by var->value - */ - - int retval; - - D(("Called.")); - - /* - * First thing to do is to expand any arguments, but only - * if they are not the special quote values (cause expand_arg - * changes memory). 
- */ - - if (var->defval && ("e != var->defval) && - ((retval = _expand_arg(pamh, &(var->defval))) != PAM_SUCCESS)) { - return retval; - } - if (var->override && ("e != var->override) && - ((retval = _expand_arg(pamh, &(var->override))) != PAM_SUCCESS)) { - return retval; - } - - /* Now its easy */ - - if (var->override && *(var->override) && "e != var->override) { - /* if there is a non-empty string in var->override, we use it */ - D(("OVERRIDE variable <%s> being used: <%s>", var->name, var->override)); - var->value = var->override; - retval = DEFINE_VAR; - } else { - - var->value = var->defval; - if ("e == var->defval) { - /* - * This means that the empty string was given for defval value - * which indicates that a variable should be defined with no value - */ - *var->defval = '\0'; - D(("An empty variable: <%s>", var->name)); - retval = DEFINE_VAR; - } else if (var->defval) { - D(("DEFAULT variable <%s> being used: <%s>", var->name, var->defval)); - retval = DEFINE_VAR; - } else { - D(("UNDEFINE variable <%s>", var->name)); - retval = UNDEFINE_VAR; - } - } - - D(("Exit.")); - return retval; -} - -static int _expand_arg(pam_handle_t *pamh, char **value) -{ - const char *orig=*value, *tmpptr=NULL; - char *ptr; /* - * Sure would be nice to use tmpptr but it needs to be - * a constant so that the compiler will shut up when I - * call pam_getenv and _pam_get_item_byname -- sigh - */ - - char type, tmpval[BUF_SIZE]; /* No unexpanded variable can be bigger than BUF_SIZE */ - char tmp[MAX_ENV]; /* I know this shouldn't be hard-coded but it's so - * much easier this way */ - - D(("Remember to initialize tmp!")); - tmp[0] = '\0'; - - /* - * (possibly non-existent) environment variables can be used as values - * by prepending a "$" and wrapping in {} (ie: ${HOST}), can escape with "\" - * (possibly non-existent) PAM items can be used as values - * by prepending a "@" and wrapping in {} (ie: @{PAM_RHOST}, can escape - * - */ - D(("Expanding <%s>",orig)); - while (*orig) { 
/* while there is some input to deal with */ - if ('\\' == *orig) { - ++orig; - if ('$' != *orig && '@' != *orig) { - D(("Unrecognized escaped character: <%c> - ignoring", *orig)); - _log_err(LOG_ERR, "Unrecognized escaped character: <%c> - ignoring", - *orig); - } else if ((strlen(tmp) + 1) < MAX_ENV) { - tmp[strlen(tmp)] = *orig++; /* Note the increment */ - } else { - /* is it really a good idea to try to log this? */ - D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); - _log_err(LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); - } - continue; - } - if ('$' == *orig || '@' == *orig) { - if ('{' != *(orig+1)) { - D(("Expandable variables must be wrapped in {} <%s> - ignoring", orig)); - _log_err(LOG_ERR, "Expandable variables must be wrapped in {} <%s> - ignoring", - orig); - if ((strlen(tmp) + 1) < MAX_ENV) { - tmp[strlen(tmp)] = *orig++; /* Note the increment */ - } - continue; - } else { - D(("Expandable argument: <%s>", orig)); - type = *orig; - orig+=2; /* skip the ${ or @{ characters */ - ptr = strchr(orig, '}'); - if (ptr) { - *ptr++ = '\0'; - } else { - D(("Unterminated expandable variable: <%s>", orig-2)); - _log_err(LOG_ERR, "Unterminated expandable variable: <%s>", orig-2); - return PAM_ABORT; - } - strcpy(tmpval, orig); - orig=ptr; - /* - * so, we know we need to expand tmpval, it is either - * an environment variable or a PAM_ITEM. 
type will tell us which - */ - switch (type) { - - case '$': - D(("Expanding env var: <%s>",tmpval)); - tmpptr = pam_getenv(pamh, tmpval); - D(("Expanded to <%s>", tmpptr)); - break; - - case '@': - D(("Expanding pam item: <%s>",tmpval)); - tmpptr = _pam_get_item_byname(pamh, tmpval); - D(("Expanded to <%s>", tmpptr)); - break; - - default: - D(("Impossible error, type == <%c>", type)); - _log_err(LOG_CRIT, "Impossible error, type == <%c>", type); - return PAM_ABORT; - } /* switch */ - - if (tmpptr) { - if ((strlen(tmp) + strlen(tmpptr)) < MAX_ENV) { - strcat(tmp, tmpptr); - } else { - /* is it really a good idea to try to log this? */ - D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); - _log_err(LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); - } - } - } /* if ('{' != *orig++) */ - } else { /* if ( '$' == *orig || '@' == *orig) */ - if ((strlen(tmp) + 1) < MAX_ENV) { - tmp[strlen(tmp)] = *orig++; /* Note the increment */ - } else { - /* is it really a good idea to try to log this? 
*/ - D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); - _log_err(LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); - } - } - } /* for (;*orig;) */ - - if (strlen(tmp) > strlen(*value)) { - free(*value); - if ((*value = malloc(strlen(tmp) +1)) == NULL) { - D(("Couldn't malloc %d bytes for expanded var", strlen(tmp)+1)); - _log_err(LOG_ERR,"Couldn't malloc %d bytes for expanded var", - strlen(tmp)+1); - return PAM_BUF_ERR; - } - } - strcpy(*value, tmp); - memset(tmp,'\0',sizeof(tmp)); - D(("Exit.")); - - return PAM_SUCCESS; -} - -static const char * _pam_get_item_byname(pam_handle_t *pamh, const char *name) -{ - /* - * This function just allows me to use names as given in the config - * file and translate them into the appropriate PAM_ITEM macro - */ - - int item; - const char *itemval; - - D(("Called.")); - if (strcmp(name, "PAM_USER") == 0) { - item = PAM_USER; - } else if (strcmp(name, "PAM_USER_PROMPT") == 0) { - item = PAM_USER_PROMPT; - } else if (strcmp(name, "PAM_TTY") == 0) { - item = PAM_TTY; - } else if (strcmp(name, "PAM_RUSER") == 0) { - item = PAM_RUSER; - } else if (strcmp(name, "PAM_RHOST") == 0) { - item = PAM_RHOST; - } else { - D(("Unknown PAM_ITEM: <%s>", name)); - _log_err(LOG_ERR, "Unknown PAM_ITEM: <%s>", name); - return NULL; - } - - if (pam_get_item(pamh, item, (const void **)&itemval) != PAM_SUCCESS) { - D(("pam_get_item failed")); - return NULL; /* let pam_get_item() log the error */ - } - D(("Exit.")); - return itemval; -} - -static int _define_var(pam_handle_t *pamh, VAR *var) -{ - /* We have a variable to define, this is a simple function */ - - char *envvar; - int size, retval=PAM_SUCCESS; - - D(("Called.")); - size = strlen(var->name)+strlen(var->value)+2; - if ((envvar = malloc(size)) == NULL) { - D(("Malloc fail, size = %d", size)); - _log_err(LOG_ERR, "Malloc fail, size = %d", size); - return PAM_BUF_ERR; - } - (void) sprintf(envvar,"%s=%s",var->name,var->value); - retval = pam_putenv(pamh, envvar); - 
free(envvar); envvar=NULL; - D(("Exit.")); - return retval; -} - -static int _undefine_var(pam_handle_t *pamh, VAR *var) -{ - /* We have a variable to undefine, this is a simple function */ - - D(("Called and exit.")); - return pam_putenv(pamh, var->name); -} - -static void _clean_var(VAR *var) -{ - if (var->name) { - free(var->name); - } - if (var->defval && ("e != var->defval)) { - free(var->defval); - } - if (var->override && ("e != var->override)) { - free(var->override); - } - var->name = NULL; - var->value = NULL; /* never has memory specific to it */ - var->defval = NULL; - var->override = NULL; - return; -} - - - -/* --- authentication management functions (only) --- */ - -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) -{ - return PAM_IGNORE; -} - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, - const char **argv) -{ - int retval, ctrl; - char *conf_file=NULL; - - /* - * this module sets environment variables read in from a file - */ - - D(("Called.")); - ctrl = _pam_parse(flags, argc, argv, &conf_file); - - retval = _parse_config_file(pamh, ctrl, &conf_file); - - /* indicate success or failure */ - - D(("Exit.")); - return retval; -} - -PAM_EXTERN -int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, - const char **argv) -{ - _log_err(LOG_NOTICE, "pam_sm_acct_mgmt called inappropriatly"); - return PAM_SERVICE_ERR; -} - -PAM_EXTERN -int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - int retval, ctrl; - char *conf_file=NULL; - - /* - * this module sets environment variables read in from a file - */ - - D(("Called.")); - ctrl = _pam_parse(flags, argc, argv, &conf_file); - - retval = _parse_config_file(pamh, ctrl, &conf_file); - - /* indicate success or failure */ - - D(("Exit.")); - return retval; -} - -PAM_EXTERN -int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc, - const char **argv) -{ - D(("Called and Exit")); - return 
PAM_SUCCESS; -} - -PAM_EXTERN -int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, - const char **argv) -{ - _log_err(LOG_NOTICE, "pam_sm_chauthtok called inappropriatly"); - return PAM_SERVICE_ERR; -} - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_env_modstruct = { - "pam_env", - pam_sm_authenticate, - pam_sm_setcred, - pam_sm_acct_mgmt, - pam_sm_open_session, - pam_sm_close_session, - pam_sm_chauthtok, -}; - -#endif - -/* end of module definition */ diff --git a/contrib/libpam/modules/pam_env/pam_env.conf-example b/contrib/libpam/modules/pam_env/pam_env.conf-example deleted file mode 100644 index 388e8b6b16d4..000000000000 --- a/contrib/libpam/modules/pam_env/pam_env.conf-example +++ /dev/null 
@@ -1,72 +0,0 @@
-# $Date: 1997/04/05 06:42:35 $
-# $Author: morgan $
-# $Id: pam_env.conf-example,v 1.1 1997/04/05 06:42:35 morgan Exp $
-#
-# This is the configuration file for pam_env, a PAM module to load in
-# a configurable list of environment variables for a
-#
-# The original idea for this came from Andrew G. Morgan ...
-#
-# Mmm. Perhaps you might like to write a pam_env module that reads a
-# default environment from a file? I can see that as REALLY
-# useful... Note it would be an "auth" module that returns PAM_IGNORE
-# for the auth part and sets the environment returning PAM_SUCCESS in
-# the setcred function...
-#
-#
-# What I wanted was the REMOTEHOST variable set, purely for selfish
-# reasons, and AGM didn't want it added to the SimpleApps login
-# program (which is where I added the patch). So, my first concern is
-# that variable, from there there are numerous others that might/would
-# be useful to be set: NNTPSERVER, LESS, PATH, PAGER, MANPAGER .....
-#
-# Of course, these are a different kind of variable than REMOTEHOST in
-# that they are things that are likely to be configured by
-# administrators rather than set by logging in, how to treat them both
-# in the same config file?
-#
-# Here is my idea:
-#
-# Each line starts with the variable name, there are then two possible
-# options for each variable DEFAULT and OVERRIDE.
-# DEFAULT allows and administrator to set the value of the
-# variable to some default value, if none is supplied then the empty
-# string is assumed. The OVERRIDE option tells pam_env that it should
-# enter in its value (overriding the default value) if there is one
-# to use. OVERRIDE is not used, "" is assumed and no override will be
-# done.
-#
-# VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
-#
-# (Possibly non-existent) environment variables may be used in values
-# using the ${string} syntax and (possibly non-existent) PAM_ITEMs may
-# be used in values using the @{string} syntax.
Both the $ and @
-# characters can be backslash escaped to be used as literal values
-# values can be delimited with "", escaped " not supported.
-#
-#
-# First, some special variables
-#
-# Set the REMOTEHOST variable for any hosts that are remote, default
-# to "localhost" rather than not being set at all
-#REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
-#
-# Set the DISPLAY variable if it seems reasonable
-#DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
-#
-#
-# Now some simple variables
-#
-#PAGER DEFAULT=less
-#MANPAGER DEFAULT=less
-#LESS DEFAULT="M q e h15 z23 b80"
-#NNTPSERVER DEFAULT=localhost
-#PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
-#:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
-#
-# silly examples of escaped variables, just to show how they work.
-#
-#DOLLAR DEFAULT=\$
-#DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR}
-#DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST}
-#ATSIGN DEFAULT="" OVERRIDE=\@
diff --git a/contrib/libpam/modules/pam_filter/Makefile b/contrib/libpam/modules/pam_filter/Makefile
deleted file mode 100644
index dbd6452ab285..000000000000
--- a/contrib/libpam/modules/pam_filter/Makefile
+++ /dev/null
@@ -1,150 +0,0 @@
-#
-# $Id: Makefile,v 1.10 1997/04/05 06:41:09 morgan Exp $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.10 1997/04/05 06:41:09 morgan
-# fakeroot
-#
-# Revision 1.9 1997/02/15 18:58:48 morgan
-# fixed bash syntax
-#
-# Revision 1.8 1997/01/04 20:24:29 morgan
-# don't compile on solaris, make -> $(MAKE)
-#
-# Revision 1.7 1996/11/10 20:12:09 morgan
-# cross platform support
-#
-# Created by Andrew Morgan 1996/3/11
-#
-
-ifeq ($(OS),solaris)
-
-include ../dont_makefile
-
-else
-
-TITLE=pam_filter
-FILTERS=upperLOWER
-FILTERSDIR=$(SUPLEMENTED)/pam_filter
-export FILTERSDIR
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
- @echo "**** This is not a top-level Makefile "
- exit
-
-#
-# this is where we compile this module
-#
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register filters
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd ..
; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-filters:
- @for i in $(FILTERS) ; do \
- if [ -d $$i ]; then \
- $(MAKE) -C $$i all ; \
- fi ; \
- done
-
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-endif
-
-ifdef DYNAMIC
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-endif
-
-ifdef STATIC
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- @for i in $(FILTERS) ; do \
- if [ -d $$i ]; then \
- $(MAKE) -C $$i install ; \
- fi ; \
- done
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
- $(MKDIR) $(FAKEROOT)$(INCLUDED)
- $(INSTALL) -m 644 include/pam_filter.h $(FAKEROOT)$(INCLUDED)
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
- rm -f $(FAKEROOT)$(INCLUDED)/pam_filter.h
- @for i in $(FILTERS) ; do \
- if [ -d $$i ]; then \
- $(MAKE) -C $$i remove ; \
- fi ; \
- done
-
-lclean:
- rm -f $(LIBSHARED) $(LIBOBJD) $(LIBOBJS) core *~
-
-clean: lclean
- @for i in $(FILTERS) ; do \
- if [ -d $$i ]; then \
- $(MAKE) -C $$i clean ; \
- fi ; \
- done
-
-extraclean: lclean
- @rm -f *.a *.o *.so *.bak
- for i in $(FILTERS) ; do \
- if [ -d $$i ]; then \
- $(MAKE) -C $$i extraclean ; \
- fi ; \
- done
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
-endif
diff --git a/contrib/libpam/modules/pam_filter/README b/contrib/libpam/modules/pam_filter/README
deleted file mode 100644
index 9d46a56e5c9c..000000000000
--- a/contrib/libpam/modules/pam_filter/README
+++ /dev/null
@@ -1,94 +0,0 @@
-#
-# $Id: README,v 1.5 1996/12/01 02:53:08 morgan Exp $
-#
-# This describes the behavior of this module with respect to the
-# /etc/pam.conf file.
-#
-# writen by Andrew Morgan
-#
-
-This module is intended to be a platform for providing access to all
-of the input/output that passes between the user and the application.
-It is only suitable for tty-based and (stdin/stdout) applications. And
-is only known to work on Linux based systems.
-
-The action of the module is dictated by the arguments it is given in
-the pam.conf file.
-
-recognized flags are:
-
- debug print some information to syslog(3)
-
- new_term set the PAM_TTY item to the new filtered
- terminal (the default is to set it
- to be that of the users terminal)
-
- non_term don't try to set the PAM_TTY item
-
- run1/run2 these arguments indicate that the
- module should separate the application
- from the user and insert a filter
- program between them. The pathname of
- the filter program follows the 'runN'
- argument. Arguments that follow this
- pathname are passed as arguments to
- the filter program.
-
- The distinction between run1 and run2
- is which of the two functions of
- the given management-type triggers the
- execution of the indicated filter.
-
- type: run1 run2
- ----- ---- ----
-
- auth pam_sm_authenticate pam_sm_setcred
-
- account [ pam_sm_acct_mgmt (either is good) ]
-
- session pam_sm_open_session pam_sm_close_session
-
- password pam_sm_chauthtok/PRELIM pam_sm_chauthtok/UPDATE
-
-Note, in the case of 'password' PRELIM/UPDATE indicates which of the
-two calls to pam_sm_chauthtok from libpam (not the application) will
-trigger the filter.
-
-What a filter program should expect:
-------------------------------------
-
-Definitions for filter programs (which may be locally designed) are
-contained in the file.
-
-Arguments are not passed to the filter on the command line, since this
-is plainly visible when a user types 'ps -a'.
Instead they are passed
-as the filter's environment. Other information is passed in this way
-too.
-
-Here is a list of the environment variables that a filter should
-expect:
-
- ARGS="filter_path_name argument list"
- SERVICE="service_name" (as it appears in /etc/pam.conf)
- USER="username"
- TYPE="module_fn" (the name of the function in pam_filter.so
- that invoked the filter)
-
-[This list is likely to grow. If you want something added, email me!]
-
-Among other things this module is intended to provide a useful means
-of logging the activity of users in as discrete a manner as possible.
-
-Existing filters:
------------------
-
-Currently, there is a single supplied filter (upperLOWER). The effect
-of using this filter is to transpose upper and lower case letters
-between the user and the application. This is really annoying when you
-try the 'xsh' example application! ;)
-
-TODO: provide more filters...
- Decide if providing stderr interception is really overkill.
-
-Andrew G. Morgan 1996/5/27
-
diff --git a/contrib/libpam/modules/pam_filter/include/pam_filter.h b/contrib/libpam/modules/pam_filter/include/pam_filter.h
deleted file mode 100644
index 3eb2730e768b..000000000000
--- a/contrib/libpam/modules/pam_filter/include/pam_filter.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * $Id: pam_filter.h,v 1.2 1997/02/15 19:09:09 morgan Exp $
- *
- * this file is associated with the Linux-PAM filter module.
- * it was written by Andrew G. Morgan
- *
- */
-
-#ifndef PAM_FILTER_H
-#define PAM_FILTER_H
-
-#include
-
-/*
- * this will fail if there is some problem with these file descriptors
- * being allocated by the pam_filter Linux-PAM module. The numbers
- * here are thought safe, but the filter developer should use the
- * macros, as these numbers are subject to change.
- *
- * The APPXXX_FILENO file descriptors are the STDIN/OUT/ERR_FILENO of the
- * application. The filter uses the STDIN/OUT/ERR_FILENO's to converse
- * with the user, passes (modified) user input to the application via
- * APPIN_FILENO, and receives application output from APPOUT_FILENO/ERR.
- */
-
-#define APPIN_FILENO 3 /* write here to give application input */
-#define APPOUT_FILENO 4 /* read here to get application output */
-#define APPERR_FILENO 5 /* read here to get application errors */
-
-#define APPTOP_FILE 6 /* used by select */
-
-#endif
diff --git a/contrib/libpam/modules/pam_filter/pam_filter.c b/contrib/libpam/modules/pam_filter/pam_filter.c
deleted file mode 100644
index fc3d1f2b53fc..000000000000
--- a/contrib/libpam/modules/pam_filter/pam_filter.c
+++ /dev/null
@@ -1,747 +0,0 @@ -/* - * $Id: pam_filter.c,v 1.9 1997/02/15 19:07:49 morgan Exp morgan $ - * - * $Log: pam_filter.c,v $ - * Revision 1.9 1997/02/15 19:07:49 morgan - * fixed email - * - * Revision 1.8 1996/11/10 20:59:23 morgan - * gcc warning removed - * - * Revision 1.7 1996/07/08 00:01:17 morgan - * set the PAM_TTY item now - * - * Revision 1.6 1996/06/02 08:08:19 morgan - * completely re-written - * - * - * written by Andrew Morgan with much help from - * Richard Stevens' UNIX Network Programming book. - */ - -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - -#include -#include - -/* ------ some tokens used for convenience throughout this file ------- */ - -#define FILTER_DEBUG 01 -#define FILTER_RUN1 02 -#define FILTER_RUN2 04 -#define NEW_TERM 010 -#define NON_TERM 020 - -/* -------------------------------------------------------------------- */ - -/* log errors */ - -#include - -static void _pam_log(int err, const char *format, ...) 
-{ - va_list args; - - va_start(args, format); - openlog("pam_filter", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -#define TERMINAL_LEN 12 - -static int master(char *terminal) -/* - * try to open all of the terminals in sequence return first free one, - * or -1 - */ -{ - const char ptys[] = "pqrs", *pty = ptys; - const char hexs[] = "0123456789abcdef", *hex; - struct stat tstat; - int fd; - - strcpy(terminal, "/dev/pty??"); - - while (*pty) { /* step through four types */ - terminal[8] = *pty++; - terminal[9] = '0'; - if (stat(terminal,&tstat) < 0) { - _pam_log(LOG_WARNING, "unknown pseudo terminal; %s", terminal); - break; - } - for (hex = hexs; *hex; ) { /* step through 16 of these */ - terminal[9] = *hex++; - if ((fd = open(terminal, O_RDWR)) >= 0) { - return fd; - } - } - } - - /* no terminal found */ - - return -1; -} - -static int process_args(pam_handle_t *pamh - , int argc, const char **argv, const char *type - , char ***evp, const char **filtername) -{ - int ctrl=0; - - while (argc-- > 0) { - if (strcmp("debug",*argv) == 0) { - ctrl |= FILTER_DEBUG; - } else if (strcmp("new_term",*argv) == 0) { - ctrl |= NEW_TERM; - } else if (strcmp("non_term",*argv) == 0) { - ctrl |= NON_TERM; - } else if (strcmp("run1",*argv) == 0) { - ctrl |= FILTER_RUN1; - if (argc <= 0) { - _pam_log(LOG_ALERT,"no run filter supplied"); - } else - break; - } else if (strcmp("run2",*argv) == 0) { - ctrl |= FILTER_RUN2; - if (argc <= 0) { - _pam_log(LOG_ALERT,"no run filter supplied"); - } else - break; - } else { - _pam_log(LOG_ERR, "unrecognized option: %s (ignored)", *argv); - } - ++argv; /* step along list */ - } - - if (argc < 0) { - /* there was no reference to a filter */ - *filtername = NULL; - *evp = NULL; - } else { - char **levp; - const char *tmp; - int i,size; - - *filtername = *++argv; - if (ctrl & FILTER_DEBUG) { - _pam_log(LOG_DEBUG,"will run filter %s\n", *filtername); - } - - levp = (char **) malloc(5*sizeof(char *)); 
- if (levp == NULL) { - _pam_log(LOG_CRIT,"no memory for environment of filter"); - return -1; - } - - for (size=i=0; i terminate */ - - /* the "SERVICE" variable */ - -#define SERVICE_OFFSET 8 /* sizeof("SERVICE="); */ -#define SERVICE_NAME "SERVICE=" - - pam_get_item(pamh, PAM_SERVICE, (const void **)&tmp); - size = SERVICE_OFFSET+strlen(tmp); - - levp[1] = (char *) malloc(size+1); - if (levp[1] == NULL) { - _pam_log(LOG_CRIT,"no memory for service name"); - if (levp) { - free(levp[0]); - free(levp); - } - return -1; - } - - strncpy(levp[1],SERVICE_NAME,SERVICE_OFFSET); - strcpy(levp[1]+SERVICE_OFFSET, tmp); - levp[1][size] = '\0'; /* terminate */ - - /* the "USER" variable */ - -#define USER_OFFSET 5 /* sizeof("USER="); */ -#define USER_NAME "USER=" - - pam_get_user(pamh, &tmp, NULL); - if (tmp == NULL) { - tmp = ""; - } - size = USER_OFFSET+strlen(tmp); - - levp[2] = (char *) malloc(size+1); - if (levp[2] == NULL) { - _pam_log(LOG_CRIT,"no memory for user's name"); - if (levp) { - free(levp[1]); - free(levp[0]); - free(levp); - } - return -1; - } - - strncpy(levp[2],USER_NAME,USER_OFFSET); - strcpy(levp[2]+USER_OFFSET, tmp); - levp[2][size] = '\0'; /* terminate */ - - /* the "USER" variable */ - -#define TYPE_OFFSET 5 /* sizeof("TYPE="); */ -#define TYPE_NAME "TYPE=" - - size = TYPE_OFFSET+strlen(type); - - levp[3] = (char *) malloc(size+1); - if (levp[3] == NULL) { - _pam_log(LOG_CRIT,"no memory for type"); - if (levp) { - free(levp[2]); - free(levp[1]); - free(levp[0]); - free(levp); - } - return -1; - } - - strncpy(levp[3],TYPE_NAME,TYPE_OFFSET); - strcpy(levp[3]+TYPE_OFFSET, type); - levp[3][size] = '\0'; /* terminate */ - - levp[4] = NULL; /* end list */ - - *evp = levp; - } - - if ((ctrl & FILTER_DEBUG) && *filtername) { - char **e; - - _pam_log(LOG_DEBUG,"filter[%s]: %s",type,*filtername); - _pam_log(LOG_DEBUG,"environment:"); - for (e=*evp; e && *e; ++e) { - _pam_log(LOG_DEBUG," %s",*e); - } - } - - return ctrl; -} - -static void free_evp(char *evp[]) 
-{ - int i; - - if (evp) - for (i=0; i<4; ++i) { - if (evp[i]) - free(evp[i]); - } - free(evp); -} - -static int set_filter(pam_handle_t *pamh, int flags, int ctrl - , const char **evp, const char *filtername) -{ - int status=-1; - char terminal[TERMINAL_LEN]; - struct termio stored_mode; /* initial terminal mode settings */ - int fd[2], child=0, child2=0, aterminal; - - if (filtername == NULL || *filtername != '/') { - _pam_log(LOG_ALERT, "filtername not permitted; require full path"); - return PAM_ABORT; - } - - if (!isatty(STDIN_FILENO) || !isatty(STDOUT_FILENO)) { - aterminal = 0; - } else { - aterminal = 1; - } - - if (aterminal) { - - /* open the master pseudo terminal */ - - fd[0] = master(terminal); - if (fd[0] < 0) { - _pam_log(LOG_CRIT,"no master terminal"); - return PAM_AUTH_ERR; - } - - /* set terminal into raw mode.. remember old mode so that we can - revert to it after the child has quit. */ - - /* this is termio terminal handling... */ - - if (ioctl(STDIN_FILENO, TCGETA, (char *) &stored_mode ) < 0) { - /* in trouble, so close down */ - close(fd[0]); - _pam_log(LOG_CRIT, "couldn't copy terminal mode"); - return PAM_ABORT; - } else { - struct termio t_mode = stored_mode; - - t_mode.c_iflag = 0; /* no input control */ - t_mode.c_oflag &= ~OPOST; /* no ouput post processing */ - - /* no signals, canonical input, echoing, upper/lower output */ - t_mode.c_lflag &= ~(ISIG|ICANON|ECHO|XCASE); - t_mode.c_cflag &= ~(CSIZE|PARENB); /* no parity */ - t_mode.c_cflag |= CS8; /* 8 bit chars */ - - t_mode.c_cc[VMIN] = 1; /* number of chars to satisfy a read */ - t_mode.c_cc[VTIME] = 0; /* 0/10th second for chars */ - - if (ioctl(STDIN_FILENO, TCSETA, (char *) &t_mode) < 0) { - close(fd[0]); - _pam_log(LOG_WARNING, "couldn't put terminal in RAW mode"); - return PAM_ABORT; - } - - /* - * NOTE: Unlike the stream socket case here the child - * opens the slave terminal as fd[1] *after* the fork... 
- */ - } - } else { - - /* - * not a terminal line so just open a stream socket fd[0-1] - * both set... - */ - - if ( socketpair(AF_UNIX, SOCK_STREAM, 0, fd) < 0 ) { - _pam_log(LOG_CRIT,"couldn't open a stream pipe"); - return PAM_ABORT; - } - } - - /* start child process */ - - if ( (child = fork()) < 0 ) { - - _pam_log(LOG_WARNING,"first fork failed"); - if (aterminal) { - (void) ioctl(STDIN_FILENO, TCSETA, (char *) &stored_mode); - } - - return PAM_AUTH_ERR; - } - - if ( child == 0 ) { /* child process *is* application */ - - if (aterminal) { - - /* close the controlling tty */ - -#if defined(__hpux) && defined(O_NOCTTY) - int t = open("/dev/tty", O_RDWR|O_NOCTTY); -#else - int t = open("/dev/tty",O_RDWR); - if (t > 0) { - (void) ioctl(t, TIOCNOTTY, NULL); - close(t); - } -#endif /* defined(__hpux) && defined(O_NOCTTY) */ - - /* make this process it's own process leader */ - if (setsid() == -1) { - _pam_log(LOG_WARNING,"child cannot become new session"); - return PAM_ABORT; - } - - /* find slave's name */ - terminal[5] = 't'; /* want to open slave terminal */ - fd[1] = open(terminal, O_RDWR); - close(fd[0]); /* process is the child -- uses line fd[1] */ - - if (fd[1] < 0) { - _pam_log(LOG_WARNING,"cannot open slave terminal; %s" - ,terminal); - return PAM_ABORT; - } - - /* initialize the child's terminal to be the way the - parent's was before we set it into RAW mode */ - - if (ioctl(fd[1], TCSETA, (char *) &stored_mode) < 0) { - _pam_log(LOG_WARNING,"cannot set slave terminal mode; %s" - ,terminal); - close(fd[1]); - return PAM_ABORT; - } - - } else { - - /* nothing to do for a simple stream socket */ - - } - - /* re-assign the stdin/out to fd[1] <- (talks to filter). 
*/ - - if ( dup2(fd[1],STDIN_FILENO) != STDIN_FILENO || - dup2(fd[1],STDOUT_FILENO) != STDOUT_FILENO || - dup2(fd[1],STDERR_FILENO) != STDERR_FILENO ) { - _pam_log(LOG_WARNING - ,"unable to re-assign STDIN/OUT/ERR...'s"); - close(fd[1]); - return PAM_ABORT; - } - - /* make sure that file descriptors survive 'exec's */ - - if ( fcntl(STDIN_FILENO, F_SETFD, 0) || - fcntl(STDOUT_FILENO,F_SETFD, 0) || - fcntl(STDERR_FILENO,F_SETFD, 0) ) { - _pam_log(LOG_WARNING - ,"unable to re-assign STDIN/OUT/ERR...'s"); - return PAM_ABORT; - } - - /* now the user input is read from the parent/filter: forget fd */ - - close(fd[1]); - - /* the current process is now aparently working with filtered - stdio/stdout/stderr --- success! */ - - return PAM_SUCCESS; - } - - /* - * process is the parent here. So we can close the application's - * input/output - */ - - close(fd[1]); - - /* Clear out passwords... there is a security problem here in - * that this process never executes pam_end. Consequently, any - * other sensitive data in this process is *not* explicitly - * overwritten, before the process terminates */ - - (void) pam_set_item(pamh, PAM_AUTHTOK, NULL); - (void) pam_set_item(pamh, PAM_OLDAUTHTOK, NULL); - - /* fork a copy of process to run the actual filter executable */ - - if ( (child2 = fork()) < 0 ) { - - _pam_log(LOG_WARNING,"filter fork failed"); - child2 = 0; - - } else if ( child2 == 0 ) { /* exec the child filter */ - - if ( dup2(fd[0],APPIN_FILENO) != APPIN_FILENO || - dup2(fd[0],APPOUT_FILENO) != APPOUT_FILENO || - dup2(fd[0],APPERR_FILENO) != APPERR_FILENO ) { - _pam_log(LOG_WARNING - ,"unable to re-assign APPIN/OUT/ERR...'s"); - close(fd[0]); - exit(1); - } - - /* make sure that file descriptors survive 'exec's */ - - if ( fcntl(APPIN_FILENO, F_SETFD, 0) == -1 || - fcntl(APPOUT_FILENO,F_SETFD, 0) == -1 || - fcntl(APPERR_FILENO,F_SETFD, 0) == -1 ) { - _pam_log(LOG_WARNING - ,"unable to retain APPIN/OUT/ERR...'s"); - close(APPIN_FILENO); - close(APPOUT_FILENO); - 
close(APPERR_FILENO); - exit(1); - } - - /* now the user input is read from the parent through filter */ - - execle(filtername, "", NULL, evp); - - /* getting to here is an error */ - - _pam_log(LOG_ALERT, "filter: %s, not executable", filtername); - - } else { /* wait for either of the two children to exit */ - - while (child && child2) { /* loop if there are two children */ - int lstatus=0; - int chid; - - chid = wait(&lstatus); - if (chid == child) { - - if (WIFEXITED(lstatus)) { /* exited ? */ - status = WEXITSTATUS(lstatus); - } else if (WIFSIGNALED(lstatus)) { /* killed ? */ - status = -1; - } else - continue; /* just stopped etc.. */ - child = 0; /* the child has exited */ - - } else if (chid == child2) { - /* - * if the filter has exited. Let the child die - * naturally below - */ - if (WIFEXITED(lstatus) || WIFSIGNALED(lstatus)) - child2 = 0; - } else { - - _pam_log(LOG_ALERT - ,"programming error : " - __FILE__ " line %d" - , lstatus, __LINE__ ); - child = child2 = 0; - status = -1; - - } - } - } - - close(fd[0]); - - /* if there is something running, wait for it to exit */ - - while (child || child2) { - int lstatus=0; - int chid; - - chid = wait(&lstatus); - - if (child && chid == child) { - - if (WIFEXITED(lstatus)) { /* exited ? */ - status = WEXITSTATUS(lstatus); - } else if (WIFSIGNALED(lstatus)) { /* killed ? */ - status = -1; - } else - continue; /* just stopped etc.. 
*/ - child = 0; /* the child has exited */ - - } else if (child2 && chid == child2) { - - if (WIFEXITED(lstatus) || WIFSIGNALED(lstatus)) - child2 = 0; - - } else { - - _pam_log(LOG_ALERT - ,"programming error : " - __FILE__ " line %d" - , lstatus, __LINE__ ); - child = child2 = 0; - status = -1; - - } - } - - if (aterminal) { - /* reset to initial terminal mode */ - (void) ioctl(STDIN_FILENO, TCSETA, (char *) &stored_mode); - } - - if (ctrl & FILTER_DEBUG) { - _pam_log(LOG_DEBUG,"parent process exited"); /* clock off */ - } - - /* quit the parent process, returning the child's exit status */ - - exit(status); -} - -static int set_the_terminal(pam_handle_t *pamh) -{ - const char *tty; - - if (pam_get_item(pamh, PAM_TTY, (const void **)&tty) != PAM_SUCCESS - || tty == NULL) { - tty = ttyname(STDIN_FILENO); - if (tty == NULL) { - _pam_log(LOG_ERR, "couldn't get the tty name"); - return PAM_ABORT; - } - if (pam_set_item(pamh, PAM_TTY, tty) != PAM_SUCCESS) { - _pam_log(LOG_ERR, "couldn't set tty name"); - return PAM_ABORT; - } - } - return PAM_SUCCESS; -} - -static int need_a_filter(pam_handle_t *pamh - , int flags, int argc, const char **argv - , const char *name, int which_run) -{ - int ctrl; - char **evp; - const char *filterfile; - int retval; - - ctrl = process_args(pamh, argc, argv, name, &evp, &filterfile); - if (ctrl == -1) { - return PAM_AUTHINFO_UNAVAIL; - } - - /* set the tty to the old or the new one? 
*/ - - if (!(ctrl & NON_TERM) && !(ctrl & NEW_TERM)) { - retval = set_the_terminal(pamh); - if (retval != PAM_SUCCESS) { - _pam_log(LOG_ERR, "tried and failed to set PAM_TTY"); - } - } else { - retval = PAM_SUCCESS; /* nothing to do which is always a success */ - } - - if (retval == PAM_SUCCESS && (ctrl & which_run)) { - retval = set_filter(pamh, flags, ctrl - , (const char **)evp, filterfile); - } - - if (retval == PAM_SUCCESS - && !(ctrl & NON_TERM) && (ctrl & NEW_TERM)) { - retval = set_the_terminal(pamh); - if (retval != PAM_SUCCESS) { - _pam_log(LOG_ERR - , "tried and failed to set new terminal as PAM_TTY"); - } - } - - free_evp(evp); - - if (ctrl & FILTER_DEBUG) { - _pam_log(LOG_DEBUG, "filter/%s, returning %d", name, retval); - _pam_log(LOG_DEBUG, "[%s]", pam_strerror(pamh, retval)); - } - - return retval; -} - -/* ----------------- public functions ---------------- */ - -/* - * here are the advertised access points ... - */ - -/* ------------------ authentication ----------------- */ - -PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh - , int flags, int argc, const char **argv) -{ - return need_a_filter(pamh, flags, argc, argv - , "authenticate", FILTER_RUN1); -} - -PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags - , int argc, const char **argv) -{ - return need_a_filter(pamh, flags, argc, argv, "setcred", FILTER_RUN2); -} - -/* --------------- account management ---------------- */ - -PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, - const char **argv) -{ - return need_a_filter(pamh, flags, argc, argv - , "setcred", FILTER_RUN1|FILTER_RUN2 ); -} - -/* --------------- session management ---------------- */ - -PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags - , int argc, const char **argv) -{ - return need_a_filter(pamh, flags, argc, argv - , "open_session", FILTER_RUN1); -} - -PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags - , int argc, const char **argv) -{ - return 
need_a_filter(pamh, flags, argc, argv - , "close_session", FILTER_RUN2); -} - -/* --------- updating authentication tokens --------- */ - - -PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags - , int argc, const char **argv) -{ - int runN; - - if (flags & PAM_PRELIM_CHECK) - runN = FILTER_RUN1; - else if (flags & PAM_UPDATE_AUTHTOK) - runN = FILTER_RUN2; - else { - _pam_log(LOG_ERR, "unknown flags for chauthtok (0x%X)", flags); - return PAM_TRY_AGAIN; - } - - return need_a_filter(pamh, flags, argc, argv, "chauthtok", runN); -} - -#ifdef PAM_STATIC - -/* ------------ stuff for static modules ------------ */ - -struct pam_module _pam_filter_modstruct = { - "pam_filter", - pam_sm_authenticate, - pam_sm_setcred, - pam_sm_acct_mgmt, - pam_sm_open_session, - pam_sm_close_session, - pam_sm_chauthtok, -}; - -#endif diff --git a/contrib/libpam/modules/pam_filter/upperLOWER/Makefile b/contrib/libpam/modules/pam_filter/upperLOWER/Makefile deleted file mode 100644 index 09b693bf6803..000000000000 --- a/contrib/libpam/modules/pam_filter/upperLOWER/Makefile +++ /dev/null 
@@ -1,58 +0,0 @@
-#
-# $Id: Makefile,v 1.5 1997/04/05 06:41:35 morgan Exp $
-#
-# $Log: Makefile,v $
-# Revision 1.5 1997/04/05 06:41:35 morgan
-# fakeroot
-#
-# Revision 1.4 1997/01/04 20:25:04 morgan
-# removed need for make
-#
-# Revision 1.3 1996/11/10 20:13:08 morgan
-# email address
-#
-# Revision 1.2 1996/11/10 20:12:24 morgan
-# cross platform support
-#
-# Revision 1.1 1996/06/02 08:17:02 morgan
-# Initial revision
-#
-#
-# This directory contains a pam_filter filter executable
-#
-# Created by Andrew Morgan 1996/3/11
-#
-
-TITLE=upperLOWER
-
-#
-
-OBJS = $(TITLE).o
-
-####################### don't edit below #######################
-
-dummy:
- @echo "**** This is not a top-level Makefile "
-
-all: $(TITLE)
-
-$(TITLE): $(OBJS)
- $(CC) -o $(TITLE) $(OBJS)
- strip $(TITLE)
-
-install:
- $(MKDIR) $(FAKEROOT)$(FILTERSDIR)
- $(INSTALL) -m 511 $(TITLE) $(FAKEROOT)$(FILTERSDIR)
-
-remove:
- cd $(FAKEROOT)$(FILTERSDIR) && rm -f $(TITLE)
-
-clean:
- rm -f $(TITLE) $(OBJS) core *~
-
-extraclean: clean
- rm -f *.bak
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_filter/upperLOWER/upperLOWER.c b/contrib/libpam/modules/pam_filter/upperLOWER/upperLOWER.c
deleted file mode 100644
index b375c0794edf..000000000000
--- a/contrib/libpam/modules/pam_filter/upperLOWER/upperLOWER.c
+++ /dev/null
@@ -1,160 +0,0 @@ -/* - * $Id: upperLOWER.c,v 1.1 1996/06/02 08:17:02 morgan Exp $ - * - * This is a sample filter program, for use with pam_filter (a module - * provided with Linux-PAM). This filter simply transposes upper and - * lower case letters, it is intended for demonstration purposes and - * it serves no purpose other than to annoy the user... - * - * $Log: upperLOWER.c,v $ - * Revision 1.1 1996/06/02 08:17:02 morgan - * Initial revision - * - */ - -#include -#include -#include -#include -#include - -#include - -/* ---------------------------------------------------------------- */ - -#include -#ifdef hpux -# define log_this syslog -#else -static void log_this(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("upperLOWER", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} -#endif - -#include - -static void do_transpose(char *buffer,int len) -{ - int i; - for (i=0; i %s\r\n",envp[i]); - } - fprintf(stderr,"]: end\r\n"); - } -#endif - - if (argc != 1) { -#ifdef DEBUG - fprintf(stderr,"filter invoked as conventional executable\n"); -#else - log_this(LOG_ERR, "filter invoked as conventional executable"); -#endif - exit(1); - } - - before_user = before_app = do_transpose; /* assign filter functions */ - - /* enter a loop that deals with the input and output of the - user.. 
passing it to and from the application */ - - FD_ZERO(&readers); /* initialize reading mask */ - - for (;;) { - - FD_SET(APPOUT_FILENO, &readers); /* wake for output */ - FD_SET(APPERR_FILENO, &readers); /* wake for error */ - FD_SET(STDIN_FILENO, &readers); /* wake for input */ - - if ( select(APPTOP_FILE,&readers,NULL,NULL,NULL) < 0 ) { -#ifdef DEBUG - fprintf(stderr,"select failed\n"); -#else - log_this(LOG_WARNING,"select failed"); -#endif - break; - } - - /* application errors */ - - if ( FD_ISSET(APPERR_FILENO,&readers) ) { - int got = read(APPERR_FILENO, buffer, BUFSIZ); - if (got <= 0) { - break; - } else { - /* translate to give to real terminal */ - if (before_user != NULL) - before_user(buffer, got); - if ( write(STDERR_FILENO, buffer, got) != got ) { - log_this(LOG_WARNING,"couldn't write %d bytes?!",got); - break; - } - } - } else if ( FD_ISSET(APPOUT_FILENO,&readers) ) { /* app output */ - int got = read(APPOUT_FILENO, buffer, BUFSIZ); - if (got <= 0) { - break; - } else { - /* translate to give to real terminal */ - if (before_user != NULL) - before_user(buffer, got); - if ( write(STDOUT_FILENO, buffer, got) != got ) { - log_this(LOG_WARNING,"couldn't write %d bytes!?",got); - break; - } - } - } - - if ( FD_ISSET(STDIN_FILENO, &readers) ) { /* user input */ - int got = read(STDIN_FILENO, buffer, BUFSIZ); - if (got < 0) { - log_this(LOG_WARNING,"user input junked"); - break; - } else if (got) { - /* translate to give to application */ - if (before_app != NULL) - before_app(buffer, got); - if ( write(APPIN_FILENO, buffer, got) != got ) { - log_this(LOG_WARNING,"couldn't pass %d bytes!?",got); - break; - } - } else { - /* nothing received -- an error? */ - log_this(LOG_WARNING,"user input null?"); - break; - } - } - } - - exit(0); -} - - - diff --git a/contrib/libpam/modules/pam_ftp/Makefile b/contrib/libpam/modules/pam_ftp/Makefile deleted file mode 100644 index b5355c68b55e..000000000000 --- a/contrib/libpam/modules/pam_ftp/Makefile +++ /dev/null 
@@ -1,96 +0,0 @@
-#
-# $Id: Makefile,v 1.2 1997/04/05 06:40:33 morgan Exp $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.2 1997/04/05 06:40:33 morgan
-# fakeroot
-#
-# Revision 1.1 1996/12/01 03:17:57 morgan
-# Initial revision
-#
-#
-# Created by Andrew Morgan 1996/11/14
-#
-
-TITLE=pam_ftp
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_ftp/README b/contrib/libpam/modules/pam_ftp/README
deleted file mode 100644
index 597f9120bd86..000000000000
--- a/contrib/libpam/modules/pam_ftp/README
+++ /dev/null
@@ -1,20 +0,0 @@
-# $Id: README,v 1.1 1996/12/01 03:17:57 morgan Exp $
-#
-
-This module is an authentication module that does not authenticate.
-Instead it always returns PAM_IGNORE, indicating that it does not want
-to affect the authentication process.
-
-Its purpose is to log a message to the syslog indicating the
-pam_item's available at the time it was invoked. It is a diagnostic
-tool.
-
-Recognized arguments:
-
- none
-
-module services provided:
-
- auth _authetication and _setcred (blank)
-
-Andrew Morgan
diff --git a/contrib/libpam/modules/pam_ftp/pam_ftp.c b/contrib/libpam/modules/pam_ftp/pam_ftp.c
deleted file mode 100644
index ca2d41545e94..000000000000
--- a/contrib/libpam/modules/pam_ftp/pam_ftp.c
+++ /dev/null
@@ -1,295 +0,0 @@ -/* pam_ftp module */ - -/* - * $Id: pam_ftp.c,v 1.2 1997/02/15 16:23:59 morgan Exp morgan $ - * - * Written by Andrew Morgan 1996/3/11 - * - * $Log: pam_ftp.c,v $ - * Revision 1.2 1997/02/15 16:23:59 morgan - * fixed logging to avoid a fixed buffer size - * - * Revision 1.1 1996/12/01 03:17:57 morgan - * Initial revision - * - * - */ - -#define PLEASE_ENTER_PASSWORD "Password required for %s." -#define GUEST_LOGIN_PROMPT "Guest login ok, " \ -"send your complete e-mail address as password." - -/* the following is a password that "can't be correct" */ -#define BLOCK_PASSWORD "\177BAD PASSWPRD\177" - -#ifdef linux -# define _GNU_SOURCE -# include -#endif - -#include -#include -#include -#include -#include -#include - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH - -#include -#include - -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) 
-{ - va_list args; - - va_start(args, format); - openlog("PAM-ftp", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -static int converse(pam_handle_t *pamh, int nargs - , struct pam_message **message - , struct pam_response **response) -{ - int retval; - struct pam_conv *conv; - - D(("begin to converse\n")); - - retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ; - if ( retval == PAM_SUCCESS ) { - - retval = conv->conv(nargs, ( const struct pam_message ** ) message - , response, conv->appdata_ptr); - - D(("returned from application's conversation function\n")); - - if (retval != PAM_SUCCESS) { - _pam_log(LOG_DEBUG, "conversation failure [%s]" - , pam_strerror(pamh, retval)); - } - - } else { - _pam_log(LOG_ERR, "couldn't obtain coversation function [%s]" - , pam_strerror(pamh, retval)); - } - - D(("ready to return from module conversation\n")); - - return retval; /* propagate error status */ -} - -/* argument parsing */ - -#define PAM_DEBUG_ARG 01 -#define PAM_IGNORE_EMAIL 02 -#define PAM_NO_ANON 04 - -static int _pam_parse(int argc, const char **argv, char **users) -{ - int ctrl=0; - - /* step through arguments */ - for (ctrl=0; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else if (!strncmp(*argv,"users=",6)) { - *users = x_strdup(6+*argv); - if (*users == NULL) { - ctrl |= PAM_NO_ANON; - _pam_log(LOG_CRIT, "failed to duplicate user list - anon off"); - } - } else if (!strcmp(*argv,"ignore")) { - ctrl |= PAM_IGNORE_EMAIL; - } else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - -/* - * check if name is in list or default list. place users name in *_user - * return 1 if listed 0 if not. 
- */ - -static int lookup(const char *name, char *list, const char **_user) -{ - int anon = 0; - - *_user = name; /* this is the default */ - if (list) { - const char *l; - char *x; - - x = list; - while ((l = strtok(x, ","))) { - x = NULL; - if (!strcmp(name, l)) { - *_user = list; - anon = 1; - } - } - } else { -#define MAX_L 2 - static const char *l[MAX_L] = { "ftp", "anonymous" }; - int i; - - for (i=0; iresp, "@"); - retval = pam_set_item(pamh, PAM_RUSER, token); - - if (token && retval != PAM_SUCCESS) { - token = strtok(NULL, "@"); - retval = pam_set_item(pamh, PAM_RHOST, token); - } - } - } else { - /* - * we have a password so set AUTHTOK - */ - - (void) pam_set_item(pamh, PAM_AUTHTOK, resp->resp); - - /* - * this module failed, but the next one might succeed with - * this password. - */ - - retval = PAM_AUTH_ERR; - } - - if (resp) { /* clean up */ - _pam_drop_reply(resp, i); - } - - /* success or failure */ - - return retval; - } -} - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_IGNORE; -} - - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_ftp_modstruct = { - "pam_ftp", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - NULL, -}; - -#endif - -/* end of module definition */ diff --git a/contrib/libpam/modules/pam_group/Makefile b/contrib/libpam/modules/pam_group/Makefile deleted file mode 100644 index 5db53ccf1133..000000000000 --- a/contrib/libpam/modules/pam_group/Makefile +++ /dev/null 
@@ -1,114 +0,0 @@
-#
-# $Id: Makefile,v 1.6 1997/04/05 06:39:56 morgan Exp morgan $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.6 1997/04/05 06:39:56 morgan
-# fakeroot
-#
-# Revision 1.5 1997/01/04 20:28:47 morgan
-# compile with and without libpwdb
-#
-# Revision 1.4 1996/11/10 20:13:18 morgan
-# cross platform support
-#
-# Created by Andrew Morgan 1996/6/11
-#
-
-TITLE=pam_group
-CONFD=$(CONFIGED)/security
-export CONFD
-CONFILE=$(CONFD)/group.conf
-export CONFILE
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-DEFS=-DCONFILE=\"$(CONFILE)\"
-ifndef STATIC
-ifeq ($(HAVE_PWDBLIB),yes)
- DEFS+=-DWANT_PWDB
- ELIBS=-lpwdb
-endif
-endif
-
-CFLAGS += $(DEFS)
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD) $(ELIBS)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS) $(ELIBS)
-endif
-
-install: all
-ifdef DYNAMIC
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
- $(MKDIR) $(FAKEROOT)$(SCONFIGED)
- bash -f ./install_conf
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
- rm -f $(FAKEROOT)$(CONFILE)
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
- rm -f ./.ignore_age
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_group/group.conf b/contrib/libpam/modules/pam_group/group.conf
deleted file mode 100644
index bdd76adbe68f..000000000000
--- a/contrib/libpam/modules/pam_group/group.conf
+++ /dev/null
@@ -1,60 +0,0 @@
-##
-## Note, to get this to work as it is currently typed you need
-##
-## 1. to run an application as root
-## 2. add the following groups to the /etc/group file:
-## floppy, games, sound
-##
-#
-# *** Please note that giving group membership on a session basis is
-# *** NOT inherently secure. If a user can create an executable that
-# *** is setgid a group that they are infrequently given membership
-# *** of, they can basically obtain group membership any time they
-# *** like. Example: games are alowed between the hours of 6pm and 6am
-# *** user joe logs in at 7pm writes a small C-program toplay.c that
-# *** invokes their favorite shell, compiles it and does
-# *** "chgrp games toplay; chmod g+s toplay". They are basically able
-# *** to play games any time... You have been warned. AGM
-#
-# this is an example configuration file for the pam_group module. Its
-# syntax is based on that of the pam_time module and (at some point in
-# the distant past was inspired by the 'shadow' package)
-#
-# the syntax of the lines is as follows:
-#
-# services;ttys;users;times;groups
-#
-# white space is ignored and lines maybe extended with '\\n' (escaped
-# newlines). From reading these comments, it is clear that
-# text following a '#' is ignored to the end of the line.
-#
-# the first four fields are described in the pam_time directory.
-# The only difference for these is how the time field is interpretted:
-# it is used to indicate "when" these groups are to be given to the user.
-#
-# groups
-# The (comma or space separated) list of groups that the user
-# inherits membership of. These groups are added if the previous
-# fields are satisfied by the user's request
-#
-
-#
-# Here is a simple example: running 'xsh' on tty* (any ttyXXX device),
-# the user 'us' is given access to the floppy (through membership of
-# the floppy group)
-#
-
-#xsh;tty*&!ttyp*;us;Al0000-2400;floppy
-
-#
-# another example: running 'xsh' on tty* (any ttyXXX device),
-# the user 'sword' is given access to games (through membership of
-# the floppy group) after work hours
-#
-
-#xsh; tty* ;sword;!Wk0900-1800;games, sound
-#xsh; tty* ;*;Al0900-1800;floppy
-
-#
-# End of group.conf file
-#
diff --git a/contrib/libpam/modules/pam_group/install_conf b/contrib/libpam/modules/pam_group/install_conf
deleted file mode 100755
index 03bb7edb0235..000000000000
--- a/contrib/libpam/modules/pam_group/install_conf
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-
-CONFILE=$FAKEROOT"$CONFILE"
-IGNORE_AGE=./.ignore_age
-QUIET_INSTALL=../../.quiet_install
-CONF=./group.conf
-MODULE=pam_group
-
-echo
-
-if [ -f "$QUIET_INSTALL" ]; then
- if [ ! -f "$CONFILE" ]; then
- yes="y"
- else
- yes="skip"
- fi
-elif [ -f "$IGNORE_AGE" ]; then
- echo "you don't want to be bothered with the age of your $CONFILE file"
- yes="n"
-elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then
- if [ -f "$CONFILE" ]; then
- echo "An older $MODULE configuration file already exists ($CONFILE)"
- echo "Do you wish to copy the $CONF file in this distribution"
- echo "to $CONFILE ? (y/n) [skip] "
- read yes
- else
- yes="y"
- fi
-else
- yes="skip"
-fi
-
-if [ "$yes" = "y" ]; then
- mkdir -p $FAKEROOT$CONFD
- echo " copying $CONF to $CONFILE"
- cp $CONF $CONFILE
-else
- echo " Skipping $CONF installation"
- if [ "$yes" = "n" ]; then
- touch "$IGNORE_AGE"
- fi
-fi
-
-echo
-
-exit 0
diff --git a/contrib/libpam/modules/pam_group/pam_group.c b/contrib/libpam/modules/pam_group/pam_group.c
deleted file mode 100644
index 9e2cf885e9cf..000000000000
--- a/contrib/libpam/modules/pam_group/pam_group.c
+++ /dev/null
@@ -1,862 +0,0 @@ -/* pam_group module */ - -/* - * $Id: pam_group.c,v 1.7 1997/02/15 17:31:48 morgan Exp morgan $ - * - * Written by Andrew Morgan 1996/7/6 - * - * $Log: pam_group.c,v $ - * Revision 1.7 1997/02/15 17:31:48 morgan - * time parsing more robust - * - * Revision 1.6 1997/01/04 21:57:49 morgan - * fixed warning about setgroups not being defined - * - * Revision 1.5 1997/01/04 20:26:49 morgan - * can be compiled with and without libpwdb. fixed buffer underwriting - * pays attention to PAM_CRED flags(!) - * - * Revision 1.4 1996/12/01 02:54:37 morgan - * mostly debugging now uses D(()) - * - * Revision 1.3 1996/11/10 21:01:22 morgan - * compatability and pam_get_user changes - */ - -const static char rcsid[] = -"$Id: pam_group.c,v 1.7 1997/02/15 17:31:48 morgan Exp morgan $;\n" -"Version 0.5 for Linux-PAM\n" -"Copyright (c) Andrew G. Morgan 1996 \n"; - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define __USE_BSD -#include -#include -#include -#include - -#ifdef WANT_PWDB -#include -#endif - -#define PAM_GROUP_CONF CONFILE /* from external define */ -#define PAM_GROUP_BUFLEN 1000 -#define FIELD_SEPARATOR ';' /* this is new as of .02 */ - -typedef enum { FALSE, TRUE } boolean; -typedef enum { AND, OR } operator; - -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. - */ - -#define PAM_SM_AUTH - -#include -#include - -/* --- static functions for checking whether the user should be let in --- */ - -static void _log_err(const char *format, ... 
) -{ - va_list args; - - va_start(args, format); - openlog("pam_group", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(LOG_CRIT, format, args); - va_end(args); - closelog(); -} - -static void shift_bytes(char *mem, int from, int by) -{ - while (by-- > 0) { - *mem = mem[from]; - ++mem; - } -} - -static int read_field(int fd, char **buf, int *from, int *to) -{ - /* is buf set ? */ - - if (! *buf) { - *buf = (char *) malloc(PAM_GROUP_BUFLEN); - if (! *buf) { - _log_err("out of memory"); - return -1; - } - *from = *to = 0; - fd = open(PAM_GROUP_CONF, O_RDONLY); - } - - /* do we have a file open ? return error */ - - if (fd < 0 && *to <= 0) { - _log_err( PAM_GROUP_CONF " not opened"); - memset(*buf, 0, PAM_GROUP_BUFLEN); - _pam_drop(*buf); - return -1; - } - - /* check if there was a newline last time */ - - if ((*to > *from) && (*to > 0) - && ((*buf)[*from] == '\0')) { /* previous line ended */ - (*from)++; - (*buf)[0] = '\0'; - return fd; - } - - /* ready for more data: first shift the buffer's remaining data */ - - *to -= *from; - shift_bytes(*buf, *from, *to); - *from = 0; - (*buf)[*to] = '\0'; - - while (fd >= 0 && *to < PAM_GROUP_BUFLEN) { - int i; - - /* now try to fill the remainder of the buffer */ - - i = read(fd, *to + *buf, PAM_GROUP_BUFLEN - *to); - if (i < 0) { - _log_err("error reading " PAM_GROUP_CONF); - return -1; - } else if (!i) { - fd = -1; /* end of file reached */ - } else - *to += i; - - /* - * contract the buffer. 
Delete any comments, and replace all - * multiple spaces with single commas - */ - - i = 0; -#ifdef DEBUG_DUMP - D(("buffer=<%s>",*buf)); -#endif - while (i < *to) { - if ((*buf)[i] == ',') { - int j; - - for (j=++i; j<*to && (*buf)[j] == ','; ++j); - if (j!=i) { - shift_bytes(i + (*buf), j-i, (*to) - j); - *to -= j-i; - } - } - switch ((*buf)[i]) { - int j,c; - case '#': - for (j=i; j < *to && (c = (*buf)[j]) != '\n'; ++j); - if (j >= *to) { - (*buf)[*to = ++i] = '\0'; - } else if (c == '\n') { - shift_bytes(i + (*buf), j-i, (*to) - j); - *to -= j-i; - ++i; - } else { - _log_err("internal error in " __FILE__ - " at line %d", __LINE__ ); - return -1; - } - break; - case '\\': - if ((*buf)[i+1] == '\n') { - shift_bytes(i + *buf, 2, *to - (i+2)); - *to -= 2; - } - break; - case '!': - case ' ': - case '\t': - if ((*buf)[i] != '!') - (*buf)[i] = ','; - /* delete any trailing spaces */ - for (j=++i; j < *to && ( (c = (*buf)[j]) == ' ' - || c == '\t' ); ++j); - shift_bytes(i + *buf, j-i, (*to)-j ); - *to -= j-i; - break; - default: - ++i; - } - } - } - - (*buf)[*to] = '\0'; - - /* now return the next field (set the from/to markers) */ - { - int i; - - for (i=0; i<*to; ++i) { - switch ((*buf)[i]) { - case '#': - case '\n': /* end of the line/file */ - (*buf)[i] = '\0'; - *from = i; - return fd; - case FIELD_SEPARATOR: /* end of the field */ - (*buf)[i] = '\0'; - *from = ++i; - return fd; - } - } - *from = i; - (*buf)[*from] = '\0'; - } - - if (*to <= 0) { - D(("[end of text]")); - *buf = NULL; - } - return fd; -} - -/* read a member from a field */ - -static int logic_member(const char *string, int *at) -{ - int len,c,to; - int done=0; - int token=0; - - len=0; - to=*at; - do { - c = string[to++]; - - switch (c) { - - case '\0': - --to; - done = 1; - break; - - case '&': - case '|': - case '!': - if (token) { - --to; - } - done = 1; - break; - - default: - if (isalpha(c) || c == '*' || isdigit(c) || c == '_' - || c == '-' || c == '.') { - token = 1; - } else if (token) { 
- --to; - done = 1; - } else { - ++*at; - } - } - } while (!done); - - return to - *at; -} - -typedef enum { VAL, OP } expect; - -static boolean logic_field(const void *me, const char *x, int rule, - boolean (*agrees)(const void *, const char * - , int, int)) -{ - boolean left=FALSE, right, not=FALSE; - operator oper=OR; - int at=0, l; - expect next=VAL; - - while ((l = logic_member(x,&at))) { - int c = x[at]; - - if (next == VAL) { - if (c == '!') - not = !not; - else if (isalpha(c) || c == '*') { - right = not ^ agrees(me, x+at, l, rule); - if (oper == AND) - left &= right; - else - left |= right; - next = OP; - } else { - _log_err("garbled syntax; expected name (rule #%d)", rule); - return FALSE; - } - } else { /* OP */ - switch (c) { - case '&': - oper = AND; - break; - case '|': - oper = OR; - break; - default: - _log_err("garbled syntax; expected & or | (rule #%d)" - , rule); - D(("%c at %d",c,at)); - return FALSE; - } - next = VAL; - } - at += l; - } - - return left; -} - -static boolean is_same(const void *A, const char *b, int len, int rule) -{ - int i; - const char *a; - - a = A; - for (i=0; len > 0; ++i, --len) { - if (b[i] != a[i]) { - if (b[i++] == '*') { - return (!--len || !strncmp(b+i,a+strlen(a)-len,len)); - } else - return FALSE; - } - } - return ( !len ); -} - -typedef struct { - int day; /* array of 7 bits, one set for today */ - int minute; /* integer, hour*100+minute for now */ -} TIME; - -struct day { - const char *d; - int bit; -} static const days[11] = { - { "su", 01 }, - { "mo", 02 }, - { "tu", 04 }, - { "we", 010 }, - { "th", 020 }, - { "fr", 040 }, - { "sa", 0100 }, - { "wk", 076 }, - { "wd", 0101 }, - { "al", 0177 }, - { NULL, 0 } -}; - -static TIME time_now(void) -{ - struct tm *local; - time_t the_time; - TIME this; - - the_time = time((time_t *)0); /* get the current time */ - local = localtime(&the_time); - this.day = days[local->tm_wday].bit; - this.minute = local->tm_hour*100 + local->tm_min; - - D(("day: 0%o, time: %.4d", 
this.day, this.minute)); - return this; -} - -/* take the current date and see if the range "date" passes it */ -static boolean check_time(const void *AT, const char *times, int len, int rule) -{ - boolean not,pass; - int marked_day, time_start, time_end; - const TIME *at; - int i,j=0; - - at = AT; - D(("checking: 0%o/%.4d vs. %s", at->day, at->minute, times)); - - if (times == NULL) { - /* this should not happen */ - _log_err("internal error: " __FILE__ " line %d", __LINE__); - return FALSE; - } - - if (times[j] == '!') { - ++j; - not = TRUE; - } else { - not = FALSE; - } - - for (marked_day = 0; len > 0 && isalpha(times[j]); --len) { - int this_day=-1; - - D(("%c%c ?", times[j], times[j+1])); - for (i=0; days[i].d != NULL; ++i) { - if (tolower(times[j]) == days[i].d[0] - && tolower(times[j+1]) == days[i].d[1] ) { - this_day = days[i].bit; - break; - } - } - j += 2; - if (this_day == -1) { - _log_err("bad day specified (rule #%d)", rule); - return FALSE; - } - marked_day ^= this_day; - } - if (marked_day == 0) { - _log_err("no day specified"); - return FALSE; - } - D(("day range = 0%o", marked_day)); - - time_start = 0; - for (i=0; len > 0 && i < 4 && isdigit(times[i+j]); ++i, --len) { - time_start *= 10; - time_start += times[i+j]-'0'; /* is this portable? */ - } - j += i; - - if (times[j] == '-') { - time_end = 0; - for (i=1; len > 0 && i < 5 && isdigit(times[i+j]); ++i, --len) { - time_end *= 10; - time_end += times[i+j]-'0'; /* is this portable? */ - } - j += i; - } else - time_end = -1; - - D(("i=%d, time_end=%d, times[j]='%c'", i, time_end, times[j])); - if (i != 5 || time_end == -1) { - _log_err("no/bad times specified (rule #%d)", rule); - return TRUE; - } - D(("times(%d to %d)", time_start,time_end)); - D(("marked_day = 0%o", marked_day)); - - /* compare with the actual time now */ - - pass = FALSE; - if (time_start < time_end) { /* start < end ? 
--> same day */ - if ((at->day & marked_day) && (at->minute >= time_start) - && (at->minute < time_end)) { - D(("time is listed")); - pass = TRUE; - } - } else { /* spans two days */ - if ((at->day & marked_day) && (at->minute >= time_start)) { - D(("caught on first day")); - pass = TRUE; - } else { - marked_day <<= 1; - marked_day |= (marked_day & 0200) ? 1:0; - D(("next day = 0%o", marked_day)); - if ((at->day & marked_day) && (at->minute <= time_end)) { - D(("caught on second day")); - pass = TRUE; - } - } - } - - return (not ^ pass); -} - -static int find_member(const char *string, int *at) -{ - int len,c,to; - int done=0; - int token=0; - - len=0; - to=*at; - do { - c = string[to++]; - - switch (c) { - - case '\0': - --to; - done = 1; - break; - - case '&': - case '|': - case '!': - if (token) { - --to; - } - done = 1; - break; - - default: - if (isalpha(c) || isdigit(c) || c == '_' || c == '*' - || c == '-') { - token = 1; - } else if (token) { - --to; - done = 1; - } else { - ++*at; - } - } - } while (!done); - - return to - *at; -} - -#define GROUP_BLK 10 -#define blk_size(len) (((len-1 + GROUP_BLK)/GROUP_BLK)*GROUP_BLK) - -static int mkgrplist(char *buf, gid_t **list, int len) -{ - int l,at=0; - int blks; - - blks = blk_size(len); - D(("cf. blks=%d and len=%d", blks,len)); - - while ((l = find_member(buf,&at))) { - int edge; - - if (len >= blks) { - gid_t *tmp; - - D(("allocating new block")); - tmp = (gid_t *) realloc((*list) - , sizeof(gid_t) * (blks += GROUP_BLK)); - if (tmp != NULL) { - (*list) = tmp; - } else { - _log_err("out of memory for group list"); - free(*list); - (*list) = NULL; - return -1; - } - } - - /* '\0' terminate the entry */ - - edge = (buf[at+l]) ? 
1:0; - buf[at+l] = '\0'; - D(("found group: %s",buf+at)); - - /* this is where we convert a group name to a gid_t */ -#ifdef WANT_PWDB - { - int retval; - const struct pwdb *pw=NULL; - - retval = pwdb_locate("group", PWDB_DEFAULT, buf+at - , PWDB_ID_UNKNOWN, &pw); - if (retval != PWDB_SUCCESS) { - _log_err("bad group: %s; %s", buf+at, pwdb_strerror(retval)); - } else { - const struct pwdb_entry *pwe=NULL; - - D(("group %s exists", buf+at)); - retval = pwdb_get_entry(pw, "gid", &pwe); - if (retval == PWDB_SUCCESS) { - D(("gid = %d [%p]",* (const gid_t *) pwe->value,list)); - (*list)[len++] = * (const gid_t *) pwe->value; - pwdb_entry_delete(&pwe); /* tidy up */ - } else { - _log_err("%s group entry is bad; %s" - , pwdb_strerror(retval)); - } - pw = NULL; /* break link - cached for later use */ - } - } -#else - { - const struct group *grp; - - grp = getgrnam(buf+at); - if (grp == NULL) { - _log_err("bad group: %s", buf+at); - } else { - D(("group %s exists", buf+at)); - (*list)[len++] = grp->gr_gid; - } - } -#endif - - /* next entry along */ - - at += l + edge; - } - D(("returning with [%p/len=%d]->%p",list,len,*list)); - return len; -} - - -static int check_account(const char *service, const char *tty - , const char *user) -{ - int from=0,to=0,fd=-1; - char *buffer=NULL; - int count=0; - TIME here_and_now; - int retval=PAM_SUCCESS; - gid_t *grps; - int no_grps; - - /* - * first we get the current list of groups - the application - * will have previously done an initgroups(), or equivalent. 
- */ - - D(("counting supplementary groups")); - no_grps = getgroups(0, NULL); /* find the current number of groups */ - if (no_grps > 0) { - grps = calloc( blk_size(no_grps) , sizeof(gid_t) ); - D(("copying current list into grps [%d big]",blk_size(no_grps))); - (void) getgroups(no_grps, grps); -#ifdef DEBUG - { - int z; - for (z=0; z 0) { - D(("rule #%d passed, added %d groups", count, good)); - } else if (good < 0) { - retval = PAM_BUF_ERR; - } else { - D(("rule #%d failed", count)); - } - - } while (buffer); - - /* now set the groups for the user */ - - if (no_grps > 0) { - int err; - D(("trying to set %d groups", no_grps)); -#ifdef DEBUG - for (err=0; err 1996/12/8 -# - -# Convenient defaults for compiling independently of the full source -# tree. -ifndef FULL_LINUX_PAM_SOURCE_TREE -export DYNAMIC=-DPAM_DYNAMIC -export CC=gcc -export CFLAGS=-O2 -Dlinux -DLINUX_PAM \ - -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \ - -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \ - -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \ - -Wshadow -pedantic -fPIC -export MKDIR=mkdir -p -export LD_D=gcc -shared -Xlinker -x -endif - -TITLE=pam_lastlog - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - - -####################### don't edit below ####################### - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. 
; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/contrib/libpam/modules/pam_lastlog/pam_lastlog.c b/contrib/libpam/modules/pam_lastlog/pam_lastlog.c deleted file mode 100644 index 96714f6bc16d..000000000000 --- a/contrib/libpam/modules/pam_lastlog/pam_lastlog.c +++ /dev/null 
@@ -1,469 +0,0 @@ -/* pam_lastlog module */ - -/* - * $Id: pam_lastlog.c,v 1.3 1997/04/05 06:18:21 morgan Exp morgan $ - * - * Written by Andrew Morgan 1996/3/11 - * - * This module does the necessary work to display the last login - * time+date for this user, it then updates this entry for the - * present (login) service. - * - * $Log: pam_lastlog.c,v $ - * Revision 1.3 1997/04/05 06:18:21 morgan - * removed xstrdup - unused - * - * Revision 1.2 1997/02/15 17:18:21 morgan - * removed fixed buffer in logging - * - * Revision 1.1 1997/01/04 20:29:28 morgan - * Initial revision - * - */ - -#include -#include -#ifdef HAVE_UTMP_H -# include -#else -# include -#endif -#include -#include -#include -#include -#include -#include -#include -#include - -#ifdef WANT_PWDB -#include /* use POSIX front end */ -#endif - -#if defined(hpux) || defined(sunos) || defined(solaris) -# ifndef _PATH_LASTLOG -# define _PATH_LASTLOG "/usr/adm/lastlog" -# endif /* _PATH_LASTLOG */ -# ifndef UT_HOSTSIZE -# define UT_HOSTSIZE 16 -# endif /* UT_HOSTSIZE */ -# ifndef UT_LINESIZE -# define UT_LINESIZE 12 -# endif /* UT_LINESIZE */ -#endif -#if defined(hpux) -struct lastlog { - time_t ll_time; - char ll_line[UT_LINESIZE]; - char ll_host[UT_HOSTSIZE]; /* same as in utmp */ -}; -#endif /* hpux */ - -/* XXX - time before ignoring lock. Is 1 sec enough? */ -#define LASTLOG_IGNORE_LOCK_TIME 1 - -#define DEFAULT_HOST "" /* "[no.where]" */ -#define DEFAULT_TERM "" /* "tt???" */ -#define LASTLOG_NEVER_WELCOME "Welcome to your new account!" 
-#define LASTLOG_INTRO "Last login:" -#define LASTLOG_TIME " %s" -#define _LASTLOG_HOST_FORMAT " from %%.%ds" -#define _LASTLOG_LINE_FORMAT " on %%.%ds" -#define LASTLOG_TAIL "" -#define LASTLOG_MAXSIZE (sizeof(LASTLOG_INTRO)+0 \ - +sizeof(LASTLOG_TIME)+strlen(the_time) \ - +sizeof(_LASTLOG_HOST_FORMAT)+UT_HOSTSIZE \ - +sizeof(_LASTLOG_LINE_FORMAT)+UT_LINESIZE \ - +sizeof(LASTLOG_TAIL)) - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_SESSION - -#include -#include - -/* some syslogging */ - -static void _log_err(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-lastlog", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* argument parsing */ - -#define LASTLOG_DATE 01 /* display the date of the last login */ -#define LASTLOG_HOST 02 /* display the last host used (if set) */ -#define LASTLOG_LINE 04 /* display the last terminal used */ -#define LASTLOG_NEVER 010 /* display a welcome message for first login */ -#define LASTLOG_DEBUG 020 /* send info to syslog(3) */ -#define LASTLOG_QUIET 040 /* keep quiet about things */ - -static int _pam_parse(int flags, int argc, const char **argv) -{ - int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE); - - /* does the appliction require quiet? 
*/ - if (flags & PAM_SILENT) { - ctrl |= LASTLOG_QUIET; - } - - /* step through arguments */ - for (; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) { - ctrl |= LASTLOG_DEBUG; - } else if (!strcmp(*argv,"nodate")) { - ctrl |= ~LASTLOG_DATE; - } else if (!strcmp(*argv,"noterm")) { - ctrl |= ~LASTLOG_LINE; - } else if (!strcmp(*argv,"nohost")) { - ctrl |= ~LASTLOG_HOST; - } else if (!strcmp(*argv,"silent")) { - ctrl |= LASTLOG_QUIET; - } else if (!strcmp(*argv,"never")) { - ctrl |= LASTLOG_NEVER; - } else { - _log_err(LOG_ERR,"unknown option; %s",*argv); - } - } - - D(("ctrl = %o", ctrl)); - return ctrl; -} - -/* a front end for conversations */ - -static int converse(pam_handle_t *pamh, int ctrl, int nargs - , struct pam_message **message - , struct pam_response **response) -{ - int retval; - struct pam_conv *conv; - - D(("begin to converse")); - - retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ; - if ( retval == PAM_SUCCESS ) { - - retval = conv->conv(nargs, ( const struct pam_message ** ) message - , response, conv->appdata_ptr); - - D(("returned from application's conversation function")); - - if (retval != PAM_SUCCESS && (ctrl & LASTLOG_DEBUG) ) { - _log_err(LOG_DEBUG, "conversation failure [%s]" - , pam_strerror(pamh, retval)); - } - - } else { - _log_err(LOG_ERR, "couldn't obtain coversation function [%s]" - , pam_strerror(pamh, retval)); - } - - D(("ready to return from module conversation")); - - return retval; /* propagate error status */ -} - -static int make_remark(pam_handle_t *pamh, int ctrl, const char *remark) -{ - int retval; - - if (!(ctrl & LASTLOG_QUIET)) { - struct pam_message msg[1], *mesg[1]; - struct pam_response *resp=NULL; - - mesg[0] = &msg[0]; - msg[0].msg_style = PAM_TEXT_INFO; - msg[0].msg = remark; - - retval = converse(pamh, ctrl, 1, mesg, &resp); - - msg[0].msg = NULL; - if (resp) { - _pam_drop_reply(resp, 1); - } - } else { - D(("keeping quiet")); - retval = PAM_SUCCESS; - } - - 
D(("returning %s", pam_strerror(pamh, retval))); - return retval; -} - -/* - * Values for the announce flags.. - */ - -static int last_login_date(pam_handle_t *pamh, int announce, uid_t uid) -{ - struct flock last_lock; - struct lastlog last_login; - int retval = PAM_SESSION_ERR; - int last_fd; - - /* obtain the last login date and all the relevant info */ - last_fd = open(_PATH_LASTLOG, O_RDWR); - if (last_fd < 0) { - D(("unable to open the %s file", _PATH_LASTLOG)); - if (announce & LASTLOG_DEBUG) { - _log_err(LOG_DEBUG, "unable to open %s file", _PATH_LASTLOG); - } - retval = PAM_PERM_DENIED; - } else { - int win; - - /* read the lastlogin file - for this uid */ - (void) lseek(last_fd, sizeof(last_login) * (off_t) uid, SEEK_SET); - - memset(&last_lock, 0, sizeof(last_lock)); - last_lock.l_type = F_RDLCK; - last_lock.l_whence = SEEK_SET; - last_lock.l_start = sizeof(last_login) * (off_t) uid; - last_lock.l_len = sizeof(last_login); - - if ( fcntl(last_fd, F_SETLK, &last_lock) < 0 ) { - D(("locking %s failed..(waiting a little)", _PATH_LASTLOG)); - _log_err(LOG_ALERT, "%s file is locked/read", _PATH_LASTLOG); - sleep(LASTLOG_IGNORE_LOCK_TIME); - } - - win = ( read(last_fd, &last_login, sizeof(last_login)) - == sizeof(last_login) ); - - last_lock.l_type = F_UNLCK; - (void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */ - - if (!win) { - D(("First login for user uid=%d", _PATH_LASTLOG, uid)); - if (announce & LASTLOG_DEBUG) { - _log_err(LOG_DEBUG, "creating lastlog for uid %d", uid); - } - memset(&last_login, 0, sizeof(last_login)); - } - - /* rewind */ - (void) lseek(last_fd, sizeof(last_login) * (off_t) uid, SEEK_SET); - - if (!(announce & LASTLOG_QUIET)) { - if (last_login.ll_time) { - char *the_time; - char *remark; - - the_time = ctime(&last_login.ll_time); - the_time[-1+strlen(the_time)] = '\0'; /* delete '\n' */ - - remark = malloc(LASTLOG_MAXSIZE); - if (remark == NULL) { - D(("no memory for last login remark")); - retval = PAM_BUF_ERR; - } else { - int 
at; - - /* printing prefix */ - at = sprintf(remark, "%s", LASTLOG_INTRO); - - /* we want the date? */ - if (announce & LASTLOG_DATE) { - at += sprintf(remark+at, LASTLOG_TIME, the_time); - } - - /* we want & have the host? */ - if ((announce & LASTLOG_HOST) - && (last_login.ll_host[0] != '\0')) { - char format[2*sizeof(_LASTLOG_HOST_FORMAT)]; - - (void) sprintf(format, _LASTLOG_HOST_FORMAT - , UT_HOSTSIZE); - D(("format: %s", format)); - at += sprintf(remark+at, format, last_login.ll_host); - _pam_overwrite(format); - } - - /* we want and have the terminal? */ - if ((announce & LASTLOG_LINE) - && (last_login.ll_line[0] != '\0')) { - char format[2*sizeof(_LASTLOG_LINE_FORMAT)]; - - (void) sprintf(format, _LASTLOG_LINE_FORMAT - , UT_LINESIZE); - D(("format: %s", format)); - at += sprintf(remark+at, format, last_login.ll_line); - _pam_overwrite(format); - } - - /* display requested combo */ - sprintf(remark+at, "%s", LASTLOG_TAIL); - - retval = make_remark(pamh, announce, remark); - - /* free all the stuff malloced */ - _pam_overwrite(remark); - _pam_drop(remark); - } - } else if ((!last_login.ll_time) && (announce & LASTLOG_NEVER)) { - D(("this is the first time this user has logged in")); - retval = make_remark(pamh, announce, LASTLOG_NEVER_WELCOME); - } - } else { - D(("no text was requested")); - retval = PAM_SUCCESS; - } - - /* write latest value */ - { - const char *remote_host=NULL - , *terminal_line=DEFAULT_TERM; - - /* set this login date */ - D(("set the most recent login time")); - - (void) time(&last_login.ll_time); /* set the time */ - - /* set the remote host */ - (void) pam_get_item(pamh, PAM_RHOST, (const void **)&remote_host); - if (remote_host == NULL) { - remote_host = DEFAULT_HOST; - } - - /* copy to last_login */ - strncpy(last_login.ll_host, remote_host - , sizeof(last_login.ll_host)); - remote_host = NULL; - - /* set the terminal line */ - (void) pam_get_item(pamh, PAM_TTY, (const void **)&terminal_line); - D(("terminal = %s", terminal_line)); 
- if (terminal_line == NULL) { - terminal_line = DEFAULT_TERM; - } else if ( !strncmp("/dev/", terminal_line, 5) ) { - /* strip leading "/dev/" from tty.. */ - terminal_line += 5; - } - D(("terminal = %s", terminal_line)); - - /* copy to last_login */ - strncpy(last_login.ll_line, terminal_line - , sizeof(last_login.ll_line)); - terminal_line = NULL; - - D(("locking last_log file")); - - /* now we try to lock this file-record exclusively; non-blocking */ - memset(&last_lock, 0, sizeof(last_lock)); - last_lock.l_type = F_WRLCK; - last_lock.l_whence = SEEK_SET; - last_lock.l_start = sizeof(last_login) * (off_t) uid; - last_lock.l_len = sizeof(last_login); - - if ( fcntl(last_fd, F_SETLK, &last_lock) < 0 ) { - D(("locking %s failed..(waiting a little)", _PATH_LASTLOG)); - _log_err(LOG_ALERT, "%s file is locked/write", _PATH_LASTLOG); - sleep(LASTLOG_IGNORE_LOCK_TIME); - } - - D(("writing to the last_log file")); - (void) write(last_fd, &last_login, sizeof(last_login)); - - last_lock.l_type = F_UNLCK; - (void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */ - D(("unlocked")); - - close(last_fd); /* all done */ - } - D(("all done with last login")); - } - - /* reset the last login structure */ - memset(&last_login, 0, sizeof(last_login)); - - return retval; -} - -/* --- authentication management functions (only) --- */ - -PAM_EXTERN -int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc - , const char **argv) -{ - int retval, ctrl; - const char *user; - const struct passwd *pwd; - uid_t uid; - - /* - * this module gets the uid of the PAM_USER. Uses it to display - * last login info and then updates the lastlog for that user. - */ - - ctrl = _pam_parse(flags, argc, argv); - - /* which user? */ - - retval = pam_get_item(pamh, PAM_USER, (const void **)&user); - if (retval != PAM_SUCCESS || user == NULL || *user == '\0') { - _log_err(LOG_NOTICE, "user unknown"); - return PAM_USER_UNKNOWN; - } - - /* what uid? 
*/ - - pwd = getpwnam(user); - if (pwd == NULL) { - D(("couldn't identify user %s", user)); - return PAM_CRED_INSUFFICIENT; - } - uid = pwd->pw_uid; - pwd = NULL; /* tidy up */ - - /* process the current login attempt (indicate last) */ - - retval = last_login_date(pamh, ctrl, uid); - - /* indicate success or failure */ - - uid = -1; /* forget this */ - - return retval; -} - -PAM_EXTERN -int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_SUCCESS; -} - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_lastlog_modstruct = { - "pam_lastlog", - NULL, - NULL, - NULL, - pam_sm_open_session, - pam_sm_close_session, - NULL, -}; - -#endif - -/* end of module definition */ diff --git a/contrib/libpam/modules/pam_limits/Makefile b/contrib/libpam/modules/pam_limits/Makefile deleted file mode 100644 index f6a0e07ca48b..000000000000 --- a/contrib/libpam/modules/pam_limits/Makefile +++ /dev/null 
@@ -1,102 +0,0 @@
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# Created by Cristian Gafton 1996/09/10
-#
-
-ifeq ($(OS),linux)
-ifeq ($(HAVE_PWDBLIB),yes)
-TITLE=pam_limits
-CONFD=$(CONFIGED)/security
-export CONFD
-CONFILE=$(CONFD)/limits.conf
-export CONFILE
-
-CFLAGS+=-DLIMITS_FILE=\"$(CONFILE)\"
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD) -lpwdb
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
-ifdef DYNAMIC
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
- $(MKDIR) $(FAKEROOT)$(SCONFIGED)
- bash -f ./install_conf
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~ *.so
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
-else
-include ../dont_makefile
-endif
-else
-include ../dont_makefile
-endif
diff --git a/contrib/libpam/modules/pam_limits/README b/contrib/libpam/modules/pam_limits/README
deleted file mode 100644
index 06a6857a8135..000000000000
--- a/contrib/libpam/modules/pam_limits/README
+++ /dev/null
@@ -1,87 +0,0 @@ - -pam_limits module: - Imposing user limits on login. - -THEORY OF OPERATION: - -First, make a root-only-readable file (/etc/limits by default or LIMITS_FILE -defined Makefile) that describes the resource limits you wish to impose. No -limits are imposed on UID 0 accounts. - -Each line describes a limit for a user in the form: - - - -Where: - can be: - - an user name - - a group name, with @group syntax - - the wildcard *, for default entry - - can have the two values: - - "soft" for enforcinf the soft limits - - "hard" for enforcing hard limits - - can be one of the following: - - core - limits the core file size (KB) - - data - max data size (KB) - - fsize - maximum filesize (KB) - - memlock - max locked-in-memory address space (KB) - - nofile - max number of open files - - rss - max resident set size (KB) - - stack - max stack size (KB) - - cpu - max CPU time (MIN) - - nproc - max number of processes - - as - address space limit - - maxlogins - max number of logins for this user - - maxsyslogins - max number of logins on the system - -To completely disable limits for a user (or a group), a single dash (-) -will do (Example: 'bin -', '@admin -'). Please remember that individual -limits have priority over group limits, so if you impose no limits for admin -group, but one of the members in this group have a limits line, the user -will have its limits set according to this line. - -Also, please note that all limit settings are set PER LOGIN. They are -not global, nor are they permanent (the session only) - -In the LIMITS_FILE, the # character introduces a comment - the rest of the -line is ignored. - -The pam_limits module does its best to report configuration problems found -in LIMITS_FILE via syslog. 
- -EXAMPLE configuration file: -=========================== -* soft core 0 -* hard rss 10000 -@student hard nproc 20 -@faculty soft nproc 20 -@faculty hard nproc 50 -ftp hard nproc 0 -@student - maxlogins 4 - - -ARGUMENTS RECOGNIZED: - debug verbose logging - - conf=/path/to/file the limits configuration file if different from the - one set at compile time. - -MODULE SERVICES PROVIDED: - session _open_session and _close_session (blank) - -USAGE: - For the services you need resources limits (login for example) put a - the following line in /etc/pam.conf as the last line for that - service (usually after the pam_unix session line: - - login session required /lib/security/pam_limits.so - - Replace "login" for each service you are using this module, replace - "/lib/security" path with your real modules path. - -AUTHOR: - Cristian Gafton - Thanks to Elliot Lee for his comments on - improving this module. diff --git a/contrib/libpam/modules/pam_limits/install_conf b/contrib/libpam/modules/pam_limits/install_conf deleted file mode 100755 index d92c1f952e46..000000000000 --- a/contrib/libpam/modules/pam_limits/install_conf +++ /dev/null 
@@ -1,46 +0,0 @@
-#!/bin/bash
-
-CONFILE=$FAKEROOT"$CONFILE"
-IGNORE_AGE=./.ignore_age
-QUIET_INSTALL=../../.quiet_install
-CONF=./limits.skel
-MODULE=pam_limits
-
-echo
-
-if [ -f "$QUIET_INSTALL" ]; then
- if [ ! -f "$CONFILE" ]; then
- yes="y"
- else
- yes="skip"
- fi
-elif [ -f "$IGNORE_AGE" ]; then
- echo "you don't want to be bothered with the age of your $CONFILE file"
- yes="n"
-elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then
- if [ -f "$CONFILE" ]; then
- echo "An older $MODULE configuration file already exists ($CONFILE)"
- echo "Do you wish to copy the $CONF file in this distribution"
- echo "to $CONFILE ? (y/n) [skip] "
- read yes
- else
- yes="y"
- fi
-else
- yes="skip"
-fi
-
-if [ "$yes" = "y" ]; then
- mkdir -p $FAKEROOT$CONFD
- echo " copying $CONF to $CONFILE"
- cp $CONF $CONFILE
-else
- echo " Skipping $CONF installation"
- if [ "$yes" = "n" ]; then
- touch "$IGNORE_AGE"
- fi
-fi
-
-echo
-
-exit 0
diff --git a/contrib/libpam/modules/pam_limits/limits.skel b/contrib/libpam/modules/pam_limits/limits.skel
deleted file mode 100644
index ea57e42513e4..000000000000
--- a/contrib/libpam/modules/pam_limits/limits.skel
+++ /dev/null
@@ -1,41 +0,0 @@
-# /etc/security/limits.conf
-#
-#Each line describes a limit for a user in the form:
-#
-#
-#
-#Where:
-# can be:
-# - an user name
-# - a group name, with @group syntax
-# - the wildcard *, for default entry
-#
-# can have the two values:
-# - "soft" for enforcing the soft limits
-# - "hard" for enforcing hard limits
-#
-# can be one of the following:
-# - core - limits the core file size (KB)
-# - data - max data size (KB)
-# - fsize - maximum filesize (KB)
-# - memlock - max locked-in-memory address space (KB)
-# - nofile - max number of open files
-# - rss - max resident set size (KB)
-# - stack - max stack size (KB)
-# - cpu - max CPU time (MIN)
-# - nproc - max number of processes
-# - as - address space limit
-# - maxlogins - max number of logins for this user
-#
-#
-#
-
-#* soft core 0
-#* hard rss 10000
-#@student hard nproc 20
-#@faculty soft nproc 20
-#@faculty hard nproc 50
-#ftp hard nproc 0
-#@student - maxlogins 4
-
-# End of file
diff --git a/contrib/libpam/modules/pam_limits/pam_limits.c b/contrib/libpam/modules/pam_limits/pam_limits.c
deleted file mode 100644
index 179c43028b4e..000000000000
--- a/contrib/libpam/modules/pam_limits/pam_limits.c
+++ /dev/null
@@ -1,592 +0,0 @@ -/* - * pam_limits - impose resource limits when opening a user session - * - * 1.5 - Elliot Lee's "max system logins patch" - * 1.4 - addressed bug in configuration file parser - * 1.3 - modified the configuration file format - * 1.2 - added 'debug' and 'conf=' arguments - * 1.1 - added @group support - * 1.0 - initial release - Linux ONLY - * - * See end for Copyright information - */ - -#if !(defined(linux)) -#error THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!! -#endif - -#include -#include -#define __USE_POSIX2 -#include -#include -#include -#include -#include -#include -#include -#include -#include -#ifndef UT_USER /* some systems have ut_name instead of ut_user */ -#define UT_USER ut_user -#endif - -/* Module defines */ -#define LINE_LENGTH 1024 - -#define LIMITS_DEF_USER 0 /* limit was set by an user entry */ -#define LIMITS_DEF_GROUP 1 /* limit was set by a group entry */ -#define LIMITS_DEF_DEFAULT 2 /* limit was set by an default entry */ -#define LIMITS_DEF_NONE 3 /* this limit was not set yet */ - -/* internal data */ -static char conf_file[BUFSIZ]; - -struct user_limits_struct { - int src_soft; - int src_hard; - struct rlimit limit; -}; - -static struct user_limits_struct limits[RLIM_NLIMITS]; -static int login_limit; /* the max logins limit */ -static int login_limit_def; /* which entry set the login limit */ -static int flag_numsyslogins; /* whether to limit logins only for a - specific user or to count all logins */ - -#define LIMIT_LOGIN RLIM_NLIMITS+1 -#define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2 -#define LIMIT_SOFT 1 -#define LIMIT_HARD 2 - -#define PAM_SM_SESSION - -#include -#include -#include - -/* logging */ -static void _pam_log(int err, const char *format, ...) 
-{ - va_list args; - - va_start(args, format); - openlog("pam_limits", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* argument parsing */ - -#define PAM_DEBUG_ARG 0x0001 - -static int _pam_parse(int argc, const char **argv) -{ - int ctrl=0; - - /* step through arguments */ - for (ctrl=0; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else if (!strncmp(*argv,"conf=",5)) - strcpy(conf_file,*argv+5); - else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - - -/* limits stuff */ -#ifndef LIMITS_FILE -#define LIMITS_FILE "/etc/security/limits.conf" -#endif - -#define LIMIT_ERR 1 /* error setting a limit */ -#define LOGIN_ERR 2 /* too many logins err */ - -/* Counts the number of user logins and check against the limit*/ -static int check_logins(const char *name, int limit, int ctrl) -{ - struct utmp *ut; - unsigned int count; - - if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_DEBUG, "checking logins for '%s' / %d\n", name,limit); - } - - if (limit < 0) - return 0; /* no limits imposed */ - if (limit == 0) /* maximum 0 logins ? 
*/ { - _pam_log(LOG_WARNING, "No logins allowed for '%s'\n", name); - return LOGIN_ERR; - } - - setutent(); - count = 0; - while((ut = getutent())) { -#ifdef USER_PROCESS - if (ut->ut_type != USER_PROCESS) - continue; -#endif - if (ut->UT_USER[0] == '\0') - continue; - if (!flag_numsyslogins - && strncmp(name, ut->UT_USER, sizeof(ut->UT_USER)) != 0) - continue; - if (++count >= limit) - break; - } - endutent(); - if (count >= limit) { - if (name) { - _pam_log(LOG_WARNING, "Too many logins (max %d) for %s", - limit, name); - } else { - _pam_log(LOG_WARNING, "Too many system logins (max %d)", limit); - } - return LOGIN_ERR; - } - return 0; -} - -/* checks if a user is on a list of members of the GID 0 group */ -static int is_on_list(char * const *list, const char *member) -{ - while (*list) { - if (strcmp(*list, member) == 0) - return 1; - list++; - } - return 0; -} - -/* Checks if a user is a member of a group */ -static int is_on_group(const char *user_name, const char *group_name) -{ - struct passwd *pwd; - struct group *grp, *pgrp; - char uname[LINE_LENGTH], gname[LINE_LENGTH]; - - if (!strlen(user_name)) - return 0; - if (!strlen(group_name)) - return 0; - memset(uname, 0, sizeof(uname)); - strncpy(uname, user_name, LINE_LENGTH); - memset(gname, 0, sizeof(gname)); - strncpy(gname, group_name, LINE_LENGTH); - - setpwent(); - pwd = getpwnam(uname); - endpwent(); - if (!pwd) - return 0; - - /* the info about this group */ - setgrent(); - grp = getgrnam(gname); - endgrent(); - if (!grp) - return 0; - - /* first check: is a member of the group_name group ? */ - if (is_on_list(grp->gr_mem, uname)) - return 1; - - /* next check: user primary group is group_name ? 
*/ - setgrent(); - pgrp = getgrgid(pwd->pw_gid); - endgrent(); - if (!pgrp) - return 0; - if (!strcmp(pgrp->gr_name, gname)) - return 1; - - return 0; -} - -static int init_limits(void) -{ - int retval = PAM_SUCCESS; - - D(("called.")); - - retval |= getrlimit(RLIMIT_CPU, &limits[RLIMIT_CPU].limit); - limits[RLIMIT_CPU].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_CPU].src_hard = LIMITS_DEF_NONE; - - retval |= getrlimit(RLIMIT_FSIZE, &limits[RLIMIT_FSIZE].limit); - limits[RLIMIT_FSIZE].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_FSIZE].src_hard = LIMITS_DEF_NONE; - - retval |= getrlimit(RLIMIT_DATA, &limits[RLIMIT_DATA].limit); - limits[RLIMIT_DATA].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_DATA].src_hard = LIMITS_DEF_NONE; - - retval |= getrlimit(RLIMIT_STACK, &limits[RLIMIT_STACK].limit); - limits[RLIMIT_STACK].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_STACK].src_hard = LIMITS_DEF_NONE; - - retval |= getrlimit(RLIMIT_CORE, &limits[RLIMIT_CORE].limit); - limits[RLIMIT_CORE].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_CORE].src_hard = LIMITS_DEF_NONE; - - retval |= getrlimit(RLIMIT_RSS, &limits[RLIMIT_RSS].limit); - limits[RLIMIT_RSS].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_RSS].src_hard = LIMITS_DEF_NONE; - - retval |= getrlimit(RLIMIT_NPROC, &limits[RLIMIT_NPROC].limit); - limits[RLIMIT_NPROC].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_NPROC].src_hard = LIMITS_DEF_NONE; - - retval |= getrlimit(RLIMIT_NOFILE, &limits[RLIMIT_NOFILE].limit); - limits[RLIMIT_NOFILE].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_NOFILE].src_hard = LIMITS_DEF_NONE; - - retval |= getrlimit(RLIMIT_MEMLOCK, &limits[RLIMIT_MEMLOCK].limit); - limits[RLIMIT_MEMLOCK].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_MEMLOCK].src_hard = LIMITS_DEF_NONE; - - retval |= getrlimit(RLIMIT_AS, &limits[RLIMIT_AS].limit); - limits[RLIMIT_AS].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_AS].src_hard = LIMITS_DEF_NONE; - - login_limit = -2; - login_limit_def = LIMITS_DEF_NONE; - return retval; -} - 
-static void process_limit(int source, const char *lim_type, - const char *lim_item, const char *lim_value, - int ctrl) -{ - int limit_item; - int limit_type = 0; - long limit_value; - char **endptr = (char **) &lim_value; - const char *value_orig = lim_value; - - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "%s: processing(%d) %s %s %s\n", - __FUNCTION__,source,lim_type,lim_item,lim_value); - - if (strcmp(lim_item, "cpu") == 0) - limit_item = RLIMIT_CPU; - else if (strcmp(lim_item, "fsize") == 0) - limit_item = RLIMIT_FSIZE; - else if (strcmp(lim_item, "data") == 0) - limit_item = RLIMIT_DATA; - else if (strcmp(lim_item, "stack") == 0) - limit_item = RLIMIT_STACK; - else if (strcmp(lim_item, "core") == 0) - limit_item = RLIMIT_CORE; - else if (strcmp(lim_item, "rss") == 0) - limit_item = RLIMIT_RSS; - else if (strcmp(lim_item, "nproc") == 0) - limit_item = RLIMIT_NPROC; - else if (strcmp(lim_item, "nofile") == 0) - limit_item = RLIMIT_NOFILE; - else if (strcmp(lim_item, "memlock") == 0) - limit_item = RLIMIT_MEMLOCK; - else if (strcmp(lim_item, "as") == 0) - limit_item = RLIMIT_AS; - else if (strcmp(lim_item, "maxlogins") == 0) { - limit_item = LIMIT_LOGIN; - flag_numsyslogins = 0; - } else if (strcmp(lim_item, "maxsyslogins") == 0) { - limit_item = LIMIT_NUMSYSLOGINS; - flag_numsyslogins = 1; - } else { - _pam_log(LOG_DEBUG,"unknown limit item '%s'", lim_item); - return; - } - - if (strcmp(lim_type,"soft")==0) - limit_type=LIMIT_SOFT; - else if (strcmp(lim_type, "hard")==0) - limit_type=LIMIT_HARD; - else if (strcmp(lim_type,"-")==0) - limit_type=LIMIT_SOFT | LIMIT_HARD; - else if (limit_item != LIMIT_LOGIN && limit_item != LIMIT_NUMSYSLOGINS) { - _pam_log(LOG_DEBUG,"unknown limit type '%s'", lim_type); - return; - } - - limit_value = strtol(lim_value, endptr, 10); - if (limit_value == 0 && value_orig == *endptr) { /* no chars read */ - if (strcmp(lim_value,"-") != 0) { - _pam_log(LOG_DEBUG,"wrong limit value '%s'", lim_value); - return; - } else - if 
(limit_item != LIMIT_LOGIN) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, - "'-' limit value valid for maxlogins type only"); - return; - } else - limit_value = -1; - } - - switch(limit_item) { - case RLIMIT_CPU: - limit_value *= 60; - break; - case RLIMIT_FSIZE: - case RLIMIT_DATA: - case RLIMIT_STACK: - case RLIMIT_CORE: - case RLIMIT_RSS: - case RLIMIT_MEMLOCK: - case RLIMIT_AS: - limit_value *= 1024; - break; - } - - if (limit_item != LIMIT_LOGIN && limit_item != LIMIT_NUMSYSLOGINS) { - if (limit_type & LIMIT_SOFT) - if (limits[limit_item].src_soft < source) - return; - else { - limits[limit_item].limit.rlim_cur = limit_value; - limits[limit_item].src_soft = source; - } - if (limit_type & LIMIT_HARD) - if (limits[limit_item].src_hard < source) - return; - else { - limits[limit_item].limit.rlim_max = limit_value; - limits[limit_item].src_hard = source; - } - } else - if (login_limit_def < source) - return; - else { - login_limit = limit_value; - login_limit_def = source; - } - - return; -} - -static int parse_config_file(const char *uname, int ctrl) -{ - FILE *fil; - char buf[LINE_LENGTH]; - -#define CONF_FILE (conf_file[0])?conf_file:LIMITS_FILE - /* check for the LIMITS_FILE */ - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG,"reading settings from '%s'", CONF_FILE); - fil = fopen(CONF_FILE, "r"); - if (fil == NULL) { - _pam_log (LOG_WARNING, "can not read settings from %s", CONF_FILE); - return PAM_SERVICE_ERR; - } -#undef CONF_FILE - - /* init things */ - memset(buf, 0, sizeof(buf)); - /* start the show */ - while (fgets(buf, LINE_LENGTH, fil) != NULL) { - char domain[LINE_LENGTH]; - char ltype[LINE_LENGTH]; - char item[LINE_LENGTH]; - char value[LINE_LENGTH]; - int i,j; - char *tptr; - - tptr = buf; - /* skip the leading white space */ - while (*tptr && isspace(*tptr)) - tptr++; - strcpy(buf, (const char *)tptr); - - /* Rip off the comments */ - tptr = strchr(buf,'#'); - if (tptr) - *tptr = '\0'; - /* Rip off the newline char */ - tptr = 
strchr(buf,'\n'); - if (tptr) - *tptr = '\0'; - /* Anything left ? */ - if (!strlen(buf)) { - memset(buf, 0, sizeof(buf)); - continue; - } - - memset(domain, 0, sizeof(domain)); - memset(ltype, 0, sizeof(ltype)); - memset(item, 0, sizeof(item)); - memset(value, 0, sizeof(value)); - - i = sscanf(buf,"%s%s%s%s", domain, ltype, item, value); - for(j=0; j < strlen(domain); j++) - domain[j]=tolower(domain[j]); - for(j=0; j < strlen(ltype); j++) - ltype[j]=tolower(ltype[j]); - for(j=0; j < strlen(item); j++) - item[j]=tolower(item[j]); - for(j=0; j < strlen(value); j++) - value[j]=tolower(value[j]); - - if (i == 4) { /* a complete line */ - if (strcmp(uname, domain) == 0) /* this user have a limit */ - process_limit(LIMITS_DEF_USER, ltype, item, value, ctrl); - else if (domain[0]=='@') { - if (is_on_group(uname, domain+1)) - process_limit(LIMITS_DEF_GROUP, ltype, item, value, ctrl); - } else if (strcmp(domain, "*") == 0) - process_limit(LIMITS_DEF_DEFAULT, ltype, item, value, ctrl); - } else - _pam_log(LOG_DEBUG,"invalid line '%s'", buf); - } - fclose(fil); - return PAM_SUCCESS; -} - -static int setup_limits(const char * uname, int ctrl) -{ - int i; - int retval = PAM_SUCCESS; - - for (i=0; i limits[i].limit.rlim_max) - limits[i].limit.rlim_cur = limits[i].limit.rlim_max; - retval |= setrlimit(i, &limits[i].limit); - } - - if (retval != PAM_SUCCESS) - retval = LIMIT_ERR; - if (login_limit > 0) { - if (check_logins(uname, login_limit, ctrl) == LOGIN_ERR) - retval |= LOGIN_ERR; - } else if (login_limit == 0) - retval |= LOGIN_ERR; - return retval; -} - -/* now the session stuff */ -PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - int retval; - char *user_name; - struct passwd *pwd; - int ctrl; - - D(("called.")); - - memset(conf_file, 0, sizeof(conf_file)); - - ctrl = _pam_parse(argc, argv); - retval = pam_get_item( pamh, PAM_USER, (void*) &user_name ); - if ( user_name == NULL || retval != PAM_SUCCESS ) { - 
_pam_log(LOG_CRIT, "open_session - error recovering username"); - return PAM_SESSION_ERR; - } - - setpwent(); - pwd = getpwnam(user_name); - endpwent(); - if (!pwd) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_WARNING, "open_session username '%s' does not exist", - user_name); - return PAM_SESSION_ERR; - } - - /* do not impose limits on UID 0 accounts */ - if (!pwd->pw_uid) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "user '%s' have UID 0 - no limits imposed", - user_name); - return PAM_SUCCESS; - } - - retval = init_limits(); - if (retval != PAM_SUCCESS) { - _pam_log(LOG_WARNING, "can not initialize"); - return PAM_IGNORE; - } - - retval = parse_config_file(pwd->pw_name,ctrl); - if (retval != PAM_SUCCESS) { - _pam_log(LOG_WARNING, "error parsing the configuration file"); - return PAM_IGNORE; - } - - retval = setup_limits(pwd->pw_name, ctrl); - if (retval & LOGIN_ERR) { - printf("\nToo many logins for '%s'\n",pwd->pw_name); - sleep(2); - return PAM_PERM_DENIED; - } - - return PAM_SUCCESS; -} - -PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - /* nothing to do */ - return PAM_SUCCESS; -} - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_limits_modstruct = { - "pam_limits", - NULL, - NULL, - NULL, - pam_sm_open_session, - pam_sm_close_session, - NULL -}; -#endif - -/* - * Copyright (c) Cristian Gafton, 1996-1997, - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. 
- * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/contrib/libpam/modules/pam_listfile/Makefile b/contrib/libpam/modules/pam_listfile/Makefile deleted file mode 100644 index 02940390b333..000000000000 --- a/contrib/libpam/modules/pam_listfile/Makefile +++ /dev/null 
@@ -1,84 +0,0 @@ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# - -TITLE=pam_listfile - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/contrib/libpam/modules/pam_listfile/README b/contrib/libpam/modules/pam_listfile/README deleted file mode 100644 index b65e7dbbe701..000000000000 --- a/contrib/libpam/modules/pam_listfile/README +++ /dev/null 
@@ -1,25 +0,0 @@ -SUMMARY: - pam_listfile: - Checks a specified item against a list in a file. - Options: - * item=[tty|user|rhost|ruser|group|shell] - * sense=[allow|deny] (action to take if found in file, - if the item is NOT found in the file, then - the opposite action is requested) - * file=/the/file/to/get/the/list/from - * onerr=[succeed|fail] (if something weird happens - such as unable to open the file, what to do?) - * apply=[user|@group] - restrict the user class for which the restriction - apply. Note that with item=[user|ruser|group] this - does not make sense, but for item=[tty|rhost|shell] - it have a meaning. (Cristian Gafton) - - Also checks to make sure that the list file is a plain - file and not world writable. - - - Elliot Lee , Red Hat Software. - v0.9 August 16, 1996. - -BUGS: - Bugs? diff --git a/contrib/libpam/modules/pam_listfile/pam_listfile.c b/contrib/libpam/modules/pam_listfile/pam_listfile.c deleted file mode 100644 index e54b12aaec0c..000000000000 --- a/contrib/libpam/modules/pam_listfile/pam_listfile.c +++ /dev/null 
@@ -1,436 +0,0 @@
-/*
- * $Id: pam_listfile.c,v 1.6 1997/04/05 06:38:35 morgan Exp $
- *
- * $Log: pam_listfile.c,v $
- * Revision 1.6 1997/04/05 06:38:35 morgan
- * reformat mostly
- *
- * Revision 1.5 1997/02/15 17:29:41 morgan
- * removed fixed length buffer in logging
- *
- * Revision 1.4 1997/01/04 20:32:10 morgan
- * ammendments for pam_listfile handling
- *
- * Revision 1.3 1996/11/10 21:02:08 morgan
- * compiles with .53
- *
- * Revision 1.2 1996/09/05 06:22:58 morgan
- * Michael's patches
- *
- */
-
-/*
- * by Elliot Lee , Red Hat Software.
- * July 25, 1996.
- * This code shamelessly ripped from the pam_rootok module.
- */
-
-#ifdef linux
-# define _SVID_SOURCE
-# define _BSD_SOURCE
-# define __USE_BSD
-# define __USE_SVID
-# define __USE_MISC
-# define _GNU_SOURCE
-# include
-#endif
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#ifdef DEBUG
-#include
-#endif
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH
-
-#include
-#include
-
-/* some syslogging */
-
-static void _pam_log(int err, const char *format, ...) 
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM-listfile", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* checks if a user is on a list of members */
-static int is_on_list(char * const *list, const char *member)
-{
- while (*list) {
- if (strcmp(*list, member) == 0)
- return 1;
- list++;
- }
- return 0;
-}
-
-/* Checks if a user is a member of a group */
-static int is_on_group(const char *user_name, const char *group_name)
-{
- struct passwd *pwd;
- struct group *grp, *pgrp;
- char uname[BUFSIZ], gname[BUFSIZ];
-
- if (!strlen(user_name))
- return 0;
- if (!strlen(group_name))
- return 0;
- bzero(uname, sizeof(uname));
- strncpy(uname, user_name, BUFSIZ-1);
- bzero(gname, sizeof(gname));
- strncpy(gname, group_name, BUFSIZ-1);
-
- setpwent();
- pwd = getpwnam(uname);
- endpwent();
- if (!pwd)
- return 0;
-
- /* the info about this group */
- setgrent();
- grp = getgrnam(gname);
- endgrent();
- if (!grp)
- return 0;
-
- /* first check: is a member of the group_name group ? */
- if (is_on_list(grp->gr_mem, uname))
- return 1;
-
- /* next check: user primary group is group_name ? 
*/ - setgrent(); - pgrp = getgrgid(pwd->pw_gid); - endgrent(); - if (!pgrp) - return 0; - if (!strcmp(pgrp->gr_name, gname)) - return 1; - - return 0; -} - -/* --- authentication management functions (only) --- */ - -/* Extended Items that are not directly available via pam_get_item() */ -#define EI_GROUP (1 << 0) -#define EI_SHELL (1 << 1) - -/* Constants for apply= parameter */ -#define APPLY_TYPE_NULL 0 -#define APPLY_TYPE_NONE 1 -#define APPLY_TYPE_USER 2 -#define APPLY_TYPE_GROUP 3 - -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) -{ - int retval, i, citem=0, extitem=0, onerr=PAM_SERVICE_ERR, sense=2; - const char *citemp; - char *ifname=NULL; - char aline[256]; - char mybuf[256],myval[256]; - struct stat fileinfo; - FILE *inf; - char apply_val[256]; - int apply_type; - - /* Stuff for "extended" items */ - struct passwd *userinfo; - struct group *grpinfo; - char *itemlist[256]; /* Maximum of 256 items */ - - D(("called.")); - - apply_type=APPLY_TYPE_NULL; - memset(apply_val,0,sizeof(apply_val)); - - for(i=0; i < argc; i++) { - { - char *junk; - junk = (char *) malloc(strlen(argv[i])+1); - if (junk == NULL) { - return PAM_BUF_ERR; - } - strcpy(junk,argv[i]); - strncpy(mybuf,strtok(junk,"="),255); - strncpy(myval,strtok(NULL,"="),255); - free(junk); - } - if(!strcmp(mybuf,"onerr")) - if(!strcmp(myval,"succeed")) - onerr = PAM_SUCCESS; - else if(!strcmp(myval,"fail")) - onerr = PAM_SERVICE_ERR; - else - return PAM_SERVICE_ERR; - else if(!strcmp(mybuf,"sense")) - if(!strcmp(myval,"allow")) - sense=0; - else if(!strcmp(myval,"deny")) - sense=1; - else - return onerr; - else if(!strcmp(mybuf,"file")) { - ifname = (char *)malloc(strlen(myval)+1); - strcpy(ifname,myval); - } else if(!strcmp(mybuf,"item")) - if(!strcmp(myval,"user")) - citem = PAM_USER; - else if(!strcmp(myval,"tty")) - citem = PAM_TTY; - else if(!strcmp(myval,"rhost")) - citem = PAM_RHOST; - else if(!strcmp(myval,"ruser")) - citem = PAM_RUSER; - else { 
/* These items are related to the user, but are not - directly gettable with pam_get_item */ - citem = PAM_USER; - if(!strcmp(myval,"group")) - extitem = EI_GROUP; - else if(!strcmp(myval,"shell")) - extitem = EI_SHELL; - else - citem = 0; - } else if(!strcmp(mybuf,"apply")) { - apply_type=APPLY_TYPE_NONE; - if (myval[0]=='@') { - apply_type=APPLY_TYPE_GROUP; - strncpy(apply_val,myval+1,sizeof(apply_val)-1); - } else { - apply_type=APPLY_TYPE_USER; - strncpy(apply_val,myval,sizeof(apply_val)-1); - } - } else { - _pam_log(LOG_ERR,"Unknown option: %s",mybuf); - return onerr; - } - } - - if(!citem) { - _pam_log(LOG_ERR,"Unknown item or item not specified"); - return onerr; - } else if(!ifname) { - _pam_log(LOG_ERR,"List filename not specified"); - return onerr; - } else if(sense == 2) { - _pam_log(LOG_ERR,"Unknown sense or sense not specified"); - return onerr; - } else if( - (apply_type==APPLY_TYPE_NONE) || - ((apply_type!=APPLY_TYPE_NULL) && (*apply_val=='\0')) - ) { - _pam_log(LOG_ERR,"Invalid usage for apply= parameter"); - return onerr; - } - - /* Check if it makes sense to use the apply= parameter */ - if (apply_type != APPLY_TYPE_NULL) { - if((citem==PAM_USER) || (citem==PAM_RUSER)) { - _pam_log(LOG_WARNING,"Non-sense use for apply= parameter"); - apply_type=APPLY_TYPE_NULL; - } - if(extitem && (extitem==EI_GROUP)) { - _pam_log(LOG_WARNING,"Non-sense use for apply= parameter"); - apply_type=APPLY_TYPE_NULL; - } - } - - /* Short-circuit - test if this session apply for this user */ - { - const char *user_name; - int rval; - - rval=pam_get_user(pamh,&user_name,NULL); - if((rval==PAM_SUCCESS) && user_name[0]) { - /* Got it ? Valid ? 
*/ - if(apply_type==APPLY_TYPE_USER) { - if(strcmp(user_name, apply_val)) { - /* Does not apply to this user */ -#ifdef DEBUG - _pam_log(LOG_DEBUG,"don't apply: apply=%s, user=%s", - apply_val,user_name); -#endif /* DEBUG */ - return PAM_IGNORE; - } - } else if(apply_type==APPLY_TYPE_GROUP) { - if(!is_on_group(user_name,apply_val)) { - /* Not a member of apply= group */ -#ifdef DEBUG - _pam_log(LOG_DEBUG,"don't apply: %s not a member of group %s", - user_name,apply_val); -#endif /* DEBUG */ - return PAM_IGNORE; - } - } - } - } - - retval = pam_get_item(pamh,citem,(const void **)&citemp); - if(retval != PAM_SUCCESS) { - return onerr; - } - if((citem == PAM_USER) && !citemp) { - pam_get_user(pamh,&citemp,NULL); - if (retval != PAM_SUCCESS) - return PAM_SERVICE_ERR; - } - - if(!citemp || (strlen(citemp) <= 0)) { - /* The item was NULL - we are sure not to match */ - return sense?PAM_SUCCESS:PAM_AUTH_ERR; - } - - if(extitem) { - switch(extitem) { - case EI_GROUP: - setpwent(); - userinfo = getpwnam(citemp); - setgrent(); - grpinfo = getgrgid(userinfo->pw_gid); - itemlist[0] = x_strdup(grpinfo->gr_name); - setgrent(); - for (i=1; (i < sizeof(itemlist)/sizeof(itemlist[0])-1) && - (grpinfo = getgrent()); ) { - if (is_on_list(grpinfo->gr_mem,citemp)) { - itemlist[i++] = x_strdup(grpinfo->gr_name); - } - } - itemlist[i] = NULL; - endgrent(); - endpwent(); - break; - case EI_SHELL: - setpwent(); - userinfo = getpwnam(citemp); /* Assume that we have already gotten - PAM_USER in pam_get_item() - a valid - assumption since citem gets set to - PAM_USER in the extitem switch */ - citemp = userinfo->pw_shell; - endpwent(); - break; - default: - _pam_log(LOG_ERR,"Internal weirdness, unknown extended item %d", - extitem); - return onerr; - } - } -#ifdef DEBUG - _pam_log(LOG_INFO,"Got file = %s, item = %d, value = %s, sense = %d", - ifname, citem, citemp, sense); -#endif - if(lstat(ifname,&fileinfo)) { - _pam_log(LOG_ERR, - "Couldn't open %s",ifname); - return onerr; - } - - 
if((fileinfo.st_mode & S_IWOTH) - || !S_ISREG(fileinfo.st_mode)) { - /* If the file is world writable or is not a - normal file, return error */ - _pam_log(LOG_ERR, - "%s is either world writable or not a normal file", - ifname); - return PAM_AUTH_ERR; - } - - inf = fopen(ifname,"r"); - if(inf == NULL) { /* Check that we opened it successfully */ - if (onerr == PAM_SERVICE_ERR) { - /* Only report if it's an error... */ - _pam_log(LOG_ERR, "Error opening %s", ifname); - } - return onerr; - } - /* There should be no more errors from here on */ - retval=PAM_AUTH_ERR; - /* This loop assumes that PAM_SUCCESS == 0 - and PAM_AUTH_ERR != 0 */ -#ifdef DEBUG - assert(PAM_SUCCESS == 0); - assert(PAM_AUTH_ERR != 0); -#endif - if(extitem == EI_GROUP) { - while((fgets(aline,255,inf) != NULL) - && retval) { - if(aline[strlen(aline) - 1] == '\n') - aline[strlen(aline) - 1] = '\0'; - for(i=0;itemlist[i];) - /* If any of the items match, strcmp() == 0, and we get out - of this loop */ - retval = (strcmp(aline,itemlist[i++]) && retval); - } - for(i=0;itemlist[i];) - free(itemlist[i++]); - } else { - while((fgets(aline,255,inf) != NULL) - && retval) { - if(aline[strlen(aline) - 1] == '\n') - aline[strlen(aline) - 1] = '\0'; - retval = strcmp(aline,citemp); - } - } - fclose(inf); - free(ifname); - if(retval) { -#ifdef DEBUG - syslog(LOG_INFO,"Returning %d, retval = %d", - sense?PAM_AUTH_ERR:PAM_SUCCESS, retval); -#endif - return sense?PAM_SUCCESS:PAM_AUTH_ERR; - } - else { -#ifdef DEBUG - syslog(LOG_INFO,"Returning %d, retval = %d", - sense?PAM_SUCCESS:PAM_AUTH_ERR, retval); -#endif - return sense?PAM_AUTH_ERR:PAM_SUCCESS; - } -} - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) -{ - return PAM_SUCCESS; -} - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_listfile_modstruct = { - "pam_listfile", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - NULL, -}; - -#endif - -/* end of module definition */ - 
diff --git a/contrib/libpam/modules/pam_mail/Makefile b/contrib/libpam/modules/pam_mail/Makefile
deleted file mode 100644
index 5a402ea4015b..000000000000
--- a/contrib/libpam/modules/pam_mail/Makefile
+++ /dev/null
@@ -1,107 +0,0 @@ -# -# $Id: Makefile,v 1.3 1997/04/05 06:37:45 morgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# $Log: Makefile,v $ -# Revision 1.3 1997/04/05 06:37:45 morgan -# fakeroot -# -# Revision 1.2 1997/02/15 16:07:22 morgan -# optional libpwdb compilation -# -# Revision 1.1 1997/01/04 20:32:52 morgan -# Initial revision -# -# -# -# Created by Andrew Morgan 1996/12/8 -# - -TITLE=pam_mail - -ifndef STATIC -ifeq ($(HAVE_PWDBLIB),yes) -CFLAGS += -DWANT_PWDB -EXTRALIB = -lpwdb -endif -endif - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) $(EXTRALIB) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) $(EXTRALIB) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< - 
diff --git a/contrib/libpam/modules/pam_mail/pam_mail.c b/contrib/libpam/modules/pam_mail/pam_mail.c
deleted file mode 100644
index 15160f3d5208..000000000000
--- a/contrib/libpam/modules/pam_mail/pam_mail.c
+++ /dev/null
@@ -1,401 +0,0 @@ -/* pam_mail module */ - -/* - * $Id: pam_mail.c,v 1.2 1997/02/15 16:06:14 morgan Exp morgan $ - * - * Written by Andrew Morgan 1996/3/11 - * $HOME additions by David Kinchlea 1997/1/7 - * - * $Log: pam_mail.c,v $ - * Revision 1.2 1997/02/15 16:06:14 morgan - * session -> setcred, also added "~"=$HOME - * - * Revision 1.1 1997/01/04 20:33:02 morgan - * Initial revision - */ - -#define DEFAULT_MAIL_DIRECTORY "/var/spool/mail" -#define MAIL_FILE_FORMAT "%s/%s" -#define MAIL_ENV_NAME "MAIL" -#define MAIL_ENV_FORMAT MAIL_ENV_NAME "=%s" -#define YOUR_MAIL_FORMAT "You have %s mail in %s" - -#ifdef linux -# define _GNU_SOURCE -# include -#endif - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#ifdef WANT_PWDB -#include -#endif - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH - -#include -#include - -/* some syslogging */ - -static void _log_err(int err, const char *format, ...) 
-{ - va_list args; - - va_start(args, format); - openlog("PAM-mail", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* argument parsing */ - -#define PAM_DEBUG_ARG 01 -#define PAM_NO_LOGIN 02 -#define PAM_LOGOUT_TOO 04 -#define PAM_NEW_MAIL_DIR 010 -#define PAM_MAIL_SILENT 020 -#define PAM_NO_ENV 040 -#define PAM_HOME_MAIL 0100 -#define PAM_EMPTY_TOO 0200 - -static int _pam_parse(int flags, int argc, const char **argv, char **maildir) -{ - int ctrl=0; - - if (flags & PAM_SILENT) { - ctrl |= PAM_MAIL_SILENT; - } - - /* step through arguments */ - for (; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else if (!strncmp(*argv,"dir=",4)) { - *maildir = x_strdup(4+*argv); - if (*maildir != NULL) { - D(("new mail directory: %s", *maildir)); - ctrl |= PAM_NEW_MAIL_DIR; - } else { - _log_err(LOG_CRIT, - "failed to duplicate mail directory - ignored"); - } - } else if (!strcmp(*argv,"close")) { - ctrl |= PAM_LOGOUT_TOO; - } else if (!strcmp(*argv,"nopen")) { - ctrl |= PAM_NO_LOGIN; - } else if (!strcmp(*argv,"noenv")) { - ctrl |= PAM_NO_ENV; - } else if (!strcmp(*argv,"empty")) { - ctrl |= PAM_EMPTY_TOO; - } else { - _log_err(LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - -/* a front end for conversations */ - -static int converse(pam_handle_t *pamh, int ctrl, int nargs - , struct pam_message **message - , struct pam_response **response) -{ - int retval; - struct pam_conv *conv; - - D(("begin to converse")); - - retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ; - if ( retval == PAM_SUCCESS ) { - - retval = conv->conv(nargs, ( const struct pam_message ** ) message - , response, conv->appdata_ptr); - - D(("returned from application's conversation function")); - - if (retval != PAM_SUCCESS && (PAM_DEBUG_ARG & ctrl) ) { - _log_err(LOG_DEBUG, "conversation failure [%s]" - , pam_strerror(pamh, retval)); - } - - } else { - 
_log_err(LOG_ERR, "couldn't obtain coversation function [%s]" - , pam_strerror(pamh, retval)); - } - - D(("ready to return from module conversation")); - - return retval; /* propagate error status */ -} - -static int get_folder(pam_handle_t *pamh, int ctrl - , char **path_mail, char **folder_p) -{ - int retval; - const char *user, *path; - char *folder; - const struct passwd *pwd=NULL; - - retval = pam_get_user(pamh, &user, NULL); - if (retval != PAM_SUCCESS || user == NULL) { - _log_err(LOG_ERR, "no user specified"); - return PAM_USER_UNKNOWN; - } - - if (ctrl & PAM_NEW_MAIL_DIR) { - path = *path_mail; - if (*path == '~') { /* support for $HOME delivery */ - pwd = getpwnam(user); - if (pwd == NULL) { - _log_err(LOG_ERR, "user [%s] unknown", user); - _pam_overwrite(*path_mail); - _pam_drop(*path_mail); - return PAM_USER_UNKNOWN; - } - /* - * "~/xxx" and "~xxx" are treated as same - */ - if (!*++path || (*path == '/' && !*++path)) { - _log_err(LOG_ALERT, "badly formed mail path [%s]", *path_mail); - _pam_overwrite(*path_mail); - _pam_drop(*path_mail); - return PAM_ABORT; - } - ctrl |= PAM_HOME_MAIL; - } - } else { - path = DEFAULT_MAIL_DIRECTORY; - } - - /* put folder together */ - - if (ctrl & PAM_HOME_MAIL) { - folder = malloc(sizeof(MAIL_FILE_FORMAT) - +strlen(pwd->pw_dir)+strlen(path)); - } else { - folder = malloc(sizeof(MAIL_FILE_FORMAT)+strlen(path)+strlen(user)); - } - - if (folder != NULL) { - if (ctrl & PAM_HOME_MAIL) { - sprintf(folder, MAIL_FILE_FORMAT, pwd->pw_dir, path); - } else { - sprintf(folder, MAIL_FILE_FORMAT, path, user); - } - D(("folder =[%s]", folder)); - } - - /* tidy up */ - - _pam_overwrite(*path_mail); - _pam_drop(*path_mail); - user = NULL; - - if (folder == NULL) { - _log_err(LOG_CRIT, "out of memory for mail folder"); - return PAM_BUF_ERR; - } - - *folder_p = folder; - folder = NULL; - - return PAM_SUCCESS; -} - -static const char *get_mail_status(int ctrl, const char *folder) -{ - const char *type; - struct stat mail_st; - - if 
(stat(folder, &mail_st) == 0 && mail_st.st_size > 0) { - type = (mail_st.st_atime < mail_st.st_mtime) ? "new":"old" ; - } else if (ctrl & PAM_EMPTY_TOO) { - type = "no"; - } else { - type = NULL; - } - - memset(&mail_st, 0, sizeof(mail_st)); - D(("user has %s mail in %s folder", type, folder)); - return type; -} - -static int report_mail(pam_handle_t *pamh, int ctrl - , const char *type, const char *folder) -{ - int retval; - - if (!(ctrl & PAM_MAIL_SILENT)) { - char *remark; - - remark = malloc(sizeof(YOUR_MAIL_FORMAT)+strlen(type)+strlen(folder)); - if (remark == NULL) { - retval = PAM_BUF_ERR; - } else { - struct pam_message msg[1], *mesg[1]; - struct pam_response *resp=NULL; - - sprintf(remark, YOUR_MAIL_FORMAT, type, folder); - - mesg[0] = &msg[0]; - msg[0].msg_style = PAM_TEXT_INFO; - msg[0].msg = remark; - - retval = converse(pamh, ctrl, 1, mesg, &resp); - - _pam_overwrite(remark); - _pam_drop(remark); - if (resp) - _pam_drop_reply(resp, 1); - } - } else { - D(("keeping quiet")); - retval = PAM_SUCCESS; - } - - D(("returning %s", pam_strerror(pamh, retval))); - return retval; -} - -/* --- authentication management functions (only) --- */ - -/* - * Cannot use mail to authenticate yourself - */ - -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_IGNORE; -} - -/* - * MAIL is a "credential" - */ - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc - , const char **argv) -{ - int retval, ctrl; - char *path_mail=NULL, *folder; - const char *type; - - /* - * this module (un)sets the MAIL environment variable, and checks if - * the user has any new mail. - */ - - ctrl = _pam_parse(flags, argc, argv, &path_mail); - - /* Do we have anything to do? */ - - if (!(flags & (PAM_ESTABLISH_CRED|PAM_DELETE_CRED))) { - return PAM_SUCCESS; - } - - /* which folder? 
*/
-
- retval = get_folder(pamh, ctrl, &path_mail, &folder);
- if (retval != PAM_SUCCESS) {
- D(("failed to find folder"));
- return retval;
- }
-
- /* set the MAIL variable? */
-
- if (!(ctrl & PAM_NO_ENV) && (flags & PAM_ESTABLISH_CRED)) {
- char *tmp;
-
- tmp = malloc(strlen(folder)+sizeof(MAIL_ENV_FORMAT));
- if (tmp != NULL) {
- sprintf(tmp, MAIL_ENV_FORMAT, folder);
- D(("setting env: %s", tmp));
- retval = pam_putenv(pamh, tmp);
- _pam_overwrite(tmp);
- _pam_drop(tmp);
- if (retval != PAM_SUCCESS) {
- _pam_overwrite(folder);
- _pam_drop(folder);
- _log_err(LOG_CRIT, "unable to set " MAIL_ENV_NAME " variable");
- return retval;
- }
- } else {
- _log_err(LOG_CRIT, "no memory for " MAIL_ENV_NAME " variable");
- _pam_overwrite(folder);
- _pam_drop(folder);
- return retval;
- }
- } else {
- D(("not setting " MAIL_ENV_NAME " variable"));
- }
-
- /*
- * OK. we've got the mail folder... what about its status?
- */
-
- if (((flags & PAM_ESTABLISH_CRED) && !(ctrl & PAM_NO_LOGIN))
- || ((flags & PAM_DELETE_CRED) && (ctrl & PAM_LOGOUT_TOO))) {
- type = get_mail_status(ctrl, folder);
- if (type != NULL) {
- retval = report_mail(pamh, ctrl, type, folder);
- type = NULL;
- }
- }
-
- /*
- * Delete environment variable?
- */
-
- if (flags & PAM_DELETE_CRED) {
- (void) pam_putenv(pamh, MAIL_ENV_NAME);
- }
-
- _pam_overwrite(folder); /* clean up */
- _pam_drop(folder);
-
- /* indicate success or failure */
-
- return retval;
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_mail_modstruct = {
- "pam_mail",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL,
-};
-
-#endif
-
-/* end of module definition */
diff --git a/contrib/libpam/modules/pam_nologin/README b/contrib/libpam/modules/pam_nologin/README
deleted file mode 100644
index ab7ccd7d9803..000000000000
--- a/contrib/libpam/modules/pam_nologin/README
+++ /dev/null
@@ -1,12 +0,0 @@
-# $Id: README,v 1.1 1996/10/25 03:19:36 morgan Exp $
-#
-
-This module always lets root in; it lets other users in only if the file
-/etc/nologin doesn't exist. In any case, if /etc/nologin exists, it's
-contents are displayed to the user.
-
-module services provided:
-
- auth _authentication and _setcred (blank)
-
-Michael K. Johnson
diff --git a/contrib/libpam/modules/pam_nologin/pam_nologin.c b/contrib/libpam/modules/pam_nologin/pam_nologin.c
deleted file mode 100644
index 2788dcf8f39a..000000000000
--- a/contrib/libpam/modules/pam_nologin/pam_nologin.c
+++ /dev/null
@@ -1,124 +0,0 @@ -/* pam_nologin module */ - -/* - * $Id: pam_nologin.c,v 1.4 1997/04/05 06:36:47 morgan Exp morgan $ - * - * Written by Michael K. Johnson 1996/10/24 - * - * $Log: pam_nologin.c,v $ - * Revision 1.4 1997/04/05 06:36:47 morgan - * display message when the user is unknown - * - * Revision 1.3 1996/12/01 03:00:54 morgan - * added prototype to conversation, gave static structure name of module - * - * Revision 1.2 1996/11/10 21:02:31 morgan - * compile against .53 - * - * Revision 1.1 1996/10/25 03:19:36 morgan - * Initial revision - * - * - */ - -#include -#include -#include -#include -#include -#include -#include - -#include -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH - -#include - -/* --- authentication management functions (only) --- */ - -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) -{ - int retval = PAM_SUCCESS; - int fd; - const char *username; - char *mtmp=NULL; - struct passwd *user_pwd; - struct pam_conv *conversation; - struct pam_message message; - struct pam_message *pmessage = &message; - struct pam_response *resp = NULL; - struct stat st; - - if ((fd = open("/etc/nologin", O_RDONLY, 0)) >= 0) { - /* root can still log in; lusers cannot */ - if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS) - || !username) { - return PAM_SERVICE_ERR; - } - user_pwd = getpwnam(username); - if (user_pwd && user_pwd->pw_uid == 0) { - message.msg_style = PAM_TEXT_INFO; - } else { - if (!user_pwd) { - retval = PAM_USER_UNKNOWN; - } else { - retval = PAM_AUTH_ERR; - } - message.msg_style = PAM_ERROR_MSG; - } - - /* fill in message buffer with contents of /etc/nologin */ - if (fstat(fd, &st) < 0) /* give up trying to display message */ - return retval; - 
message.msg = mtmp = malloc(st.st_size+1);
- /* if malloc failed... */
- if (!message.msg) return retval;
- read(fd, mtmp, st.st_size);
- mtmp[st.st_size] = '\000';
-
- /* Use conversation function to give user contents of /etc/nologin */
- pam_get_item(pamh, PAM_CONV, (const void **)&conversation);
- conversation->conv(1, (const struct pam_message **)&pmessage,
- &resp, conversation->appdata_ptr);
- free(mtmp);
- if (resp)
- _pam_drop_reply(resp, 1);
- }
-
- return retval;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_nologin_modstruct = {
- "pam_nologin",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL,
-};
-
-#endif
-
-/* end of module definition */
diff --git a/contrib/libpam/modules/pam_permit/Makefile b/contrib/libpam/modules/pam_permit/Makefile
deleted file mode 100644
index 823b62472e35..000000000000
--- a/contrib/libpam/modules/pam_permit/Makefile
+++ /dev/null
@@ -1,126 +0,0 @@ -# -# $Id: Makefile,v 1.8 1997/04/05 06:33:25 morgan Exp morgan $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# $Log: Makefile,v $ -# Revision 1.8 1997/04/05 06:33:25 morgan -# fakeroot -# -# Revision 1.7 1997/02/15 19:02:27 morgan -# updated email address -# -# Revision 1.6 1996/11/10 20:14:34 morgan -# cross platform support -# -# Revision 1.5 1996/09/05 06:32:45 morgan -# ld --> gcc -# -# Revision 1.4 1996/05/26 15:49:25 morgan -# make dynamic and static dirs -# -# Revision 1.3 1996/05/26 04:04:26 morgan -# automated static support -# -# Revision 1.2 1996/03/16 17:56:38 morgan -# tidied up -# -# -# Created by Andrew Morgan 1996/3/11 -# - -# Convenient defaults for compiling independently of the full source -# tree. -ifndef FULL_LINUX_PAM_SOURCE_TREE -export DYNAMIC=-DPAM_DYNAMIC -export CC=gcc -export CFLAGS=-O2 -Dlinux -DLINUX_PAM \ - -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \ - -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \ - -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \ - -Wshadow -pedantic -fPIC -export MKDIR=mkdir -p -export LD_D=gcc -shared -Xlinker -x -endif - -# -# - -TITLE=pam_permit - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(TARGET_ARCH) -c $< -o $@ - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. 
; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) -endif - -ifdef DYNAMIC -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) -endif - -ifdef STATIC -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/contrib/libpam/modules/pam_permit/README b/contrib/libpam/modules/pam_permit/README deleted file mode 100644 index da179a34829c..000000000000 --- a/contrib/libpam/modules/pam_permit/README +++ /dev/null @@ -1,4 +0,0 @@ -# $Id: README,v 1.1 1996/03/16 18:12:51 morgan Exp $ -# - -this module always returns PAM_SUCCESS, it ignores all options. diff --git a/contrib/libpam/modules/pam_permit/pam_permit.c b/contrib/libpam/modules/pam_permit/pam_permit.c deleted file mode 100644 index 1bdd5644a63b..000000000000 --- a/contrib/libpam/modules/pam_permit/pam_permit.c +++ /dev/null 
@@ -1,122 +0,0 @@
-/* pam_permit module */
-
-/*
- * $Id: pam_permit.c,v 1.5 1997/02/15 19:03:15 morgan Exp $
- *
- * Written by Andrew Morgan 1996/3/11
- *
- * $Log: pam_permit.c,v $
- * Revision 1.5 1997/02/15 19:03:15 morgan
- * fixed email address
- *
- * Revision 1.4 1997/02/15 16:03:10 morgan
- * force a name for user
- *
- * Revision 1.3 1996/06/02 08:10:14 morgan
- * updated for new static protocol
- *
- */
-
-#define DEFAULT_USER "nobody"
-
-#include
-
-/*
- * here, we make definitions for the externally accessible functions
- * in this file (these definitions are required for static modules
- * but strongly encouraged generally) they are used to instruct the
- * modules include file to define their prototypes.
- */
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
-
-#include
-#include
-
-/* --- authentication management functions --- */
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- int retval;
- const char *user=NULL;
-
- /*
- * authentication requires we know who the user wants to be
- */
- retval = pam_get_user(pamh, &user, NULL);
- if (retval != PAM_SUCCESS) {
- D(("get user returned error: %s", pam_strerror(pamh,retval)));
- return retval;
- }
- if (user == NULL || *user == '\0') {
- D(("username not known"));
- pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER);
- }
- user = NULL; /* clean up */
-
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-/* --- account management functions --- */
-
-PAM_EXTERN
-int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-/* --- password management --- */
-
-PAM_EXTERN
-int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-/* --- session management --- */
-
-PAM_EXTERN
-int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN
-int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-/* end of module definition */
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_permit_modstruct = {
- "pam_permit",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok
-};
-
-#endif
diff --git a/contrib/libpam/modules/pam_pwdb/BUGS b/contrib/libpam/modules/pam_pwdb/BUGS
deleted file mode 100644
index 397f367b5372..000000000000
--- a/contrib/libpam/modules/pam_pwdb/BUGS
+++ /dev/null
@@ -1,8 +0,0 @@
-$Id: BUGS,v 1.2 1996/09/05 06:36:16 morgan Exp $
-
-$Log: BUGS,v $
-Revision 1.2 1996/09/05 06:36:16 morgan
-revised for .52 to be released
-
-
-As of Linux-PAM-0.52 this is new. No known bugs yet.
diff --git a/contrib/libpam/modules/pam_pwdb/CHANGELOG b/contrib/libpam/modules/pam_pwdb/CHANGELOG
deleted file mode 100644
index 0cb21879120b..000000000000
--- a/contrib/libpam/modules/pam_pwdb/CHANGELOG
+++ /dev/null
@@ -1,10 +0,0 @@
-$Header: /home/morgan/pam/Linux-PAM-0.52/modules/pam_unix/RCS/CHANGELOG,v 1.1 1996/08/29 13:23:29 morgan Exp $
-
-Tue Apr 23 12:28:09 EDT 1996 (Alexander O. Yuriev alex@bach.cis.temple.edu)
-
- * PAM_DISALLOW_NULL_AUTHTOK implemented in the authentication module
- * pam_sm_open_session() and pam_sm_close_session() implemented
- A new "trace" flag added to flags of /etc/pam.conf. Using this
- flag system administrator is able to make pam_unix module provide
- very extensive audit trail sent so syslog with LOG_AUTHPRIV level.
- * pam_sm_set_cred() is done
diff --git a/contrib/libpam/modules/pam_pwdb/Makefile b/contrib/libpam/modules/pam_pwdb/Makefile
deleted file mode 100644
index 7428bb439040..000000000000
--- a/contrib/libpam/modules/pam_pwdb/Makefile
+++ /dev/null
@@ -1,155 +0,0 @@
-# $Id: Makefile,v 1.7 1997/04/05 06:28:50 morgan Exp morgan $
-#
-# This Makefile controls a build process of the pam_unix module
-# for Linux-PAM. You should not modify this Makefile.
-#
-# rewritten to compile new module Andrew Morgan
-# 1996/11/6
-#
-
-#
-# Note, the STATIC module is commented out because it doesn't work.
-# please fix!
-#
-
-ifndef FULL_LINUX_PAM_SOURCE_TREE
-export DYNAMIC=-DPAM_DYNAMIC
-export CC=gcc
-export CFLAGS=-O2 -Dlinux -DLINUX_PAM \
- -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \
- -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \
- -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \
- -Wshadow -pedantic -fPIC
-export MKDIR=mkdir -p
-export LD_D=gcc -shared -Xlinker -x
-export HAVE_PWDBLIB=yes
-endif
-
-ifeq ($(HAVE_PWDBLIB),yes)
-
-TITLE=pam_pwdb
-CHKPWD=pwdb_chkpwd
-
-# compilation flags
-EXTRAS=
-# extra object files
-PLUS=
-# extra files that may be needed to be created
-CREATE=
-
-# NOTE: this module links dynamically to the libpwdb library.
-EXTRALS += -lpwdb
-EXTRAS += -DCHKPWD_HELPER=\"$(SUPLEMENTED)/$(CHKPWD)\"
-
-########################### don't edit below ##########################
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-#LIBOBJS = $(addprefix static/,$(LIBOBJ))
-LIBDEPS = pam_unix_acct.-c pam_unix_auth.-c pam_unix_passwd.-c \
- pam_unix_sess.-c pam_unix_pwupd.-c support.-c bigcrypt.-c
-
-PLUS += md5.o md5_crypt.o
-CFLAGS += $(EXTRAS)
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-#ifdef STATIC
-#LIBSTATIC = lib$(TITLE).o
-#endif
-
-all: info dirs $(PLUS) $(LIBSHARED) $(LIBSTATIC) register $(CHKPWD)
-
-dynamic/$(LIBOBJ) : $(LIBSRC) $(LIBDEPS)
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-#static/$(LIBOBJ) : $(LIBSRC) $(LIBDEPS)
-# $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-info:
- @echo
- @echo "*** Building PAM_pwdb module..."
- @echo
-
-$(CHKPWD): pwdb_chkpwd.o md5.o md5_crypt.o
- $(CC) -o $(CHKPWD) $^ -lpwdb
-
-pwdb_chkpwd.o: pwdb_chkpwd.c pam_unix_md.-c bigcrypt.-c
-
-dirs:
-ifdef DYNAMIC
- @$(MKDIR) ./dynamic
-endif
-#ifdef STATIC
-# @$(MKDIR) ./static
-#endif
-
-register:
-#ifdef STATIC
-# ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-#endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD) $(PLUS) $(EXTRALS)
-endif
-
-#ifdef STATIC
-#$(LIBOBJS): $(LIBSRC)
-#
-#$(LIBSTATIC): $(LIBOBJS)
-# $(LD) -r -o $@ $(LIBOBJS) $(PLUS) $(EXTRALS)
-#endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
- $(MKDIR) $(FAKEROOT)$(SUPLEMENTED)
- $(INSTALL) -m 4555 -o root -g root $(CHKPWD) $(FAKEROOT)$(SUPLEMENTED)
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
- rm -f $(FAKEROOT)$(SUPLEMENTED)/$(CHKPWD)
-
-clean:
- rm -f $(CHKPWD) $(LIBOBJD) $(LIBOBJS) $(MOREDELS) core *~ *.o *.so
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak
-
-else
-
-include ../dont_makefile
-
-endif
-
-#####################################################################
-# $Log: Makefile,v $
-# Revision 1.7 1997/04/05 06:28:50 morgan
-# fakeroot
-#
-# Revision 1.6 1997/02/15 17:25:32 morgan
-# update for .56 . extra commands for new helper binary
-#
-# Revision 1.5 1997/01/04 20:39:08 morgan
-# conditional on having libpwdb
-#
-# Revision 1.4 1996/12/01 03:02:03 morgan
-# changed banner, removed linking libraries
-#
-# Revision 1.3 1996/11/10 20:14:42 morgan
-# cross platform support
-#
-# Revision 1.2 1996/09/05 06:36:49 morgan
-# options added and use of LD altered
-#
-# Revision 1.1 1996/08/29 13:23:29 morgan
-# Initial revision
-#
-#
diff --git a/contrib/libpam/modules/pam_pwdb/README b/contrib/libpam/modules/pam_pwdb/README
deleted file mode 100644
index 351a706008e9..000000000000
--- a/contrib/libpam/modules/pam_pwdb/README
+++ /dev/null
@@ -1,41 +0,0 @@
-This is the pam_unix module. It has been significantly rewritten since
-.51 was released (due mostly to the efforts of Cristian Gafton), and
-now takes more options and correctly updates vanilla UNIX/shadow/md5
-passwords.
-
-[Please read the source and make a note of all the warnings there, as
-the license suggests -- use at your own risk.]
-
-So far as I am concerned this module is now pretty stable. If you find
-any bugs, PLEASE tell me!
-
-Options recognized by this module are as follows:
-
- debug - log more debugging info
- audit - a little more extreme than debug
- use_first_pass - don't prompt the user for passwords
- take them from PAM_ items instead
- try_first_pass - don't prompt the user for the passwords
- unless PAM_(OLD)AUTHTOK is unset
- use_authtok - like try_first_pass, but *fail* if the new
- PAM_AUTHTOK has not been previously set.
- (intended for stacking password modules only)
- not_set_pass - don't set the PAM_ items with the passwords
- used by this module.
- shadow - try to maintian a shadow based system.
- unix - when changing passwords, they are placed
- in the /etc/passwd file
- md5 - when a user changes their password next,
- encrypt it with the md5 algorithm.
- bigcrypt - when a user changes their password next,
- excrypt it with the DEC C2-algorithm(0).
- nodelay - used to prevent failed authentication
- resulting in a delay of about 1 second.
-
-There is some support for building a shadow file on-the-fly from an
-/etc/passwd file. This is VERY alpha. If you want to play with it you
-should read the source to find the appropriate #define that you will
-need.
-
----------------------- 
-Andrew Morgan
diff --git a/contrib/libpam/modules/pam_pwdb/TODO b/contrib/libpam/modules/pam_pwdb/TODO
deleted file mode 100644
index 23eb4c163d08..000000000000
--- a/contrib/libpam/modules/pam_pwdb/TODO
+++ /dev/null
@@ -1,34 +0,0 @@
-$Id: TODO,v 1.3 1996/11/10 21:03:21 morgan Exp $
-
- * get NIS working
- * .. including "nonis" argument
- * add helper binary
-
-Wed Sep 4 23:40:09 PDT 1996 Andrew G. Morgan
-
- * verify that it works for everyone
- * look more seriously at the issue of generating a shadow
- system on the fly
- * add some more password flavors
-
-Thu Aug 29 06:26:42 PDT 1996 Andrew G. Morgan
-
- * check that complete rewrite works! ;^)
- * complete shadow support to the password changing code.
- Also some code needed here for session managment?
- (both pam.conf argument to turn it on/off, and some
- conditional compilation.)
- * md5 passwords...
- * make the exclusive nature of the arguments work. That is,
- only recognize the flags when appropriate.
-
-Wed May 8 19:08:49 EDT 1996 Alexander O. Yuriev
-
- * support.c should go.
-
-Tue Apr 23 21:43:55 EDT 1996 Alexander O. Yuriev
-
- * pam_sm_chauth_tok() should be written
- * QUICK FIX: pam_sm_setcred() probably returns incorrect error code
-
-
diff --git a/contrib/libpam/modules/pam_pwdb/bigcrypt.-c b/contrib/libpam/modules/pam_pwdb/bigcrypt.-c
deleted file mode 100644
index 321f24911296..000000000000
--- a/contrib/libpam/modules/pam_pwdb/bigcrypt.-c
+++ /dev/null
@@ -1,114 +0,0 @@
-/*
- * This function implements the "bigcrypt" algorithm specifically for
- * Linux-PAM.
- *
- * This algorithm is algorithm 0 (default) shipped with the C2 secure
- * implementation of Digital UNIX.
- *
- * Disclaimer: This work is not based on the source code to Digital
- * UNIX, nor am I connected to Digital Equipment Corp, in any way
- * other than as a customer. This code is based on published
- * interfaces and reasonable guesswork.
- *
- * Description: The cleartext is divided into blocks of SEGMENT_SIZE=8
- * characters or less. Each block is encrypted using the standard UNIX
- * libc crypt function. The result of the encryption for one block
- * provides the salt for the suceeding block.
- *
- * Restrictions: The buffer used to hold the encrypted result is
- * statically allocated. (see MAX_PASS_LEN below). This is necessary,
- * as the returned pointer points to "static data that are overwritten
- * by each call", (XPG3: XSI System Interface + Headers pg 109), and
- * this is a drop in replacement for crypt();
- *
- * Andy Phillips
- */
-
-/*
- * Max cleartext password length in segments of 8 characters this
- * function can deal with (16 segments of 8 chars= max 128 character
- * password).
- */
-
-#define MAX_PASS_LEN 16
-#define SEGMENT_SIZE 8
-#define SALT_SIZE 2
-#define KEYBUF_SIZE ((MAX_PASS_LEN*SEGMENT_SIZE)+SALT_SIZE)
-#define ESEGMENT_SIZE 11
-#define CBUF_SIZE ((MAX_PASS_LEN*ESEGMENT_SIZE)+SALT_SIZE+1)
-
-static char *bigcrypt(const char *key, const char *salt)
-{
- static char dec_c2_cryptbuf[CBUF_SIZE]; /* static storage area */
-
- unsigned long int keylen,n_seg,j;
- char *cipher_ptr,*plaintext_ptr,*tmp_ptr,*salt_ptr;
- char keybuf[KEYBUF_SIZE+1];
-
- D(("called with key='%s', salt='%s'.", key, salt));
-
- /* reset arrays */
- memset(keybuf, 0, KEYBUF_SIZE+1);
- memset(dec_c2_cryptbuf, 0, CBUF_SIZE);
-
- /* fill KEYBUF_SIZE with key */
- strncpy(keybuf, key, KEYBUF_SIZE);
-
- /* deal with case that we are doing a password check for a
- conventially encrypted password: the salt will be
- SALT_SIZE+ESEGMENT_SIZE long. */
- if (strlen(salt) == (SALT_SIZE+ESEGMENT_SIZE))
- keybuf[SEGMENT_SIZE] = '\0'; /* terminate password early(?) */
-
- keylen = strlen(keybuf);
-
- if (!keylen) {
- n_seg = 1;
- } else {
- /* work out how many segments */
- n_seg = 1 + ((keylen-1)/SEGMENT_SIZE);
- }
-
- if (n_seg > MAX_PASS_LEN)
- n_seg = MAX_PASS_LEN; /* truncate at max length */
-
- /* set up some pointers */
- cipher_ptr = dec_c2_cryptbuf;
- plaintext_ptr = keybuf;
-
- /* do the first block with supplied salt */
- tmp_ptr = crypt(plaintext_ptr,salt); /* libc crypt() */
-
- /* and place in the static area */
- strncpy(cipher_ptr, tmp_ptr, 13);
- cipher_ptr += ESEGMENT_SIZE + SALT_SIZE;
- plaintext_ptr += SEGMENT_SIZE; /* first block of SEGMENT_SIZE */
-
- /* change the salt (1st 2 chars of previous block) - this was found
- by dowsing */
-
- salt_ptr = cipher_ptr - ESEGMENT_SIZE;
-
- /* so far this is identical to "return crypt(key, salt);", if
- there is more than one block encrypt them... */
-
- if (n_seg > 1) {
- for (j=2; j <= n_seg; j++) {
-
- tmp_ptr = crypt(plaintext_ptr, salt_ptr);
-
- /* skip the salt for seg!=0 */
- strncpy(cipher_ptr, (tmp_ptr+SALT_SIZE), ESEGMENT_SIZE);
-
- cipher_ptr += ESEGMENT_SIZE;
- plaintext_ptr += SEGMENT_SIZE;
- salt_ptr = cipher_ptr - ESEGMENT_SIZE;
- }
- }
-
- D(("key=|%s|, salt=|%s|\nbuf=|%s|\n", key, salt, dec_c2_cryptbuf));
-
- /* this is the terminated encrypted password */
-
- return dec_c2_cryptbuf;
-}
diff --git a/contrib/libpam/modules/pam_pwdb/md5.c b/contrib/libpam/modules/pam_pwdb/md5.c
deleted file mode 100644
index fdfbdd88f389..000000000000
--- a/contrib/libpam/modules/pam_pwdb/md5.c
+++ /dev/null
@@ -1,259 +0,0 @@
-/* $Id: md5.c,v 1.1 1996/09/05 06:43:31 morgan Exp $
- *
- * This code implements the MD5 message-digest algorithm.
- * The algorithm is due to Ron Rivest. This code was
- * written by Colin Plumb in 1993, no copyright is claimed.
- * This code is in the public domain; do with it what you wish.
- *
- * Equivalent code is available from RSA Data Security, Inc.
- * This code has been tested against that, and is equivalent,
- * except that you don't need to include two pages of legalese
- * with every copy.
- *
- * To compute the message digest of a chunk of bytes, declare an
- * MD5Context structure, pass it to MD5Init, call MD5Update as
- * needed on buffers full of bytes, and then call MD5Final, which
- * will fill a supplied 16-byte array with the digest.
- *
- * $Log: md5.c,v $
- * Revision 1.1 1996/09/05 06:43:31 morgan
- * Initial revision
- *
- */
-
-#include
-#include "md5.h"
-
-#ifndef HIGHFIRST
-#define byteReverse(buf, len) /* Nothing */
-#else
-void byteReverse(unsigned char *buf, unsigned longs);
-
-#ifndef ASM_MD5
-/*
- * Note: this code is harmless on little-endian machines.
- */
-void byteReverse(unsigned char *buf, unsigned longs)
-{
- uint32 t;
- do {
- t = (uint32) ((unsigned) buf[3] << 8 | buf[2]) << 16 |
- ((unsigned) buf[1] << 8 | buf[0]);
- *(uint32 *) buf = t;
- buf += 4;
- } while (--longs);
-}
-#endif
-#endif
-
-/*
- * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious
- * initialization constants.
- */
-void MD5Init(struct MD5Context *ctx)
-{
- ctx->buf[0] = 0x67452301U;
- ctx->buf[1] = 0xefcdab89U;
- ctx->buf[2] = 0x98badcfeU;
- ctx->buf[3] = 0x10325476U;
-
- ctx->bits[0] = 0;
- ctx->bits[1] = 0;
-}
-
-/*
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void MD5Update(struct MD5Context *ctx, unsigned const char *buf, unsigned len)
-{
- uint32 t;
-
- /* Update bitcount */
-
- t = ctx->bits[0];
- if ((ctx->bits[0] = t + ((uint32) len << 3)) < t)
- ctx->bits[1]++; /* Carry from low to high */
- ctx->bits[1] += len >> 29;
-
- t = (t >> 3) & 0x3f; /* Bytes already in shsInfo->data */
-
- /* Handle any leading odd-sized chunks */
-
- if (t) {
- unsigned char *p = (unsigned char *) ctx->in + t;
-
- t = 64 - t;
- if (len < t) {
- memcpy(p, buf, len);
- return;
- }
- memcpy(p, buf, t);
- byteReverse(ctx->in, 16);
- MD5Transform(ctx->buf, (uint32 *) ctx->in);
- buf += t;
- len -= t;
- }
- /* Process data in 64-byte chunks */
-
- while (len >= 64) {
- memcpy(ctx->in, buf, 64);
- byteReverse(ctx->in, 16);
- MD5Transform(ctx->buf, (uint32 *) ctx->in);
- buf += 64;
- len -= 64;
- }
-
- /* Handle any remaining bytes of data. */
-
- memcpy(ctx->in, buf, len);
-}
-
-/*
- * Final wrapup - pad to 64-byte boundary with the bit pattern
- * 1 0* (64-bit count of bits processed, MSB-first)
- */
-void MD5Final(unsigned char digest[16], struct MD5Context *ctx)
-{
- unsigned count;
- unsigned char *p;
-
- /* Compute number of bytes mod 64 */
- count = (ctx->bits[0] >> 3) & 0x3F;
-
- /* Set the first char of padding to 0x80. This is safe since there is
- always at least one byte free */
- p = ctx->in + count;
- *p++ = 0x80;
-
- /* Bytes of padding needed to make 64 bytes */
- count = 64 - 1 - count;
-
- /* Pad out to 56 mod 64 */
- if (count < 8) {
- /* Two lots of padding: Pad the first block to 64 bytes */
- memset(p, 0, count);
- byteReverse(ctx->in, 16);
- MD5Transform(ctx->buf, (uint32 *) ctx->in);
-
- /* Now fill the next block with 56 bytes */
- memset(ctx->in, 0, 56);
- } else {
- /* Pad block to 56 bytes */
- memset(p, 0, count - 8);
- }
- byteReverse(ctx->in, 14);
-
- /* Append length in bits and transform */
- ((uint32 *) ctx->in)[14] = ctx->bits[0];
- ((uint32 *) ctx->in)[15] = ctx->bits[1];
-
- MD5Transform(ctx->buf, (uint32 *) ctx->in);
- byteReverse((unsigned char *) ctx->buf, 4);
- memcpy(digest, ctx->buf, 16);
- memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */
-}
-
-#ifndef ASM_MD5
-
-/* The four core functions - F1 is optimized somewhat */
-
-/* #define F1(x, y, z) (x & y | ~x & z) */
-#define F1(x, y, z) (z ^ (x & (y ^ z)))
-#define F2(x, y, z) F1(z, x, y)
-#define F3(x, y, z) (x ^ y ^ z)
-#define F4(x, y, z) (y ^ (x | ~z))
-
-/* This is the central step in the MD5 algorithm. */
-#define MD5STEP(f, w, x, y, z, data, s) \
- ( w += f(x, y, z) + data, w = w<>(32-s), w += x )
-
-/*
- * The core of the MD5 algorithm, this alters an existing MD5 hash to
- * reflect the addition of 16 longwords of new data. MD5Update blocks
- * the data and converts bytes into longwords for this routine.
- */
-void MD5Transform(uint32 buf[4], uint32 const in[16])
-{
- register uint32 a, b, c, d;
-
- a = buf[0];
- b = buf[1];
- c = buf[2];
- d = buf[3];
-
- MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478U, 7);
- MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756U, 12);
- MD5STEP(F1, c, d, a, b, in[2] + 0x242070dbU, 17);
- MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceeeU, 22);
- MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0fafU, 7);
- MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62aU, 12);
- MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613U, 17);
- MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501U, 22);
- MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8U, 7);
- MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7afU, 12);
- MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1U, 17);
- MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7beU, 22);
- MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122U, 7);
- MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193U, 12);
- MD5STEP(F1, c, d, a, b, in[14] + 0xa679438eU, 17);
- MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821U, 22);
-
- MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562U, 5);
- MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340U, 9);
- MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51U, 14);
- MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aaU, 20);
- MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105dU, 5);
- MD5STEP(F2, d, a, b, c, in[10] + 0x02441453U, 9);
- MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681U, 14);
- MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8U, 20);
- MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6U, 5);
- MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6U, 9);
- MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87U, 14);
- MD5STEP(F2, b, c, d, a, in[8] + 0x455a14edU, 20);
- MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905U, 5);
- MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8U, 9);
- MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9U, 14);
- MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8aU, 20);
-
- MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942U, 4);
- MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681U, 11);
- MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122U, 16);
- MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380cU, 23);
- MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44U, 4);
- MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9U, 11);
- MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60U, 16);
- MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70U, 23);
- MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6U, 4);
- MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127faU, 11);
- MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085U, 16);
- MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05U, 23);
- MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039U, 4);
- MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5U, 11);
- MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8U, 16);
- MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665U, 23);
-
- MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244U, 6);
- MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97U, 10);
- MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7U, 15);
- MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039U, 21);
- MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3U, 6);
- MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92U, 10);
- MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47dU, 15);
- MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1U, 21);
- MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4fU, 6);
- MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0U, 10);
- MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314U, 15);
- MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1U, 21);
- MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82U, 6);
- MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235U, 10);
- MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bbU, 15);
- MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391U, 21);
-
- buf[0] += a;
- buf[1] += b;
- buf[2] += c;
- buf[3] += d;
-}
-
-#endif
diff --git a/contrib/libpam/modules/pam_pwdb/md5.h b/contrib/libpam/modules/pam_pwdb/md5.h
deleted file mode 100644
index 4949ade27e1f..000000000000
--- a/contrib/libpam/modules/pam_pwdb/md5.h
+++ /dev/null
@@ -1,30 +0,0 @@
-#ifndef MD5_H
-#define MD5_H
-
-#ifdef __alpha
-typedef unsigned int uint32;
-#else
-typedef unsigned long uint32;
-#endif
-
-struct MD5Context {
- uint32 buf[4];
- uint32 bits[2];
- unsigned char in[64];
-};
-
-void MD5Init(struct MD5Context *);
-void MD5Update(struct MD5Context *, unsigned const char *, unsigned);
-void MD5Final(unsigned char digest[16], struct MD5Context *);
-void MD5Transform(uint32 buf[4], uint32 const in[16]);
-int i64c(int i);
-
-char *crypt_md5(const char *pw, const char *salt);
-
-/*
-* This is needed to make RSAREF happy on some MS-DOS compilers.
-*/
-
-typedef struct MD5Context MD5_CTX;
-
-#endif /* MD5_H */
diff --git a/contrib/libpam/modules/pam_pwdb/md5_crypt.c b/contrib/libpam/modules/pam_pwdb/md5_crypt.c
deleted file mode 100644
index 88be13b7f001..000000000000
--- a/contrib/libpam/modules/pam_pwdb/md5_crypt.c
+++ /dev/null
@@ -1,164 +0,0 @@
-/* $Id: md5_crypt.c,v 1.1 1996/09/05 06:43:31 morgan Exp $
- *
- * ----------------------------------------------------------------------------
- * "THE BEER-WARE LICENSE" (Revision 42):
- * wrote this file. As long as you retain this notice you
- * can do whatever you want with this stuff. If we meet some day, and you think
- * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
- * ----------------------------------------------------------------------------
- *
- * Origin: Id: crypt.c,v 1.3 1995/05/30 05:42:22 rgrimes Exp
- *
- * $Log: md5_crypt.c,v $
- * Revision 1.1 1996/09/05 06:43:31 morgan
- * Initial revision
- *
- */
-
-#include
-#include "md5.h"
-
-static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
- "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
-
-static void
-to64(char *s, unsigned long v, int n)
-{
- while (--n >= 0) {
- *s++ = itoa64[v&0x3f];
- v >>= 6;
- }
-}
-
-/*
- * i64c - convert an integer to a radix 64 character
- */
-int i64c(int i)
-{
- if (i < 0)
- return ('.');
- else if (i > 63)
- return ('z');
- if (i == 0)
- return ('.');
- if (i == 1)
- return ('/');
- if (i >= 2 && i <= 11)
- return ('0' - 2 + i);
- if (i >= 12 && i <= 37)
- return ('A' - 12 + i);
- if (i >= 38 && i <= 63)
- return ('a' - 38 + i);
- return ('\0');
-}
-
-/*
- * UNIX password
- *
- * Use MD5 for what it is best at...
- */
-
-char * crypt_md5(const char *pw, const char *salt)
-{
- const char *magic = "$1$";
- /* This string is magic for this algorithm. Having
- * it this way, we can get get better later on */
- static char passwd[120], *p;
- static const char *sp,*ep;
- unsigned char final[16];
- int sl,pl,i,j;
- MD5_CTX ctx,ctx1;
- unsigned long l;
-
- /* Refine the Salt first */
- sp = salt;
-
- /* If it starts with the magic string, then skip that */
- if(!strncmp(sp,magic,strlen(magic)))
- sp += strlen(magic);
-
- /* It stops at the first '$', max 8 chars */
- for(ep=sp;*ep && *ep != '$' && ep < (sp+8);ep++)
- continue;
-
- /* get the length of the true salt */
- sl = ep - sp;
-
- MD5Init(&ctx);
-
- /* The password first, since that is what is most unknown */
- MD5Update(&ctx,(unsigned const char *)pw,strlen(pw));
-
- /* Then our magic string */
- MD5Update(&ctx,(unsigned const char *)magic,strlen(magic));
-
- /* Then the raw salt */
- MD5Update(&ctx,(unsigned const char *)sp,sl);
-
- /* Then just as many characters of the MD5(pw,salt,pw) */
- MD5Init(&ctx1);
- MD5Update(&ctx1,(unsigned const char *)pw,strlen(pw));
- MD5Update(&ctx1,(unsigned const char *)sp,sl);
- MD5Update(&ctx1,(unsigned const char *)pw,strlen(pw));
- MD5Final(final,&ctx1);
- for(pl = strlen(pw); pl > 0; pl -= 16)
- MD5Update(&ctx,(unsigned const char *)final,pl>16 ? 16 : pl);
-
- /* Don't leave anything around in vm they could use. */
- memset(final,0,sizeof final);
-
- /* Then something really weird... */
- for (j=0,i = strlen(pw); i ; i >>= 1)
- if(i&1)
- MD5Update(&ctx, (unsigned const char *)final+j, 1);
- else
- MD5Update(&ctx, (unsigned const char *)pw+j, 1);
-
- /* Now make the output string */
- strcpy(passwd,magic);
- strncat(passwd,sp,sl);
- strcat(passwd,"$");
-
- MD5Final(final,&ctx);
-
- /*
- * and now, just to make sure things don't run too fast
- * On a 60 Mhz Pentium this takes 34 msec, so you would
- * need 30 seconds to build a 1000 entry dictionary...
- */
- for(i=0;i<1000;i++) {
- MD5Init(&ctx1);
- if(i & 1)
- MD5Update(&ctx1,(unsigned const char *)pw,strlen(pw));
- else
- MD5Update(&ctx1,(unsigned const char *)final,16);
-
- if(i % 3)
- MD5Update(&ctx1,(unsigned const char *)sp,sl);
-
- if(i % 7)
- MD5Update(&ctx1,(unsigned const char *)pw,strlen(pw));
-
- if(i & 1)
- MD5Update(&ctx1,(unsigned const char *)final,16);
- else
- MD5Update(&ctx1,(unsigned const char *)pw,strlen(pw));
- MD5Final(final,&ctx1);
- }
-
- p = passwd + strlen(passwd);
-
- l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p,l,4); p += 4;
- l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p,l,4); p += 4;
- l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p,l,4); p += 4;
- l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p,l,4); p += 4;
- l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p,l,4); p += 4;
- l = final[11] ; to64(p,l,2); p += 2;
- *p = '\0';
-
- /* Don't leave anything around in vm they could use. */
- memset(final,0,sizeof final);
-
- return passwd;
-}
-
diff --git a/contrib/libpam/modules/pam_pwdb/pam_pwdb.c b/contrib/libpam/modules/pam_pwdb/pam_pwdb.c
deleted file mode 100644
index a612f74037b4..000000000000
--- a/contrib/libpam/modules/pam_pwdb/pam_pwdb.c
+++ /dev/null
@@ -1,257 +0,0 @@
-/*
- * $Id: pam_pwdb.c,v 1.3 1997/01/04 20:38:33 morgan Exp morgan $
- *
- * This is the single file that will be compiled for pam_unix.
- * it includes each of the modules that have beed defined in the .-c
- * files in this directory.
- *
- * It is a little ugly to do it this way, but it is a simple way of
- * defining static functions only once, and yet keeping the separate
- * files modular. If you can think of something better, please email
- * Andrew Morgan
- *
- * See the end of this file for Copyright information.
- */
-
-/*
- * $Log: pam_pwdb.c,v $
- * Revision 1.3 1997/01/04 20:38:33 morgan
- * this is not the unix module!
- *
- * Revision 1.2 1996/12/01 03:03:43 morgan
- * debugging code uses _pam_malloc
- *
- * Revision 1.1 1996/11/10 21:21:24 morgan
- * Initial revision
- *
- * Revision 1.3 1996/09/05 06:44:33 morgan
- * more debugging, fixed static structure name
- *
- * Revision 1.2 1996/09/01 01:05:12 morgan
- * Cristian Gafton's patches.
- *
- * Revision 1.1 1996/08/29 13:22:19 morgan
- * Initial revision
- *
- */
-
-static const char rcsid[] =
-"$Id: pam_pwdb.c,v 1.3 1997/01/04 20:38:33 morgan Exp morgan $\n"
-" - PWDB Pluggable Authentication module. "
-;
-
-#ifdef linux
-# define _GNU_SOURCE
-# include
-#endif
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include /* for time() */
-#include
-#include
-
-#define _SVID_SOURCE
-#define __USE_BSD
-#define _BSD_COMPAT
-#include
-#include
-
-#include
-
-/* indicate the following groups are defined */
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
-
-#include
-#include
-
-#ifndef LINUX_PAM
-#include
-#endif /* LINUX_PAM */
-
-#include "./support.-c"
-
-/*
- * PAM framework looks for these entry-points to pass control to the
- * authentication module.
- */
-
-#include "./pam_unix_auth.-c"
-
-PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags
- , int argc, const char **argv)
-{
- unsigned int ctrl;
- int retval;
-
- D(("called."));
-
- pwdb_start();
- ctrl = set_ctrl(flags, argc, argv);
- retval = _unix_auth( pamh, ctrl );
- pwdb_end();
-
- return retval;
-}
-
-PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags
- , int argc, const char **argv)
-{
- unsigned int ctrl;
- int retval;
-
- D(("called."));
-
- pwdb_start();
- ctrl = set_ctrl(flags, argc, argv);
- retval = _unix_set_credentials(pamh, ctrl) ;
- pwdb_end();
-
- return retval;
-}
-
-/*
- * PAM framework looks for these entry-points to pass control to the
- * account management module.
- */
-
-#include "./pam_unix_acct.-c"
-
-PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- unsigned int ctrl;
- int retval;
-
- D(("called."));
-
- pwdb_start();
- ctrl = set_ctrl(flags, argc, argv);
- retval = _unix_acct_mgmt(pamh, ctrl);
- pwdb_end();
-
- D(("done."));
-
- return retval;
-}
-
-/*
- * PAM framework looks for these entry-points to pass control to the
- * session module.
- */
-
-#include "./pam_unix_sess.-c"
-
-PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- unsigned int ctrl;
- int retval;
-
- D(("called."));
-
- pwdb_start();
- ctrl = set_ctrl(flags, argc, argv);
- retval = _unix_open_session(pamh, ctrl);
- pwdb_end();
-
- return retval;
-}
-
-PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- unsigned int ctrl;
- int retval;
-
- D(("called."));
-
- pwdb_start();
- ctrl = set_ctrl(flags, argc, argv);
- retval = _unix_close_session(pamh, ctrl);
- pwdb_end();
-
- return retval;
-}
-
-/*
- * PAM framework looks for these entry-points to pass control to the
- * password changing module.
- */
-
-#include "./pam_unix_passwd.-c"
-
-PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- unsigned int ctrl;
- int retval;
-
- D(("called."));
-
- pwdb_start();
- ctrl = set_ctrl(flags, argc, argv);
- retval = _unix_chauthtok(pamh, ctrl);
- pwdb_end();
-
- return retval;
-}
-
-/* static module data */
-
-#ifdef PAM_STATIC
-struct pam_module _pam_pwdb_modstruct = {
- "pam_pwdb",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok
-};
-
-#endif
-
-/*
- * Copyright (c) Andrew G. Morgan, 1996. All rights reserved
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/contrib/libpam/modules/pam_pwdb/pam_unix_acct.-c b/contrib/libpam/modules/pam_pwdb/pam_unix_acct.-c
deleted file mode 100644
index dbd13855ed3c..000000000000
--- a/contrib/libpam/modules/pam_pwdb/pam_unix_acct.-c
+++ /dev/null
@@ -1,292 +0,0 @@ -/* - * $Id: pam_unix_acct.-c,v 1.6 1997/01/04 20:37:15 morgan Exp morgan $ - * - * $Log: pam_unix_acct.-c,v $ - * Revision 1.6 1997/01/04 20:37:15 morgan - * extra debugging - * - * Revision 1.5 1996/12/01 03:05:54 morgan - * debugging with _pam_macros.h - * - * Revision 1.4 1996/11/10 21:03:57 morgan - * pwdb conversion - * - * Revision 1.3 1996/09/05 06:45:45 morgan - * tidied shadow acct management - * - * Revision 1.2 1996/09/01 01:13:14 morgan - * Cristian Gafton's patches - * - * Revision 1.1 1996/08/29 13:27:51 morgan - * Initial revision - * - * - * See end of file for copyright information - */ - -static const char rcsid_acct[] = -"$Id: pam_unix_acct.-c,v 1.6 1997/01/04 20:37:15 morgan Exp morgan $\n" -" - PAM_PWDB account management "; - -/* the shadow suite has accout managment.. */ - -static int _shadow_acct_mgmt_exp(pam_handle_t *pamh, unsigned int ctrl, - const struct pwdb *pw, const char *uname) -{ - const struct pwdb_entry *pwe = NULL; - time_t curdays; - int last_change, max_change; - int retval; - - D(("called.")); - - /* Now start the checks */ - - curdays = time(NULL)/(60*60*24); /* today */ - - /* First: has account expired ? 
(CG) - * - expire < curdays - * - or (last_change + max_change + defer_change) < curdays - * - in both cases, deny access - */ - - D(("pwdb_get_entry")); - retval = pwdb_get_entry(pw, "expire", &pwe); - if (retval == PWDB_SUCCESS) { - int expire; - - expire = *( (const int *) pwe->value ); - (void) pwdb_entry_delete(&pwe); /* no longer needed */ - - if ((curdays > expire) && (expire > 0)) { - - _log_err(LOG_NOTICE - , "acct: account %s has expired (account expired)" - , uname); - make_remark(pamh, ctrl, PAM_ERROR_MSG - , "Your account has expired; " - "please contact your system administrator"); - - D(("account expired")); - return PAM_ACCT_EXPIRED; - } - } - - D(("pwdb_get_entry")); - retval = pwdb_get_entry(pw, "last_change", &pwe); - if ( retval == PWDB_SUCCESS ) { - last_change = *( (const int *) pwe->value ); - } else { - last_change = curdays; - } - (void) pwdb_entry_delete(&pwe); - - D(("pwdb_get_entry")); - retval = pwdb_get_entry(pw, "max_change", &pwe); - if ( retval == PWDB_SUCCESS ) { - max_change = *( (const int *) pwe->value ); - } else { - max_change = -1; - } - (void) pwdb_entry_delete(&pwe); - - D(("pwdb_get_entry")); - retval = pwdb_get_entry(pw, "defer_change", &pwe); - if (retval == PWDB_SUCCESS) { - int defer_change; - - defer_change = *( (const int *) pwe->value ); - (void) pwdb_entry_delete(&pwe); - - if ((curdays > (last_change + max_change + defer_change)) - && (max_change != -1) && (defer_change != -1) - && (last_change > 0)) { - - if ( on(UNIX_DEBUG, ctrl) ) { - _log_err(LOG_NOTICE, "acct: account %s has expired " - "(failed to change password)", uname); - } - make_remark(pamh, ctrl, PAM_ERROR_MSG - , "Your password has expired; " - "please see your system administrator"); - - D(("account expired2")); - return PAM_ACCT_EXPIRED; - } - } - - /* Now test if the password is expired, but the user still can - * change their password. 
(CG) - * - last_change = 0 - * - last_change + max_change < curdays - */ - - D(("when was the last change")); - if (last_change == 0) { - - if ( on(UNIX_DEBUG, ctrl) ) { - _log_err(LOG_NOTICE - , "acct: expired password for user %s (root enforced)" - , uname); - } - make_remark(pamh, ctrl, PAM_ERROR_MSG - , "You are required to change your password immediately" - ); - - D(("need a new password")); - return PAM_NEW_AUTHTOK_REQD; - } - - if (((last_change + max_change) < curdays) && - (max_change < 99999) && (max_change > 0)) { - - if ( on(UNIX_DEBUG, ctrl) ) { - _log_err(LOG_DEBUG - , "acct: expired password for user %s (password aged)" - , uname); - } - make_remark(pamh, ctrl, PAM_ERROR_MSG - , "Your password has expired; please change it!"); - - D(("need a new password 2")); - return PAM_NEW_AUTHTOK_REQD; - } - - /* - * Now test if the password is about to expire (CG) - * - last_change + max_change - curdays <= warn_change - */ - - retval = pwdb_get_entry(pw, "warn_change", &pwe); - if ( retval == PWDB_SUCCESS ) { - int warn_days, daysleft; - - daysleft = last_change + max_change - curdays; - warn_days = *((const int *) pwe->value); - (void) pwdb_entry_delete(&pwe); - - if ((daysleft <= warn_days) && (warn_days > 0)) { - char *s; - - if ( on(UNIX_DEBUG, ctrl) ) { - _log_err(LOG_DEBUG - , "acct: password for user %s will expire in %d days" - , uname, daysleft); - } - -#define LocalComment "Warning: your password will expire in %d day%s" - if ((s = (char *) malloc(30+sizeof(LocalComment))) == NULL) { - _log_err(LOG_CRIT, "malloc failure in " __FILE__); - retval = PAM_BUF_ERR; - } else { - - sprintf(s, LocalComment, daysleft, daysleft == 1 ? "":"s"); - - make_remark(pamh, ctrl, PAM_TEXT_INFO, s); - free(s); - } -#undef LocalComment - } - } else { - retval = PAM_SUCCESS; - } - - D(("all done")); - return retval; -} - - -/* - * this function checks for the account details. The user may not be - * permitted to log in at this time etc.. 
Within the context of - * vanilla Unix, this function simply does nothing. The shadow suite - * added password/account expiry, but PWDB takes care of this - * transparently. - */ - -static int _unix_acct_mgmt(pam_handle_t *pamh, unsigned int ctrl) -{ - const struct pwdb *pw = NULL; - - char *uname=NULL; - int retval; - - D(("called.")); - - /* identify user */ - - retval = pam_get_item(pamh,PAM_USER,(const void **)&uname); - D(("user = `%s'", uname)); - if (retval != PAM_SUCCESS || uname == NULL) { - _log_err(LOG_ALERT - , "acct; could not identify user (from uid=%d)" - , getuid()); - return PAM_USER_UNKNOWN; - } - - /* get database information for user */ - - retval = pwdb_locate("user", PWDB_DEFAULT, uname, PWDB_ID_UNKNOWN, &pw); - if (retval != PWDB_SUCCESS || pw == NULL) { - - _log_err(LOG_ALERT, "acct; %s (%s from uid=%d)" - , pwdb_strerror(retval), uname, getuid()); - if ( pw ) { - (void) pwdb_delete(&pw); - } - return PAM_USER_UNKNOWN; - } - - /* now check the user's times etc.. */ - - retval = _shadow_acct_mgmt_exp(pamh, ctrl, pw, uname); - if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, "expiry check failed for '%s'", uname); - } - - /* Done with pw */ - - (void) pwdb_delete(&pw); - - /* all done */ - - D(("done.")); - return retval; -} - -/* - * Copyright (c) Elliot Lee, 1996. - * Copyright (c) Andrew Morgan 1996. - * Copyright (c) Cristian Gafton 1996. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. 
The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/contrib/libpam/modules/pam_pwdb/pam_unix_auth.-c b/contrib/libpam/modules/pam_pwdb/pam_unix_auth.-c
deleted file mode 100644
index 4a1eed0d6387..000000000000
--- a/contrib/libpam/modules/pam_pwdb/pam_unix_auth.-c
+++ /dev/null
@@ -1,129 +0,0 @@ -/* - * $Id: pam_unix_auth.-c,v 1.4 1996/12/01 03:05:54 morgan Exp $ - * - * $Log: pam_unix_auth.-c,v $ - * Revision 1.4 1996/12/01 03:05:54 morgan - * debugging with _pam_macros.h - * - * Revision 1.3 1996/11/10 21:04:29 morgan - * pwdb conversion - * - * Revision 1.2 1996/09/05 06:46:53 morgan - * fixed comments. Added check for null passwd. - * changed data item name - * - * Revision 1.1 1996/08/29 13:27:51 morgan - * Initial revision - * - * See end of file for Copyright information. - */ - -static const char rcsid_auth[] = -"$Id: pam_unix_auth.-c,v 1.4 1996/12/01 03:05:54 morgan Exp $: pam_unix_auth.-c,v 1.2 1996/09/05 06:46:53 morgan Exp morgan $\n" -" - PAM_PWDB authentication functions. "; - -/* - * _unix_auth() is a front-end for UNIX/shadow authentication - * - * First, obtain the password from the user. Then use a - * routine in 'support.-c' to authenticate the user. - */ - -#define _UNIX_AUTHTOK "-UN*X-PASS" - -static int _unix_auth(pam_handle_t *pamh, unsigned int ctrl) -{ - int retval; - const char *name, *p; - - D(("called.")); - - /* get the user'name' */ - - retval = _unix_get_user(pamh, ctrl, NULL, &name); - if (retval != PAM_SUCCESS ) { - if ( on(UNIX_DEBUG,ctrl) ) { - _log_err(LOG_DEBUG, "auth could not identify user"); - } - return retval; - } - - /* if this user does not have a password... */ - - if ( _unix_blankpasswd(ctrl, name) ) { - D(("user '%s' has blank passwd", name)); - name = NULL; - return PAM_SUCCESS; - } - - /* get this user's authentication token */ - - retval = _unix_read_password(pamh, ctrl, NULL, "Password: ", NULL - , _UNIX_AUTHTOK, &p); - if (retval != PAM_SUCCESS ) { - _log_err(LOG_CRIT, "auth could not identify password for [%s]" - , name); - name = NULL; - return retval; - } - - /* verify the password of this user */ - - retval = _unix_verify_password(pamh, name, p, ctrl); - name = p = NULL; - - return retval; -} - -/* - * This function is for setting unix credentials. 
Sun has indicated - * that there are *NO* authentication credentials for unix. The - * obvious credentials would be the group membership of the user as - * listed in the /etc/group file. However, Sun indicates that it is - * the responsibility of the application to set these. - */ - -static int _unix_set_credentials(pam_handle_t *pamh, unsigned int ctrl) -{ - D(("called returning.")); - - return PAM_SUCCESS; -} - -/******************************************************************** - * Copyright (c) Alexander O. Yuriev, 1996. - * Copyright (c) Andrew G. Morgan 1996 - * Copyright (c) Cristian Gafton 1996, 1997 - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
diff --git a/contrib/libpam/modules/pam_pwdb/pam_unix_md.-c b/contrib/libpam/modules/pam_pwdb/pam_unix_md.-c
deleted file mode 100644
index cd90b0ff339b..000000000000
--- a/contrib/libpam/modules/pam_pwdb/pam_unix_md.-c
+++ /dev/null
@@ -1,55 +0,0 @@ -/* - * This function is a front-end for the message digest algorithms used - * to compute the user's encrypted passwords. No reversible encryption - * is used here and I intend to keep it that way. - * - * While there are many sources of encryption outside the United - * States, it *may* be illegal to re-export reversible encryption - * computer code. Until such time as it is legal to export encryption - * software freely from the US, please do not send me any. (AGM) - */ - -/* this should have been defined in a header file.. Why wasn't it? AGM */ -extern char *crypt(const char *key, const char *salt); - -#include "md5.h" -#include "bigcrypt.-c" - -struct cfns { - const char *salt; - int len; - char * (* mdfn)(const char *key, const char *salt); -}; - -/* array of non-standard digest algorithms available */ - -#define N_MDS 1 -const static struct cfns cfn_list[N_MDS] = { - { "$1$", 3, crypt_md5 }, -}; - -static char *_pam_md(const char *key, const char *salt) -{ - char *x,*e=NULL; - int i; - - D(("called with key='%s', salt='%s'", key, salt)); - - /* check for non-standard salts */ - - for (i=0; i= N_MDS ) { - e = bigcrypt(key, salt); /* (defaults to standard algorithm) */ - } - - x = x_strdup(e); /* put e in malloc()ed memory */ - _pam_overwrite(e); /* clean up */ - return x; /* this must be deleted elsewhere */ -} - diff --git a/contrib/libpam/modules/pam_pwdb/pam_unix_passwd.-c b/contrib/libpam/modules/pam_pwdb/pam_unix_passwd.-c deleted file mode 100644 index 402f7f349f88..000000000000 --- a/contrib/libpam/modules/pam_pwdb/pam_unix_passwd.-c +++ /dev/null 
@@ -1,371 +0,0 @@ -/* $Id: pam_unix_passwd.-c,v 1.6 1997/04/05 06:31:06 morgan Exp morgan $ */ - -/* - * $Log: pam_unix_passwd.-c,v $ - * Revision 1.6 1997/04/05 06:31:06 morgan - * mostly a reformat. - * - * Revision 1.5 1996/12/01 03:05:54 morgan - * debugging with _pam_macros.h - * - * Revision 1.4 1996/11/10 21:04:51 morgan - * pwdb conversion - * - * Revision 1.3 1996/09/05 06:48:15 morgan - * A lot has changed. I'd recommend you study the diff. - * - * Revision 1.2 1996/09/01 16:33:27 morgan - * Cristian Gafton's changes - * - * Revision 1.1 1996/08/29 13:21:27 morgan - * Initial revision - * - */ - -static const char rcsid_pass[] = -"$Id: pam_unix_passwd.-c,v 1.6 1997/04/05 06:31:06 morgan Exp morgan $\n" -" - PAM_PWDB password module " -; - -#include "pam_unix_pwupd.-c" - -/* passwd/salt conversion macros */ - -#define ascii_to_bin(c) ((c)>='a'?(c-59):(c)>='A'?((c)-53):(c)-'.') -#define bin_to_ascii(c) ((c)>=38?((c)-38+'a'):(c)>=12?((c)-12+'A'):(c)+'.') - -/* data tokens */ - -#define _UNIX_OLD_AUTHTOK "-UN*X-OLD-PASS" -#define _UNIX_NEW_AUTHTOK "-UN*X-NEW-PASS" - -/* Implementation */ - -/* - * FUNCTION: _pam_unix_chauthtok() - * - * this function works in two passes. The first, when UNIX__PRELIM is - * set, obtains the previous password. It sets the PAM_OLDAUTHTOK item - * or stores it as a data item. The second function obtains a new - * password (verifying if necessary, that the user types it the same a - * second time.) depending on the 'ctrl' flags this new password may - * be stored in the PAM_AUTHTOK item or a private data item. - * - * Having obtained a new password. The function updates the - * /etc/passwd (and optionally the /etc/shadow) file(s). - * - * Provision is made for the creation of a blank shadow file if none - * is available, but one is required to update the shadow file -- the - * intention being for shadow passwords to be seamlessly implemented - * from the generic UNIX scheme. -- THIS BIT IS PRE-ALPHA.. 
and included - * in this release (.52) mostly for the purpose of discussion. - */ - -static int _unix_chauthtok(pam_handle_t *pamh, unsigned int ctrl) -{ - int retval; - unsigned int lctrl; - - /* */ - const char *user; - const char *pass_old, *pass_new; - /* */ - - D(("called")); - - /* - * First get the name of a user - */ - - retval = _unix_get_user( pamh, ctrl, "Username: ", &user ); - if ( retval != PAM_SUCCESS ) { - if ( on(UNIX_DEBUG,ctrl) ) { - _log_err(LOG_DEBUG, "password - could not identify user"); - } - return retval; - } - - if ( on(UNIX__PRELIM, ctrl) ) { - /* - * obtain and verify the current password (OLDAUTHTOK) for - * the user. - */ - - char *Announce; - - D(("prelim check")); - - if ( _unix_blankpasswd(ctrl, user) ) { - - return PAM_SUCCESS; - - } else if ( off(UNIX__IAMROOT, ctrl) ) { - - /* instruct user what is happening */ -#define greeting "Changing password for " - Announce = (char *) malloc(sizeof(greeting)+strlen(user)); - if (Announce == NULL) { - _log_err(LOG_CRIT, "password - out of memory"); - return PAM_BUF_ERR; - } - (void) strcpy(Announce, greeting); - (void) strcpy(Announce+sizeof(greeting)-1, user); -#undef greeting - - lctrl = ctrl; - set(UNIX__OLD_PASSWD, lctrl); - retval = _unix_read_password( pamh, lctrl - , Announce - , "(current) UNIX password: " - , NULL - , _UNIX_OLD_AUTHTOK - , &pass_old ); - free(Announce); - - if ( retval != PAM_SUCCESS ) { - _log_err(LOG_NOTICE - , "password - (old) token not obtained"); - return retval; - } - - /* verify that this is the password for this user */ - - retval = _unix_verify_password(pamh, user, pass_old, ctrl); - } else { - D(("process run by root so do nothing this time around")); - pass_old = NULL; - retval = PAM_SUCCESS; /* root doesn't have too */ - } - - if ( retval != PAM_SUCCESS ) { - D(("Authentication failed")); - pass_old = NULL; - return retval; - } - - retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old); - pass_old = NULL; - if ( retval != PAM_SUCCESS ) { 
- _log_err(LOG_CRIT, "failed to set PAM_OLDAUTHTOK"); - } - - } else if ( on( UNIX__UPDATE, ctrl ) ) { - /* tpass is used below to store the _pam_md() return; it - * should be _pam_delete()'d. */ - - char *tpass=NULL; - - /* - * obtain the proposed password - */ - - D(("do update")); - - /* - * get the old token back. NULL was ok only if root [at this - * point we assume that this has already been enforced on a - * previous call to this function]. - */ - - if ( off(UNIX_NOT_SET_PASS, ctrl) ) { - retval = pam_get_item(pamh, PAM_OLDAUTHTOK - , (const void **)&pass_old); - } else { - retval = pam_get_data(pamh, _UNIX_OLD_AUTHTOK - , (const void **)&pass_old); - if (retval == PAM_NO_MODULE_DATA) { - retval = PAM_SUCCESS; - pass_old = NULL; - } - } - - if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, "user not authenticated"); - return retval; - } - - D(("get new password now")); - - lctrl = ctrl; - - /* - * use_authtok is to force the use of a previously entered - * password -- needed for pluggable password strength checking - */ - - if ( on(UNIX_USE_AUTHTOK, lctrl) ) { - set(UNIX_USE_FIRST_PASS, lctrl); - } - - retval = _unix_read_password( pamh, lctrl - , NULL - , "Enter new UNIX password: " - , "Retype new UNIX password: " - , _UNIX_NEW_AUTHTOK - , &pass_new ); - - if ( retval != PAM_SUCCESS ) { - if ( on(UNIX_DEBUG,ctrl) ) { - _log_err(LOG_ALERT - , "password - new password not obtained"); - } - pass_old = NULL; /* tidy up */ - return retval; - } - - D(("returned to _unix_chauthtok")); - - /* - * At this point we know who the user is and what they - * propose as their new password. Verify that the new - * password is acceptable. 
- */ - - if (pass_new[0] == '\0') { /* "\0" password = NULL */ - pass_new = NULL; - } - - retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new); - - if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, "new password not acceptable"); - pass_new = pass_old = NULL; /* tidy up */ - return retval; - } - - /* - * By reaching here we have approved the passwords and must now - * rebuild the password database file. - */ - - /* - * First we encrypt the new password. - * - * XXX - this is where we might need some code for RADIUS types - * of password handling... no encryption needed.. - */ - - if ( on(UNIX_MD5_PASS, ctrl) ) { - - /* - * Code lifted from Marek Michalkiewicz's shadow suite. (CG) - * removed use of static variables (AGM) - */ - - struct timeval tv; - MD5_CTX ctx; - unsigned char result[16]; - char *cp = (char *)result; - unsigned char tmp[16]; - int i; - - MD5Init(&ctx); - gettimeofday(&tv, (struct timezone *) 0); - MD5Update(&ctx, (void *) &tv, sizeof tv); - i = getpid(); - MD5Update(&ctx, (void *) &i, sizeof i); - i = clock(); - MD5Update(&ctx, (void *) &i, sizeof i); - MD5Update(&ctx, result, sizeof result); - MD5Final(tmp, &ctx); - strcpy(cp, "$1$"); /* magic for the MD5 */ - cp += strlen(cp); - for (i = 0; i < 8; i++) - *cp++ = i64c(tmp[i] & 077); - *cp = '\0'; - - /* no longer need cleartext */ - pass_new = tpass = _pam_md(pass_new, (const char *)result); - - } else { - /* - * Salt manipulation is stolen from Rick Faith's passwd - * program. 
Sorry Rick :) -- alex - */ - - time_t tm; - char salt[3]; - - time(&tm); - salt[0] = bin_to_ascii(tm & 0x3f); - salt[1] = bin_to_ascii((tm >> 6) & 0x3f); - salt[2] = '\0'; - - if ( off(UNIX_BIGCRYPT, ctrl) && strlen(pass_new) > 8 ) { - /* to avoid using the _extensions_ of the bigcrypt() - function we truncate the newly entered password */ - char *temp = malloc(9); - - if (temp == NULL) { - _log_err(LOG_CRIT, "out of memory for password"); - pass_new = pass_old = NULL; /* tidy up */ - return PAM_BUF_ERR; - } - - /* copy first 8 bytes of password */ - strncpy(temp, pass_new, 8); - temp[8] = '\0'; - - /* no longer need cleartext */ - pass_new = tpass = _pam_md( temp, salt ); - - _pam_delete(temp); /* tidy up */ - } else { - /* no longer need cleartext */ - pass_new = tpass = _pam_md( pass_new, salt ); - } - } - - D(("password processed")); - - /* update the password database(s) -- race conditions..? */ - - retval = unix_update_db(pamh, ctrl, user, pass_old, pass_new); - pass_old = pass_new = NULL; - - } else { /* something has broken with the module */ - - _log_err(LOG_ALERT, "password received unknown request"); - retval = PAM_ABORT; - - } - - return retval; -} - -/* ****************************************************************** - * Copyright (c) Alexander O. Yuriev (alex@bach.cis.temple.edu), 1996. - * Copyright (c) Andrew Morgan 1996, 1997. - * Copyright (c) Cristian Gafton, 1996, 1997. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. 
The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/contrib/libpam/modules/pam_pwdb/pam_unix_pwupd.-c b/contrib/libpam/modules/pam_pwdb/pam_unix_pwupd.-c
deleted file mode 100644
index d50031dcb919..000000000000
--- a/contrib/libpam/modules/pam_pwdb/pam_unix_pwupd.-c
+++ /dev/null
@@ -1,272 +0,0 @@
-/*
- * $Id: pam_unix_pwupd.-c,v 1.4 1997/01/04 20:35:32 morgan Exp morgan $
- *
- * This file contains the routines to update the passwd databases.
- *
- * $Log: pam_unix_pwupd.-c,v $
- * Revision 1.4 1997/01/04 20:35:32 morgan
- * minor comment change
- *
- * Revision 1.3 1996/12/01 03:05:54 morgan
- * debugging with _pam_macros.h
- *
- * Revision 1.2 1996/11/10 21:05:09 morgan
- * pwdb conversion
- *
- *
- */
-
-/* Implementation */
-
-static int unix_update_db(pam_handle_t *pamh, int ctrl, const char *user,
- const char *pass_old, const char *pass_new)
-{
- const struct pwdb *pw=NULL;
- const struct pwdb_entry *pwe=NULL;
- pwdb_flag flag;
- int retval, i;
-
- D(("called."));
-
- /* obtain default user record */
-
- retval = pwdb_locate("user", PWDB_DEFAULT, user, PWDB_ID_UNKNOWN, &pw);
- if (retval == PWDB_PASS_PHRASE_REQD) {
- retval = pwdb_set_entry(pw, "pass_phrase"
- , pass_old, 1+strlen(pass_old)
- , NULL, NULL, 0);
- if (retval == PWDB_SUCCESS)
- retval = pwdb_locate("user", pw->source, user
- , PWDB_ID_UNKNOWN, &pw);
- }
- pass_old = NULL;
-
- if ( retval != PWDB_SUCCESS ) {
- _log_err(LOG_ALERT, "cannot identify user %s (uid=%d)"
- , user, getuid() );
- pass_new = NULL;
- if (pw)
- (void) pwdb_delete(&pw);
- return PAM_USER_UNKNOWN;
- }
-
- /* check that we can update all of the default databases */
-
- retval = pwdb_flags("user", pw->source, &flag);
-
- if ( retval != PWDB_SUCCESS || ( pwdb_on(flag,PWDB_F_NOUPDATE) ) ) {
- _log_err(LOG_ERR, "cannot update default database for user %s"
- , user );
- pass_new = NULL;
- if (pw)
- (void) pwdb_delete(&pw);
- return PAM_PERM_DENIED;
- }
-
- /* If there was one, we delete the "last_change" entry */
- retval = pwdb_get_entry(pw, "last_change", &pwe);
- if (retval == PWDB_SUCCESS) {
- (void) pwdb_entry_delete(&pwe);
- pwdb_set_entry(pw, "last_change", NULL, -1, NULL, NULL, 0);
- }
-
- /*
- * next check for pam.conf specified databases: shadow etc... 
[In - * other words, pam.conf indicates which database the password is - * to be subsequently placed in: this is password migration]. - */ - - if ( on(UNIX__SET_DB, ctrl) ) { - const char *db_token; - pwdb_type pt = _PWDB_MAX_TYPES; - - if ( on(UNIX_UNIX, ctrl) ) { - db_token = "U"; /* XXX - should be macro */ - pt = PWDB_UNIX; - } else if ( on(UNIX_SHADOW, ctrl) ) { - db_token = "x"; /* XXX - should be macro */ - pt = PWDB_SHADOW; - } else if ( on(UNIX_RADIUS, ctrl) ) { - db_token = "R"; /* XXX - is this ok? */ - pt = PWDB_RADIUS; - } else { - _log_err(LOG_ALERT - , "cannot determine database to use for authtok"); - pass_new = NULL; - if (pw) - (void) pwdb_delete(&pw); - return PAM_ABORT; /* we're in trouble */ - } - - /* - * Attempt to update the indicated database (only) - */ - - { - pwdb_type tpt[2]; - tpt[0] = pt; - tpt[1] = _PWDB_MAX_TYPES; - - /* Can we set entry in database? */ - retval = pwdb_flags("user", tpt, &flag); - if (retval == PWDB_SUCCESS && !pwdb_on(flag,PWDB_F_NOUPDATE)) { - /* YES. This database is available.. 
*/ - - /* Only update if it is not already in the default list */ - for (i=0; pw->source[i] != _PWDB_MAX_TYPES - && pw->source[i] != pt ; ++i); - if (pw->source[i] == _PWDB_MAX_TYPES) { - const struct pwdb *tpw=NULL; - - /* copy database entry */ - if ((retval = pwdb_new(&tpw, 10)) != PWDB_SUCCESS - || (retval = pwdb_merge(tpw, pw, PWDB_TRUE)) - != PWDB_SUCCESS) { - _log_err(LOG_CRIT, "failed to obtain new pwdb: %s" - , pwdb_strerror(retval)); - retval = PAM_ABORT; - } else - retval = PAM_SUCCESS; - - /* set db_token */ - if (retval == PAM_SUCCESS) { - retval = pwdb_set_entry(tpw, "defer_pass", db_token - , 1+strlen(db_token) - , NULL, NULL, 0); - if (retval != PWDB_SUCCESS) { - _log_err(LOG_ALERT, "set defer_pass -> %s" - , pwdb_strerror(retval)); - retval = PAM_PERM_DENIED; - } else - retval = PAM_SUCCESS; - } - - /* update specific database */ - if (retval == PAM_SUCCESS) { - retval = pwdb_replace("user", tpt - , user, PWDB_ID_UNKNOWN, &tpw); - if (retval != PWDB_SUCCESS) { - const char *service=NULL; - (void) pam_get_item(pamh, PAM_SERVICE - , (const void **)&service); - _log_err(LOG_ALERT - , "(%s) specified database failed: %s" - , service - , pwdb_strerror(retval)); - retval = PAM_PERM_DENIED; - } else { - retval = PAM_SUCCESS; - } - } - - /* clean up temporary pwdb */ - if (tpw) - (void) pwdb_delete(&tpw); - } - - /* we can properly adopt new defer_pass */ - if (retval == PAM_SUCCESS) { - /* failing here will mean we go back to former - password location */ - (void) pwdb_set_entry(pw, "defer_pass", db_token - , 1+strlen(db_token), NULL, NULL, 0); - } - } - } - } - - /* - * the password will now be placed in appropriate (perhaps original) db - */ - - retval = pwdb_get_entry(pw, "uid", &pwe); - if (retval != PWDB_SUCCESS) { - _log_err(LOG_ALERT, "no uid!? 
(%s); %s", user, pwdb_strerror(retval));
- pass_new = NULL;
- if (pw)
- (void) pwdb_delete(&pw);
- return PAM_USER_UNKNOWN;
- }
-
- /* insert the passwd into the 'pw' structure */
-
- retval = pwdb_set_entry(pw, "passwd", pass_new, 1+strlen(pass_new)
- , NULL, NULL, 0);
- pass_new = NULL;
- if (retval != PWDB_SUCCESS) {
- _log_err(LOG_ALERT, "set2 failed; %s", pwdb_strerror(retval));
- if (pw)
- (void) pwdb_delete(&pw);
- return PAM_AUTHTOK_LOCK_BUSY;
- }
-
- retval = pwdb_replace("user", pw->source, user
- , *((uid_t *)pwe->value), &pw);
- if (retval != PWDB_SUCCESS) {
- _log_err(LOG_ALERT, "user (%s/%d) update failed; %s"
- , user, *((uid_t *)pwe->value), pwdb_strerror(retval));
- if (pw)
- (void) pwdb_delete(&pw);
- (void) pwdb_entry_delete(&pwe);
- return PAM_ABORT;
- }
-
- if (retval != PWDB_SUCCESS) {
-
- _log_err(LOG_ALERT, "user (%s/%d) update failed; %s"
- , user, *((uid_t *)pwe->value), pwdb_strerror(retval));
- retval = PAM_ABORT;
-
- } else {
- /* password updated */
-
- _log_err(LOG_INFO, "password for (%s/%d) changed by (%s/%d)"
- , user, *((uid_t *)pwe->value), getlogin(), getuid());
- retval = PAM_SUCCESS;
- }
-
- /* tidy up */
-
- (void) pwdb_entry_delete(&pwe);
- if (pw)
- (void) pwdb_delete(&pw);
-
- return retval;
-}
-
-/* ******************************************************************
- * Copyright (c) Andrew Morgan 1996,1997.
- * Copyright (c) Cristian Gafton, 1996, 1997.
- * All rights reserved
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution. 
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/contrib/libpam/modules/pam_pwdb/pam_unix_sess.-c b/contrib/libpam/modules/pam_pwdb/pam_unix_sess.-c
deleted file mode 100644
index 49ce96cbd16c..000000000000
--- a/contrib/libpam/modules/pam_pwdb/pam_unix_sess.-c
+++ /dev/null
@@ -1,112 +0,0 @@ -/* - * $Id: pam_unix_sess.-c,v 1.4 1996/12/01 03:05:54 morgan Exp morgan $ - * - * $Log: pam_unix_sess.-c,v $ - * Revision 1.4 1996/12/01 03:05:54 morgan - * debugging with _pam_macros.h - * - * Revision 1.3 1996/11/10 21:05:33 morgan - * pwdb conversion - * - * Revision 1.2 1996/09/05 06:49:02 morgan - * more informative logging - * - * Revision 1.1 1996/08/29 13:27:51 morgan - * Initial revision - * - * - * See end for Copyright information - */ - -static const char rcsid_sess[] = -"$Id: pam_unix_sess.-c,v 1.4 1996/12/01 03:05:54 morgan Exp morgan $\n" -" - PAM_PWDB session management. morgan@parc.power.net"; - -/* Define internal functions */ - -static int _unix_open_session(pam_handle_t *pamh, unsigned int ctrl) -{ - int retval; - char *user_name, *service; - - D(("called.")); - - retval = pam_get_item( pamh, PAM_USER, (void *) &user_name ); - if ( user_name == NULL || retval != PAM_SUCCESS ) { - _log_err(LOG_CRIT, "open_session - error recovering username"); - return PAM_SESSION_ERR; - } - - retval = pam_get_item( pamh, PAM_SERVICE, (void*) &service ); - if ( service == NULL || retval != PAM_SUCCESS ) { - _log_err(LOG_CRIT, "open_session - error recovering service"); - return PAM_SESSION_ERR; - } - - _log_err(LOG_INFO, "(%s) session opened for user %s by %s(uid=%d)" - , service, user_name - , getlogin() == NULL ? 
"":getlogin(), getuid() );
-
- return PAM_SUCCESS;
-}
-
-static int _unix_close_session(pam_handle_t *pamh, unsigned int ctrl)
-{
- int retval;
- char *user_name, *service;
-
- D(("called."));
-
- retval = pam_get_item( pamh, PAM_USER, (void*) &user_name );
- if ( user_name == NULL || retval != PAM_SUCCESS ) {
- _log_err(LOG_CRIT, "close_session - error recovering username");
- return PAM_SESSION_ERR;
- }
-
- retval = pam_get_item( pamh, PAM_SERVICE, (void*) &service );
- if ( service == NULL || retval != PAM_SUCCESS ) {
- _log_err(LOG_CRIT, "close_session - error recovering service");
- return PAM_SESSION_ERR;
- }
-
- _log_err(LOG_INFO, "(%s) session closed for user %s"
- , service, user_name );
-
- return PAM_SUCCESS;
-}
-
-/*
- * Copyright (c) Alexander O. Yuriev, 1996. All rights reserved.
- * Copyright (c) Andrew G. Morgan, 1996,
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.) 
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/contrib/libpam/modules/pam_pwdb/pwdb_chkpwd.c b/contrib/libpam/modules/pam_pwdb/pwdb_chkpwd.c
deleted file mode 100644
index 6332eaa7e865..000000000000
--- a/contrib/libpam/modules/pam_pwdb/pwdb_chkpwd.c
+++ /dev/null
@@ -1,208 +0,0 @@
-/*
- * $Id: pwdb_chkpwd.c,v 1.1 1997/02/15 17:26:18 morgan Exp $
- *
- * This program is designed to run setuid(root) or with sufficient
- * privilege to read all of the unix password databases. It is designed
- * to provide a mechanism for the current user (defined by this
- * process' real uid) to verify their own password.
- *
- * The password is read from the standard input. The exit status of
- * this program indicates whether the user is authenticated or not.
- *
- * Copyright information is located at the end of the file.
- *
- * $Log: pwdb_chkpwd.c,v $
- * Revision 1.1 1997/02/15 17:26:18 morgan
- * Initial revision
- *
- * Revision 1.1 1996/11/10 21:20:51 morgan
- * Initial revision
- *
- */
-
-#ifdef linux
-# define _GNU_SOURCE
-# include
-#endif
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-
-#define MAXPASS 200 /* the maximum length of a password */
-
-#define UNIX_PASSED (PWDB_SUCCESS)
-#define UNIX_FAILED (PWDB_SUCCESS+1)
-
-#include
-
-/* syslogging function for errors and other information */
-
-static void _log_err(int err, const char *format, ...) 
-{
- va_list args;
-
- va_start(args, format);
- openlog("pwdb_chkpwd", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-#include "pam_unix_md.-c"
-
-static int _unix_verify_passwd(const char *salt, const char *p)
-{
- char *pp=NULL;
- int retval;
-
- if (p == NULL) {
- if (*salt == '\0') {
- retval = UNIX_PASSED;
- } else {
- retval = UNIX_FAILED;
- }
- } else {
- pp = _pam_md(p, salt);
- p = NULL; /* no longer needed here */
-
- if ( strcmp( pp, salt ) == 0 ) {
- retval = UNIX_PASSED;
- } else {
- retval = UNIX_FAILED;
- }
- }
-
- /* clean up */
- {
- char *tp = pp;
- if (pp != NULL) {
- while(tp && *tp)
- *tp++ = '\0';
- free(pp);
- pp = tp = NULL;
- }
- }
-
- return retval;
-}
-
-void main(void)
-{
- const struct pwdb *pw=NULL;
- const struct pwdb_entry *pwe=NULL;
- char pass[MAXPASS+1];
- int npass;
- int retval=UNIX_FAILED;
-
- /*
- * we establish that this program is running with non-tty stdin.
- * this is to discourage casual use. It does *NOT* prevent an
- * intruder from repeatadly running this program to determine the
- * password of the current user (brute force attack, but one for
- * which the attacker must already have gained access to the user's
- * account). 
- */
-
- if ( isatty(STDIN_FILENO) ) {
- _log_err(LOG_NOTICE
- , "inappropriate use of PWDB helper binary [UID=%d]"
- , getuid() );
- fprintf(stderr,
- "This program is not designed for running in this way\n"
- "-- the system administrator has been informed\n");
- exit(UNIX_FAILED);
- }
-
- /*
- * determine the current user's name:
- */
-
- retval = pwdb_start();
- if (retval != PWDB_SUCCESS) {
- _log_err(LOG_ALERT, "failed to open pwdb");
- retval = UNIX_FAILED;
- }
- if (retval != UNIX_FAILED) {
- retval = pwdb_locate("user", PWDB_DEFAULT, PWDB_NAME_UNKNOWN
- , getuid(), &pw);
- }
- if (retval != PWDB_SUCCESS) {
- _log_err(LOG_ALERT, "could not identify user");
- while (pwdb_end() != PWDB_SUCCESS);
- exit(UNIX_FAILED);
- }
-
- /* read the password from stdin (a pipe from the pam_pwdb module) */
-
- npass = read(STDIN_FILENO, pass, MAXPASS);
-
- if (npass < 0) { /* is it a valid password? */
- _log_err(LOG_DEBUG, "no password supplied");
- retval = UNIX_FAILED;
- } else if (npass >= MAXPASS-1) {
- _log_err(LOG_DEBUG, "password too long");
- retval = UNIX_FAILED;
- } else if (pwdb_get_entry(pw, "passwd", &pwe) != PWDB_SUCCESS) {
- _log_err(LOG_WARNING, "password not found");
- retval = UNIX_FAILED;
- } else {
- if (npass <= 0) {
- /* the password is NULL */
-
- retval = _unix_verify_passwd((const char *)(pwe->value), NULL);
- } else {
- /* does pass agree with the official one? */
-
- pass[npass] = '\0'; /* NUL terminate */
- retval = _unix_verify_passwd((const char *)(pwe->value), pass);
- }
- }
-
- memset(pass, '\0', MAXPASS); /* clear memory of the password */
- while (pwdb_end() != PWDB_SUCCESS);
-
- /* return pass or fail */
-
- exit(retval);
-}
-
-/*
- * Copyright (c) Andrew G. Morgan, 1997. All rights reserved
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. 
Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/contrib/libpam/modules/pam_pwdb/support.-c b/contrib/libpam/modules/pam_pwdb/support.-c
deleted file mode 100644
index 71e212d64195..000000000000
--- a/contrib/libpam/modules/pam_pwdb/support.-c
+++ /dev/null
@@ -1,910 +0,0 @@ -/* - * $Id: support.-c,v 1.7 1997/04/05 06:32:06 morgan Exp morgan $ - * - * $Log: support.-c,v $ - * Revision 1.7 1997/04/05 06:32:06 morgan - * new option and also deleted _readto - * - * Revision 1.6 1997/02/15 17:27:20 morgan - * added helper binary to password checking - * - * Revision 1.5 1996/12/01 03:05:54 morgan - * debugging with _pam_macros.h - * - * Revision 1.4 1996/11/10 21:06:07 morgan - * pwdb conversion - * - * Copyright information at end of file. - */ - -/* - * here is the string to inform the user that the new passwords they - * typed were not the same. - */ - -#define MISTYPED_PASS "Sorry, passwords do not match" - -/* type definition for the control options */ - -typedef struct { - const char *token; - unsigned int mask; /* shall assume 32 bits of flags */ - unsigned int flag; -} UNIX_Ctrls; - -/* - * macro to determine if a given flag is on - */ - -#define on(x,ctrl) (unix_args[x].flag & ctrl) - -/* - * macro to determine that a given flag is NOT on - */ - -#define off(x,ctrl) (!on(x,ctrl)) - -/* - * macro to turn on/off a ctrl flag manually - */ - -#define set(x,ctrl) (ctrl = ((ctrl)&unix_args[x].mask)|unix_args[x].flag) -#define unset(x,ctrl) (ctrl &= ~(unix_args[x].flag)) - -/* the generic mask */ - -#define _ALL_ON_ (~0U) - -/* end of macro definitions definitions for the control flags */ - -/* ****************************************************************** * - * ctrl flags proper.. - */ - -/* - * here are the various options recognized by the unix module. They - * are enumerated here and then defined below. Internal arguments are - * given NULL tokens. - */ - -#define UNIX__OLD_PASSWD 0 /* internal */ -#define UNIX__VERIFY_PASSWD 1 /* internal */ -#define UNIX__IAMROOT 2 /* internal */ - -#define UNIX_AUDIT 3 /* print more things than debug.. 
- some information may be sensitive */ -#define UNIX_USE_FIRST_PASS 4 -#define UNIX_TRY_FIRST_PASS 5 -#define UNIX_NOT_SET_PASS 6 /* don't set the AUTHTOK items */ - -#define UNIX__PRELIM 7 /* internal */ -#define UNIX__UPDATE 8 /* internal */ -#define UNIX__NONULL 9 /* internal */ -#define UNIX__QUIET 10 /* internal */ -#define UNIX_USE_AUTHTOK 11 /* insist on reading PAM_AUTHTOK */ -#define UNIX_SHADOW 12 /* signal shadow on */ -#define UNIX_MD5_PASS 13 /* force the use of MD5 passwords */ -#define UNIX__NULLOK 14 /* Null token ok */ -#define UNIX_RADIUS 15 /* wish to use RADIUS for password */ -#define UNIX__SET_DB 16 /* internal - signals redirect to db */ -#define UNIX_DEBUG 17 /* send more info to syslog(3) */ -#define UNIX_NODELAY 18 /* admin does not want a fail-delay */ -#define UNIX_UNIX 19 /* wish to use /etc/passwd for pwd */ -#define UNIX_BIGCRYPT 20 /* use DEC-C2 crypt()^x function */ -/* -------------- */ -#define UNIX_CTRLS_ 21 /* number of ctrl arguments defined */ - - -static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = { -/* symbol token name ctrl mask ctrl * - * ------------------ ------------------ -------------- ---------- */ - -/* UNIX__OLD_PASSWD */ { NULL, _ALL_ON_, 01 }, -/* UNIX__VERIFY_PASSWD */ { NULL, _ALL_ON_, 02 }, -/* UNIX__IAMROOT */ { NULL, _ALL_ON_, 04 }, -/* UNIX_AUDIT */ { "audit", _ALL_ON_, 010 }, -/* UNIX_USE_FIRST_PASS */ { "use_first_pass", _ALL_ON_^(060), 020 }, -/* UNIX_TRY_FIRST_PASS */ { "try_first_pass", _ALL_ON_^(060), 040 }, -/* UNIX_NOT_SET_PASS */ { "not_set_pass", _ALL_ON_, 0100 }, -/* UNIX__PRELIM */ { NULL, _ALL_ON_^(0600), 0200 }, -/* UNIX__UPDATE */ { NULL, _ALL_ON_^(0600), 0400 }, -/* UNIX__NONULL */ { NULL, _ALL_ON_, 01000 }, -/* UNIX__QUIET */ { NULL, _ALL_ON_, 02000 }, -/* UNIX_USE_AUTHTOK */ { "use_authtok", _ALL_ON_, 04000 }, -/* UNIX_SHADOW */ { "shadow", _ALL_ON_^(0140000), 010000 }, -/* UNIX_MD5_PASS */ { "md5", _ALL_ON_^(02000000), 020000 }, -/* UNIX__NULLOK */ { "nullok", _ALL_ON_^(01000), 0 }, -/* 
UNIX_RADIUS */ { "radius", _ALL_ON_^(0110000), 040000 }, -/* UNIX__SET_DB */ { NULL, _ALL_ON_, 0100000 }, -/* UNIX_DEBUG */ { "debug", _ALL_ON_, 0200000 }, -/* UNIX_NODELAY */ { "nodelay", _ALL_ON_, 0400000 }, -/* UNIX_UNIX */ { "unix", _ALL_ON_^(050000), 01000000 }, -/* UNIX_BIGCRYPT */ { "bigcrypt", _ALL_ON_^(020000), 02000000 }, -}; - -#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) - -/* syslogging function for errors and other information */ - -static void _log_err(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM_pwdb", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* this is a front-end for module-application conversations */ - -static int converse(pam_handle_t *pamh, int ctrl, int nargs - , struct pam_message **message - , struct pam_response **response) -{ - int retval; - struct pam_conv *conv; - - D(("begin to converse")); - - retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ; - if ( retval == PAM_SUCCESS ) { - - retval = conv->conv(nargs, ( const struct pam_message ** ) message - , response, conv->appdata_ptr); - - D(("returned from application's conversation function")); - - if (retval != PAM_SUCCESS && on(UNIX_DEBUG,ctrl) ) { - _log_err(LOG_DEBUG, "conversation failure [%s]" - , pam_strerror(pamh, retval)); - } - - } else { - _log_err(LOG_ERR, "couldn't obtain coversation function [%s]" - , pam_strerror(pamh, retval)); - } - - D(("ready to return from module conversation")); - - return retval; /* propagate error status */ -} - -static int make_remark(pam_handle_t *pamh, unsigned int ctrl - , int type, const char *text) -{ - int retval=PAM_SUCCESS; - - if ( off(UNIX__QUIET, ctrl) ) { - struct pam_message *pmsg[1], msg[1]; - struct pam_response *resp; - - pmsg[0] = &msg[0]; - msg[0].msg = text; - msg[0].msg_style = type; - - resp = NULL; - retval = converse(pamh, ctrl, 1, pmsg, &resp); - - if (resp) { - _pam_drop_reply(resp, 1); - } - } - 
return retval; -} - -/* - * set the control flags for the UNIX module. - */ - -static int set_ctrl(int flags, int argc, const char **argv) -{ - unsigned int ctrl; - - D(("called.")); - - ctrl = UNIX_DEFAULTS; /* the default selection of options */ - - /* set some flags manually */ - - if ( getuid() == 0 && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK) ) { - set(UNIX__IAMROOT, ctrl); - } - if ( flags & PAM_UPDATE_AUTHTOK ) { - set(UNIX__UPDATE, ctrl); - } - if ( flags & PAM_PRELIM_CHECK ) { - set(UNIX__PRELIM, ctrl); - } - if ( flags & PAM_DISALLOW_NULL_AUTHTOK ) { - set(UNIX__NONULL, ctrl); - } - if ( flags & PAM_SILENT ) { - set(UNIX__QUIET, ctrl); - } - - /* now parse the arguments to this module */ - - while (argc-- > 0) { - int j; - - D(("pam_pwdb arg: %s",*argv)); - - for (j=0; j= UNIX_CTRLS_ ) { - _log_err(LOG_ERR, "unrecognized option [%s]",*argv); - } else { - ctrl &= unix_args[j].mask; /* for turning things off */ - ctrl |= unix_args[j].flag; /* for turning things on */ - } - - ++argv; /* step to next argument */ - } - - /* these are used for updating passwords in specific places */ - - if (on(UNIX_SHADOW,ctrl) || on(UNIX_RADIUS,ctrl) || on(UNIX_UNIX,ctrl)) { - set(UNIX__SET_DB, ctrl); - } - - /* auditing is a more sensitive version of debug */ - - if ( on(UNIX_AUDIT,ctrl) ) { - set(UNIX_DEBUG, ctrl); - } - - /* return the set of flags */ - - D(("done.")); - return ctrl; -} - -/* use this to free strings. ESPECIALLY password strings */ - -static char *_pam_delete(register char *xx) -{ - _pam_overwrite(xx); - _pam_drop(xx); - return NULL; -} - -static void _cleanup(pam_handle_t *pamh, void *x, int error_status) -{ - x = _pam_delete( (char *) x ); -} - -/* ************************************************************** * - * Useful non-trivial functions * - * ************************************************************** */ - -#include "pam_unix_md.-c" - -/* - * the following is used to keep track of the number of times a user fails - * to authenticate themself. 
- */ - -#define FAIL_PREFIX "-UN*X-FAIL-" -#define UNIX_MAX_RETRIES 3 - -struct _pam_failed_auth { - char *user; /* user that's failed to be authenticated */ - char *name; /* attempt from user with name */ - int id; /* uid of name'd user */ - int count; /* number of failures so far */ -}; - -#ifndef PAM_DATA_REPLACE -#error "Need to get an updated libpam 0.52 or better" -#endif - -static void _cleanup_failures(pam_handle_t *pamh, void *fl, int err) -{ - int quiet; - const char *service=NULL; - struct _pam_failed_auth *failure; - - D(("called")); - - quiet = err & PAM_DATA_SILENT; /* should we log something? */ - err &= PAM_DATA_REPLACE; /* are we just replacing data? */ - failure = (struct _pam_failed_auth *) fl; - - if ( failure != NULL ) { - - if ( !quiet && !err ) { /* under advisement from Sun,may go away */ - - /* log the number of authentication failures */ - if ( failure->count != 0 ) { - (void) pam_get_item(pamh, PAM_SERVICE - , (const void **)&service); - _log_err(LOG_NOTICE - , "%d authentication failure%s; %s(uid=%d) -> " - "%s for %s service" - , failure->count, failure->count==1 ? "":"s" - , failure->name - , failure->id - , failure->user - , service == NULL ? "**unknown**":service - ); - if ( failure->count > UNIX_MAX_RETRIES ) { - _log_err(LOG_ALERT - , "service(%s) ignoring max retries; %d > %d" - , service == NULL ? 
"**unknown**":service - , failure->count - , UNIX_MAX_RETRIES ); - } - } - } - failure->user = _pam_delete(failure->user); /* tidy up */ - failure->name = _pam_delete(failure->name); /* tidy up */ - free(failure); - } -} - -/* - * verify the password of a user - */ - -#include -#include - -static int pwdb_run_helper_binary(pam_handle_t *pamh, const char *passwd) -{ - int retval, child, fds[2]; - - D(("called.")); - /* create a pipe for the password */ - if (pipe(fds) != 0) { - D(("could not make pipe")); - return PAM_AUTH_ERR; - } - - /* fork */ - child = fork(); - if (child == 0) { - static char *args[] = { NULL, NULL }; - static char *envp[] = { NULL }; - - /* XXX - should really tidy up PAM here too */ - while (pwdb_end() == PWDB_SUCCESS); - - /* reopen stdin as pipe */ - close(fds[1]); - dup2(fds[0], STDIN_FILENO); - - /* exec binary helper */ - args[0] = x_strdup(CHKPWD_HELPER); - execve(CHKPWD_HELPER, args, envp); - - /* should not get here: exit with error */ - D(("helper binary is not available")); - exit(PWDB_SUCCESS+1); - } else if (child > 0) { - /* wait for child */ - close(fds[0]); - if (passwd != NULL) { /* send the password to the child */ - write(fds[1], passwd, strlen(passwd)+1); - passwd = NULL; - } else { - write(fds[1], "", 1); /* blank password */ - } - close(fds[1]); - (void) waitpid(child, &retval, 0); /* wait for helper to complete */ - retval = (retval == PWDB_SUCCESS) ? 
PAM_SUCCESS:PAM_AUTH_ERR;
- } else {
- D(("fork failed"));
- retval = PAM_AUTH_ERR;
- }
-
- D(("returning %d", retval));
- return retval;
-}
-
-static int _unix_verify_password(pam_handle_t *pamh, const char *name
- , const char *p, unsigned int ctrl)
-{
- const struct pwdb *pw=NULL;
- const struct pwdb_entry *pwe=NULL;
-
- const char *salt;
- char *pp;
- char *data_name;
- int retval;
-
- D(("called"));
-
-#ifdef HAVE_PAM_FAIL_DELAY
- if ( off(UNIX_NODELAY, ctrl) ) {
- D(("setting delay"));
- (void) pam_fail_delay(pamh, 1000000); /* 1 sec delay for on failure */
- }
-#endif
-
- /* locate the entry for this user */
-
- D(("locating user's record"));
- retval = pwdb_locate("user", PWDB_DEFAULT, name, PWDB_ID_UNKNOWN, &pw);
- if (retval == PWDB_PASS_PHRASE_REQD) {
- /*
- * give the password to the pwdb library. It may be needed to
- * access the database
- */
-
- retval = pwdb_set_entry( pw, "pass_phrase", p, 1+strlen(p)
- , NULL, NULL, 0);
- if (retval != PWDB_SUCCESS) {
- _log_err(LOG_ALERT, "find pass; %s", pwdb_strerror(retval));
- (void) pwdb_delete(&pw);
- p = NULL;
- return PAM_CRED_INSUFFICIENT;
- }
-
- retval = pwdb_locate("user", pw->source, name, PWDB_ID_UNKNOWN, &pw);
- }
-
- if (retval != PWDB_SUCCESS) {
- D(("user's record unavailable"));
- if ( on(UNIX_AUDIT, ctrl) ) {
- /* this might be a typo and the user has given a password
- instead of a username. Careful with this. */
- _log_err(LOG_ALERT, "check pass; user (%s) unknown", name);
- } else {
- _log_err(LOG_ALERT, "check pass; user unknown");
- }
- (void) pwdb_delete(&pw);
- p = NULL;
- return PAM_USER_UNKNOWN;
- }
-
- /*
- * courtesy of PWDB the password for the user is stored in
- * encrypted form in the "passwd" entry of pw.
- */
-
- retval = pwdb_get_entry(pw, "passwd", &pwe);
- if (retval != PWDB_SUCCESS) {
- if (geteuid()) {
- /* we are not root perhaps this is the reason? 
Run helper */ - D(("running helper binary")); - retval = pwdb_run_helper_binary(pamh, p); - } else { - retval = PAM_AUTHINFO_UNAVAIL; - _log_err(LOG_ALERT, "get passwd; %s", pwdb_strerror(retval)); - } - (void) pwdb_delete(&pw); - p = NULL; - return retval; - } - salt = (const char *) pwe->value; - - /* - * XXX: Cristian, the above is not the case for RADIUS(?) Some - * lines should be added for RADIUS to verify the password in - * clear text... - */ - - if ( ( !salt ) && ( !p ) ) { - - /* the stored password is NULL */ - - (void) pwdb_entry_delete(&pwe); - (void) pwdb_delete(&pw); - - if ( off(UNIX__NONULL, ctrl ) ) { /* this means we've succeeded */ - return PAM_SUCCESS; - } else { - return PAM_AUTH_ERR; - } - } - - pp = _pam_md(p, salt); - p = NULL; /* no longer needed here */ - - data_name = (char *) malloc(sizeof(FAIL_PREFIX)+strlen(name)); - if ( data_name == NULL ) { - _log_err(LOG_CRIT, "no memory for data-name"); - } - strcpy(data_name, FAIL_PREFIX); - strcpy(data_name + sizeof(FAIL_PREFIX)-1, name); - - /* the moment of truth -- do we agree with the password? */ - - if ( strcmp( pp, salt ) == 0 ) { - - retval = PAM_SUCCESS; - if (data_name) { /* reset failures */ - pam_set_data(pamh, data_name, NULL, _cleanup_failures); - } - - } else { - - retval = PAM_AUTH_ERR; - if (data_name != NULL) { - struct _pam_failed_auth *new=NULL; - const struct _pam_failed_auth *old=NULL; - - /* get a failure recorder */ - - new = (struct _pam_failed_auth *) - malloc(sizeof(struct _pam_failed_auth)); - - if (new != NULL) { - - /* any previous failures for this user ? */ - pam_get_data(pamh, data_name, (const void **)&old ); - - if (old != NULL) { - new->count = old->count +1; - if (new->count >= UNIX_MAX_RETRIES) { - retval = PAM_MAXTRIES; - } - } else { - new->count = 1; - } - new->user = x_strdup(name); - new->id = getuid(); - new->name = x_strdup(getlogin() ? 
getlogin():"" ); - - pam_set_data(pamh, data_name, new, _cleanup_failures); - - } else { - _log_err(LOG_CRIT, "no memory for failure recorder"); - } - } - - } - - (void) pwdb_entry_delete(&pwe); - (void) pwdb_delete(&pw); - salt = NULL; - _pam_delete(data_name); - _pam_delete(pp); - - return retval; -} - -/* - * this function obtains the name of the current user and ensures - * that the PAM_USER item is set to this value - */ - -static int _unix_get_user(pam_handle_t *pamh, unsigned int ctrl - , const char *prompt, const char **user) -{ - int retval; - - D(("called")); - - retval = pam_get_user(pamh, user, prompt); - if (retval != PAM_SUCCESS) { - D(("trouble reading username")); - return retval; - } - - /* - * Various libraries at various times have had bugs related to - * '+' or '-' as the first character of a user name. Don't take - * any chances here. Require that the username starts with an - * alphanumeric character. - */ - - if (!isalnum(**user)) { - if (on(UNIX_DEBUG,ctrl) || **user) { - _log_err(LOG_ERR, "bad username [%s]", *user); - } - return PAM_USER_UNKNOWN; - } - - if (retval == PAM_SUCCESS && on(UNIX_DEBUG,ctrl)) { - _log_err(LOG_DEBUG, "username [%s] obtained", *user); - } - - return retval; -} - -/* - * _unix_blankpasswd() is a quick check for a blank password - * - * returns TRUE if user does not have a password - * - to avoid prompting for one in such cases (CG) - */ - -static int _unix_blankpasswd(unsigned int ctrl, const char *name) -{ - const struct pwdb *pw=NULL; - const struct pwdb_entry *pwe=NULL; - int retval; - - D(("called")); - - /* - * This function does not have to be too smart if something goes - * wrong, return FALSE and let this case to be treated somewhere - * else (CG) - */ - - if ( on(UNIX__NONULL, ctrl) ) - return 0; /* will fail but don't let on yet */ - - /* find the user's database entry */ - - retval = pwdb_locate("user", PWDB_DEFAULT, name, PWDB_ID_UNKNOWN, &pw); - if (retval != PWDB_SUCCESS || pw == NULL ) { - - retval = 
0; - - } else { - - /* Does this user have a password? */ - - retval = pwdb_get_entry(pw, "passwd", &pwe); - if ( retval != PWDB_SUCCESS || pwe == NULL ) - retval = 0; - else if ( pwe->value == NULL || ((char *)pwe->value)[0] == '\0' ) - retval = 1; - else - retval = 0; - - } - - /* tidy up */ - - if ( pw ) { - (void) pwdb_delete(&pw); - if ( pwe ) - (void) pwdb_entry_delete(&pwe); - } - - return retval; -} - -/* - * obtain a password from the user - */ - -static int _unix_read_password( pam_handle_t *pamh - , unsigned int ctrl - , const char *comment - , const char *prompt1 - , const char *prompt2 - , const char *data_name - , const char **pass ) -{ - int authtok_flag; - int retval; - const char *item; - char *token; - - D(("called")); - - /* - * make sure nothing inappropriate gets returned - */ - - *pass = token = NULL; - - /* - * which authentication token are we getting? - */ - - authtok_flag = on(UNIX__OLD_PASSWD,ctrl) ? PAM_OLDAUTHTOK:PAM_AUTHTOK ; - - /* - * should we obtain the password from a PAM item ? - */ - - if ( on(UNIX_TRY_FIRST_PASS,ctrl) || on(UNIX_USE_FIRST_PASS,ctrl) ) { - retval = pam_get_item(pamh, authtok_flag, (const void **) &item); - if (retval != PAM_SUCCESS ) { - /* very strange. */ - _log_err(LOG_ALERT - , "pam_get_item returned error to unix-read-password" - ); - return retval; - } else if (item != NULL) { /* we have a password! */ - *pass = item; - item = NULL; - return PAM_SUCCESS; - } else if (on(UNIX_USE_FIRST_PASS,ctrl)) { - return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */ - } else if (on(UNIX_USE_AUTHTOK, ctrl) - && off(UNIX__OLD_PASSWD, ctrl)) { - return PAM_AUTHTOK_RECOVER_ERR; - } - } - - /* - * getting here implies we will have to get the password from the - * user directly. 
- */ - - { - struct pam_message msg[3],*pmsg[3]; - struct pam_response *resp; - int i, replies; - - /* prepare to converse */ - - if ( comment != NULL && off(UNIX__QUIET, ctrl) ) { - pmsg[0] = &msg[0]; - msg[0].msg_style = PAM_TEXT_INFO; - msg[0].msg = comment; - i = 1; - } else { - i = 0; - } - - pmsg[i] = &msg[i]; - msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - msg[i++].msg = prompt1; - replies = 1; - - if ( prompt2 != NULL ) { - pmsg[i] = &msg[i]; - msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - msg[i++].msg = prompt2; - ++replies; - } - - /* so call the conversation expecting i responses */ - resp = NULL; - retval = converse(pamh, ctrl, i, pmsg, &resp); - - if (resp != NULL) { - - /* interpret the response */ - - if (retval == PAM_SUCCESS) { /* a good conversation */ - - token = x_strdup(resp[i-replies].resp); - if (token != NULL) { - if (replies == 2) { - - /* verify that password entered correctly */ - if (!resp[i-1].resp - || strcmp(token,resp[i-1].resp)) { - token = _pam_delete(token); /* mistyped */ - retval = PAM_AUTHTOK_RECOVER_ERR; - make_remark(pamh, ctrl - , PAM_ERROR_MSG, MISTYPED_PASS); - } - } - - } else { - _log_err(LOG_NOTICE - , "could not recover authentication token"); - } - - } - - /* - * tidy up the conversation (resp_retcode) is ignored - * -- what is it for anyway? AGM - */ - - _pam_drop_reply(resp, i); - - } else { - retval = (retval == PAM_SUCCESS) - ? 
PAM_AUTHTOK_RECOVER_ERR:retval ; - } - } - - if (retval != PAM_SUCCESS) { - if ( on(UNIX_DEBUG,ctrl) ) - _log_err(LOG_DEBUG,"unable to obtain a password"); - return retval; - } - - /* 'token' is the entered password */ - - if ( off(UNIX_NOT_SET_PASS, ctrl) ) { - - /* we store this password as an item */ - - retval = pam_set_item(pamh, authtok_flag, token); - token = _pam_delete(token); /* clean it up */ - if ( retval != PAM_SUCCESS - || (retval = pam_get_item(pamh, authtok_flag - , (const void **)&item)) - != PAM_SUCCESS ) { - - _log_err(LOG_CRIT, "error manipulating password"); - return retval; - - } - - } else { - /* - * then store it as data specific to this module. pam_end() - * will arrange to clean it up. - */ - - retval = pam_set_data(pamh, data_name, (void *) token, _cleanup); - if (retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, "error manipulating password data [%s]" - , pam_strerror(pamh, retval) ); - token = _pam_delete(token); - return retval; - } - item = token; - token = NULL; /* break link to password */ - } - - *pass = item; - item = NULL; /* break link to password */ - - return PAM_SUCCESS; -} - -static int _pam_unix_approve_pass(pam_handle_t *pamh - , unsigned int ctrl - , const char *pass_old - , const char *pass_new) -{ - D(("&new=%p, &old=%p",pass_old,pass_new)); - D(("new=[%s]",pass_new)); - D(("old=[%s]",pass_old)); - - if (pass_new == NULL || (pass_old && !strcmp(pass_old,pass_new))) { - if ( on(UNIX_DEBUG, ctrl) ) { - _log_err(LOG_DEBUG, "bad authentication token"); - } - make_remark(pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ? - "No password supplied":"Password unchanged" ); - return PAM_AUTHTOK_ERR; - } - - /* - * if one wanted to hardwire authentication token strength - * checking this would be the place - AGM - */ - - return PAM_SUCCESS; -} - -/* ****************************************************************** * - * Copyright (c) Andrew G. Morgan, 1996. - * Copyright (c) Alex O. Yuriev, 1996. - * Copyright (c) Cristian Gafton 1996. 
- * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - diff --git a/contrib/libpam/modules/pam_radius/Makefile b/contrib/libpam/modules/pam_radius/Makefile deleted file mode 100644 index a74b911f4e3b..000000000000 
--- a/contrib/libpam/modules/pam_radius/Makefile +++ /dev/null @@ -1,99 +0,0 @@ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Cristian Gafton 1996/09/10 -# -# STATIC modules are not supported -# - -TITLE=pam_radius -CONFD=$(CONFIGED)/security -export CONFD -CONFILE=$(CONFD)/radius.conf -export CONFILE - -ifeq ($(HAVE_PWDBLIB),yes) - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o - -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -#LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -#static/%.o : %.c -# $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -#ifdef STATIC -#LIBSTATIC = lib$(TITLE).o -#endif - -####################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -#ifdef STATIC -# $(MKDIR) ./static -#endif - -register: -#ifdef STATIC -# ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -#endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -lpwdb -endif - -#ifdef STATIC -#$(LIBOBJS): $(LIBSRC) -# -#$(LIBSTATIC): $(LIBOBJS) -# $(LD) -r -o $@ $(LIBOBJS) -lpwdb -#endif - -install: all -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< - -else - -include ../dont_makefile - -endif diff --git a/contrib/libpam/modules/pam_radius/README b/contrib/libpam/modules/pam_radius/README deleted file mode 100644 index 253308fdbdda..000000000000 
--- a/contrib/libpam/modules/pam_radius/README
+++ /dev/null
@@ -1,58 +0,0 @@
-
-pam_radius module:
- RADIUS session module.
-
-WHAT IT DOES:
- This module is intended to provide the session service for users
-autheticated with a RADIUS server. At the present stage, the only option
-supported is the use of the RADIUS server as an accounting server. There are
-few things which needs to be cleared out first in the PAM project until one
-will be able to use this module and expect it to magically start pppd in
-response to a RADIUS server command to use PPP for this user, or to initiate
-a telnet connection to another host, or to hang and call back the user using
-parameters provided in the RADIUS server response. Most of these things are
-better suited for the radius login application. I hope to make available
-Real Soon (tm) patches for the login apps to make it work this way.
-
-
-ARGUMENTS RECOGNIZED:
- debug verbose logging
-
-MODULE SERVICES PROVIDED:
- session _open_session and _close_session
-
- When opening a session, this module sends an Accounting-Start
-message to the RADIUS server, which will log/update/whatever a database for
-this user. On close, an Accounting-Stop message is sent to the RADIUS
-server.
-
-This module have no other pre-requisites for making it work. One can install
-a RADIUS server just for fun and use it as a centralized accounting server and
-forget about wtmp/last/sac&comp :-)
-
-USAGE:
- For the services you need this module (login for example) put
- the following line in /etc/pam.conf as the last line for that
- service (usually after the pam_unix session line):
-
- login session required /lib/security/pam_radius.so
-
- Replace "login" for each service you are using this module.
-
- This module make extensive use of the API provided in libpwdb
- 0.54preB or later. By default, it will read the radius server
- configuration (hostname and secret) from /etc/raddb/server. This is
- a default compiled into libpwdb, and curently there is no way to
- modify this default without recompiling libpwdb. I am working on
- extending the radius support from libpwdb to provide a possibility
- to make this runtime-configurable.
-
- Also please note that libpwdb will require also the RADIUS
- dictionary to be present (/etc/raddb/dictionary).
-
-TODO:
- The work is far from complete. Deal with "real" session things.
-
-AUTHOR:
- Cristian Gafton
-
diff --git a/contrib/libpam/modules/pam_radius/pam_radius.c b/contrib/libpam/modules/pam_radius/pam_radius.c
deleted file mode 100644
index b412edf95828..000000000000
--- a/contrib/libpam/modules/pam_radius/pam_radius.c
+++ /dev/null
@@ -1,193 +0,0 @@ -/* - * pam_radius - * Process an user session according to a RADIUS server response - * - * 1.0 - initial release - Linux ONLY - * 1.1 - revised and reorganized for libpwdb 0.54preB or higher - * - removed the conf= parameter, since we use libpwdb exclusively now - * - * See end for Copyright information - */ - -#if !(defined(linux)) -#error THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!! -#endif - -/* Module defines */ -#define BUFFER_SIZE 1024 -#define LONG_VAL_PTR(ptr) ((*(ptr)<<24)+(*((ptr)+1)<<16)+(*((ptr)+2)<<8)+(*((ptr)+3))) - -#define PAM_SM_SESSION - -#include "pam_radius.h" - -#include -#include - -static time_t session_time; - -/* we need to save these from open_session to close_session, since - * when close_session will be called we won't be root anymore and - * won't be able to access again the radius server configuration file - * -- cristiang */ - -static RADIUS_SERVER rad_server; -static char hostname[BUFFER_SIZE]; -static char secret[BUFFER_SIZE]; - -/* logging */ -static void _pam_log(int err, const char *format, ...) 
-{ - va_list args; - - va_start(args, format); - openlog("pam_radius", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* argument parsing */ - -#define PAM_DEBUG_ARG 0x0001 - -static int _pam_parse(int argc, const char **argv) -{ - int ctrl=0; - - /* step through arguments */ - for (ctrl=0; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - -/* now the session stuff */ -PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - int retval; - char *user_name; - int ctrl; - - ctrl = _pam_parse(argc, argv); - retval = pam_get_item( pamh, PAM_USER, (void*) &user_name ); - if ( user_name == NULL || retval != PAM_SUCCESS ) { - _pam_log(LOG_CRIT, "open_session - error recovering username"); - return PAM_SESSION_ERR; - } - - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "starting RADIUS user session for '%s'", - user_name); - - retval = get_server_entries(hostname, secret); - if ((retval != PWDB_RADIUS_SUCCESS) || - !strlen(hostname) || !strlen(secret)) { - _pam_log(LOG_CRIT, "Could not determine the radius server to talk to"); - return PAM_IGNORE; - } - session_time = time(NULL); - rad_server.hostname = hostname; - rad_server.secret = secret; - retval = radius_acct_start(rad_server, user_name); - if (retval != PWDB_RADIUS_SUCCESS) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "ERROR communicating with the RADIUS server"); - return PAM_IGNORE; - } - - return PAM_SUCCESS; -} - -PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - int ctrl; - char *user_name; - int retval; - - ctrl = _pam_parse(argc, argv); - retval = pam_get_item( pamh, PAM_USER, (void*) &user_name ); - if ( user_name == NULL || retval != PAM_SUCCESS ) { - _pam_log(LOG_CRIT, "open_session - error recovering 
username"); - return PAM_SESSION_ERR; - } - - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "closing RADIUS user session for '%s'", - user_name); - - if (!strlen(hostname) || !strlen(secret)) { - _pam_log(LOG_CRIT, "Could not determine the radius server to talk to"); - return PAM_IGNORE; - } - retval = radius_acct_stop(rad_server, user_name, - time(NULL) - session_time); - if (retval != PWDB_RADIUS_SUCCESS) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "ERROR communicating with the RADIUS server"); - return PAM_IGNORE; - } - - return PAM_SUCCESS; -} - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_radius_modstruct = { - "pam_radius", - NULL, - NULL, - NULL, - pam_sm_open_session, - pam_sm_close_session, - NULL -}; -#endif - -/* - * Copyright (c) Cristian Gafton, 1996, - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) 
- * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/contrib/libpam/modules/pam_radius/pam_radius.h b/contrib/libpam/modules/pam_radius/pam_radius.h deleted file mode 100644 index 72b1da8aa0cb..000000000000 --- a/contrib/libpam/modules/pam_radius/pam_radius.h +++ /dev/null @@ -1,35 +0,0 @@ - -#ifndef PAM_RADIUS_H -#define PAM_RADIUS_H - -#define _GNU_SOURCE -#include - -#include -#define __USE_POSIX2 - -#include - -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include - -#include -#include - -/******************************************************************/ - -#endif /* PAM_RADIUS_H */ diff --git a/contrib/libpam/modules/pam_rhosts/Makefile b/contrib/libpam/modules/pam_rhosts/Makefile deleted file mode 100644 index 93addbb68119..000000000000 --- a/contrib/libpam/modules/pam_rhosts/Makefile +++ /dev/null 
@@ -1,94 +0,0 @@ -# This Makefile controls a build process of the pam_rhosts modules -# for Linux-PAM. You should not modify this Makefile. - -LIBAUTHOBJ = pam_rhosts_auth.o -LIBAUTHSRC = pam_rhosts_auth.c -LIBSESSOBJ = -LIBSESSSRC = -LIBPASSWDSRC = -LIBPASSWDOBJ = -LIBOBJ = $(LIBAUTHOBJ) $(LIBSESSOBJ) $(LIBPASSWDOBJ) -LIBSRC = $(LIBAUTHSRC) $(LIBSESSSRC) $(LIBPASSWDSRC) - -ifdef STATIC -LIBSTATIC = libpam_rhosts.o -LIBOBJS = $(addprefix static/,$(LIBOBJ)) -endif - -ifdef DYNAMIC -LIBSESSSH = -LIBAUTHSH = pam_rhosts_auth.so -LIBPASSWDSH = -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBSHARED = $(LIBSESSSH) $(LIBAUTHSH) $(LIBPASSWDSH) -endif - -####################### don't edit below ####################### - -dummy: - @echo "**** This is not a top-level Makefile " - exit - - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; \ - ./register_static pam_rhosts_auth pam_rhosts/libpam_rhosts.o ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -endif - -ifdef DYNAMIC -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -endif - -ifdef STATIC -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) - -endif - -#.c.o: -# $(CC) -c $(CFLAGS) $< - -install: all -ifdef DYNAMIC - $(MKDIR) $(FAKEROOT)$(SECUREDIR) - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -# tidy up - -remove: - cd $(FAKEROOT)$(SECUREDIR) && rm -f $(LIBSHARED) - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) a.out core *~ - -extraclean: - rm -f *.a *.out *.o *.so *.bak dynamic/* static/* - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ diff --git a/contrib/libpam/modules/pam_rhosts/README b/contrib/libpam/modules/pam_rhosts/README deleted file mode 100644 index 527dfd3864d9..000000000000 
--- a/contrib/libpam/modules/pam_rhosts/README +++ /dev/null @@ -1,57 +0,0 @@ -arguments recognized: - -"no_hosts_equiv" -"no_rhosts" -"debug" -"nowarn" -"suppress" -"promiscuous" - -.rhosts/hosts.equiv format: - -There are positive entries, when one is matched authentication -succeeds and terminates. There are negative entries, when one is -matched authentication fails and terminates. Thus order is -significant. - -Entry hosts.equiv .rhosts - All users on are ok Same username from is ok - from is ok ditto -- No users from are ok ditto - - from is not ok ditto - - can be ip (IPv4) numbers. - -Netgroups may be used in either host or user fields, and then applies -to all hosts, or users, in the netgroup. The syntax is - - +@ - -The entries - - +@ - +@ +@ - +@ - -means exactly what you think it does. Negative entries are of the -form - - -@ - -When the "promiscuous" option is given the special character + may be -used as a wildcard in any field. - - + Allow anyone from any host to connect. DANGEROUS. - + + Ditto. - + Allow the user to connect from anywhere. DANGEROUS. - + Allow any user from the host. Dangerous. - -These, perhaps more usefull, forms of the + form is also disallowed -unless "promiscuous" is specified: - - + - Disallow the user from any host - + -@ Disallow all members of the netgroup from any host - -When "promiscuous" is not specified a '+' is handled as a negative -match. - diff --git a/contrib/libpam/modules/pam_rhosts/pam_rhosts_auth.c b/contrib/libpam/modules/pam_rhosts/pam_rhosts_auth.c deleted file mode 100644 index 10dfcf797119..000000000000 --- a/contrib/libpam/modules/pam_rhosts/pam_rhosts_auth.c +++ /dev/null 
@@ -1,788 +0,0 @@ -/*---------------------------------------------------------------------- - * Modified for Linux-PAM by Al Longyear 96/5/5 - * Modifications, Cristian Gafton 97/2/8 - * Modifications, Peter Allgeyer 97/3 - * Modifications (netgroups and fixes), Nicolai Langfeldt 97/3/21 - * Security fix: 97/10/2 - gethostbyname called repeatedly without care - * Modification (added privategroup option) Andrew - *---------------------------------------------------------------------- - * Copyright (c) 1983, 1993, 1994 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#define _BSD_SOURCE - -#define USER_RHOSTS_FILE "/.rhosts" /* prefixed by user's home dir */ - -#ifdef linux -#include -#endif - -#include -#include -#include -#include -#include -#include -#include -#include -#include /* This is supposed(?) to contain the following */ -int innetgr(const char *, const char *, const char *,const char *); - -#include -#include -#include -#include - -#ifndef MAXDNAME -#define MAXDNAME 256 -#endif - -#include -#include - -#include -#ifdef linux -# include -# ifndef __USE_MISC -# define __USE_MISC -# include -# endif /* __USE_MISC */ -#endif - -#include -#include -#include -#include -#include -#include -#ifndef _PATH_HEQUIV -#define _PATH_HEQUIV "/etc/hosts.equiv" -#endif /* _PATH_HEQUIV */ - -#define PAM_SM_AUTH /* only defines this management group */ - -#include -#include - -/* to the best of my knowledge, all modern UNIX boxes have 32 bit integers */ -#define U32 unsigned int - - -/* - * Options for this module - */ - -struct _options { - int opt_no_hosts_equiv; - int opt_no_rhosts; - int opt_debug; - int opt_nowarn; - int opt_disallow_null_authtok; - int opt_silent; - int opt_promiscuous; - int opt_suppress; - int opt_private_group; - const char *last_error; -}; - -/* logging */ -static void _pam_log(int err, const char *format, ...) 
-{ - va_list args; - - va_start(args, format); - openlog("pam_rhosts_auth", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -static void set_option (struct _options *opts, const char *arg) -{ - if (strcmp(arg, "no_hosts_equiv") == 0) { - opts->opt_no_hosts_equiv = 1; - return; - } - - if (strcmp(arg, "no_rhosts") == 0) { - opts->opt_no_rhosts = 1; - return; - } - - if (strcmp(arg, "debug") == 0) { - D(("debugging enabled")); - opts->opt_debug = 1; - return; - } - - if (strcmp(arg, "no_warn") == 0) { - opts->opt_nowarn = 1; - return; - } - - if (strcmp(arg, "promiscuous") == 0) { - opts->opt_promiscuous = 1; /* used to permit '+' in ...hosts file */ - return; - } - - if (strcmp(arg, "suppress") == 0) { - opts->opt_suppress = 1; /* used to suppress failure warning message */ - return; - } - - if (strcmp(arg, "privategroup") == 0) { - opts->opt_private_group = 1; /* used to permit group write on .rhosts - file if group has same name as owner */ - return; - } - - /* - * All other options are ignored at the present time. - */ - _pam_log(LOG_WARNING, "unrecognized option '%s'", arg); -} - -static void set_parameters (struct _options *opts, int flags, - int argc, const char **argv) -{ - opts->opt_silent = flags & PAM_SILENT; - opts->opt_disallow_null_authtok = flags & PAM_DISALLOW_NULL_AUTHTOK; - - while (argc-- > 0) { - set_option (opts, *argv); - ++argv; - } -} - -/* - * Obtain the name of the remote host. Currently, this is simply by - * requesting the contents of the PAM_RHOST item. - */ - -static int pam_get_rhost(pam_handle_t *pamh, const char **rhost - , const char *prompt) -{ - int retval; - const char *current; - - retval = pam_get_item (pamh, PAM_RHOST, (const void **)¤t); - if (retval != PAM_SUCCESS) - return retval; - - if (current == NULL) { - return PAM_AUTH_ERR; - } - *rhost = current; - - return retval; /* pass on any error from conversation */ -} - -/* - * Obtain the name of the remote user. 
Currently, this is simply by - * requesting the contents of the PAM_RUSER item. - */ - -static int pam_get_ruser(pam_handle_t *pamh, const char **ruser - , const char *prompt) -{ - int retval; - const char *current; - - retval = pam_get_item (pamh, PAM_RUSER, (const void **)¤t); - if (retval != PAM_SUCCESS) - return retval; - - if (current == NULL) { - return PAM_AUTH_ERR; - } - *ruser = current; - - return retval; /* pass on any error from conversation */ -} - -/* - * Returns 1 if positive match, 0 if no match, -1 if negative match. - */ - -static int -__icheckhost (pam_handle_t *pamh, struct _options *opts, U32 raddr - , register char *lhost, const char *rhost) -{ - struct hostent *hp; - U32 laddr; - int negate=1; /* Multiply return with this to get -1 instead of 1 */ - char **pp, *user; - - /* Check nis netgroup. We assume that pam has done all needed - paranoia checking before we are handed the rhost */ - if (strncmp("+@",lhost,2) == 0) - return(innetgr(&lhost[2],rhost,NULL,NULL)); - - if (strncmp("-@",lhost,2) == 0) - return(-innetgr(&lhost[2],rhost,NULL,NULL)); - - /* -host */ - if (strncmp("-",lhost,1) == 0) { - negate=-1; - lhost++; - } else if (strcmp("+",lhost) == 0) { - (void) pam_get_item(pamh, PAM_USER, (const void **)&user); - D(("user %s has a `+' host entry", user)); - if (opts->opt_promiscuous) - return (1); /* asking for trouble, but ok.. */ - /* If not promiscuous: handle as negative */ - return (-1); - } - - /* Try for raw ip address first. */ - if (isdigit(*lhost) && (long)(laddr = inet_addr(lhost)) != -1) - return (negate*(! (raddr ^ laddr))); - - /* Better be a hostname. */ - hp = gethostbyname(lhost); - if (hp == NULL) - return (0); - - /* Spin through ip addresses. */ - for (pp = hp->h_addr_list; *pp; ++pp) - if (!memcmp (&raddr, *pp, sizeof (U32))) - return (negate); - - /* No match. 
*/ - return (0); -} - -/* Returns 1 on positive match, 0 on no match, -1 on negative match */ - -static int __icheckuser(pam_handle_t *pamh, struct _options *opts - , const char *luser, const char *ruser - , const char *rhost) -{ - /* - luser is user entry from .rhosts/hosts.equiv file - ruser is user id on remote host - rhost is the remote host name - */ - char *user; - - /* [-+]@netgroup */ - if (strncmp("+@",luser,2) == 0) - return (innetgr(&luser[2],NULL,ruser,NULL)); - - if (strncmp("-@",luser,2) == 0) - return (-innetgr(&luser[2],NULL,ruser,NULL)); - - /* -user */ - if (strncmp("-",luser,1) == 0) - return(-(strcmp(&luser[1],ruser) == 0)); - - /* + */ - if (strcmp("+",luser) == 0) { - (void) pam_get_item(pamh, PAM_USER, (const void **)&user); - _pam_log(LOG_WARNING, "user %s has a `+' user entry", user); - if (opts->opt_promiscuous) - return(1); - /* If not promiscuous we handle it as a negative match */ - return(-1); - } - - /* simple string match */ - return (strcmp(ruser, luser) == 0); -} - -/* - * Returns 1 for blank lines (or only comment lines) and 0 otherwise - */ - -static int __isempty(char *p) -{ - while (*p && isspace(*p)) { - ++p; - } - - return (*p == '\0' || *p == '#') ? 1:0 ; -} - -/* - * Returns 0 if positive match, 1 if _not_ ok. - */ - -static int -__ivaliduser (pam_handle_t *pamh, struct _options *opts, - FILE *hostf, U32 raddr, - const char *luser, const char *ruser, const char *rhost) -{ - register const char *user; - register char *p; - int hcheck, ucheck; - char buf[MAXHOSTNAMELEN + 128]; /* host + login */ - - buf[sizeof (buf)-1] = '\0'; /* terminate line */ - - while (fgets(buf, sizeof(buf), hostf) != NULL) { /* hostf file line */ - p = buf; /* from beginning of file.. */ - - /* Skip empty or comment lines */ - if (__isempty(p)) { - continue; - } - - /* Skip lines that are too long. 
*/ - if (strchr(p, '\n') == NULL) { - int ch = getc(hostf); - - while (ch != '\n' && ch != EOF) - ch = getc(hostf); - continue; - } - - /* - * If there is a hostname at the start of the line. Set it to - * lower case. A leading ' ' or '\t' indicates no hostname - */ - - for (;*p && !isspace(*p); ++p) { - *p = tolower(*p); - } - - /* - * next we want to find the permitted name for the remote user - */ - - if (*p == ' ' || *p == '\t') { - - /* terminate hostname and skip spaces */ - for (*p++='\0'; *p && isspace(*p); ++p); - - user = p; /* this is the user's name */ - while (*p && !isspace(*p)) - ++p; /* find end of user's name */ - } else - user = p; - - *p = '\0'; /* terminate username (+host?) */ - - /* buf -> host(?) ; user -> username(?) */ - - /* First check host part */ - hcheck=__icheckhost(pamh, opts, raddr, buf, rhost); - - if (hcheck<0) - return(1); - - if (hcheck) { - /* Then check user part */ - if (! (*user)) - user = luser; - - ucheck=__icheckuser(pamh, opts, user, ruser, rhost); - - /* Positive 'host user' match? */ - if (ucheck>0) - return(0); - - /* Negative 'host -user' match? */ - if (ucheck<0) - return(1); - - /* Neither, go on looking for match */ - } - } - - return (1); -} - -/* - * New .rhosts strategy: We are passed an ip address. We spin through - * hosts.equiv and .rhosts looking for a match. When the .rhosts only - * has ip addresses, we don't have to trust a nameserver. When it - * contains hostnames, we spin through the list of addresses the nameserver - * gives us and look for a match. - * - * Returns 0 if ok, -1 if not ok. 
- */ - -static int -pam_iruserok(pam_handle_t *pamh, - struct _options *opts, U32 raddr, int superuser, - const char *ruser, const char *luser, const char *rhost) -{ - const char *cp; - struct stat sbuf; - struct passwd *pwd; - FILE *hostf; - uid_t uid; - int answer; - char pbuf[MAXPATHLEN]; /* potential buffer overrun */ - - if ( !superuser && !opts->opt_no_hosts_equiv ) { - - /* try to open system hosts.equiv file */ - hostf = fopen (_PATH_HEQUIV, "r"); - if (hostf) { - answer = __ivaliduser(pamh, opts, hostf, raddr, luser - , ruser, rhost); - (void) fclose(hostf); - if (answer == 0) - return 0; /* remote host is equivalent to localhost */ - } /* else { - No hosts.equiv file on system. - } */ - } - - if ( opts->opt_no_rhosts ) - return 1; - - /* - * Identify user's local .rhosts file - */ - - pwd = getpwnam(luser); - if (pwd == NULL) { - /* - * luser is assumed to be valid because of an earlier check for uid = 0 - * we don't log this error twice. However, this shouldn't happen ! - * --cristiang - */ - return(1); - } - - /* check for buffer overrun */ - if (strlen(pwd->pw_dir) + sizeof(USER_RHOSTS_FILE) + 2 >= MAXPATHLEN) { - if (opts->opt_debug) - _pam_log(LOG_DEBUG,"home directory for `%s' is too long", luser); - return 1; /* to dangerous to try */ - } - - (void) strcpy(pbuf, pwd->pw_dir); - (void) strcat(pbuf, USER_RHOSTS_FILE); - - /* - * Change effective uid while _reading_ .rhosts. (not just - * opening). If root and reading an NFS mounted file system, - * can't read files that are 0600 as .rhosts files should be. 
- */ - - /* We are root, this will not fail */ -#ifdef linux - /* If we are on linux the better way is setfsuid */ - uid = setfsuid(pwd->pw_uid); - hostf = fopen(pbuf, "r"); -#else - uid = geteuid(); - (void) seteuid(pwd->pw_uid); - hostf = fopen(pbuf, "r"); -#endif - - if (hostf == NULL) { - if (opts->opt_debug) - _pam_log(LOG_DEBUG,"Could not open %s file",pbuf); - answer = 1; - goto exit_function; - } - - /* - * If not a regular file, or is owned by someone other than - * user or root or if writeable by anyone but the owner, quit. - */ - - cp = NULL; - if (lstat(pbuf, &sbuf) < 0 || !S_ISREG(sbuf.st_mode)) - cp = ".rhosts not regular file"; - else if (fstat(fileno(hostf), &sbuf) < 0) - cp = ".rhosts fstat failed"; - else if (sbuf.st_uid && sbuf.st_uid != pwd->pw_uid) - cp = "bad .rhosts owner"; - else if (sbuf.st_mode & S_IWOTH) - cp = ".rhosts writable by other!"; - else if (sbuf.st_mode & S_IWGRP) { - - /* private group caveat */ - if (opts->opt_private_group) { - struct group *grp = getgrgid(sbuf.st_gid); - - if (NULL == grp || NULL == grp->gr_name - || strcmp(luser,grp->gr_name)) { - cp = ".rhosts writable by public group"; - } else if (grp->gr_mem) { - int gcount; - - /* require at most one member (luser) of this group */ - for (gcount=0; grp->gr_mem[gcount]; ++gcount) { - if (strcmp(grp->gr_mem[gcount], luser)) { - gcount = -1; - break; - } - } - if (gcount < 0) { - cp = ".rhosts writable by other members of group"; - } - } - } else { - cp = ".rhosts writable by group"; - } - - } /* It is _NOT_ safe to append an else here... Do so prior to - * S_IWGRP check */ - - /* If there were any problems, quit. */ - if (cp) { - opts->last_error = cp; - answer = 1; - goto exit_function; - } - - answer = __ivaliduser (pamh, opts, hostf, raddr, luser, ruser, rhost); - -exit_function: - /* - * Go here to exit after the fsuid/euid has been adjusted so that - * they are reset before we exit. 
- */ - -#ifdef linux - setfsuid(uid); -#else - (void)seteuid(uid); -#endif - - if (hostf != NULL) - (void) fclose(hostf); - - return answer; -} - -static int -pam_ruserok (pam_handle_t *pamh, - struct _options *opts, const char *rhost, int superuser, - const char *ruser, const char *luser) -{ - struct hostent *hp; - int answer = 1; /* default to failure */ - U32 *addrs; - int n, i; - - opts->last_error = (char *) 0; - hp = gethostbyname(rhost); /* identify host */ - - if (hp != NULL) { - /* First of all check the address length */ - if (hp->h_length != 4) { - _pam_log(LOG_ALERT, "pam_rhosts module can't work with not IPv4 " - "addresses"); - return 1; /* not allowed */ - } - - /* loop though address list */ - for (n = 0; hp->h_addr_list[n]; n++); - D(("rhosts: %d addresses", n)); - - if (n) { - addrs = calloc (n, hp->h_length); - for (i = 0; i < n; i++) - memcpy (addrs+i, hp->h_addr_list[i], hp->h_length); - - for (i = 0; i < n && answer; i++) { - D(("rhosts: address %d is %04x", i, addrs[i])); - answer = pam_iruserok(pamh, opts, addrs[i], superuser, - ruser, luser, rhost); - /* answer == 0 means success */ - } - - free (addrs); - } - } - - return answer; -} - -/* - * Internal function to do authentication - */ - -static int _pam_auth_rhosts (pam_handle_t *pamh, - int flags, - int argc, - const char **argv) -{ - int retval; - const char *luser; - const char *ruser,*rhost; - struct _options opts; - int as_root = 0; - /* - * Look at the options and set the flags accordingly. 
- */ - memset (&opts, 0, sizeof (opts)); - set_parameters (&opts, flags, argc, argv); - /* - * Obtain the parameters for the various items - */ - for (;;) { /* abuse loop to avoid goto */ - - /* get the remotehost */ - retval = pam_get_rhost(pamh, &rhost, NULL); - (void) pam_set_item(pamh, PAM_RHOST, rhost); - if (retval != PAM_SUCCESS) { - if (opts.opt_debug) { - _pam_log(LOG_DEBUG, "could not get the remote host name"); - } - break; - } - - /* get the remote user */ - retval = pam_get_ruser(pamh, &ruser, NULL); - (void) pam_set_item(pamh, PAM_RUSER, ruser); - if (retval != PAM_SUCCESS) { - if (opts.opt_debug) - _pam_log(LOG_DEBUG, "could not get the remote username"); - break; - } - - /* get the local user */ - retval = pam_get_user(pamh, &luser, NULL); - - if (retval != PAM_SUCCESS) { - if (opts.opt_debug) - _pam_log(LOG_DEBUG, "could not determine name of local user"); - break; - } - - /* check if the luser uid == 0... --cristiang */ - { - struct passwd *luser_pwd; - - luser_pwd = getpwnam(luser); - if (luser_pwd == NULL) { - if (opts.opt_debug) - _pam_log(LOG_DEBUG, "user '%s' unknown to this system", - luser); - retval = PAM_AUTH_ERR; - break; - } - if (luser_pwd->pw_uid == 0) - as_root = 1; - luser_pwd = NULL; /* forget */ - } -/* - * Validate the account information. - */ - if (pam_ruserok (pamh, &opts, rhost, as_root, ruser, luser) != 0) { - if ( !opts.opt_suppress ) { - _pam_log(LOG_WARNING, "denied to %s@%s as %s: %s", - ruser, rhost, luser, (opts.last_error==NULL) ? 
- "access not allowed":opts.last_error); - } - retval = PAM_AUTH_ERR; - } else { - _pam_log(LOG_NOTICE, "allowed to %s@%s as %s", - ruser, rhost, luser); - } - break; - } - - return retval; -} - -/* --- authentication management functions --- */ - -PAM_EXTERN -int pam_sm_authenticate (pam_handle_t *pamh, - int flags, - int argc, - const char **argv) -{ - int retval; - - if (sizeof(U32) != 4) { - _pam_log (LOG_ALERT, "pam_rhosts module can\'t work on this hardware " - "(yet)"); - return PAM_AUTH_ERR; - } - sethostent(1); - retval = _pam_auth_rhosts (pamh, flags, argc, argv); - endhostent(); - return retval; -} - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc, - const char **argv) -{ - return PAM_SUCCESS; -} - -/* end of module definition */ - - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_rhosts_auth_modstruct = { - "pam_rhosts_auth", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - NULL, -}; - -#endif - -/* - * $Log: pam_rhosts_auth.c,v $ - * Revision 1.12 1997/09/27 14:34:01 morgan - * fixed comment and renamed iruserok to pam_iruserok. - * - * Revision 1.11 1997/04/05 06:26:39 morgan - * fairly major fixes and enhancements (see CHANGELOG for 0.57 release) - * - * Revision 1.10 1997/02/09 02:09:30 morgan - * - implementation of 'debug' argument (Cristian Gafton) - * - we check for uid=0 accounts instead of hardcoded 'root' (Cristian Gafton) - * - * Revision 1.9 1996/12/01 03:09:47 morgan - * *** empty log message *** - * - * Revision 1.8 1996/11/12 06:08:59 morgan - * Oliver Crow's "rootok" patch plus a little clean up of set_option - * (AGM) - * - * Revision 1.7 1996/11/10 20:15:56 morgan - * cross platform support - * - * Revision 1.6 1996/08/09 05:46:29 morgan - * removed code for manually setting the remote username etc.. - * - */ diff --git a/contrib/libpam/modules/pam_rootok/Makefile b/contrib/libpam/modules/pam_rootok/Makefile deleted file mode 100644 index b37870801193..000000000000 
--- a/contrib/libpam/modules/pam_rootok/Makefile
+++ /dev/null
@@ -1,111 +0,0 @@ -# -# $Id: Makefile,v 1.7 1997/04/05 06:25:20 morgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# $Log: Makefile,v $ -# Revision 1.7 1997/04/05 06:25:20 morgan -# fakeroot -# -# Revision 1.6 1997/02/15 19:15:50 morgan -# fixed email -# -# Revision 1.5 1996/11/10 20:16:10 morgan -# cross platform support -# -# Revision 1.4 1996/09/05 06:29:36 morgan -# ld --> gcc -# -# Revision 1.3 1996/05/26 15:47:46 morgan -# make dynamic/static dirs! -# -# Revision 1.2 1996/05/26 04:04:53 morgan -# automated static support -# -# Revision 1.1 1996/05/05 17:14:15 morgan -# Initial revision -# -# -# Created by Andrew Morgan 1996/5/5 -# - -TITLE=pam_rootok - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. 
; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/contrib/libpam/modules/pam_rootok/README b/contrib/libpam/modules/pam_rootok/README deleted file mode 100644 index d7010dd9738d..000000000000 --- a/contrib/libpam/modules/pam_rootok/README +++ /dev/null @@ -1,18 +0,0 @@ -# $Id: README,v 1.1 1996/05/10 04:15:31 morgan Exp $ -# - -this module is an authentication module that performs one task: if the -id of the user is '0' then it returns 'PAM_SUCCESS' with the -'sufficient' /etc/pam.conf control flag it can be used to allow -password free access to some service for 'root' - -Recognized arguments: - - debug write a message to syslog indicating success or - failure. - -module services provided: - - auth _authetication and _setcred (blank) - -Andrew Morgan diff --git a/contrib/libpam/modules/pam_rootok/pam_rootok.c b/contrib/libpam/modules/pam_rootok/pam_rootok.c deleted file mode 100644 index 21327d42e5ea..000000000000 --- a/contrib/libpam/modules/pam_rootok/pam_rootok.c +++ /dev/null 
@@ -1,118 +0,0 @@ -/* pam_rootok module */ - -/* - * $Id: pam_rootok.c,v 1.5 1997/02/15 17:32:47 morgan Exp $ - * - * Written by Andrew Morgan 1996/3/11 - * - * $Log: pam_rootok.c,v $ - * Revision 1.5 1997/02/15 17:32:47 morgan - * removed fixed syslog buffer - * - * Revision 1.4 1996/12/01 03:10:14 morgan - * reformatted - * - * Revision 1.3 1996/06/02 08:11:01 morgan - * updated for new static protocol - * - */ - -#include -#include -#include -#include - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH - -#include - -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-rootok", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - - -/* argument parsing */ - -#define PAM_DEBUG_ARG 01 - -static int _pam_parse(int argc, const char **argv) -{ - int ctrl=0; - - /* step through arguments */ - for (ctrl=0; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - -/* --- authentication management functions (only) --- */ - -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - int ctrl; - int retval = PAM_AUTH_ERR; - - ctrl = _pam_parse(argc, argv); - if (getuid() == 0) - retval = PAM_SUCCESS; - - if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_DEBUG, "authetication %s" - , retval==PAM_SUCCESS ? 
"succeeded":"failed" ); - } - - return retval; -} - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_SUCCESS; -} - - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_rootok_modstruct = { - "pam_rootok", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - NULL, -}; - -#endif - -/* end of module definition */ diff --git a/contrib/libpam/modules/pam_securetty/Makefile b/contrib/libpam/modules/pam_securetty/Makefile deleted file mode 100644 index d8a09ea13377..000000000000 --- a/contrib/libpam/modules/pam_securetty/Makefile +++ /dev/null 
@@ -1,83 +0,0 @@ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# - -TITLE=pam_securetty - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< diff --git a/contrib/libpam/modules/pam_securetty/README b/contrib/libpam/modules/pam_securetty/README deleted file mode 100644 index 1df095c96f95..000000000000 --- a/contrib/libpam/modules/pam_securetty/README +++ /dev/null 
@@ -1,9 +0,0 @@ -pam_securetty: - Allows root logins only if the user is logging in on a - "secure" tty, as defined by the listing in /etc/securetty - - Also checks to make sure that /etc/securetty is a plain - file and not world writable. - - - Elliot Lee , Red Hat Software. - July 25, 1996. diff --git a/contrib/libpam/modules/pam_securetty/pam_securetty.c b/contrib/libpam/modules/pam_securetty/pam_securetty.c deleted file mode 100644 index 369fb03dd060..000000000000 --- a/contrib/libpam/modules/pam_securetty/pam_securetty.c +++ /dev/null 
@@ -1,204 +0,0 @@ -/* pam_securetty module */ - -#define SECURETTY_FILE "/etc/securetty" -#define TTY_PREFIX "/dev/" - -/* - * by Elliot Lee , Red Hat Software. - * July 25, 1996. - * This code shamelessly ripped from the pam_rootok module. - * Slight modifications AGM. 1996/12/3 - * $Log: pam_securetty.c,v $ - * Revision 1.7 1997/04/05 06:24:23 morgan - * changed return value on user unknown error - * - * Revision 1.6 1997/02/15 17:30:36 morgan - * removed fixed length syslog buffer - * - * Revision 1.5 1997/02/09 02:22:24 morgan - * added "debug" flag handling (Cristian Gafton) - * - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define PAM_SM_AUTH - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH - -#include - -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) 
-{ - va_list args; - - va_start(args, format); - openlog("PAM-securetty", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* argument parsing */ - -#define PAM_DEBUG_ARG 0x0001 - -static int _pam_parse(int argc, const char **argv) -{ - int ctrl=0; - - /* step through arguments */ - for (ctrl=0; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - -/* --- authentication management functions (only) --- */ - -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - int retval = PAM_AUTH_ERR; - const char *username; - char *uttyname; - char ttyfileline[256]; - struct stat ttyfileinfo; - struct passwd *user_pwd; - FILE *ttyfile; - int ctrl; - - /* parse the arguments */ - ctrl = _pam_parse(argc, argv); - - retval = pam_get_item(pamh,PAM_USER,(const void **)&username); - if (retval == PAM_SUCCESS) - retval = pam_get_item(pamh,PAM_TTY,(const void **)&uttyname); - if (retval != PAM_SUCCESS || uttyname == NULL) { - /* If we couldn't get the username or the tty return error */ - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_WARNING, "can not determine tty I'm running on !"); - return PAM_SERVICE_ERR; - } - - /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ - if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) - uttyname += sizeof(TTY_PREFIX)-1; - - /* If we didn't get a username, get one */ - if(!username || (strlen(username) <= 0)) { - /* Don't let them use a NULL username... 
*/ - (void) pam_set_item(pamh, PAM_USER, NULL); - pam_get_user(pamh,&username,NULL); - if (retval != PAM_SUCCESS || username == NULL || *username == '\0') { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_WARNING, - "can not determine username for this service!"); - return PAM_SERVICE_ERR; - } - } - - user_pwd = getpwnam(username); - if (user_pwd == NULL) - return PAM_IGNORE; - else if (user_pwd->pw_uid != 0) /* If the user is not root, - securetty's does not apply to them */ - return PAM_SUCCESS; - - if(stat(SECURETTY_FILE,&ttyfileinfo)) { - _pam_log(LOG_NOTICE, - "Couldn't open " SECURETTY_FILE); - return PAM_SUCCESS; /* for compatibility with old securetty handling, - this needs to succeed. But we still log the - error. */ - } - - if((ttyfileinfo.st_mode & S_IWOTH) - || !S_ISREG(ttyfileinfo.st_mode)) { - /* If the file is world writable or is not a - normal file, return error */ - _pam_log(LOG_ERR, SECURETTY_FILE - " is either world writable or not a normal file"); - return PAM_AUTH_ERR; - } - - ttyfile = fopen(SECURETTY_FILE,"r"); - if(ttyfile == NULL) { /* Check that we opened it successfully */ - _pam_log(LOG_ERR, - "Error opening " SECURETTY_FILE); - return PAM_SERVICE_ERR; - } - /* There should be no more errors from here on */ - retval=PAM_AUTH_ERR; - /* This loop assumes that PAM_SUCCESS == 0 - and PAM_AUTH_ERR != 0 */ - while((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL) - && retval) { - if(ttyfileline[strlen(ttyfileline) - 1] == '\n') - ttyfileline[strlen(ttyfileline) - 1] = '\0'; - retval = strcmp(ttyfileline,uttyname); - } - fclose(ttyfile); - if(retval) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_WARNING, "access denied: tty '%s' is not secure !", - uttyname); - retval = PAM_AUTH_ERR; - } - if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) - _pam_log(LOG_DEBUG, "access allowed for '%s' on '%s'", - username, uttyname); - return retval; -} - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - 
return PAM_SUCCESS; -} - - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_securetty_modstruct = { - "pam_securetty", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - NULL, -}; - -#endif - -/* end of module definition */ diff --git a/contrib/libpam/modules/pam_shells/Makefile b/contrib/libpam/modules/pam_shells/Makefile deleted file mode 100644 index 121b19a00863..000000000000 --- a/contrib/libpam/modules/pam_shells/Makefile +++ /dev/null 
@@ -1,84 +0,0 @@
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-
-TITLE=pam_shells
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_shells/README b/contrib/libpam/modules/pam_shells/README
deleted file mode 100644
index cbd5bfb55655..000000000000
--- a/contrib/libpam/modules/pam_shells/README
+++ /dev/null
@@ -1,10 +0,0 @@
-pam_shells:
- Authentication is granted if the users shell is listed in
- /etc/shells. If no shell is in /etc/passwd (empty), the
- /bin/sh is used (following ftpd's convention).
-
- Also checks to make sure that /etc/shells is a plain
- file and not world writable.
-
- - Erik Troan , Red Hat Software.
- August 5, 1996.
diff --git a/contrib/libpam/modules/pam_shells/pam_shells.c b/contrib/libpam/modules/pam_shells/pam_shells.c
deleted file mode 100644
index edc9134b3274..000000000000
--- a/contrib/libpam/modules/pam_shells/pam_shells.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/* pam_securetty module */
-
-#define SHELL_FILE "/etc/shells"
-
-/*
- * by Erik Troan , Red Hat Software.
- * August 5, 1996.
- * This code shamelessly ripped from the pam_securetty module.
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH
-
-#include
-
-/* some syslogging */
-
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM-shells", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- int retval = PAM_AUTH_ERR;
- const char *userName;
- char *userShell;
- char shellFileLine[256];
- struct stat sb;
- struct passwd * pw;
- FILE * shellFile;
-
- retval = pam_get_user(pamh,&userName,NULL);
- if(retval != PAM_SUCCESS)
- return PAM_SERVICE_ERR;
-
- if(!userName || (strlen(userName) <= 0)) {
- /* Don't let them use a NULL username... */
- pam_get_user(pamh,&userName,NULL);
- if (retval != PAM_SUCCESS)
- return PAM_SERVICE_ERR;
- }
-
- pw = getpwnam(userName);
- if (!pw)
- return PAM_AUTH_ERR; /* user doesn't exist */
- userShell = pw->pw_shell;
-
- if(stat(SHELL_FILE,&sb)) {
- _pam_log(LOG_ERR, SHELL_FILE, " cannot be stat'd (it probably does "
- "not exist)");
- return PAM_AUTH_ERR; /* must have /etc/shells */
- }
-
- if((sb.st_mode & S_IWOTH) || !S_ISREG(sb.st_mode)) {
- _pam_log(LOG_ERR,
- SHELL_FILE " is either world writable or not a normal file");
- return PAM_AUTH_ERR;
- }
-
- shellFile = fopen(SHELL_FILE,"r");
- if(shellFile == NULL) { /* Check that we opened it successfully */
- _pam_log(LOG_ERR,
- "Error opening " SHELL_FILE);
- return PAM_SERVICE_ERR;
- }
- /* There should be no more errors from here on */
- retval=PAM_AUTH_ERR;
- /* This loop assumes that PAM_SUCCESS == 0
- and PAM_AUTH_ERR != 0 */
- while((fgets(shellFileLine,255,shellFile) != NULL)
- && retval) {
- if (shellFileLine[strlen(shellFileLine) - 1] == '\n')
- shellFileLine[strlen(shellFileLine) - 1] = '\0';
- retval = strcmp(shellFileLine, userShell);
- }
- fclose(shellFile);
- if(retval)
- retval = PAM_AUTH_ERR;
- return retval;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_shells_modstruct = {
- "pam_shells",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL,
-};
-
-#endif
-
-/* end of module definition */
diff --git a/contrib/libpam/modules/pam_stress/Makefile b/contrib/libpam/modules/pam_stress/Makefile
deleted file mode 100644
index 52e8e21881a3..000000000000
--- a/contrib/libpam/modules/pam_stress/Makefile
+++ /dev/null
@@ -1,109 +0,0 @@
-#
-# $Id: Makefile,v 1.7 1997/04/05 06:23:08 morgan Exp $
-#
-# Created by Andrew Morgan 1996/3/11
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.7 1997/04/05 06:23:08 morgan
-# fakeroot
-#
-# Revision 1.6 1997/02/15 19:05:55 morgan
-# fixed email
-#
-# Revision 1.5 1996/11/10 20:17:55 morgan
-# cross platform support
-#
-# Revision 1.4 1996/09/05 06:31:09 morgan
-# ld --> gcc
-#
-# Revision 1.3 1996/05/26 15:50:43 morgan
-# make dynamic and static dirs
-#
-# Revision 1.2 1996/05/26 04:11:56 morgan
-# automated static support
-#
-#
-#
-
-TITLE=pam_stress
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_stress/README b/contrib/libpam/modules/pam_stress/README
deleted file mode 100644
index 1cb7c14b73c3..000000000000
--- a/contrib/libpam/modules/pam_stress/README
+++ /dev/null
@@ -1,66 +0,0 @@
-#
-# $Id: README,v 1.7 1997/02/15 19:07:08 morgan Exp $
-#
-# This describes the behavior of this module with respect to the
-# /etc/pam.conf file.
-#
-# writen by Andrew Morgan
-#
-
-This module recognizes the following arguments.
-
-debug put lots of information in syslog.
- *NOTE* this option writes passwords to syslog, so
- don't use anything sensitive when testing.
-
-no_warn don't give warnings about things (otherwise warnings are issued
- via the conversation function)
-
-use_first_pass don't prompt for a password, for pam_sm_authentication
- function just use item PAM_AUTHTOK.
-
-try_first_pass don't prompt for a password unless there has been no
- previous authentication token (item PAM_AUTHTOK is NULL)
-
-rootok This is intended for the pam_sm_chauthtok function and
- it instructs this function to permit root to change
- the user's password without entering the old password.
-
-The following arguments are acted on by the module. They are intended
-to make the module give the impression of failing as a fully
-functioning module might.
-
-expired an argument intended for the account and chauthtok module
- parts. It instructs the module to act as if the user's
- password has expired
-
-fail_1 this instructs the module to make its first function fail.
-
-fail_2 this instructs the module to make its second function (if there
- is one) fail.
-
- The function break up is indicated in the Module
- Developers' Guide. Listed here it is:
-
- service function 1 function 2
- ------- ---------- ----------
- auth pam_sm_authenticate pam_sm_setcred
- password pam_sm_chauthtok
- session pam_sm_open_session pam_sm_close_session
- account pam_sm_acct_mgmt
-
-prelim for pam_sm_chauthtok, means fail on PAM_PRELIM_CHECK.
-
-required for pam_sm_chauthtok, means fail if the user hasn't already
- been authenticated by this module. (See stress_new_pwd data
- item below.)
-
-#
-# data strings that this module uses are the following:
-#
-
-data name value(s) Comments
---------- -------- --------
-stress_new_pwd yes tells pam_sm_chauthtok that
- pam_sm_acct_mgmt says we need a new
- password
diff --git a/contrib/libpam/modules/pam_stress/pam_stress.c b/contrib/libpam/modules/pam_stress/pam_stress.c
deleted file mode 100644
index 501541850461..000000000000
--- a/contrib/libpam/modules/pam_stress/pam_stress.c
+++ /dev/null
@@ -1,581 +0,0 @@
-/* pam_stress module */
-
-/* $Id: pam_stress.c,v 1.12 1997/02/15 19:06:30 morgan Exp morgan $
- *
- * created by Andrew Morgan 1996/3/12
- *
- * $Log: pam_stress.c,v $
- * Revision 1.12 1997/02/15 19:06:30 morgan
- * fixed email
- *
- * Revision 1.11 1997/02/15 17:33:24 morgan
- * removed fixed syslog buffer
- *
- * Revision 1.10 1996/12/01 03:11:35 morgan
- * using _pam_macros.h now
- *
- * Revision 1.9 1996/11/10 20:18:10 morgan
- * changes for .53 compilation
- *
- * Revision 1.8 1996/09/05 06:31:59 morgan
- * changed return value of wipe_up from int to void
- *
- * Revision 1.7 1996/06/02 08:12:28 morgan
- * updated for new static protocol, added STRESS to various user prompts
- * and added rootok flag for pam_sm_chauthtok to look out for
- *
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-/*
- * here, we make definitions for the externally accessible functions
- * in this file (these definitions are required for static modules
- * but strongly encouraged generally) they are used to instruct the
- * modules include file to define their prototypes.
- */
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
-
-#include
-#include
-
-static char *_strdup(const char *x)
-{
- char *new;
- new = malloc(strlen(x)+1);
- strcpy(new,x);
- return new;
-}
-
-/* log errors */
-
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM-stress", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* ---------- */
-
-/* an internal function to turn all possible test arguments into bits
- of a ctrl number */
-
-/* generic options */
-
-#define PAM_ST_DEBUG 01
-#define PAM_ST_NO_WARN 02
-#define PAM_ST_USE_PASS1 04
-#define PAM_ST_TRY_PASS1 010
-#define PAM_ST_ROOTOK 020
-
-/* simulation options */
-
-#define PAM_ST_EXPIRED 040
-#define PAM_ST_FAIL_1 0100
-#define PAM_ST_FAIL_2 0200
-#define PAM_ST_PRELIM 0400
-#define PAM_ST_REQUIRE_PWD 01000
-
-/* some syslogging */
-
-static void _pam_report(int ctrl, const char *name, int flags,
- int argc, const char **argv)
-{
- if (ctrl & PAM_ST_DEBUG) {
- _pam_log(LOG_DEBUG, "CALLED: %s", name);
- _pam_log(LOG_DEBUG, "FLAGS : 0%o%s", flags,
- (flags & PAM_SILENT) ? " (silent)":"");
- _pam_log(LOG_DEBUG, "CTRL = 0%o",ctrl);
- _pam_log(LOG_DEBUG, "ARGV :");
- while (argc--) {
- _pam_log(LOG_DEBUG, " \"%s\"", *argv++);
- }
- }
-}
-
-static int _pam_parse(int argc, const char **argv)
-{
- int ctrl=0;
-
- /* step through arguments */
- for (ctrl=0; argc-- > 0; ++argv) {
-
- /* generic options */
-
- if (!strcmp(*argv,"debug"))
- ctrl |= PAM_ST_DEBUG;
- else if (!strcmp(*argv,"no_warn"))
- ctrl |= PAM_ST_NO_WARN;
- else if (!strcmp(*argv,"use_first_pass"))
- ctrl |= PAM_ST_USE_PASS1;
- else if (!strcmp(*argv,"try_first_pass"))
- ctrl |= PAM_ST_TRY_PASS1;
- else if (!strcmp(*argv,"rootok"))
- ctrl |= PAM_ST_ROOTOK;
-
- /* simulation options */
-
- else if (!strcmp(*argv,"expired")) /* signal password needs
- renewal */
- ctrl |= PAM_ST_EXPIRED;
- else if (!strcmp(*argv,"fail_1")) /* instruct fn 1 to fail */
- ctrl |= PAM_ST_FAIL_1;
- else if (!strcmp(*argv,"fail_2")) /* instruct fn 2 to fail */
- ctrl |= PAM_ST_FAIL_2;
- else if (!strcmp(*argv,"prelim")) /* instruct pam_sm_setcred
- to fail on first call */
- ctrl |= PAM_ST_PRELIM;
- else if (!strcmp(*argv,"required")) /* module is fussy about the
- user being authenticated */
- ctrl |= PAM_ST_REQUIRE_PWD;
-
- else {
- _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv);
- }
- }
-
- return ctrl;
-}
-
-static int converse(pam_handle_t *pamh, int nargs
- , struct pam_message **message
- , struct pam_response **response)
-{
- int retval;
- struct pam_conv *conv;
-
- if ((retval = pam_get_item(pamh,PAM_CONV,(const void **)&conv))
- == PAM_SUCCESS) {
- retval = conv->conv(nargs, (const struct pam_message **) message
- , response, conv->appdata_ptr);
- if (retval != PAM_SUCCESS) {
- _pam_log(LOG_ERR,"(pam_stress) converse returned %d",retval);
- _pam_log(LOG_ERR,"that is: %s",pam_strerror(pamh, retval));
- }
- } else {
- _pam_log(LOG_ERR,"(pam_stress) converse failed to get pam_conv");
- }
-
- return retval;
-}
-
-/* authentication management functions */
-
-static int stress_get_password(pam_handle_t *pamh, int flags
- , int ctrl, char **password)
-{
- char *pass;
-
- if ( (ctrl & (PAM_ST_TRY_PASS1|PAM_ST_USE_PASS1))
- && (pam_get_item(pamh,PAM_AUTHTOK,(const void **)&pass)
- == PAM_SUCCESS)
- && (pass != NULL) ) {
- pass = _strdup(pass);
- } else if ((ctrl & PAM_ST_USE_PASS1)) {
- _pam_log(LOG_WARNING, "pam_stress: no forwarded password");
- return PAM_PERM_DENIED;
- } else { /* we will have to get one */
- struct pam_message msg[1],*pmsg[1];
- struct pam_response *resp;
- int retval;
-
- /* set up conversation call */
-
- pmsg[0] = &msg[0];
- msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[0].msg = "STRESS Password: ";
- resp = NULL;
-
- if ((retval = converse(pamh,1,pmsg,&resp)) != PAM_SUCCESS) {
- return retval;
- }
-
- if (resp) {
- if ((resp[0].resp == NULL) && (ctrl & PAM_ST_DEBUG)) {
- _pam_log(LOG_DEBUG,
- "pam_sm_authenticate: NULL authtok given");
- }
- if ((flags & PAM_DISALLOW_NULL_AUTHTOK)
- && resp[0].resp == NULL) {
- free(resp);
- return PAM_AUTH_ERR;
- }
-
- pass = resp[0].resp; /* remember this! */
-
- resp[0].resp = NULL;
- } else if (ctrl & PAM_ST_DEBUG) {
- _pam_log(LOG_DEBUG,"pam_sm_authenticate: no error reported");
- _pam_log(LOG_DEBUG,"getting password, but NULL returned!?");
- return PAM_CONV_ERR;
- }
- free(resp);
- }
-
- *password = pass; /* this *MUST* be free()'d by this module */
-
- return PAM_SUCCESS;
-}
-
-/* function to clean up data items */
-
-static void wipe_up(pam_handle_t *pamh, void *data, int error)
-{
- free(data);
-}
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- const char *username;
- int retval=PAM_SUCCESS;
- char *pass;
- int ctrl;
-
- D(("called."));
-
- ctrl = _pam_parse(argc,argv);
- _pam_report(ctrl, "pam_sm_authenticate", flags, argc, argv);
-
- /* try to get the username */
-
- retval = pam_get_user(pamh, &username, "username: ");
- if ((ctrl & PAM_ST_DEBUG) && (retval == PAM_SUCCESS)) {
- _pam_log(LOG_DEBUG, "pam_sm_authenticate: username = %s", username);
- } else if (retval != PAM_SUCCESS) {
- _pam_log(LOG_WARNING, "pam_sm_authenticate: failed to get username");
- return retval;
- }
-
- /* now get the password */
-
- retval = stress_get_password(pamh,flags,ctrl,&pass);
- if (retval != PAM_SUCCESS) {
- _pam_log(LOG_WARNING, "pam_sm_authenticate: "
- "failed to get a password");
- return retval;
- }
-
- /* try to set password item */
-
- retval = pam_set_item(pamh,PAM_AUTHTOK,pass);
- if (retval != PAM_SUCCESS) {
- _pam_log(LOG_WARNING, "pam_sm_authenticate: "
- "failed to store new password");
- _pam_overwrite(pass);
- free(pass);
- return retval;
- }
-
- /* clean up local copy of password */
-
- _pam_overwrite(pass);
- free(pass);
- pass = NULL;
-
- /* if we are debugging then we print the password */
-
- if (ctrl & PAM_ST_DEBUG) {
- (void) pam_get_item(pamh,PAM_AUTHTOK,(const void **)&pass);
- _pam_log(LOG_DEBUG,
- "pam_st_authenticate: password entered is: [%s]\n",pass);
- pass = NULL;
- }
-
- /* if we signal a fail for this function then fail */
-
- if ((ctrl & PAM_ST_FAIL_1) && retval == PAM_SUCCESS)
- return PAM_PERM_DENIED;
-
- return retval;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- int ctrl = _pam_parse(argc,argv);
-
- D(("called. [post parsing]"));
-
- _pam_report(ctrl, "pam_sm_setcred", flags, argc, argv);
-
- if (ctrl & PAM_ST_FAIL_2)
- return PAM_CRED_ERR;
-
- return PAM_SUCCESS;
-}
-
-/* account management functions */
-
-PAM_EXTERN
-int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- int ctrl = _pam_parse(argc,argv);
-
- D(("called. [post parsing]"));
-
- _pam_report(ctrl,"pam_sm_acct_mgmt", flags, argc, argv);
-
- if (ctrl & PAM_ST_FAIL_1)
- return PAM_PERM_DENIED;
- else if (ctrl & PAM_ST_EXPIRED) {
- void *text = malloc(sizeof("yes")+1);
- strcpy(text,"yes");
- pam_set_data(pamh,"stress_new_pwd",text,wipe_up);
- if (ctrl & PAM_ST_DEBUG) {
- _pam_log(LOG_DEBUG,"pam_sm_acct_mgmt: need a new password");
- }
- return PAM_NEW_AUTHTOK_REQD;
- }
-
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN
-int pam_sm_open_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- char *username,*service;
- int ctrl = _pam_parse(argc,argv);
-
- D(("called. [post parsing]"));
-
- _pam_report(ctrl,"pam_sm_open_session", flags, argc, argv);
-
- if ((pam_get_item(pamh, PAM_USER, (const void **) &username)
- != PAM_SUCCESS)
- || (pam_get_item(pamh, PAM_SERVICE, (const void **) &service)
- != PAM_SUCCESS)) {
- _pam_log(LOG_WARNING,"pam_sm_open_session: for whom?");
- return PAM_SESSION_ERR;
- }
-
- _pam_log(LOG_NOTICE,"pam_stress: opened [%s] session for user [%s]"
- , service, username);
-
- if (ctrl & PAM_ST_FAIL_1)
- return PAM_SESSION_ERR;
-
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN
-int pam_sm_close_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- const char *username,*service;
- int ctrl = _pam_parse(argc,argv);
-
- D(("called. [post parsing]"));
-
- _pam_report(ctrl,"pam_sm_close_session", flags, argc, argv);
-
- if ((pam_get_item(pamh, PAM_USER, (const void **)&username)
- != PAM_SUCCESS)
- || (pam_get_item(pamh, PAM_SERVICE, (const void **)&service)
- != PAM_SUCCESS)) {
- _pam_log(LOG_WARNING,"pam_sm_close_session: for whom?");
- return PAM_SESSION_ERR;
- }
-
- _pam_log(LOG_NOTICE,"pam_stress: closed [%s] session for user [%s]"
- , service, username);
-
- if (ctrl & PAM_ST_FAIL_2)
- return PAM_SESSION_ERR;
-
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN
-int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- int retval;
- int ctrl = _pam_parse(argc,argv);
-
- D(("called. [post parsing]"));
-
- _pam_report(ctrl,"pam_sm_chauthtok", flags, argc, argv);
-
- /* this function should be called twice by the Linux-PAM library */
-
- if (flags & PAM_PRELIM_CHECK) { /* first call */
- if (ctrl & PAM_ST_DEBUG) {
- _pam_log(LOG_DEBUG,"pam_sm_chauthtok: prelim check");
- }
- if (ctrl & PAM_ST_PRELIM)
- return PAM_TRY_AGAIN;
-
- return PAM_SUCCESS;
- } else if (flags & PAM_UPDATE_AUTHTOK) { /* second call */
- struct pam_message msg[3],*pmsg[3];
- struct pam_response *resp;
- const char *text;
- char *txt=NULL;
- int i;
-
- if (ctrl & PAM_ST_DEBUG) {
- _pam_log(LOG_DEBUG,"pam_sm_chauthtok: alter password");
- }
-
- if (ctrl & PAM_ST_FAIL_1)
- return PAM_AUTHTOK_LOCK_BUSY;
-
- if ( !(ctrl && PAM_ST_EXPIRED)
- && (flags & PAM_CHANGE_EXPIRED_AUTHTOK)
- && (pam_get_data(pamh,"stress_new_pwd",(const void **)&text)
- != PAM_SUCCESS || strcmp(text,"yes"))) {
- return PAM_SUCCESS; /* the token has not expired */
- }
-
- /* the password should be changed */
-
- if ((ctrl & PAM_ST_REQUIRE_PWD)
- && !(getuid() == 0 && (ctrl & PAM_ST_ROOTOK))
- ) { /* first get old one? */
- char *pass;
-
- if (ctrl & PAM_ST_DEBUG) {
- _pam_log(LOG_DEBUG
- ,"pam_sm_chauthtok: getting old password");
- }
- retval = stress_get_password(pamh,flags,ctrl,&pass);
- if (retval != PAM_SUCCESS) {
- _pam_log(LOG_DEBUG
- ,"pam_sm_chauthtok: no password obtained");
- return retval;
- }
- retval = pam_set_item(pamh, PAM_OLDAUTHTOK, pass);
- if (retval != PAM_SUCCESS) {
- _pam_log(LOG_DEBUG
- ,"pam_sm_chauthtok: could not set OLDAUTHTOK");
- _pam_overwrite(pass);
- free(pass);
- return retval;
- }
- _pam_overwrite(pass);
- free(pass);
- }
-
- /* set up for conversation */
-
- if (!(flags & PAM_SILENT)) {
- char *username;
-
- if ( pam_get_item(pamh, PAM_USER, (const void **)&username)
- || username == NULL ) {
- _pam_log(LOG_ERR,"no username set");
- return PAM_USER_UNKNOWN;
- }
- pmsg[0] = &msg[0];
- msg[0].msg_style = PAM_TEXT_INFO;
-#define _LOCAL_STRESS_COMMENT "Changing STRESS password for "
- txt = (char *) malloc(sizeof(_LOCAL_STRESS_COMMENT)
- +strlen(username)+1);
- strcpy(txt, _LOCAL_STRESS_COMMENT);
-#undef _LOCAL_STRESS_COMMENT
- strcat(txt, username);
- msg[0].msg = txt;
- i = 1;
- } else {
- i = 0;
- }
-
- pmsg[i] = &msg[i];
- msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[i++].msg = "Enter new STRESS password: ";
- pmsg[i] = &msg[i];
- msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[i++].msg = "Retype new STRESS password: ";
- resp = NULL;
-
- retval = converse(pamh,i,pmsg,&resp);
- if (txt) {
- free(txt);
- txt = NULL; /* clean up */
- }
- if (retval != PAM_SUCCESS) {
- return retval;
- }
-
- if (resp == NULL) {
- _pam_log(LOG_ERR, "pam_sm_chauthtok: no response from conv");
- return PAM_CONV_ERR;
- }
-
- /* store the password */
-
- if (resp[i-2].resp && resp[i-1].resp) {
- if (strcmp(resp[i-2].resp,resp[i-1].resp)) {
- /* passwords are not the same; forget and return error */
-
- _pam_drop_reply(resp, i);
-
- if (!(flags & PAM_SILENT) && !(ctrl & PAM_ST_NO_WARN)) {
- pmsg[0] = &msg[0];
- msg[0].msg_style = PAM_ERROR_MSG;
- msg[0].msg = "Verification mis-typed; "
- "password unchaged";
- resp = NULL;
- (void) converse(pamh,1,pmsg,&resp);
- if (resp) {
- _pam_drop_reply(resp, 1);
- }
- }
- return PAM_AUTHTOK_ERR;
- }
-
- if (pam_get_item(pamh,PAM_AUTHTOK,(const void **)&text)
- == PAM_SUCCESS) {
- (void) pam_set_item(pamh,PAM_OLDAUTHTOK,text);
- text = NULL;
- }
- (void) pam_set_item(pamh,PAM_AUTHTOK,resp[0].resp);
- } else {
- _pam_log(LOG_DEBUG,"pam_sm_chauthtok: problem with resp");
- retval = PAM_SYSTEM_ERR;
- }
-
- _pam_drop_reply(resp, i); /* clean up the passwords */
- } else {
- _pam_log(LOG_ERR,"pam_sm_chauthtok: this must be a Linux-PAM error");
- return PAM_SYSTEM_ERR;
- }
-
- return retval;
-}
-
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_stress_modstruct = {
- "pam_stress",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok
-};
-
-#endif
diff --git a/contrib/libpam/modules/pam_tally/Makefile b/contrib/libpam/modules/pam_tally/Makefile
deleted file mode 100644
index ec17ff31fa8e..000000000000
--- a/contrib/libpam/modules/pam_tally/Makefile
+++ /dev/null
@@ -1,93 +0,0 @@
-#
-# $Id: Makefile,v 1.1 1997/04/05 06:19:04 morgan Exp $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.1 1997/04/05 06:19:04 morgan
-# Initial revision
-#
-#
-
-TITLE=pam_tally
-
-#
-## Should add some more rules to make the application too.
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_tally/README b/contrib/libpam/modules/pam_tally/README
deleted file mode 100644
index aaa8512bade4..000000000000
--- a/contrib/libpam/modules/pam_tally/README
+++ /dev/null
@@ -1,51 +0,0 @@
-
-SUMMARY:
- pam_tally:
-
- Maintains a count of attempted accesses, can reset count on success,
- can deny access if too many attempts fail.
-
- Options:
-
- * onerr=[succeed|fail] (if something weird happens
- such as unable to open the file, what to do?)
- * file=/where/to/keep/counts (default /var/log/faillog)
-
- (auth)
- * no_magic_root (root DOES increment counter. Use for
- daemon-based stuff, like telnet/rsh/login)
-
- (account)
- * deny=n (deny access if tally for this user exceeds n;
- The presence of deny=n changes the default for
- reset/no_reset to reset, unless the user trying to
- gain access is root and the no_magic_root option
- has NOT been specified.)
-
- * no_magic_root (access attempts by root DON'T ignore deny.
- Use this for daemon-based stuff, like telnet/rsh/login)
- * even_deny_root_account (Root can become unavailable. BEWARE.
- Note that magic root trying to gain root bypasses this,
- but normal users can be locked out.)
-
- * reset (reset count to 0 on successful entry, even for
- magic root)
- * no_reset (don't reset count on successful entry)
- This is the default unless deny exists and the
- user attempting access is NOT magic root.
-
- Also checks to make sure that the list file is a plain
- file and not world writable.
-
- - Tim Baverstock , Multi Media Machine Ltd.
- v0.1 5 March 1997
-
-BUGS:
-
-pam_tally is very dependant on getpw*(): a database of usernames
-would be much more flexible.
-
-The (4.0 Redhat) utilities seem to do funny things with uid, and I'm
-not wholly sure I understood what I should have been doing anyway so
-the `keep a count of current logins' bit has been #ifdef'd out and you
-can only reset the counter on successful authentication, for now.
diff --git a/contrib/libpam/modules/pam_tally/pam_tally.c b/contrib/libpam/modules/pam_tally/pam_tally.c
deleted file mode 100644
index a1b65c04e958..000000000000
--- a/contrib/libpam/modules/pam_tally/pam_tally.c
+++ /dev/null
@@ -1,634 +0,0 @@ -/* - * pam_tally.c - * - * Revision history? :) 0.1 - */ - - -/* By Tim Baverstock , Multi Media Machine Ltd. - * 5 March 1997 - * - * Stuff stolen from pam_rootok and pam_listfile - */ - -#ifdef linux -# define _GNU_SOURCE -# include -#endif - -#include -#include -#include -#include -#include -#include - -#include -#include -#include - -#ifndef TRUE -#define TRUE 1L -#define FALSE 0L -#endif - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -/* #define PAM_SM_SESSION */ -/* #define PAM_SM_PASSWORD */ - -#include - -/*---------------------------------------------------------------------*/ - -#define DEFAULT_LOGFILE "/var/log/faillog" -#define MODULE_NAME "pam_tally" - -enum TALLY_RESET { - TALLY_RESET_DEFAULT, - TALLY_RESET_RESET, - TALLY_RESET_NO_RESET -}; - -#define tally_t unsigned short int -#define TALLY_FMT "%hu" -#define TALLY_HI ((tally_t)~0L) - -#define UID_FMT "%hu" - -#ifndef FILENAME_MAX -# define FILENAME_MAX MAXPATHLEN -#endif - -/*---------------------------------------------------------------------*/ - -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) 
-{ - va_list args; - va_start(args, format); - -#ifdef MAIN - vfprintf(stderr,format,args); -#else - openlog(MODULE_NAME, LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - closelog(); -#endif - va_end(args); -} - -/*---------------------------------------------------------------------*/ - -/* --- Support function: get uid (and optionally username) from PAM or - cline_user --- */ - -#ifdef MAIN -static char *cline_user=0; /* cline_user is used in the administration prog */ -#endif - -static int pam_get_uid( pam_handle_t *pamh, uid_t *uid, const char **userp ) - { - const char *user; - struct passwd *pw; - -#ifdef MAIN - user = cline_user; -#else - pam_get_user( pamh, &user, NULL ); -#endif - - if ( !user || !*user ) { - _pam_log(LOG_ERR, MODULE_NAME ": pam_get_uid; user?"); - return PAM_AUTH_ERR; - } - - if ( ! ( pw = getpwnam( user ) ) ) { - _pam_log(LOG_ERR,MODULE_NAME ": pam_get_uid; no such user %s",user); - return PAM_USER_UNKNOWN; - } - - if ( uid ) *uid = pw->pw_uid; - if ( userp ) *userp = user; - return PAM_SUCCESS; - } - -/*---------------------------------------------------------------------*/ - -/* --- Support function: open/create tallyfile and return tally for uid --- */ - -/* If on entry *tally==TALLY_HI, tallyfile is opened READONLY */ -/* Otherwise, if on entry tallyfile doesn't exist, creation is attempted. */ - -static int get_tally( tally_t *tally, - uid_t uid, - const char *filename, - FILE **TALLY ) - { - struct stat fileinfo; - int lstat_ret = lstat(filename,&fileinfo); - - if ( lstat_ret && *tally!=TALLY_HI ) { - if ( ( *TALLY=fopen(filename, "a") ) ) { - /* Create file, or append-open in pathological case. 
*/ - _pam_log(LOG_ALERT, "Couldn't create %s",filename); - return PAM_AUTH_ERR; - } - fclose(*TALLY); - lstat_ret = lstat(filename,&fileinfo); - } - - if ( lstat_ret ) { - _pam_log(LOG_ALERT, "Couldn't stat %s",filename); - return PAM_AUTH_ERR; - } - - if((fileinfo.st_mode & S_IWOTH) || !S_ISREG(fileinfo.st_mode)) { - /* If the file is world writable or is not a - normal file, return error */ - _pam_log(LOG_ALERT, - "%s is either world writable or not a normal file", - filename); - return PAM_AUTH_ERR; - } - - if ( ! ( *TALLY = fopen(filename,(*tally!=TALLY_HI)?"r+":"r") ) ) { - _pam_log(LOG_ALERT, "Error opening %s for update", filename); - -/* Discovering why account service fails: e/uid are target user. - * - * perror(MODULE_NAME); - * fprintf(stderr,"uid %d euid %d\n",getuid(), geteuid()); - */ - return PAM_AUTH_ERR; - } - - if ( fseek( *TALLY, uid * sizeof (tally_t), SEEK_SET ) ) { - _pam_log(LOG_ALERT, "fseek failed %s", filename); - return PAM_AUTH_ERR; - } - - if ( ( fread(tally, sizeof(tally_t), 1, *TALLY) )==0 ) { - *tally=0; /* Assuming a gappy filesystem */ - } - return PAM_SUCCESS; - } - -/*---------------------------------------------------------------------*/ - -/* --- Support function: update and close tallyfile with tally!=TALLY_HI --- */ - -static int set_tally( tally_t tally, - uid_t uid, - const char *filename, - FILE **TALLY ) - { - if ( tally!=TALLY_HI ) - { - if ( fseek( *TALLY, uid * sizeof(tally_t), SEEK_SET ) ) { - _pam_log(LOG_ALERT, "fseek failed %s", filename); - return PAM_AUTH_ERR; - } - - if ( fwrite(&tally, sizeof(tally_t), 1, *TALLY)==0 ) { - _pam_log(LOG_ALERT, "tally update (fputc) failed.", filename); - return PAM_AUTH_ERR; - } - } - - if ( fclose(*TALLY) ) { - _pam_log(LOG_ALERT, "tally update (fclose) failed.", filename); - return PAM_AUTH_ERR; - } - *TALLY=NULL; - return PAM_SUCCESS; - } - -/*---------------------------------------------------------------------*/ - -/* --- PAM bits --- */ - -#ifndef MAIN - -#define 
PAM_FUNCTION(name) \ - PAM_EXTERN int name (pam_handle_t *pamh,int flags,int argc,const char **argv) - -#define RETURN_ERROR(i) return ((fail_on_error)?(i):(PAM_SUCCESS)) - -/*---------------------------------------------------------------------*/ - -/* --- tally bump function: bump tally for uid by (signed) inc --- */ - -static int tally_bump (int inc, - pam_handle_t *pamh, - int flags, - int argc, - const char **argv) { - uid_t uid; - - int - fail_on_error = FALSE; - tally_t - tally = 0; /* !TALLY_HI --> Log opened for update */ - - char - no_magic_root = FALSE; - - char - filename[ FILENAME_MAX ] = DEFAULT_LOGFILE; - - /* Should probably decode the parameters before anything else. */ - - { - for ( ; argc-- > 0; ++argv ) { - - /* generic options.. um, ignored. :] */ - - if ( ! strcmp( *argv, "no_magic_root" ) ) { - no_magic_root = TRUE; - } - else if ( ! strncmp( *argv, "file=", 5 ) ) { - char const - *from = (*argv)+5; - char - *to = filename; - if ( *from!='/' || strlen(from)>FILENAME_MAX-1 ) { - _pam_log(LOG_ERR, - MODULE_NAME ": filename not /rooted or too long; ", - *argv); - RETURN_ERROR( PAM_AUTH_ERR ); - } - while ( ( *to++ = *from++ ) ); - } - else if ( ! strcmp( *argv, "onerr=fail" ) ) { - fail_on_error=TRUE; - } - else if ( ! strcmp( *argv, "onerr=succeed" ) ) { - fail_on_error=FALSE; - } - else { - _pam_log(LOG_ERR, MODULE_NAME ": unknown option; %s",*argv); - } - } /* for() */ - } - - { - FILE - *TALLY = NULL; - const char - *user = NULL; - - int i=pam_get_uid(pamh, &uid, &user); - if ( i != PAM_SUCCESS ) RETURN_ERROR( i ); - - i=get_tally( &tally, uid, filename, &TALLY ); - if ( i != PAM_SUCCESS ) { if (TALLY) fclose(TALLY); RETURN_ERROR( i ); } - - if ( no_magic_root || getuid() ) { /* no_magic_root kills uid test */ - - tally+=inc; - - if ( tally==TALLY_HI ) { /* Overflow *and* underflow. 
:) */ - tally-=inc; - _pam_log(LOG_ALERT,"Tally %sflowed for user %s", - (inc<0)?"under":"over",user); - } - } - - i=set_tally( tally, uid, filename, &TALLY ); - if ( i != PAM_SUCCESS ) { if (TALLY) fclose(TALLY); RETURN_ERROR( i ); } - } - - return PAM_SUCCESS; -} - -/*---------------------------------------------------------------------*/ - -/* --- authentication management functions (only) --- */ - -#ifdef PAM_SM_AUTH - -PAM_FUNCTION( pam_sm_authenticate ) { - return tally_bump( 1, pamh, flags, argc, argv); -} - -/* --- Seems to need this function. Ho hum. --- */ - -PAM_FUNCTION( pam_sm_setcred ) { return PAM_SUCCESS; } - -#endif - -/*---------------------------------------------------------------------*/ - -/* --- session management functions (only) --- */ - -/* - * Unavailable until .so files can be suid - */ - -#ifdef PAM_SM_SESSION - -/* To maintain a balance-tally of successful login/outs */ - -PAM_FUNCTION( pam_sm_open_session ) { - return tally_bump( 1, pamh, flags, argc, argv); -} - -PAM_FUNCTION( pam_sm_close_session ) { - return tally_bump(-1, pamh, flags, argc, argv); -} - -#endif - -/*---------------------------------------------------------------------*/ - -/* --- authentication management functions (only) --- */ - -#ifdef PAM_SM_AUTH - -/* To lock out a user with an unacceptably high tally */ - -PAM_FUNCTION( pam_sm_acct_mgmt ) { - uid_t - uid; - - int - fail_on_error = FALSE; - tally_t - deny = 0; - tally_t - tally = 0; /* !TALLY_HI --> Log opened for update */ - - char - no_magic_root = FALSE, - even_deny_root_account = FALSE; - - const char - *user = NULL; - - enum TALLY_RESET - reset = TALLY_RESET_DEFAULT; - - char - filename[ FILENAME_MAX ] = DEFAULT_LOGFILE; - - /* Should probably decode the parameters before anything else. */ - - { - for ( ; argc-- > 0; ++argv ) { - - /* generic options.. um, ignored. :] */ - - if ( ! strcmp( *argv, "no_magic_root" ) ) { - no_magic_root = TRUE; - } - else if ( ! 
strcmp( *argv, "even_deny_root_account" ) ) { - even_deny_root_account = TRUE; - } - else if ( ! strcmp( *argv, "reset" ) ) { - reset = TALLY_RESET_RESET; - } - else if ( ! strcmp( *argv, "no_reset" ) ) { - reset = TALLY_RESET_NO_RESET; - } - else if ( ! strncmp( *argv, "file=", 5 ) ) { - char const - *from = (*argv)+5; - char - *to = filename; - if ( *from != '/' || strlen(from) > FILENAME_MAX-1 ) { - _pam_log(LOG_ERR, - MODULE_NAME ": filename not /rooted or too long; ", - *argv); - RETURN_ERROR( PAM_AUTH_ERR ); - } - while ( ( *to++ = *from++ ) ); - } - else if ( ! strncmp( *argv, "deny=", 5 ) ) { - if ( sscanf((*argv)+5,TALLY_FMT,&deny) != 1 ) { - _pam_log(LOG_ERR,"bad number supplied; %s",*argv); - RETURN_ERROR( PAM_AUTH_ERR ); - } - } - else if ( ! strcmp( *argv, "onerr=fail" ) ) { - fail_on_error=TRUE; - } - else if ( ! strcmp( *argv, "onerr=succeed" ) ) { - fail_on_error=FALSE; - } - else { - _pam_log(LOG_ERR, MODULE_NAME ": unknown option; %s",*argv); - } - } /* for() */ - } - - { - FILE *TALLY=0; - int i=pam_get_uid(pamh, &uid, &user); - if ( i != PAM_SUCCESS ) RETURN_ERROR( i ); - - i=get_tally( &tally, uid, filename, &TALLY ); - if ( i != PAM_SUCCESS ) { if (TALLY) fclose(TALLY); RETURN_ERROR( i ); } - - if ( no_magic_root || getuid() ) { /* no_magic_root kills uid test */ - - /* To deny or not to deny; that is the question */ - - if ( - ( deny != 0 ) && /* deny==0 means no deny */ - ( tally > deny ) && /* tally>deny means exceeded */ - ( even_deny_root_account || uid ) /* even_deny stops uid check */ - ) { - _pam_log(LOG_NOTICE,"user %s ("UID_FMT") tally "TALLY_FMT", deny "TALLY_FMT, - user, uid, tally, deny); - return PAM_AUTH_ERR; /* Only unconditional failure */ - } - - /* resets for explicit reset - * or by default if deny exists and not magic-root - */ - - if ( ( reset == TALLY_RESET_RESET ) || - ( reset == TALLY_RESET_DEFAULT && deny ) ) { tally=0; } - } - else /* is magic root */ { - - /* Magic root skips deny test... 
*/ - - /* Magic root only resets on explicit reset, regardless of deny */ - - if ( reset == TALLY_RESET_RESET ) { tally=0; } - } - - i=set_tally( tally, uid, filename, &TALLY ); - if ( i != PAM_SUCCESS ) { if (TALLY) fclose(TALLY); RETURN_ERROR( i ); } - } - - return PAM_SUCCESS; -} - -#endif /* #ifdef PAM_SM_AUTH */ - -/*-----------------------------------------------------------------------*/ - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_tally_modstruct = { - MODULE_NAME, -#ifdef PAM_SM_AUTH - pam_sm_authenticate, - pam_sm_setcred, -#else - NULL, - NULL, -#endif -#ifdef PAM_SM_ACCOUNT - pam_sm_acct_mgmt, -#else - NULL, -#endif -#ifdef PAM_SM_SESSION - pam_sm_open_session, - pam_sm_close_session, -#else - NULL, - NULL, -#endif -#ifdef PAM_SM_PASSWORD - pam_sm_chauthtok, -#else - NULL, -#endif -}; - -#endif /* #ifdef PAM_STATIC */ - -/*-----------------------------------------------------------------------*/ - -#else /* #ifndef MAIN */ - -static const char *cline_filename = DEFAULT_LOGFILE; -static tally_t cline_reset = TALLY_HI; /* Default is `interrogate only' */ -static int cline_quiet = 0; - -/* - * Not going to link with pamlib just for these.. 
:) - */ - -static const char * pam_errors( int i ) { - switch (i) { - case PAM_AUTH_ERR: return "Authentication error"; - case PAM_SERVICE_ERR: return "Service error"; - case PAM_USER_UNKNOWN: return "Unknown user"; - default: return "Unknown error"; - } -} - -static int getopts( int argc, char **argv ) { - const char *pname = *argv; - for ( ; *argv ; (void)(*argv && ++argv) ) { - if ( !strcmp (*argv,"--file") ) cline_filename=*++argv; - else if ( !strncmp(*argv,"--file=",7) ) cline_filename=*argv+7; - else if ( !strcmp (*argv,"--user") ) cline_user=*++argv; - else if ( !strncmp(*argv,"--user=",7) ) cline_user=*argv+7; - else if ( !strcmp (*argv,"--reset") ) cline_reset=0; - else if ( !strncmp(*argv,"--reset=",8)) { - if ( sscanf(*argv+8,TALLY_FMT,&cline_reset) != 1 ) - fprintf(stderr,"%s: Bad number given to --reset=\n",pname), exit(0); - } - else if ( !strcmp (*argv,"--quiet") ) cline_quiet=1; - else { - fprintf(stderr,"%s: Unrecognised option %s\n",pname,*argv); - return FALSE; - } - } - return TRUE; -} - -int main ( int argc, char **argv ) { - - if ( ! getopts( argc, argv+1 ) ) { - printf("%s: [--file rooted-filename] [--user username] " - "[--reset[=n]] [--quiet]\n", - *argv); - exit(0); - } - - /* - * Major difference between individual user and all users: - * --user just handles one user, just like PAM. 
- * --user=* handles all users, sniffing cline_filename for nonzeros - */ - - if ( cline_user ) { - uid_t uid; - tally_t tally=cline_reset; - FILE *TALLY=0; - int i=pam_get_uid( NULL, &uid, NULL); - if ( i != PAM_SUCCESS ) { - fprintf(stderr,"%s: %s\n",*argv,pam_errors(i)); - exit(0); - } - - i=get_tally( &tally, uid, cline_filename, &TALLY ); - if ( i != PAM_SUCCESS ) { - if (TALLY) fclose(TALLY); - fprintf(stderr,"%s: %s\n",*argv,pam_errors(i)); - exit(0); - } - - if ( !cline_quiet ) - printf("User %s\t("UID_FMT")\t%s "TALLY_FMT"\n",cline_user,uid, - (cline_reset!=TALLY_HI)?"had":"has",tally); - - i=set_tally( cline_reset, uid, cline_filename, &TALLY ); - if ( i != PAM_SUCCESS ) { - if (TALLY) fclose(TALLY); - fprintf(stderr,"%s: %s\n",*argv,pam_errors(i)); - exit(0); - } - } - else /* !cline_user (ie, operate on all users) */ { - FILE *TALLY=fopen(cline_filename, "r"); - uid_t uid=0; - if ( !TALLY ) perror(*argv), exit(0); - - for ( ; !feof(TALLY); uid++ ) { - tally_t tally; - struct passwd *pw; - if ( ! fread(&tally, sizeof(tally_t), 1, TALLY) || ! tally ) continue; - - if ( ( pw=getpwuid(uid) ) ) { - printf("User %s\t("UID_FMT")\t%s "TALLY_FMT"\n",pw->pw_name,uid, - (cline_reset!=TALLY_HI)?"had":"has",tally); - } - else { - printf("User [NONAME]\t("UID_FMT")\t%s "TALLY_FMT"\n",uid, - (cline_reset!=TALLY_HI)?"had":"has",tally); - } - } - fclose(TALLY); - if ( cline_reset!=0 && cline_reset!=TALLY_HI ) { - fprintf(stderr,"%s: Can't reset all users to non-zero\n",*argv); - } - else if ( !cline_reset ) { - TALLY=fopen(cline_filename, "w"); - if ( !TALLY ) perror(*argv), exit(0); - fclose(TALLY); - } - } - return 0; -} - - -#endif diff --git a/contrib/libpam/modules/pam_time/Makefile b/contrib/libpam/modules/pam_time/Makefile deleted file mode 100644 index bc297d4f9853..000000000000 --- a/contrib/libpam/modules/pam_time/Makefile +++ /dev/null 
@@ -1,121 +0,0 @@
-#
-# $Id: Makefile,v 1.6 1997/04/05 06:22:32 morgan Exp morgan $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.6 1997/04/05 06:22:32 morgan
-# fakeroot
-#
-# Revision 1.5 1997/02/15 19:16:16 morgan
-# fixed email
-#
-# Revision 1.4 1996/11/10 20:18:21 morgan
-# cross platform support
-#
-# Revision 1.3 1996/09/05 06:27:37 morgan
-# ld --> gcc
-#
-# Revision 1.2 1996/08/09 05:48:19 morgan
-# inherit installation files from parent
-#
-# Revision 1.1 1996/07/07 23:42:48 morgan
-# Initial revision
-#
-# Revision 1.1 1996/06/24 05:48:49 morgan
-# Initial revision
-#
-#
-# Created by Andrew Morgan 1996/6/11
-#
-
-TITLE=pam_time
-CONFD=$(CONFIGED)/security
-export CONFD
-CONFILE=$(CONFD)/time.conf
-export CONFILE
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-DEFS=-DCONFILE=\"$(CONFILE)\"
-
-CFLAGS += $(DEFS)
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
-ifdef DYNAMIC
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
- $(MKDIR) $(FAKEROOT)$(SCONFIGED)
- bash -f ./install_conf
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
- rm -f $(FAKEROOT)$(CONFILE)
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
- rm -f ./.ignore_age
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_time/README b/contrib/libpam/modules/pam_time/README
deleted file mode 100644
index 0c3f976b4012..000000000000
--- a/contrib/libpam/modules/pam_time/README
+++ /dev/null
@@ -1,37 +0,0 @@
-$Id: README,v 1.3 1997/01/04 20:42:43 morgan Exp $
-
-This is a help file for the pam_time module. It explains the need for
-pam_time and also the syntax of the /etc/security/time.conf file.
-[a lot of the syntax is freely adapted from the porttime file of the
-shadow suite.]
-
-1. Introduction
-===============
-
-It is desirable to restrict access to a system and or specific
-applications at various times of the day and on specific days or over
-various terminal lines.
-
-The pam_time module is intended to offer a configurable module that
-satisfies this purpose, within the context of Linux-PAM.
-
-2. the /etc/security/time.conf file
-===================================
-
-This file is the configuration script for defining time/port access
-control to the system/applications.
-
-Its syntax is described in the sample ./time.conf provided in this
-directory.
-
-unrecognised rules are ignored (but an error is logged to syslog(3))
-
---------------------
-Bugs to Andrew or the list
-
-########################################################################
-# $Log: README,v $
-# Revision 1.3 1997/01/04 20:42:43 morgan
-# I want email on parc now
-#
-#
\ No newline at end of file
diff --git a/contrib/libpam/modules/pam_time/install_conf b/contrib/libpam/modules/pam_time/install_conf
deleted file mode 100755
index 051d8b7013d7..000000000000
--- a/contrib/libpam/modules/pam_time/install_conf
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-
-CONFILE=$FAKEROOT"$CONFILE"
-IGNORE_AGE=./.ignore_age
-QUIET_INSTALL=../../.quiet_install
-CONF=./time.conf
-MODULE=pam_time
-
-echo
-
-if [ -f "$QUIET_INSTALL" ]; then
- if [ ! -f "$CONFILE" ]; then
- yes="y"
- else
- yes="skip"
- fi
-elif [ -f "$IGNORE_AGE" ]; then
- echo "you don't want to be bothered with the age of your $CONFILE file"
- yes="n"
-elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then
- if [ -f "$CONFILE" ]; then
- echo "An older $MODULE configuration file already exists ($CONFILE)"
- echo "Do you wish to copy the $CONF file in this distribution"
- echo "to $CONFILE ? (y/n) [skip] "
- read yes
- else
- yes="y"
- fi
-else
- yes="skip"
-fi
-
-if [ "$yes" = "y" ]; then
- mkdir -p $FAKEROOT$CONFD
- echo " copying $CONF to $CONFILE"
- cp $CONF $CONFILE
-else
- echo " Skipping $CONF installation"
- if [ "$yes" = "n" ]; then
- touch "$IGNORE_AGE"
- fi
-fi
-
-echo
-
-exit 0
diff --git a/contrib/libpam/modules/pam_time/pam_time.c b/contrib/libpam/modules/pam_time/pam_time.c
deleted file mode 100644
index 489c1d734ae0..000000000000
--- a/contrib/libpam/modules/pam_time/pam_time.c
+++ /dev/null
@@ -1,614 +0,0 @@ -/* pam_time module */ - -/* - * $Id: pam_time.c,v 1.7 1997/02/15 17:32:21 morgan Exp $ - * - * Written by Andrew Morgan 1996/6/22 - * (File syntax and much other inspiration from the shadow package - * shadow-960129) - * - * $Log: pam_time.c,v $ - * Revision 1.7 1997/02/15 17:32:21 morgan - * time parsing more robust - * - * Revision 1.6 1997/01/04 20:43:15 morgan - * fixed buffer underflow, reformatted to 4 spaces - * - */ - -const static char rcsid[] = -"$Id: pam_time.c,v 1.7 1997/02/15 17:32:21 morgan Exp $;\n" -"\t\tVersion 0.22 for Linux-PAM\n" -"Copyright (C) Andrew G. Morgan 1996 \n"; - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define PAM_TIME_CONF CONFILE /* from external define */ -#define PAM_TIME_BUFLEN 1000 -#define FIELD_SEPARATOR ';' /* this is new as of .02 */ - -typedef enum { FALSE, TRUE } boolean; -typedef enum { AND, OR } operator; - -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. - */ - -#define PAM_SM_ACCOUNT - -#include -#include - -/* --- static functions for checking whether the user should be let in --- */ - -static void _log_err(const char *format, ... ) -{ - va_list args; - - va_start(args, format); - openlog("pam_time", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(LOG_CRIT, format, args); - va_end(args); - closelog(); -} - -static void shift_bytes(char *mem, int from, int by) -{ - while (by-- > 0) { - *mem = mem[from]; - ++mem; - } -} - -static int read_field(int fd, char **buf, int *from, int *to) -{ - /* is buf set ? */ - - if (! *buf) { - *buf = (char *) malloc(PAM_TIME_BUFLEN); - if (! 
*buf) { - _log_err("out of memory"); - D(("no memory")); - return -1; - } - *from = *to = 0; - fd = open(PAM_TIME_CONF, O_RDONLY); - } - - /* do we have a file open ? return error */ - - if (fd < 0 && *to <= 0) { - _log_err( PAM_TIME_CONF " not opened"); - memset(*buf, 0, PAM_TIME_BUFLEN); - _pam_drop(*buf); - return -1; - } - - /* check if there was a newline last time */ - - if ((*to > *from) && (*to > 0) - && ((*buf)[*from] == '\0')) { /* previous line ended */ - (*from)++; - (*buf)[0] = '\0'; - return fd; - } - - /* ready for more data: first shift the buffer's remaining data */ - - *to -= *from; - shift_bytes(*buf, *from, *to); - *from = 0; - (*buf)[*to] = '\0'; - - while (fd >= 0 && *to < PAM_TIME_BUFLEN) { - int i; - - /* now try to fill the remainder of the buffer */ - - i = read(fd, *to + *buf, PAM_TIME_BUFLEN - *to); - if (i < 0) { - _log_err("error reading " PAM_TIME_CONF); - return -1; - } else if (!i) { - fd = -1; /* end of file reached */ - } else - *to += i; - - /* - * contract the buffer. 
Delete any comments, and replace all - * multiple spaces with single commas - */ - - i = 0; -#ifdef DEBUG_DUMP - D(("buffer=<%s>",*buf)); -#endif - while (i < *to) { - if ((*buf)[i] == ',') { - int j; - - for (j=++i; j<*to && (*buf)[j] == ','; ++j); - if (j!=i) { - shift_bytes(i + (*buf), j-i, (*to) - j); - *to -= j-i; - } - } - switch ((*buf)[i]) { - int j,c; - case '#': - for (j=i; j < *to && (c = (*buf)[j]) != '\n'; ++j); - if (j >= *to) { - (*buf)[*to = ++i] = '\0'; - } else if (c == '\n') { - shift_bytes(i + (*buf), j-i, (*to) - j); - *to -= j-i; - ++i; - } else { - _log_err("internal error in " __FILE__ - " at line %d", __LINE__ ); - return -1; - } - break; - case '\\': - if ((*buf)[i+1] == '\n') { - shift_bytes(i + *buf, 2, *to - (i+2)); - *to -= 2; - } - break; - case '!': - case ' ': - case '\t': - if ((*buf)[i] != '!') - (*buf)[i] = ','; - /* delete any trailing spaces */ - for (j=++i; j < *to && ( (c = (*buf)[j]) == ' ' - || c == '\t' ); ++j); - shift_bytes(i + *buf, j-i, (*to)-j ); - *to -= j-i; - break; - default: - ++i; - } - } - } - - (*buf)[*to] = '\0'; - - /* now return the next field (set the from/to markers) */ - { - int i; - - for (i=0; i<*to; ++i) { - switch ((*buf)[i]) { - case '#': - case '\n': /* end of the line/file */ - (*buf)[i] = '\0'; - *from = i; - return fd; - case FIELD_SEPARATOR: /* end of the field */ - (*buf)[i] = '\0'; - *from = ++i; - return fd; - } - } - *from = i; - (*buf)[*from] = '\0'; - } - - if (*to <= 0) { - D(("[end of text]")); - *buf = NULL; - } - - return fd; -} - -/* read a member from a field */ - -static int logic_member(const char *string, int *at) -{ - int len,c,to; - int done=0; - int token=0; - - len=0; - to=*at; - do { - c = string[to++]; - - switch (c) { - - case '\0': - --to; - done = 1; - break; - - case '&': - case '|': - case '!': - if (token) { - --to; - } - done = 1; - break; - - default: - if (isalpha(c) || c == '*' || isdigit(c) || c == '_' - || c == '-' || c == '.') { - token = 1; - } else if (token) 
{ - --to; - done = 1; - } else { - ++*at; - } - } - } while (!done); - - return to - *at; -} - -typedef enum { VAL, OP } expect; - -static boolean logic_field(const void *me, const char *x, int rule, - boolean (*agrees)(const void *, const char * - , int, int)) -{ - boolean left=FALSE, right, not=FALSE; - operator oper=OR; - int at=0, l; - expect next=VAL; - - while ((l = logic_member(x,&at))) { - int c = x[at]; - - if (next == VAL) { - if (c == '!') - not = !not; - else if (isalpha(c) || c == '*') { - right = not ^ agrees(me, x+at, l, rule); - if (oper == AND) - left &= right; - else - left |= right; - next = OP; - } else { - _log_err("garbled syntax; expected name (rule #%d)", rule); - return FALSE; - } - } else { /* OP */ - switch (c) { - case '&': - oper = AND; - break; - case '|': - oper = OR; - break; - default: - _log_err("garbled syntax; expected & or | (rule #%d)" - , rule); - D(("%c at %d",c,at)); - return FALSE; - } - next = VAL; - } - at += l; - } - - return left; -} - -static boolean is_same(const void *A, const char *b, int len, int rule) -{ - int i; - const char *a; - - a = A; - for (i=0; len > 0; ++i, --len) { - if (b[i] != a[i]) { - if (b[i++] == '*') { - return (!--len || !strncmp(b+i,a+strlen(a)-len,len)); - } else - return FALSE; - } - } - return ( !len ); -} - -typedef struct { - int day; /* array of 7 bits, one set for today */ - int minute; /* integer, hour*100+minute for now */ -} TIME; - -struct day { - const char *d; - int bit; -} static const days[11] = { - { "su", 01 }, - { "mo", 02 }, - { "tu", 04 }, - { "we", 010 }, - { "th", 020 }, - { "fr", 040 }, - { "sa", 0100 }, - { "wk", 076 }, - { "wd", 0101 }, - { "al", 0177 }, - { NULL, 0 } -}; - -static TIME time_now(void) -{ - struct tm *local; - time_t the_time; - TIME this; - - the_time = time((time_t *)0); /* get the current time */ - local = localtime(&the_time); - this.day = days[local->tm_wday].bit; - this.minute = local->tm_hour*100 + local->tm_min; - - D(("day: 0%o, time: %.4d", 
this.day, this.minute)); - return this; -} - -/* take the current date and see if the range "date" passes it */ -static boolean check_time(const void *AT, const char *times, int len, int rule) -{ - boolean not,pass; - int marked_day, time_start, time_end; - const TIME *at; - int i,j=0; - - at = AT; - D(("chcking: 0%o/%.4d vs. %s", at->day, at->minute, times)); - - if (times == NULL) { - /* this should not happen */ - _log_err("internal error: " __FILE__ " line %d", __LINE__); - return FALSE; - } - - if (times[j] == '!') { - ++j; - not = TRUE; - } else { - not = FALSE; - } - - for (marked_day = 0; len > 0 && isalpha(times[j]); --len) { - int this_day=-1; - - D(("%c%c ?", times[j], times[j+1])); - for (i=0; days[i].d != NULL; ++i) { - if (tolower(times[j]) == days[i].d[0] - && tolower(times[j+1]) == days[i].d[1] ) { - this_day = days[i].bit; - break; - } - } - j += 2; - if (this_day == -1) { - _log_err("bad day specified (rule #%d)", rule); - return FALSE; - } - marked_day ^= this_day; - } - if (marked_day == 0) { - _log_err("no day specified"); - return FALSE; - } - D(("day range = 0%o", marked_day)); - - time_start = 0; - for (i=0; len > 0 && i < 4 && isdigit(times[i+j]); ++i, --len) { - time_start *= 10; - time_start += times[i+j]-'0'; /* is this portable? */ - } - j += i; - - if (times[j] == '-') { - time_end = 0; - for (i=1; len > 0 && i < 5 && isdigit(times[i+j]); ++i, --len) { - time_end *= 10; - time_end += times[i+j]-'0'; /* is this portable */ - } - j += i; - } else - time_end = -1; - - D(("i=%d, time_end=%d, times[j]='%c'", i, time_end, times[j])); - if (i != 5 || time_end == -1) { - _log_err("no/bad times specified (rule #%d)", rule); - return TRUE; - } - D(("times(%d to %d)", time_start,time_end)); - D(("marked_day = 0%o", marked_day)); - - /* compare with the actual time now */ - - pass = FALSE; - if (time_start < time_end) { /* start < end ? 
--> same day */ - if ((at->day & marked_day) && (at->minute >= time_start) - && (at->minute < time_end)) { - D(("time is listed")); - pass = TRUE; - } - } else { /* spans two days */ - if ((at->day & marked_day) && (at->minute >= time_start)) { - D(("caught on first day")); - pass = TRUE; - } else { - marked_day <<= 1; - marked_day |= (marked_day & 0200) ? 1:0; - D(("next day = 0%o", marked_day)); - if ((at->day & marked_day) && (at->minute <= time_end)) { - D(("caught on second day")); - pass = TRUE; - } - } - } - - return (not ^ pass); -} - -static int check_account(const char *service - , const char *tty, const char *user) -{ - int from=0,to=0,fd=-1; - char *buffer=NULL; - int count=0; - TIME here_and_now; - int retval=PAM_SUCCESS; - - here_and_now = time_now(); /* find current time */ - do { - boolean good=TRUE,intime; - - /* here we get the service name field */ - - fd = read_field(fd,&buffer,&from,&to); - - if (!buffer || !buffer[0]) { - /* empty line .. ? */ - continue; - } - ++count; - - good = logic_field(service, buffer, count, is_same); - D(("with service: %s", good ? "passes":"fails" )); - - /* here we get the terminal name field */ - - fd = read_field(fd,&buffer,&from,&to); - if (!buffer || !buffer[0]) { - _log_err(PAM_TIME_CONF "; no tty entry #%d", count); - continue; - } - good &= logic_field(tty, buffer, count, is_same); - D(("with tty: %s", good ? "passes":"fails" )); - - /* here we get the username field */ - - fd = read_field(fd,&buffer,&from,&to); - if (!buffer || !buffer[0]) { - _log_err(PAM_TIME_CONF "; no user entry #%d", count); - continue; - } - good &= logic_field(user, buffer, count, is_same); - D(("with user: %s", good ? "passes":"fails" )); - - /* here we get the time field */ - - fd = read_field(fd,&buffer,&from,&to); - if (!buffer || !buffer[0]) { - _log_err(PAM_TIME_CONF "; no time entry #%d", count); - continue; - } - - intime = logic_field(&here_and_now, buffer, count, check_time); - D(("with time: %s", intime ? 
"passes":"fails" )); - - fd = read_field(fd,&buffer,&from,&to); - if (buffer && buffer[0]) { - _log_err(PAM_TIME_CONF "; poorly terminated rule #%d", count); - continue; - } - - if (good && !intime) { - /* - * for security parse whole file.. also need to ensure - * that the buffer is free()'d and the file is closed. - */ - retval = PAM_PERM_DENIED; - } else { - D(("rule passed")); - } - } while (buffer); - - return retval; -} - -/* --- public account management functions --- */ - -PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - const char *service=NULL, *tty=NULL; - const char *user=NULL; - - /* set service name */ - - if (pam_get_item(pamh, PAM_SERVICE, (const void **)&service) - != PAM_SUCCESS || service == NULL) { - _log_err("cannot find the current service name"); - return PAM_ABORT; - } - - /* set username */ - - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL - || *user == '\0') { - _log_err("cannot determine the user's name"); - return PAM_USER_UNKNOWN; - } - - /* set tty name */ - - if (pam_get_item(pamh, PAM_TTY, (const void **)&tty) != PAM_SUCCESS - || tty == NULL) { - D(("PAM_TTY not set, probing stdin")); - tty = ttyname(STDIN_FILENO); - if (tty == NULL) { - _log_err("couldn't get the tty name"); - return PAM_ABORT; - } - if (pam_set_item(pamh, PAM_TTY, tty) != PAM_SUCCESS) { - _log_err("couldn't set tty name"); - return PAM_ABORT; - } - } - - if (strncmp("/dev/",tty,5) == 0) { /* strip leading /dev/ */ - tty += 5; - } - - /* good, now we have the service name, the user and the terminal name */ - - D(("service=%s", service)); - D(("user=%s", user)); - D(("tty=%s", tty)); - - return check_account(service,tty,user); -} - -/* end of module definition */ - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_time_modstruct = { - "pam_time", - NULL, - NULL, - pam_sm_acct_mgmt, - NULL, - NULL, - NULL -}; -#endif 
diff --git a/contrib/libpam/modules/pam_time/time.conf b/contrib/libpam/modules/pam_time/time.conf deleted file mode 100644 index d2062fdb5a37..000000000000 --- a/contrib/libpam/modules/pam_time/time.conf +++ /dev/null 
@@ -1,64 +0,0 @@
-# this is an example configuration file for the pam_time module. Its syntax
-# was initially based heavily on that of the shadow package (shadow-960129).
-#
-# the syntax of the lines is as follows:
-#
-# services;ttys;users;times
-#
-# white space is ignored and lines maybe extended with '\\n' (escaped
-# newlines). As should be clear from reading these comments,
-# text following a '#' is ignored to the end of the line.
-#
-# the combination of individual users/terminals etc is a logic list
-# namely individual tokens that are optionally prefixed with '!' (logical
-# not) and separated with '&' (logical and) and '|' (logical or).
-#
-# services
-# is a logic list of PAM service names that the rule applies to.
-#
-# ttys
-# is a logic list of terminal names that this rule applies to.
-#
-# users
-# is a logic list of users to whom this rule applies.
-#
-# NB. For these items the simple wildcard '*' may be used only once.
-#
-# times
-# the format here is a logic list of day/time-range
-# entries the days are specified by a sequence of two character
-# entries, MoTuSa for example is Monday Tuesday and Saturday. Note
-# that repeated days are unset MoMo = no day, and MoWk = all weekdays
-# bar Monday. The two character combinations accepted are
-#
-# Mo Tu We Th Fr Sa Su Wk Wd Al
-#
-# the last two being week-end days and all 7 days of the week
-# respectively. As a final example, AlFr means all days except Friday.
-#
-# each day/time-range can be prefixed with a '!' to indicate "anything
-# but"
-#
-# The time-range part is two 24-hour times HHMM separated by a hyphen
-# indicating the start and finish time (if the finish time is smaller
-# than the start time it is deemed to apply on the following day).
-#
-# for a rule to be active, ALL of service+ttys+users must be satisfied
-# by the applying process.
-#
-
-#
-# Here is a simple example: running blank on tty* (any ttyXXX device),
-# the users 'you' and 'me' are denied service all of the time
-#
-
-#blank;tty* & !ttyp*;you|me;!Al0000-2400
-
-# Another silly example, user 'root' is denied xsh access
-# from pseudo terminals at the weekend and on mondays.
-
-#xsh;ttyp*;root;!WdMo0000-2400
-
-#
-# End of example file.
-#
\ No newline at end of file
diff --git a/contrib/libpam/modules/pam_unix/CHANGELOG b/contrib/libpam/modules/pam_unix/CHANGELOG
deleted file mode 100644
index 37e4c8501c9d..000000000000
--- a/contrib/libpam/modules/pam_unix/CHANGELOG
+++ /dev/null
@@ -1,6 +0,0 @@
-$Id: CHANGELOG,v 1.1 1996/11/09 19:42:41 morgan Exp $
-
-$Log: CHANGELOG,v $
-Revision 1.1 1996/11/09 19:42:41 morgan
-Initial revision
-
diff --git a/contrib/libpam/modules/pam_unix/Makefile b/contrib/libpam/modules/pam_unix/Makefile
deleted file mode 100644
index ad1f47f185e4..000000000000
--- a/contrib/libpam/modules/pam_unix/Makefile
+++ /dev/null
@@ -1,155 +0,0 @@ -# $Header$ -# -# This Makefile controls a build process of the pam_unix modules -# for Linux-PAM. You should not modify this Makefile. -# -# $Log$ -# Revision 1.1.1.2 1998/06/03 03:43:56 adam -# Import from archive -# -# Revision 1.3 1998/05/31 23:48:13 adam -# Link crypt library as necessary. -# -# Revision 1.3 1997/04/05 06:20:58 morgan -# fakeroot and also lockpwdf is in libc now -# -# Revision 1.2 1996/11/10 20:18:59 morgan -# cross platform support -# -# Revision 1.1 1996/11/09 19:44:16 morgan -# Initial revision -# -# - -######################################################################## -# some options... uncomment to take effect -######################################################################## - -# do you want shadow? -USE_SHADOW=-D"HAVE_SHADOW_H" - -# do you want cracklib? -ifeq ($(HAVE_CRACKLIB),yes) -USE_CRACKLIB=-D"USE_CRACKLIB" -endif - -# do you want to use lckpwdf? -USE_LCKPWDF=-D"USE_LCKPWDF" - -# do you need to include the locking functions in the source? 
-#NEED_LCKPWDF=-D"NEED_LCKPWDF" - -######################################################################## - -CFLAGS += $(USE_SHADOW) $(USE_CRACKLIB) $(USE_LCKPWDF) $(NEED_LCKPWDF) - -ifdef DYNAMIC -LIBSESSSH = pam_unix_session.so -LIBAUTHSH = pam_unix_auth.so -LIBPASSWDSH = pam_unix_passwd.so -LIBACCOUNT = pam_unix_acct.so -endif - -ifdef STATIC -LIBSTATIC = libpam_unix.o -endif - -ifdef USE_CRACKLIB -CRACKLIB = -lcrack -endif - -LIBAUTHOBJ = pam_unix_auth.o support.o -LIBAUTHSRC = pam_unix_auth.c support.c -LIBSESSOBJ = pam_unix_sess.o -LIBSESSSRC = pam_unix_sess.c -LIBPASSWDSRC = pam_unix_passwd.c -LIBPASSWDOBJ = pam_unix_passwd.o -LIBACCOUNTSRC = pam_unix_acct.c -LIBACCOUNTOBJ = pam_unix_acct.o -LIBOBJ = $(LIBAUTHOBJ) $(LIBSESSOBJ) $(LIBPASSWDOBJ) $(LIBACCOUNTOBJ) -LIBSRC = $(LIBAUTHSRC) $(LIBSESSSRC) $(LIBPASSWDSRC) $(LIBACCOUNTSRC) - -LIBSHARED = $(LIBSESSSH) $(LIBAUTHSH) $(LIBPASSWDSH) $(LIBACCOUNT) - -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) -c $< -o $@ - -static/%.o: %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) -c $< -o $@ - - -########################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -info: - @echo - @echo "*** Building pam-unix(alpha) module of the framework..." - @echo - -all: dirs info $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - mkdir -p ./dynamic -endif -ifdef STATIC - mkdir -p ./static -endif - -register: -ifdef STATIC - ( cd .. 
; \ - ./register_static pam_unix_auth pam_unix/$(LIBSTATIC) ; \ - ./register_static pam_unix_acct "" ; \ - ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBAUTHSH): $(LIBAUTHSRC) $(LIBOBJD) - $(LD_D) -o $@ $(addprefix dynamic/,$(LIBAUTHOBJ)) -lcrypt - -$(LIBSESSSH): $(LIBSESSSRC) $(LIBOBJD) - $(LD_D) -o $@ $(addprefix dynamic/,$(LIBSESSOBJ)) - -$(LIBPASSWDSH): $(LIBPASSWDSRC) $(LIBOBJD) - $(LD_D) -o $@ $(addprefix dynamic/,$(LIBPASSWDOBJ)) $(CRACKLIB) -lcrypt - -$(LIBACCOUNT): $(LIBACCOUNTSRC) $(LIBOBJD) - $(LD_D) -o $@ $(addprefix dynamic/,$(LIBACCOUNTOBJ)) -endif - - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - mkdir -p $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - install -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - cd $(FAKEROOT)$(SECUREDIR) && rm -f $(LIBSHARED) - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) a.out core *~ - -extraclean: clean - rm -f *.a *.out *.o *.so *.bak - -.c.o: - $(CC) -c $(CFLAGS) $< - diff --git a/contrib/libpam/modules/pam_unix/README b/contrib/libpam/modules/pam_unix/README deleted file mode 100644 index 082e99697da2..000000000000 --- a/contrib/libpam/modules/pam_unix/README +++ /dev/null 
@@ -1,39 +0,0 @@ -This is the README for pam_unix in Linux-PAM-0.53. --------------------------------------------------- - -pam_unix comes as four separate modules: - -pam_unix_auth: authentication module providing - pam_authenticate() and pam_setcred() hooks - - NO options are recognized. Credential facilities are trivial - (function simply returns) - -pam_unix_sess: session module, providing session logging - - "debug" and "trace" arguments are accepted, which indicate the - logging-level for syslog. - - "debug" -> LOG_DEBUG [ also default ] - "trace" -> LOG_AUTHPRIV - -pam_unix_acct: account management, providing shadow account - managment features, password aging etc.. - - NO options are recognized. Account managment trivial without - shadow active. - -pam_unix_passwd: password updating facilities providing - cracklib password strength checking facilities. - - if compiled, the default behavior is to check passwords - strictly using CrackLib. This behavior can be turned off - with the argument - - "strict=false" - - invalid arguments are logged to syslog. - ------------------------------- -- Andrew 1996/11/9 ------------------------------- diff --git a/contrib/libpam/modules/pam_unix/pam_unix_acct.c b/contrib/libpam/modules/pam_unix/pam_unix_acct.c deleted file mode 100644 index 5c0546aa1f8f..000000000000 --- a/contrib/libpam/modules/pam_unix/pam_unix_acct.c +++ /dev/null 
@@ -1,117 +0,0 @@ -/* - * Copyright Elliot Lee, 1996. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ - -/* pam_unix_acct.c module, different track */ - -#ifdef linux -# define _GNU_SOURCE -# include -#endif - -#include -#include -#include -#define __USE_MISC -#include -#include -#include -#include -#ifdef HAVE_SHADOW_H -#include -#endif -#include - -#define PAM_SM_ACCOUNT - -#ifndef LINUX -# include -#endif - -#define _PAM_EXTERN_FUNCTIONS -#include - -PAM_EXTERN -int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ -#ifdef HAVE_SHADOW_H - const char *uname; - int retval; - time_t curdays; - struct spwd *spent; - struct passwd *pwent; - - setpwent(); - setspent(); - retval = pam_get_item(pamh,PAM_USER,(const void **)&uname); - if(retval != PAM_SUCCESS || uname == NULL) { - return PAM_SUCCESS; /* Couldn't get username, just ignore this - (i.e. they don't have any expiry info available */ - } - pwent = getpwnam(uname); - if(!pwent) - return PAM_USER_UNKNOWN; - if(strcmp(pwent->pw_passwd,"x")) - return PAM_SUCCESS; /* They aren't using shadow passwords & expiry - info */ - spent = getspnam(uname); - if(!spent) - return PAM_SUCCESS; /* Couldn't get username from shadow, just ignore this - (i.e. they don't have any expiry info available */ - curdays = time(NULL)/(60*60*24); - if((curdays > (spent->sp_lstchg + spent->sp_max + spent->sp_inact)) - && (spent->sp_max != -1) && (spent->sp_inact != -1)) - return PAM_ACCT_EXPIRED; - if((curdays > spent->sp_expire) && (spent->sp_expire != -1)) - return PAM_ACCT_EXPIRED; - endspent(); - endpwent(); -#endif - return PAM_SUCCESS; -} - - -/* static module data */ -#ifdef PAM_STATIC -struct pam_module _pam_unix_acct_modstruct = { - "pam_unix_acct", - NULL, - NULL, - pam_sm_acct_mgmt, - NULL, - NULL, - NULL, -}; -#endif diff --git a/contrib/libpam/modules/pam_unix/pam_unix_auth.c b/contrib/libpam/modules/pam_unix/pam_unix_auth.c deleted file mode 100644 index 65c2229b2808..000000000000 --- a/contrib/libpam/modules/pam_unix/pam_unix_auth.c +++ /dev/null 
@@ -1,309 +0,0 @@ -/* $Header: /home/morgan/pam/Linux-PAM-0.59/modules/pam_unix/RCS/pam_unix_auth.c,v 1.1 1996/11/09 19:44:35 morgan Exp morgan $ */ - -/* - * Copyright Alexander O. Yuriev, 1996. All rights reserved. - * NIS+ support by Thorsten Kukuk - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * $Log: pam_unix_auth.c,v $ - * - * Revision 1.9 1996/05/26 04:13:04 morgan - * added static support - * - * Revision 1.8 1996/05/21 03:51:58 morgan - * added "const" to rcsid[] definition - * - * Revision 1.7 1996/04/19 03:25:57 alex - * minor corrections. - * - * Revision 1.6 1996/04/17 01:05:05 alex - * _pam_auth_unix() cleaned up - non-authentication code is made into funcs - * and mostly moved out to support.c. - * - * Revision 1.5 1996/04/16 21:12:46 alex - * unix authentication works on Bach again. This is a tranitional stage. - * I really don't like that _pam_unix_auth() grew into a monster that does - * prompts etc etc. They should go into other functions. - * - * Revision 1.4 1996/04/07 08:06:12 morgan - * tidied up a little - * - * Revision 1.3 1996/04/07 07:34:07 morgan - * added conversation support. Now the module is capable of obtaining a - * username and a password all by itself. - * - * Revision 1.2 1996/03/29 02:31:19 morgan - * Marek Michalkiewicz's small patches for shadow support. 
- * - * Revision 1.1 1996/03/09 09:10:57 morgan - * Initial revision - * - */ - -#ifdef linux -# define _GNU_SOURCE -# include -#endif - -#include -#include -#include -#define __USE_BSD -#include -#include -#include - -#ifndef NDEBUG - -#include - -#endif /* NDEBUG */ - -#ifdef HAVE_SHADOW_H - -#include - -#endif /* HAVE_SHADOW_H */ - -#ifndef LINUX - -#include - -#endif /* LINUX */ - -#define _PAM_EXTERN_FUNCTIONS -#include - -static const char rcsid[] = "$Id: pam_unix_auth.c,v 1.1 1996/11/09 19:44:35 morgan Exp morgan $ pam_unix authentication functions. alex@bach.cis.temple.edu"; - -/* Define function phototypes */ - -extern char *crypt(const char *key, const char *salt); /* This should have - been in unistd.h - but it is not */ -extern int converse( pam_handle_t *pamh, - int nargs, - struct pam_message **message, - struct pam_response **response ); - -extern int _set_auth_tok( pam_handle_t *pamh, - int flags, int argc, - const char **argv ); - -static int _pam_auth_unix( pam_handle_t *pamh, - int flags, int argc, - const char **argv ); - -static int _pam_set_credentials_unix ( pam_handle_t *pamh, - int flags, - int argc, - const char ** argv ) ; - - -/* Fun starts here :) - * - * _pam_auth_unix() actually performs UNIX/shadow authentication - * - * First, if shadow support is available, attempt to perform - * authentication using shadow passwords. If shadow is not - * available, or user does not have a shadow password, fallback - * onto a normal UNIX authentication - */ - -static int _pam_auth_unix( pam_handle_t *pamh, - int flags, - int argc, - const char **argv ) -{ - int retval; - struct passwd *pw; - const char *name; - char *p, *pp; - const char *salt; - -#ifdef HAVE_SHADOW_H - - struct spwd *sp; - -#endif - - /* get the user'name' */ - - if ( (retval = pam_get_user( pamh, &name, "login: ") ) != PAM_SUCCESS ) - return retval; - - /* - * at some point we will have to make this module pay - * attention to arguments, like 'pam_first_pass' etc... 
- */ - - pw = getpwnam ( name ); - -#ifndef __FreeBSD__ - /* For NIS+, root cannot get password for lesser user */ - if (pw) { - uid_t save_euid, save_uid; - - save_uid = getuid (); - save_euid = geteuid(); - if (setreuid (0,pw->pw_uid) >= 0) { - pw = getpwnam ( name ); - setreuid (save_uid,save_euid); - } - } -#endif - - if ( pw && (!pw->pw_passwd || pw->pw_passwd[0] == '\0') && - !(flags & PAM_DISALLOW_NULL_AUTHTOK)) { - return PAM_SUCCESS; - } - pam_get_item( pamh, PAM_AUTHTOK, (void*) &p ); - - if ( !p ) - { - retval = _set_auth_tok( pamh, flags, argc, argv ); - if ( retval != PAM_SUCCESS ) - return retval; - } - - /* - We have to call pam_get_item() again because value of p should - change - */ - - pam_get_item( pamh, PAM_AUTHTOK, (void*) &p ); - - - if (pw) - { - -#ifdef HAVE_SHADOW_H - - /* - * Support for shadow passwords on Linux and SVR4-based - * systems. Shadow passwords are optional on Linux - if - * there is no shadow password, use the non-shadow one. - */ - - sp = getspnam( name ); - if (sp && (!strcmp(pw->pw_passwd,"x"))) - { - /* TODO: check if password has expired etc. */ - salt = sp->sp_pwdp; - } - else -#endif - salt = pw->pw_passwd; - } - else - return PAM_USER_UNKNOWN; - - /* The 'always-encrypt' method does not make sense in PAM - because the framework requires return of a different - error code for non-existant users -- alex */ - - if ( ( !pw->pw_passwd ) && ( !p ) ) - if ( flags && PAM_DISALLOW_NULL_AUTHTOK ) - return PAM_SUCCESS; - else - return PAM_AUTH_ERR; - - pp = crypt(p, salt); - - if ( strcmp( pp, salt ) == 0 ) - return PAM_SUCCESS; - - return PAM_AUTH_ERR; -} - -/* - * The only thing _pam_set_credentials_unix() does is initialization of - * UNIX group IDs. - * - * Well, everybody but me on linux-pam is convinced that it should not - * initialize group IDs, so I am not doing it but don't say that I haven't - * warned you. 
-- AOY - */ - -static int _pam_set_credentials_unix ( pam_handle_t *pamh, - int flags, - int argc, - const char **argv ) - -{ /* FIX ME: incorrect error code */ - - return PAM_SUCCESS; /* This is a wrong result code. From what I - remember from reafing one of the guides - there's an error-level saying 'N/A func' - -- AOY - */ -} - -/* - * PAM framework looks for these entry-points to pass control to the - * authentication module. - */ - -PAM_EXTERN -int pam_sm_authenticate( pam_handle_t *pamh, - int flags, - int argc, - const char **argv ) -{ - return _pam_auth_unix( pamh, flags, argc, argv ); -} - -PAM_EXTERN -int pam_sm_setcred( pam_handle_t *pamh, - int flags, - int argc, - const char **argv) -{ - return _pam_set_credentials_unix ( pamh, flags, argc, argv ) ; -} - - -/* static module data */ -#ifdef PAM_STATIC -struct pam_module _pam_unix_auth_modstruct = { - "pam_unix_auth", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - NULL, -}; -#endif diff --git a/contrib/libpam/modules/pam_unix/pam_unix_passwd.c b/contrib/libpam/modules/pam_unix/pam_unix_passwd.c deleted file mode 100644 index de1345e85285..000000000000 --- a/contrib/libpam/modules/pam_unix/pam_unix_passwd.c +++ /dev/null 
@@ -1,813 +0,0 @@ - -/* Main coding by Elliot Lee , Red Hat Software. - Copyright (C) 1996. */ - -/* - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ - -/* - How it works: - Gets in username (has to be done) from the calling program - Does authentication of user (only if we are not running as root) - Gets new password/checks for sanity - Sets it. - */ - -#define PAM_SM_PASSWORD - -/* #define DEBUG 1 */ - -#include -#include -#define _BSD_SOURCE -#define _SVID_SOURCE -#include -#define __USE_BSD -#define _BSD_SOURCE -#include -#include - -/* why not defined? */ -void setpwent(void); -void endpwent(void); -int chmod(const char *path, mode_t mode); -struct passwd *fgetpwent(FILE *stream); -int putpwent(const struct passwd *p, FILE *stream); - -#include -char *crypt(const char *key, const char *salt); -#ifdef USE_CRACKLIB -#include -#endif -#include -#include -#include -#include -#include -#include -#include -#include - -#ifndef LINUX /* AGM added this as of 0.2 */ -#include -#endif /* ditto */ -#include -#ifdef HAVE_SHADOW_H -#include -#endif - -#define MAX_PASSWD_TRIES 3 -#define OLD_PASSWORD_PROMPT "Password: " -#define NEW_PASSWORD_PROMPT "New password: " -#define AGAIN_PASSWORD_PROMPT "New password (again): " -#define PW_TMPFILE "/etc/npasswd" -#define SH_TMPFILE "/etc/nshadow" -#define CRACKLIB_DICTS "/usr/lib/cracklib_dict" - -/* Various flags for the getpass routine to send back in... */ -#define PPW_EXPIRED 1 -#define PPW_EXPIRING 2 -#define PPW_WILLEXPIRE 4 -#define PPW_NOSUCHUSER 8 -#define PPW_SHADOW 16 -#define PPW_TOOEARLY 32 -#define PPW_ERROR 64 - -#ifndef DO_TEST -#define STATIC static -#else -#define STATIC -#endif -/* Sets a password for the specified user to the specified password - Returns flags PPW_*, or'd. */ -STATIC int _do_setpass(char *forwho, char *towhat, int flags); -/* Gets a password for the specified user - Returns flags PPW_*, or'd. 
*/ -STATIC int _do_getpass(char *forwho, char **theirpass); -/* Checks whether the password entered is same as listed in the database - 'entered' should not be crypt()'d or anything (it should be as the - user entered it...), 'listed' should be as it is listed in the - password database file */ -STATIC int _do_checkpass(const char *entered, char *listed); - -/* sends a one-way message to the user, either error or info... */ -STATIC int conv_sendmsg(struct pam_conv *aconv, const char *message, int style); -/* sends a message and returns the results of the conversation */ -STATIC int conv_getitem(struct pam_conv *aconv, char *message, int style, - char **result); - -PAM_EXTERN -int pam_sm_chauthtok( pam_handle_t *pamh, - int flags, - int argc, - const char **argv); - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-unix_passwd", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -#ifdef NEED_LCKPWDF -/* This is a hack, but until libc and glibc both include this function - * by default (libc only includes it if nys is not being used, at the - * moment, and glibc doesn't appear to have it at all) we need to have - * it here, too. :-( - * - * This should not become an official part of PAM. - * - * BEGIN_HACK -*/ - -/* - * lckpwdf.c -- prevent simultaneous updates of password files - * - * Before modifying any of the password files, call lckpwdf(). It may block - * for up to 15 seconds trying to get the lock. Return value is 0 on success - * or -1 on failure. When you are done, call ulckpwdf() to release the lock. - * The lock is also released automatically when the process exits. Only one - * process at a time may hold the lock. - * - * These functions are supposed to be conformant with AT&T SVID Issue 3. - * - * Written by Marek Michalkiewicz , - * public domain. 
- */ - -#include -#include - -#define LOCKFILE "/etc/.pwd.lock" -#define TIMEOUT 15 - -static int lockfd = -1; - -static int -set_close_on_exec(int fd) -{ - int flags = fcntl(fd, F_GETFD, 0); - if (flags == -1) - return -1; - flags |= FD_CLOEXEC; - return fcntl(fd, F_SETFD, flags); -} - -static int -do_lock(int fd) -{ - struct flock fl; - - memset(&fl, 0, sizeof fl); - fl.l_type = F_WRLCK; - fl.l_whence = SEEK_SET; - return fcntl(fd, F_SETLKW, &fl); -} - -static void -alarm_catch(int sig) -{ -/* does nothing, but fcntl F_SETLKW will fail with EINTR */ -} - -static int lckpwdf(void) -{ - struct sigaction act, oldact; - sigset_t set, oldset; - - if (lockfd != -1) - return -1; - - lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600); - if (lockfd == -1) - return -1; - if (set_close_on_exec(lockfd) == -1) - goto cleanup_fd; - - memset(&act, 0, sizeof act); - act.sa_handler = alarm_catch; - act.sa_flags = 0; - sigfillset(&act.sa_mask); - if (sigaction(SIGALRM, &act, &oldact) == -1) - goto cleanup_fd; - - sigemptyset(&set); - sigaddset(&set, SIGALRM); - if (sigprocmask(SIG_UNBLOCK, &set, &oldset) == -1) - goto cleanup_sig; - - alarm(TIMEOUT); - if (do_lock(lockfd) == -1) - goto cleanup_alarm; - alarm(0); - sigprocmask(SIG_SETMASK, &oldset, NULL); - sigaction(SIGALRM, &oldact, NULL); - return 0; - -cleanup_alarm: - alarm(0); - sigprocmask(SIG_SETMASK, &oldset, NULL); -cleanup_sig: - sigaction(SIGALRM, &oldact, NULL); -cleanup_fd: - close(lockfd); - lockfd = -1; - return -1; -} - -static int -ulckpwdf(void) -{ - unlink(LOCKFILE); - if (lockfd == -1) - return -1; - - if (close(lockfd) == -1) { - lockfd = -1; - return -1; - } - lockfd = -1; - return 0; -} -/* END_HACK */ -#endif - -#define PAM_FAIL_CHECK if(retval != PAM_SUCCESS) { return retval; } - -PAM_EXTERN -int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) -{ - char *usrname, *curpass, *newpass; /* pointers to the username, - current password, and new password */ - - struct pam_conv 
*appconv; /* conversation with the app */ - struct pam_message msg, *pmsg; /* Misc for conversations */ - struct pam_response *resp; - - int retval=0; /* Gets the return values for all our function calls */ - unsigned int pflags=0; /* Holds the flags from our getpass & setpass - functions */ - - const char *cmiscptr; /* Utility variables, used for different purposes at - different times */ - char *miscptr; /* Utility variables, used for different purposes at - different times */ - unsigned int miscint; - int fascist = 1; /* Be fascist by default. If compiled with cracklib, - call cracklib. Otherwise just check length... */ - - char argbuf[256],argval[256]; - int i; - - - retval = pam_get_item(pamh,PAM_CONV,(const void **) &appconv); - PAM_FAIL_CHECK; - - retval = pam_get_item(pamh,PAM_USER,(const void **) &usrname); - PAM_FAIL_CHECK; - if(flags & PAM_PRELIM_CHECK) { - pflags = _do_getpass(usrname,&miscptr); - if(pflags & PPW_NOSUCHUSER) - return PAM_USER_UNKNOWN; - else if(pflags & ~(PPW_SHADOW|PPW_EXPIRING|PPW_WILLEXPIRE)) - return PAM_AUTHTOK_ERR; - else - return PAM_SUCCESS; - } /* else... */ -#ifdef DEBUG - fprintf(stderr,"Got username of %s\n",usrname); -#endif - if((usrname == NULL) || (strlen(usrname) < 1)) { - /* The app is supposed to get us the username! */ - retval = PAM_USER_UNKNOWN; - PAM_FAIL_CHECK; - } - - for(i=0; i < argc; i++) { - { - char *tmp = x_strdup(argv[i]); - strncpy(argbuf,strtok(tmp ,"="),255); - strncpy(argval,strtok(NULL,"="),255); - free(tmp); - } - - /* For PC functionality use "strict" -- historically "fascist" */ - if(!strcmp(argbuf,"strict") || !strcmp(argbuf, "fascist")) - - if(!strcmp(argval,"true")) - fascist = 1; - else if(!strcmp(argval,"false")) - fascist = 0; - else - return PAM_SERVICE_ERR; - else { - _pam_log(LOG_ERR,"Unknown option: %s",argbuf); - return PAM_SERVICE_ERR; - } - } - - - /* Now we have all the initial information we need from the app to - set things up (we assume that getting the username succeeded...) 
*/ - retval = pam_get_item(pamh,PAM_OLDAUTHTOK,(const void **) &curpass); - PAM_FAIL_CHECK; - if(getuid()) { /* If this is being run by root, we don't need to get their - old password. - note */ - /* If we haven't been given a password yet, prompt for one... */ - miscint=0; - while((curpass == NULL) && (miscint++ < MAX_PASSWD_TRIES)) { - pflags = _do_getpass(usrname,&miscptr); - if(pflags & PPW_NOSUCHUSER) - return PAM_USER_UNKNOWN; /* If the user that was passed in doesn't - exist, say so and exit (app passes in - username) */ - - /* Get the password from the user... */ - pmsg = &msg; - - msg.msg_style = PAM_PROMPT_ECHO_OFF; - msg.msg = OLD_PASSWORD_PROMPT; - resp = NULL; - - retval = appconv->conv(1, (const struct pam_message **) &pmsg, - &resp, appconv->appdata_ptr); - - PAM_FAIL_CHECK; - curpass = resp->resp; - free (resp); - if(_do_checkpass(curpass?curpass:"",miscptr)) { - int abortme = 0; - - /* password is incorrect... */ - if (curpass && curpass[0] == '\0') { - /* ...and it was zero-length; user wishes to abort change */ - abortme = 1; - } - if (curpass) { free (curpass); } - curpass = NULL; - if (abortme) { - conv_sendmsg(appconv,"Password change aborted.",PAM_ERROR_MSG); - return PAM_AUTHTOK_ERR; - } - } - } - - if(curpass == NULL) - return PAM_AUTH_ERR; /* They didn't seem to enter the right password - for three tries - error */ - pam_set_item(pamh, PAM_OLDAUTHTOK, (void *)curpass); - } else { -#ifdef DEBUG - fprintf(stderr,"I am ROOT!\n"); -#endif - pflags = _do_getpass(usrname,&curpass); - if(curpass == NULL) - curpass = x_strdup(""); - } - if(pflags & PPW_TOOEARLY) { - conv_sendmsg(appconv,"You must wait longer to change your password", - PAM_ERROR_MSG); - return PAM_AUTHTOK_ERR; - } - if(pflags & PPW_WILLEXPIRE) - conv_sendmsg(appconv,"Your password is about to expire",PAM_TEXT_INFO); - else if(pflags & PPW_EXPIRED) - return PAM_ACCT_EXPIRED; /* If their account has expired, we can't auth - them to change their password */ - if(!(pflags & 
PPW_EXPIRING) && (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) - return PAM_SUCCESS; - /* If we haven't been given a password yet, prompt for one... */ - miscint=0; - pam_get_item(pamh,PAM_AUTHTOK,(const void **)&newpass); - cmiscptr = NULL; - while((newpass == NULL) && (miscint++ < MAX_PASSWD_TRIES)) { - - /* Get the password from the user... */ - pmsg = &msg; - - msg.msg_style = PAM_PROMPT_ECHO_OFF; - msg.msg = NEW_PASSWORD_PROMPT; - resp = NULL; - - retval = appconv->conv(1, (const struct pam_message **) &pmsg, - &resp, appconv->appdata_ptr); - - PAM_FAIL_CHECK; - newpass = resp->resp; - free (resp); - -#ifdef DEBUG - if(newpass) - fprintf(stderr,"Got password of %s\n",newpass); - else - fprintf(stderr,"No new password...\n"); -#endif - if (newpass[0] == '\0') { free (newpass); newpass = (char *) 0; } - cmiscptr=NULL; - if(newpass) { -#ifdef USE_CRACKLIB - if(fascist && getuid()) - cmiscptr = FascistCheck(newpass,CRACKLIB_DICTS); -#else - if(fascist && getuid() && strlen(newpass) < 6) - cmiscptr = "You must choose a longer password"; -#endif - if(curpass) - if(!strcmp(curpass,newpass)) { - cmiscptr="You must choose a new password."; - newpass=NULL; - } - } else { - /* We want to abort the password change */ - conv_sendmsg(appconv,"Password change aborted",PAM_ERROR_MSG); - return PAM_AUTHTOK_ERR; - } - if(!cmiscptr) { - /* We ask them to enter their password again... */ - /* Get the password from the user... */ - pmsg = &msg; - - msg.msg_style = PAM_PROMPT_ECHO_OFF; - msg.msg = AGAIN_PASSWORD_PROMPT; - resp = NULL; - - retval = appconv->conv(1, (const struct pam_message **) &pmsg, - &resp, appconv->appdata_ptr); - - PAM_FAIL_CHECK; - miscptr = resp->resp; - free (resp); - if (miscptr[0] == '\0') { free (miscptr); miscptr = (char *) 0; } - if(!miscptr) { /* Aborting password change... 
*/ - conv_sendmsg(appconv,"Password change aborted",PAM_ERROR_MSG); - return PAM_AUTHTOK_ERR; - } - if(!strcmp(newpass,miscptr)) { - miscptr=NULL; - break; - } - conv_sendmsg(appconv,"You must enter the same password twice.", - PAM_ERROR_MSG); - miscptr=NULL; - newpass=NULL; - } - else { - conv_sendmsg(appconv,cmiscptr,PAM_ERROR_MSG); - newpass = NULL; - } - } - if(cmiscptr) { - /* conv_sendmsg(appconv,cmiscptr,PAM_ERROR_MSG); */ - return PAM_AUTHTOK_ERR; - } else if(newpass == NULL) - return PAM_AUTHTOK_ERR; /* They didn't seem to enter the right password - for three tries - error */ -#ifdef DEBUG - printf("Changing password for sure!\n"); -#endif - /* From now on, we are bound and determined to get their password - changed :-) */ - pam_set_item(pamh, PAM_AUTHTOK, (void *)newpass); - retval = _do_setpass(usrname,newpass,pflags); -#ifdef DEBUG - fprintf(stderr,"retval was %d\n",retval); -#endif - if(retval & ~PPW_SHADOW) { - conv_sendmsg(appconv,"Error: Password NOT changed",PAM_ERROR_MSG); - return PAM_AUTHTOK_ERR; - } else { - conv_sendmsg(appconv,"Password changed",PAM_TEXT_INFO); - return PAM_SUCCESS; - } -} - -/* _do_checkpass() returns 0 on success, non-0 on failure */ -STATIC int _do_checkpass(const char *entered, char *listed) -{ - char salt[3]; - if ((strlen(listed) == 0) &&(strlen(entered) == 0)) { - /* no password in database; no password entered */ - return (0); - } - salt[0]=listed[0]; salt[1]=listed[1]; salt[2]='\0'; - return strcmp(crypt(entered,salt),listed); -} - -STATIC char mksalt(int seed) { - int num = seed % 64; - - if (num < 26) - return 'a' + num; - else if (num < 52) - return 'A' + (num - 26); - else if (num < 62) - return '0' + (num - 52); - else if (num == 63) - return '.'; - else - return '/'; -} - -STATIC int _do_setpass(char *forwho, char *towhat,int flags) -{ - struct passwd *pwd=NULL, *tmpent=NULL; - FILE *pwfile,*opwfile; - char thesalt[3]; - int retval=0; - struct timeval time1; - int err = 0; -#ifdef HAVE_SHADOW_H - struct spwd 
*spwdent=NULL, *stmpent=NULL; -#endif - if(flags & PPW_SHADOW) { retval |= PPW_SHADOW; } - gettimeofday(&time1, NULL); - srand(time1.tv_usec); - thesalt[0]=mksalt(rand()); - thesalt[1]=mksalt(rand()); - thesalt[2]='\0'; - - /* lock the entire password subsystem */ -#ifdef USE_LCKPWDF - lckpwdf(); -#endif - setpwent(); - pwd = getpwnam(forwho); -#ifdef DEBUG - printf("Got %p, for %s (salt %s)\n",pwd, - forwho,thesalt); -#endif - if(pwd == NULL) - return PPW_NOSUCHUSER; - endpwent(); - -#ifdef HAVE_SHADOW_H - if(flags & PPW_SHADOW) { - spwdent = getspnam(forwho); - if(spwdent == NULL) - return PPW_NOSUCHUSER; - spwdent->sp_pwdp = towhat; - spwdent->sp_lstchg = time(NULL)/(60*60*24); - pwfile = fopen(SH_TMPFILE,"w"); - opwfile = fopen("/etc/shadow","r"); - if(pwfile == NULL || opwfile == NULL) - return PPW_ERROR; - chown(SH_TMPFILE,0,0); - chmod(SH_TMPFILE,0600); - stmpent=fgetspent(opwfile); - while(stmpent) { - if(!strcmp(stmpent->sp_namp,forwho)) { - stmpent->sp_pwdp = crypt(towhat,thesalt); - stmpent->sp_lstchg = time(NULL)/(60*60*24); -#ifdef DEBUG - fprintf(stderr,"Set password %s for %s\n",stmpent->sp_pwdp, - forwho); -#endif - } - if (putspent(stmpent,pwfile)) { - fprintf(stderr, "error writing entry to shadow file: %s\n", - strerror(errno)); - err = 1; - retval = PPW_ERROR; - break; - } - stmpent=fgetspent(opwfile); - } - fclose(opwfile); - - if (fclose(pwfile)) { - fprintf(stderr, "error writing entries to shadow file: %s\n", - strerror(errno)); - retval = PPW_ERROR; - err = 1; - } - - if (!err) - rename(SH_TMPFILE,"/etc/shadow"); - else - unlink(SH_TMPFILE); - } else { - pwd->pw_passwd = towhat; - pwfile = fopen(PW_TMPFILE,"w"); - opwfile = fopen("/etc/passwd","r"); - if(pwfile == NULL || opwfile == NULL) - return PPW_ERROR; - chown(PW_TMPFILE,0,0); - chmod(PW_TMPFILE,0644); - tmpent=fgetpwent(opwfile); - while(tmpent) { - if(!strcmp(tmpent->pw_name,forwho)) { - tmpent->pw_passwd = crypt(towhat,thesalt); - } - if (putpwent(tmpent,pwfile)) { - 
fprintf(stderr, "error writing entry to password file: %s\n", - strerror(errno)); - err = 1; - retval = PPW_ERROR; - break; - } - tmpent=fgetpwent(opwfile); - } - fclose(opwfile); - - if (fclose(pwfile)) { - fprintf(stderr, "error writing entries to password file: %s\n", - strerror(errno)); - retval = PPW_ERROR; - err = 1; - } - - if (!err) - rename(PW_TMPFILE,"/etc/passwd"); - else - unlink(PW_TMPFILE); - } -#else - pwd->pw_passwd = towhat; - pwfile = fopen(PW_TMPFILE,"w"); - opwfile = fopen("/etc/passwd","r"); - if(pwfile == NULL || opwfile == NULL) - return PPW_ERROR; - chown(PW_TMPFILE,0,0); - chmod(PW_TMPFILE,0644); - tmpent=fgetpwent(opwfile); - while(tmpent) { - if(!strcmp(tmpent->pw_name,forwho)) { - tmpent->pw_passwd = crypt(towhat,thesalt); - } - if (putpwent(tmpent,pwfile)) { - fprintf(stderr, "error writing entry to shadow file: %s\n", - strerror(errno)); - err = 1; - retval = PPW_ERROR; - break; - } - tmpent=fgetpwent(opwfile); - } - fclose(opwfile); - - if (fclose(pwfile)) { - fprintf(stderr, "error writing entries to password file: %s\n", - strerror(errno)); - retval = PPW_ERROR; - err = 1; - } - - if (!err) - rename(PW_TMPFILE,"/etc/passwd"); - else - unlink(PW_TMPFILE); -#endif - /* unlock the entire password subsystem */ -#ifdef USE_LCKPWDF - ulckpwdf(); -#endif - return retval; -} - -STATIC int _do_getpass(char *forwho, char **theirpass) -{ - struct passwd *pwd=NULL; /* Password and shadow password */ -#ifdef HAVE_SHADOW_H - struct spwd *spwdent=NULL; /* file entries for the user */ - time_t curdays; -#endif - int retval=0; - /* UNIX passwords area */ - setpwent(); - pwd = getpwnam(forwho); /* Get password file entry... */ - endpwent(); - if(pwd == NULL) - return PPW_NOSUCHUSER; /* We don't need to do the rest... 
*/ -#ifdef HAVE_SHADOW_H - if(!strcmp(pwd->pw_passwd,"x")) { - /* ...and shadow password file entry for this user, if shadowing - is enabled */ - retval |= PPW_SHADOW; - setspent(); - spwdent = getspnam(forwho); - endspent(); - if(spwdent == NULL) - return PPW_NOSUCHUSER; - *theirpass = x_strdup(spwdent->sp_pwdp); - - /* We have the user's information, now let's check if their account - has expired (60 * 60 * 24 = number of seconds in a day) */ - - /* Get the current number of days since 1970 */ - curdays = time(NULL)/(60*60*24); - if((curdays < (spwdent->sp_lstchg + spwdent->sp_min)) - && (spwdent->sp_min != -1)) - retval |= PPW_TOOEARLY; - else if((curdays - > (spwdent->sp_lstchg + spwdent->sp_max + spwdent->sp_inact)) - && (spwdent->sp_max != -1) && (spwdent->sp_inact != -1)) - /* Their password change has been put off too long, - OR their account has just plain expired */ - retval |= PPW_EXPIRED; - else if((curdays > (spwdent->sp_lstchg + spwdent->sp_max)) - && (spwdent->sp_max != -1)) - /* Their passwd needs to be changed */ - retval |= PPW_EXPIRING; - else if((curdays > (spwdent->sp_lstchg - + spwdent->sp_max - spwdent->sp_warn)) - && (spwdent->sp_max != -1) && (spwdent->sp_warn != -1)) - retval |= PPW_WILLEXPIRE; -/* if(spwdent->sp_lstchg < 0) - retval &= ~(PPW_WILLEXPIRE | PPW_EXPIRING | PPW_EXPIRED); - if(spwdent->sp_max < 0) - retval &= ~(PPW_EXPIRING | PPW_EXPIRED); */ - } else { - *theirpass = (char *)x_strdup(pwd->pw_passwd); - } - -#else - *theirpass = (char *) x_strdup(pwd->pw_passwd); -#endif - - return retval; -} - -STATIC int conv_sendmsg(struct pam_conv *aconv, const char *message, int style) -{ - struct pam_message msg,*pmsg; - struct pam_response *resp; - int retval; - - /* Get the password from the user... 
*/ - pmsg = &msg; - - msg.msg_style = style; - msg.msg = message; - resp = NULL; - - retval = aconv->conv(1, (const struct pam_message **) &pmsg, - &resp, aconv->appdata_ptr); - if (resp) { - _pam_drop_reply(resp, 1); - } - return retval; -} - - -STATIC int conv_getitem(struct pam_conv *aconv, char *message, int style, - char **result) -{ - struct pam_message msg,*pmsg; - struct pam_response *resp; - int retval; - - D(("called.")); - - /* Get the password from the user... */ - pmsg = &msg; - msg.msg_style = style; - msg.msg = message; - resp = NULL; - - retval = aconv->conv(1, (const struct pam_message **) &pmsg, - &resp, aconv->appdata_ptr); - if(retval != PAM_SUCCESS) - return retval; - if(resp != NULL) { - *result = resp->resp; free(resp); - return PAM_SUCCESS; - } - else - return PAM_SERVICE_ERR; -} diff --git a/contrib/libpam/modules/pam_unix/pam_unix_sess.c b/contrib/libpam/modules/pam_unix/pam_unix_sess.c deleted file mode 100644 index 319b2ed6288e..000000000000 --- a/contrib/libpam/modules/pam_unix/pam_unix_sess.c +++ /dev/null 
@@ -1,181 +0,0 @@
-/*
- * $Header: /home/morgan/pam/Linux-PAM-0.53/modules/pam_unix/RCS/pam_unix_sess.c,v 1.1 1996/11/09 19:44:35 morgan Exp $
- */
-
-/*
- * Copyright Alexander O. Yuriev, 1996. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * $Log: pam_unix_sess.c,v $
- * Revision 1.1 1996/11/09 19:44:35 morgan
- * Initial revision
- *
- * Revision 1.4 1996/05/21 03:55:17 morgan
- * added "const" to definition of rcsid[]
- *
- * Revision 1.3 1996/04/23 16:32:28 alex
- * nothing really got changed.
- *
- * Revision 1.2 1996/04/19 03:23:33 alex
- * session code implemented. account management moved into pam_unix_acct.c
- *
- */
-
-#include
-#include
-#include
-#include
-
-#ifndef LINUX /* AGM added this as of 0.2 */
-
- #include
-
-#endif /* ditto */
-
-#include
-#include
-#include
-#ifndef LOG_AUTHPRIV
-#define LOG_AUTHPRIV LOG_AUTH
-#endif
-
-static const char rcsid[] = "$Id: pam_unix_sess.c,v 1.1 1996/11/09 19:44:35 morgan Exp $ pam_unix session management. alex@bach.cis.temple.edu";
-
-/* Define internal functions */
-
-static int _get_log_level( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv );
-
-int _pam_unix_open_session( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv );
-
-int _pam_unix_close_session( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv );
-
-/* Implementation */
-
-static int _get_log_level( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv )
-{
- int i = argc;
- int log_level = LOG_DEBUG;
-
- while ( i-- )
- {
- if ( strcmp( *argv, "debug" ) == 0 )
- log_level = LOG_DEBUG;
- else if ( strcmp ( *argv, "trace" ) == 0 )
- log_level = LOG_AUTHPRIV;
- argv++;
- }
-
- return log_level;
-}
-
-int _pam_unix_open_session( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv )
-{
- int log_level;
- char *user_name, *service;
-
-
- log_level = _get_log_level( pamh, flags, argc, argv );
-
- pam_get_item( pamh, PAM_USER, (void*) &user_name );
- if ( !user_name )
- return PAM_CONV_ERR; /* How did we get authenticated with
- no username?! */
-
- pam_get_item( pamh, PAM_SERVICE, (void*) &service );
- if ( !service )
- return PAM_CONV_ERR;
-
- syslog ( log_level,
- "pam_unix authentication session started, user %s, service %s\n",
- user_name, service );
-
- return PAM_SUCCESS;
-}
-
-int _pam_unix_close_session( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv )
-{
- int log_level;
- char *user_name, *service;
-
- log_level = _get_log_level( pamh, flags, argc, argv );
-
- pam_get_item( pamh, PAM_USER, (void*) &user_name );
- if ( !user_name )
- return PAM_CONV_ERR; /* How did we get authenticated with
- no username?! */
-
- pam_get_item( pamh, PAM_SERVICE, (void*) &service );
- if ( !service )
- return PAM_CONV_ERR;
-
- syslog ( log_level,
- "pam_unix authentication session finished, user %s, service %s\n",
- user_name, service );
-
- return PAM_SUCCESS;
-}
-
-int pam_sm_open_session( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv )
-{
- return _pam_unix_open_session( pamh, flags, argc, argv ) ;
-}
-
-int pam_sm_close_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- return _pam_unix_close_session( pamh, flags, argc, argv ) ;
-}
-
diff --git a/contrib/libpam/modules/pam_unix/support.c b/contrib/libpam/modules/pam_unix/support.c
deleted file mode 100644
index a2fafcd2c13e..000000000000
--- a/contrib/libpam/modules/pam_unix/support.c
+++ /dev/null
@@ -1,152 +0,0 @@
-/*
- * $Header: /home/morgan/pam/Linux-PAM-0.53/modules/pam_unix/RCS/support.c,v 1.1 1996/11/09 19:44:35 morgan Exp $
- */
-
-/*
- * Copyright Andrew Morgan, 1996. All rights reserved.
- * Modified by Alexander O. Yuriev
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * $Log: support.c,v $
- * Revision 1.1 1996/11/09 19:44:35 morgan
- * Initial revision
- *
- * Revision 1.1 1996/04/17 01:11:08 alex
- * Initial revision
- *
- */
-
-#include /* define NULL */
-
-#ifndef LINUX
-
- #include
-
-#endif /* LINUX */
-
-#include
-
-
-#ifndef NDEBUG
-
- #include
-
-#endif /* NDEBUG */
-
-
-/* Phototype declarations */
-
-int converse( pam_handle_t *pamh,
- int nargs,
- struct pam_message **message,
- struct pam_response **response );
-
-int _set_auth_tok( pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv );
-
-/* Implementation */
-
-int converse( pam_handle_t *pamh,
- int nargs,
- struct pam_message **message,
- struct pam_response **response )
-
-{
- int retval;
- struct pam_conv *conv;
-
- retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ;
- if ( retval == PAM_SUCCESS )
- {
- retval = conv->conv( nargs,
- ( const struct pam_message ** ) message,
- response,
- conv->appdata_ptr );
- }
- return retval;
-}
-
-/***************************************************************************/
-/* prompt user for a using conversation calls */
-/***************************************************************************/
-
-int _set_auth_tok( pam_handle_t *pamh,
- int flags, int argc,
- const char **argv )
-{
- int retval;
- char *p;
-
- struct pam_message msg[1],*pmsg[1];
- struct pam_response *resp;
-
- /* set up conversation call */
-
- pmsg[0] = &msg[0];
- msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[0].msg = "Password: ";
- resp = NULL;
-
- if ( ( retval = converse( pamh, 1 , pmsg, &resp ) ) != PAM_SUCCESS )
- return retval;
-
- if ( resp )
- {
- if ( ( flags & PAM_DISALLOW_NULL_AUTHTOK ) &&
- resp[0].resp == NULL )
- {
- free( resp );
- return PAM_AUTH_ERR;
- }
-
- p = resp[ 0 ].resp;
-
- /* This could be a memory leak. If resp[0].resp
- is malloc()ed, then it has to be free()ed!
- -- alex
- */
-
- resp[ 0 ].resp = NULL;
-
- }
- else
- return PAM_CONV_ERR;
-
- free( resp );
- pam_set_item( pamh, PAM_AUTHTOK, p );
- return PAM_SUCCESS;
-}
diff --git a/contrib/libpam/modules/pam_warn/Makefile b/contrib/libpam/modules/pam_warn/Makefile
deleted file mode 100644
index 167af5a370ac..000000000000
--- a/contrib/libpam/modules/pam_warn/Makefile
+++ /dev/null
@@ -1,96 +0,0 @@
-#
-# $Id: Makefile,v 1.2 1997/04/05 06:20:16 morgan Exp $
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# $Log: Makefile,v $
-# Revision 1.2 1997/04/05 06:20:16 morgan
-# fixed fakeroot
-#
-# Revision 1.1 1996/12/01 03:12:22 morgan
-# Initial revision
-#
-#
-# Created by Andrew Morgan 1996/11/14
-#
-
-TITLE=pam_warn
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-static/%.o : %.c
- $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-ifdef STATIC
-LIBSTATIC = lib$(TITLE).o
-endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-ifdef STATIC
- $(MKDIR) ./static
-endif
-
-register:
-ifdef STATIC
- ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD)
-endif
-
-ifdef STATIC
-$(LIBOBJS): $(LIBSRC)
-
-$(LIBSTATIC): $(LIBOBJS)
- $(LD) -r -o $@ $(LIBOBJS)
-endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
diff --git a/contrib/libpam/modules/pam_warn/README b/contrib/libpam/modules/pam_warn/README
deleted file mode 100644
index f45b271c0d77..000000000000
--- a/contrib/libpam/modules/pam_warn/README
+++ /dev/null
@@ -1,23 +0,0 @@
-# $Id: README,v 1.1 1996/12/01 03:12:22 morgan Exp $
-#
-
-This module is an authentication module that does not authenticate.
-Instead it always returns PAM_IGNORE, indicating that it does not want
-to affect the authentication process.
-
-Its purpose is to log a message to the syslog indicating the
-pam_item's available at the time it was invoked. It is a diagnostic
-tool.
-
-Recognized arguments:
-
-
-
-module services provided:
-
- auth _autheticate and _setcred (blank)
- password _chauthtok [mapped to _authenticate]
-
-
-Andrew Morgan
-1996/11/14
diff --git a/contrib/libpam/modules/pam_warn/pam_warn.c b/contrib/libpam/modules/pam_warn/pam_warn.c
deleted file mode 100644
index 2a0a23d6e989..000000000000
--- a/contrib/libpam/modules/pam_warn/pam_warn.c
+++ /dev/null
@@ -1,112 +0,0 @@
-/* pam_warn module */
-
-/*
- * $Id: pam_warn.c,v 1.2 1997/02/15 17:19:08 morgan Exp $
- *
- * Written by Andrew Morgan 1996/3/11
- *
- * $Log: pam_warn.c,v $
- * Revision 1.2 1997/02/15 17:19:08 morgan
- * corrected many bugs and removed fixed buffer logging
- *
- * Revision 1.1 1996/12/01 03:12:22 morgan
- * Initial revision
- *
- *
- */
-
-#include
-#include
-#include
-#include
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH
-#define PAM_SM_PASSWORD
-
-#include
-
-/* some syslogging */
-
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM-warn", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc
- , const char **argv)
-{
- const char *service=NULL, *user=NULL, *terminal=NULL
- , *rhost=NULL, *ruser=NULL;
-
- (void) pam_get_item(pamh, PAM_SERVICE, (const void **)&service);
- (void) pam_get_item(pamh, PAM_TTY, (const void **)&terminal);
- _pam_log(LOG_NOTICE, "service: %s [on terminal: %s]"
- , service ? service : ""
- , terminal ? terminal : ""
- );
- (void) pam_get_user(pamh, &user, "Who are you? ");
- (void) pam_get_item(pamh, PAM_RUSER, (const void **)&ruser);
- (void) pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
- _pam_log(LOG_NOTICE, "user: (uid=%d) -> %s [remote: %s@%s]"
- , getuid()
- , user ? user : ""
- , ruser ? ruser : "?nobody"
- , rhost ? rhost : "?nowhere"
- );
-
- /* we are just a fly on the wall */
-
- return PAM_IGNORE;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
- , const char **argv)
-{
- return PAM_IGNORE;
-}
-
-/* password updating functions */
-
-PAM_EXTERN
-int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc
- , const char **argv)
-{
- /* map to the authentication function... */
-
- return pam_sm_authenticate(pamh, flags, argc, argv);
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_warn_modstruct = {
- "pam_warn",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- pam_sm_chauthtok,
-};
-
-#endif
-
-/* end of module definition */
diff --git a/contrib/libpam/modules/pam_wheel/Makefile b/contrib/libpam/modules/pam_wheel/Makefile
deleted file mode 100644
index 553e32199668..000000000000
--- a/contrib/libpam/modules/pam_wheel/Makefile
+++ /dev/null
@@ -1,94 +0,0 @@
-#
-# This Makefile controls a build process of $(TITLE) module for
-# Linux-PAM. You should not modify this Makefile (unless you know
-# what you are doing!).
-#
-# Created by Cristian Gafton 1996/09/10
-#
-
-ifeq ($(HAVE_PWDBLIB),yes)
-
-TITLE=pam_wheel
-CFLAGS += -DHAVE_PWDBLIB
-
-#
-
-LIBSRC = $(TITLE).c
-LIBOBJ = $(TITLE).o
-LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
-#LIBOBJS = $(addprefix static/,$(LIBOBJ))
-
-EXTRALS = -lpwdb
-
-dynamic/%.o : %.c
- $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-#static/%.o : %.c
-# $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
-
-
-ifdef DYNAMIC
-LIBSHARED = $(TITLE).so
-endif
-
-#ifdef STATIC
-#LIBSTATIC = lib$(TITLE).o
-#endif
-
-####################### don't edit below #######################
-
-dummy:
-
- @echo "**** This is not a top-level Makefile "
- exit
-
-all: dirs $(LIBSHARED) $(LIBSTATIC) register
-
-dirs:
-ifdef DYNAMIC
- $(MKDIR) ./dynamic
-endif
-#ifdef STATIC
-# $(MKDIR) ./static
-#endif
-
-register:
-#ifdef STATIC
-# ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) )
-#endif
-
-ifdef DYNAMIC
-$(LIBOBJD): $(LIBSRC)
-
-$(LIBSHARED): $(LIBOBJD)
- $(LD_D) -o $@ $(LIBOBJD) $(EXTRALS)
-endif
-
-#ifdef STATIC
-#$(LIBOBJS): $(LIBSRC)
-#
-#$(LIBSTATIC): $(LIBOBJS)
-# $(LD) -r -o $@ $(LIBOBJS) $(EXTRALS)
-#endif
-
-install: all
- $(MKDIR) $(FAKEROOT)$(SECUREDIR)
-ifdef DYNAMIC
- $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)
-endif
-
-remove:
- rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so
-
-clean:
- rm -f $(LIBOBJD) $(LIBOBJS) core *~ *.so
-
-extraclean: clean
- rm -f *.a *.o *.so *.bak dynamic/* static/*
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
-else
-include ../dont_makefile
-endif
diff --git a/contrib/libpam/modules/pam_wheel/README b/contrib/libpam/modules/pam_wheel/README
deleted file mode 100644
index 336bb31ef133..000000000000
--- a/contrib/libpam/modules/pam_wheel/README
+++ /dev/null
@@ -1,33 +0,0 @@
-
-pam_wheel:
- only permit root authentication too members of wheel group
-
-RECOGNIZED ARGUMENTS:
- debug write a message to syslog indicating success or
- failure.
-
- use_uid the check for wheel membership will be done against
- the current uid instead of the original one
- (useful when jumping with su from one account to
- another for example)
-
- trust the pam_wheel module will return PAM_SUCCESS instead
- of PAM_IGNORE if the user is a member of the wheel
- group (thus with a little play stacking the modules
- the wheel members may be able to su to root without
- being prompted for a passwd).
-
- deny Reverse the sense of the auth operation: if the user
- is trying to get UID 0 access and is a member of the
- wheel group, deny access (well, kind of nonsense, but
- for use in conjunction with 'group' argument... :-)
-
- group=xxxx Instead of checking the GID 0 group, use the xxxx
- group to perform the authentification.
-
-MODULE SERVICES PROVIDED:
- auth _authetication and _setcred (blank)
-
-AUTHOR:
- Cristian Gafton
-
diff --git a/contrib/libpam/modules/pam_wheel/pam_wheel.c b/contrib/libpam/modules/pam_wheel/pam_wheel.c
deleted file mode 100644
index db262d83d8c9..000000000000
--- a/contrib/libpam/modules/pam_wheel/pam_wheel.c
+++ /dev/null
@@ -1,277 +0,0 @@
-/* pam_wheel module */
-
-/*
- * Written by Cristian Gafton 1996/09/10
- * See the end of the file for Copyright Information
- *
- *
- * 1.2 - added 'deny' and 'group=' options
- * 1.1 - added 'trust' option
- * 1.0 - the code is working for at least another person, so... :-)
- * 0.1 - use vsyslog instead of vfprintf/syslog in _pam_log
- * - return PAM_IGNORE on success (take care of sloppy sysadmins..)
- * - use pam_get_user instead of pam_get_item(...,PAM_USER,...)
- * - a new arg use_uid to auth the current uid instead of the
- * initial (logged in) one.
- * 0.0 - first release
- *
- * TODO:
- * - try to use make_remark from pam_unix/support.c
- * - consider returning on failure PAM_FAIL_NOW if the user is not
- * a wheel member.
- */
-
-#include
-#define __USE_BSD
-#include
-#include
-#include
-#include
-#include
-#ifdef HAVE_PWDBLIB
-# include
-#else
-# include
-# include
-#endif
-
-
-/*
- * here, we make a definition for the externally accessible function
- * in this file (this definition is required for static a module
- * but strongly encouraged generally) it is used to instruct the
- * modules include file to define the function prototypes.
- */
-
-#define PAM_SM_AUTH
-
-#include
-
-/* variables */
-static char use_group[BUFSIZ];
-
-/* some syslogging */
-
-static void _pam_log(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM-Wheel", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* checks if a user is on a list of members of the GID 0 group */
-
-static int is_on_list(char * const *list, const char *member)
-{
- while (*list) {
- if (strcmp(*list, member) == 0)
- return 1;
- list++;
- }
- return 0;
-}
-
-/* argument parsing */
-
-#define PAM_DEBUG_ARG 0x0001
-#define PAM_USE_UID_ARG 0x0002
-#define PAM_TRUST_ARG 0x0004
-#define PAM_DENY_ARG 0x0010
-
-static int _pam_parse(int argc, const char **argv)
-{
- int ctrl=0;
-
- /* step through arguments */
- for (ctrl=0; argc-- > 0; ++argv) {
-
- /* generic options */
-
- if (!strcmp(*argv,"debug"))
- ctrl |= PAM_DEBUG_ARG;
- else if (!strcmp(*argv,"use_uid"))
- ctrl |= PAM_USE_UID_ARG;
- else if (!strcmp(*argv,"trust"))
- ctrl |= PAM_TRUST_ARG;
- else if (!strcmp(*argv,"deny"))
- ctrl |= PAM_DENY_ARG;
- else if (!strncmp(*argv,"group=",6))
- strcpy(use_group,*argv+6);
- else {
- _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv);
- }
- }
-
- return ctrl;
-}
-
-
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- int ctrl;
- const char *username;
- char *fromsu;
- struct passwd *pwd, *tpwd;
- struct group *grp;
- int retval = PAM_AUTH_ERR;
-
- /* Init the optional group */
- bzero(use_group,sizeof(use_group));
-
- ctrl = _pam_parse(argc, argv);
- retval = pam_get_user(pamh,&username,NULL);
- if ((retval != PAM_SUCCESS) || (!username)) {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_DEBUG,"can not get the username");
- return PAM_SERVICE_ERR;
- }
-
- /* su to a uid 0 account ? */
- pwd = getpwnam(username);
- if (!pwd) {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_NOTICE,"unknown user %s",username);
- return PAM_USER_UNKNOWN;
- }
-
- /* Now we know that the username exists, pass on to other modules...
- * the call to pam_get_user made this obsolete, so is commented out
- *
- * pam_set_item(pamh,PAM_USER,(const void *)username);
- */
-
- /* is this user an UID 0 account ? */
- if(pwd->pw_uid) {
- /* no need to check for wheel */
- return PAM_IGNORE;
- }
-
- if (ctrl & PAM_USE_UID_ARG) {
- tpwd = getpwuid(getuid());
- if (!tpwd) {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_NOTICE,"who is running me ?!");
- return PAM_SERVICE_ERR;
- }
- fromsu = tpwd->pw_name;
- } else {
- fromsu = getlogin();
- if (!fromsu) {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_NOTICE,"who is running me ?!");
- return PAM_SERVICE_ERR;
- }
- }
-
- if (!use_group[0])
- grp = getgrgid(0);
- else
- grp = getgrnam(use_group);
-
- if (!grp || !grp->gr_mem) {
- if (ctrl & PAM_DEBUG_ARG) {
- if (!use_group[0])
- _pam_log(LOG_NOTICE,"no members in a GID 0 group");
- else
- _pam_log(LOG_NOTICE,"no members in '%s' group",use_group);
- }
- if (ctrl & PAM_DENY_ARG)
- /* if this was meant to deny access to the members
- * of this group and the group does not exist, allow
- * access
- */
- return PAM_IGNORE;
- else
- return PAM_AUTH_ERR;
- }
-
- if (is_on_list(grp->gr_mem, fromsu)) {
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_NOTICE,"Access %s to '%s' for '%s'",
- (ctrl & PAM_DENY_ARG)?"denied":"granted",
- fromsu,username);
- if (ctrl & PAM_DENY_ARG)
- return PAM_PERM_DENIED;
- else
- if (ctrl & PAM_TRUST_ARG)
- return PAM_SUCCESS;
- else
- return PAM_IGNORE;
- }
-
- if (ctrl & PAM_DEBUG_ARG)
- _pam_log(LOG_NOTICE,"Access %s for '%s' to '%s'",
- (ctrl & PAM_DENY_ARG)?"granted":"denied",fromsu,username);
- if (ctrl & PAM_DENY_ARG)
- return PAM_SUCCESS;
- else
- return PAM_PERM_DENIED;
-}
-
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc
- ,const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_wheel_modstruct = {
- "pam_wheel",
- pam_sm_authenticate,
- pam_sm_setcred,
- NULL,
- NULL,
- NULL,
- NULL,
-};
-
-#endif
-
-/*
- * Copyright (c) Cristian Gafton , 1996, 1997
- * All rights reserved
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */