[linux-pam] pam_env: Document the /etc/environment file.
by Tomáš Mráz
commit 51e2581a6cbedefebbb7bbe3fd8f3374049bc7c5
Author: Tomas Mraz <tmraz(a)fedoraproject.org>
Date: Wed Feb 17 14:57:15 2016 +0100
pam_env: Document the /etc/environment file.
* modules/pam_env/Makefile.am: Add the environment.5 soelim stub.
* modules/pam_env/pam_env.8.xml: Add environ(7) reference.
* modules/pam_env/pam_env.conf.5.xml: Add environment alias name.
Add a paragraph about /etc/environment. Add environ(7) reference.
modules/pam_env/Makefile.am | 3 ++-
modules/pam_env/pam_env.8.xml | 3 +++
modules/pam_env/pam_env.conf.5.xml | 14 ++++++++++++--
3 files changed, 17 insertions(+), 3 deletions(-)
---
diff --git a/modules/pam_env/Makefile.am b/modules/pam_env/Makefile.am
index 7b8d9af..d6f081f 100644
--- a/modules/pam_env/Makefile.am
+++ b/modules/pam_env/Makefile.am
@@ -7,7 +7,7 @@ MAINTAINERCLEANFILES = $(MANS) README
EXTRA_DIST = README pam_env.conf $(MANS) $(XMLS) tst-pam_env environment
-man_MANS = pam_env.conf.5 pam_env.8
+man_MANS = pam_env.conf.5 pam_env.8 environment.5
XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml
@@ -30,6 +30,7 @@ sysconf_DATA = environment
if ENABLE_REGENERATE_MAN
noinst_DATA = README
README: pam_env.8.xml pam_env.conf.5.xml
+environment.5: pam_env.conf.5.xml
-include $(top_srcdir)/Make.xml.rules
endif
diff --git a/modules/pam_env/pam_env.8.xml b/modules/pam_env/pam_env.8.xml
index 6eac6c8..d6e20a2 100644
--- a/modules/pam_env/pam_env.8.xml
+++ b/modules/pam_env/pam_env.8.xml
@@ -247,6 +247,9 @@
</citerefentry>,
<citerefentry>
<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum>
</citerefentry>.
</para>
</refsect1>
diff --git a/modules/pam_env/pam_env.conf.5.xml b/modules/pam_env/pam_env.conf.5.xml
index 4040275..c47f17d 100644
--- a/modules/pam_env/pam_env.conf.5.xml
+++ b/modules/pam_env/pam_env.conf.5.xml
@@ -12,7 +12,8 @@
<refnamediv>
<refname>pam_env.conf</refname>
- <refpurpose>the environment variables config file</refpurpose>
+ <refname>environment</refname>
+ <refpurpose>the environment variables config files</refpurpose>
</refnamediv>
@@ -60,6 +61,14 @@
at front) can be used to mark this line as a comment line.
</para>
+ <para>
+ The <filename>/etc/environment</filename> file specifies
+ the environment variables to be set. The file must consist of simple
+ <emphasis>NAME=VALUE</emphasis> pairs on separate lines.
+ The <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ module will read the file after the <filename>pam_env.conf</filename>
+ file.
+ </para>
</refsect1>
<refsect1 id="pam_env.conf-examples">
@@ -113,7 +122,8 @@
<para>
<citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
</para>
</refsect1>
[linux-pam] pam_unix: Add no_pass_expiry option to ignore password expiration.
by Tomáš Mráz
commit 8bb171506fc2579669fd86bd29885f256e26ccb0
Author: Tomas Mraz <tmraz(a)fedoraproject.org>
Date: Wed Feb 17 14:21:41 2016 +0100
pam_unix: Add no_pass_expiry option to ignore password expiration.
* modules/pam_unix/pam_unix.8.xml: Document the no_pass_expiry option.
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): If no_pass_expiry
is on and return value data is not set to PAM_SUCCESS then ignore
PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED returns.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Always set the
return value data.
(pam_sm_setcred): Test for likeauth option and use the return value data
only if set.
* modules/pam_unix/support.h: Add the no_pass_expiry option.
modules/pam_unix/pam_unix.8.xml | 19 +++++++++++++++++++
modules/pam_unix/pam_unix_acct.c | 13 +++++++++++++
modules/pam_unix/pam_unix_auth.c | 20 +++++++++++---------
modules/pam_unix/support.h | 6 ++++--
4 files changed, 47 insertions(+), 11 deletions(-)
---
diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
index a8b64bb..6d8e4ba 100644
--- a/modules/pam_unix/pam_unix.8.xml
+++ b/modules/pam_unix/pam_unix.8.xml
@@ -364,6 +364,25 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>no_pass_expiry</option>
+ </term>
+ <listitem>
+ <para>
+ When set ignore password expiration as defined by the
+ <emphasis>shadow</emphasis> entry of the user. The option has an
+ effect only in case <emphasis>pam_unix</emphasis> was not used
+ for the authentication or it returned authentication failure
+ meaning that other authentication source or method succeeded.
+ The example can be public key authentication in
+ <emphasis>sshd</emphasis>. The module will return
+ <emphasis remap='B'>PAM_SUCCESS</emphasis> instead of eventual
+ <emphasis remap='B'>PAM_NEW_AUTHTOK_REQD</emphasis> or
+ <emphasis remap='B'>PAM_AUTHTOK_EXPIRED</emphasis>.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
<para>
Invalid arguments are logged with <citerefentry>
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
index 2799845..f8b39c9 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -235,6 +235,19 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
} else
retval = check_shadow_expiry(pamh, spent, &daysleft);
+ if (on(UNIX_NO_PASS_EXPIRY, ctrl)) {
+ const void *pretval = NULL;
+ int authrv = PAM_AUTHINFO_UNAVAIL; /* authentication not called */
+
+ if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS
+ && pretval)
+ authrv = *(const int *)pretval;
+
+ if (authrv != PAM_SUCCESS
+ && (retval == PAM_NEW_AUTHTOK_REQD || retval == PAM_AUTHTOK_EXPIRED))
+ retval = PAM_SUCCESS;
+ }
+
switch (retval) {
case PAM_ACCT_EXPIRED:
pam_syslog(pamh, LOG_NOTICE,
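Review bot: The override `retval = PAM_SUCCESS` leaves no audit trail: the LOG_NOTICE messages in the switch below fire only for the original expiry results, so syslog never shows that a user with an expired password was admitted because of no_pass_expiry. Log the bypass before overriding, e.g. `pam_syslog(pamh, LOG_NOTICE, "password expiry check skipped for user %s (no_pass_expiry)", uname);`, using whichever user-name variable the existing log calls in this function use. Note also that an absent "unix_setcred_return" datum is treated here exactly like a failed pam_unix authentication (`authrv` stays PAM_AUTHINFO_UNAVAIL), so any path in pam_sm_authenticate that fails to record its result silently disables the expiry check; a comment stating that assumption would help the next reader. pam_sm_acct_mgmt begins before this hunk.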
diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c
index 44573e6..9a547b3 100644
--- a/modules/pam_unix/pam_unix_auth.c
+++ b/modules/pam_unix/pam_unix_auth.c
@@ -82,14 +82,13 @@
#define AUTH_RETURN \
do { \
- if (on(UNIX_LIKE_AUTH, ctrl) && ret_data) { \
+ if (ret_data) { \
D(("recording return code for next time [%d]", \
retval)); \
*ret_data = retval; \
pam_set_data(pamh, "unix_setcred_return", \
(void *) ret_data, setcred_free); \
- } else if (ret_data) \
- free (ret_data); \
+ } \
D(("done. [%s]", pam_strerror(pamh, retval))); \
return retval; \
} while (0)
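Review bot: The `pam_set_data` call's return value is ignored, and with the `else if (ret_data) free(ret_data)` branch removed a failed pam_set_data now both leaks `ret_data` and leaves no recorded result. Since pam_sm_acct_mgmt's no_pass_expiry check reads a missing datum as "authentication not called", that failure would skip the expiry check for a user this module actually authenticated. Check the return and free on failure, `if (pam_set_data(pamh, "unix_setcred_return", (void *) ret_data, setcred_free) != PAM_SUCCESS) { free(ret_data); pam_syslog(pamh, LOG_ERR, "unable to record authentication result"); }`, and consider whether the module should fail closed (PAM_BUF_ERR) rather than return an unrecorded success. The macro is the whole unit, but its callers lie outside this hunk.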
@@ -115,9 +114,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
/* Get a few bytes so we can pass our return value to
- pam_sm_setcred(). */
- if (on(UNIX_LIKE_AUTH, ctrl))
- ret_data = malloc(sizeof(int));
+ pam_sm_setcred() and pam_sm_acct_mgmt(). */
+ ret_data = malloc(sizeof(int));
/* get the user'name' */
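Review bot: `ret_data = malloc(sizeof(int))` is still unchecked, and a NULL result is no longer harmless: AUTH_RETURN then records nothing, and under no_pass_expiry pam_sm_acct_mgmt reads the absent datum as "authentication not called" and drops PAM_NEW_AUTHTOK_REQD/PAM_AUTHTOK_EXPIRED even though this module authenticated the user with an expired password, so an allocation failure fails open. Fail closed instead, `if (ret_data == NULL) return PAM_BUF_ERR;` immediately after the malloc, since the module cannot otherwise report its result to the account stage. pam_sm_authenticate continues outside the hunk.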
@@ -194,20 +192,24 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
*/
int
-pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
+pam_sm_setcred (pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
{
int retval;
const void *pretval = NULL;
+ unsigned int ctrl;
D(("called."));
+ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
+
retval = PAM_SUCCESS;
D(("recovering return code from auth call"));
/* We will only find something here if UNIX_LIKE_AUTH is set --
don't worry about an explicit check of argv. */
- if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS
+ if (on(UNIX_LIKE_AUTH, ctrl)
+ && pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS
&& pretval) {
retval = *(const int *)pretval;
pam_set_data(pamh, "unix_setcred_return", NULL, NULL);
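Review bot: The comment `We will only find something here if UNIX_LIKE_AUTH is set` is now wrong: pam_sm_authenticate records "unix_setcred_return" unconditionally and the new explicit `on(UNIX_LIKE_AUTH, ctrl)` test is what gates its use, so replace it with `/* The auth call always records its result; consume it here only with likeauth, otherwise leave it for pam_sm_acct_mgmt's no_pass_expiry check. */`. That also makes an ordering dependency worth stating: with likeauth the datum is cleared here, so an application that calls pam_setcred() before pam_acct_mgmt() would leave the no_pass_expiry check seeing "authentication not called" and skipping expiry; the conventional auth, account, setcred order avoids this, but the comment or the man page should say so. pam_sm_setcred continues beyond the hunk.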
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index 3729ce0..b767c26 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -98,9 +98,10 @@ typedef struct {
#define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
#define UNIX_MIN_PASS_LEN 27 /* min length for password */
#define UNIX_QUIET 28 /* Don't print informational messages */
-#define UNIX_DES 29 /* DES, default */
+#define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration if not used for authentication */
+#define UNIX_DES 30 /* DES, default */
/* -------------- */
-#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */
+#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */
#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
@@ -138,6 +139,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1},
/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
+/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
};