2024-04-09  Dmitry V. Levin  <ldv@strace.io>

	Prepare for 1.6.1 release.
	* configure.ac (AC_INIT): Raise version to 1.6.1.
	* po/Linux-PAM.pot (Project-Id-Version): Likewise.
	* NEWS: Update.

	Resolves: https://github.com/linux-pam/linux-pam/issues/774

2024-04-08  Dmitry V. Levin  <ldv@strace.io>

	po: update .pot and .po files.
	Regenerate po/Linux-PAM.pot and po/*.po using "make -C po update-po"
	command.  This essentially updates the line numbers and timestamps.

2024-04-07  Dmitry V. Levin  <ldv@strace.io>

	configure.ac: do not check for headers that are included unconditionally
	* configure.ac (AC_HEADER_STDC, AC_HEADER_TIME): Remove.
	(AC_CHECK_HEADERS): Remove fcntl.h, limits.h, malloc.h, sys/file.h,
	sys/ioctl.h, sys/time.h, syslog.h, net/if.h, termio.h, unistd.h,
	sys/fsuid.h, and inittypes.h.

2024-04-03  Dmitry V. Levin  <ldv@strace.io>

	doc: fix pam_get_data manual regarding PAM_NO_MODULE_DATA return value.
	pam_get_data manual page used to claim that PAM_NO_MODULE_DATA is
	returned not only when no module specific data is present but also
	when there is a corresponding data entry with NULL value.

	As this claim is in contradiction with the implementation and with the
	pam manual page, fix pam_get_data manual page.

	* doc/man/pam_get_data.3.xml (PAM_NO_MODULE_DATA): Sync with
	the implementation and with the pam manual page.

	Resolves: https://github.com/linux-pam/linux-pam/pull/780

2024-04-03  Dmitry V. Levin  <ldv@strace.io>

	tests: check pam_get_data PAM_NO_MODULE_DATA return value semantics.
	* tests/tst-pam_get_data.c (main): Check that PAM_NO_MODULE_DATA is
	returned by pam_get_data iff the corresponding data is not present.

	tests: cleanup tst-pam_get_data to use test_assert.h framework.
	* tests/tst-pam_get_data.c: Include "test_assert.h".
	(main): Rewrite using ASSERT_EQ() and ASSERT_NE() macros.

2024-04-03  Marco Trevisan (Treviño)  <mail@3v1n0.net>

	tests: Add some pam_get_data tests.
	The function was not tested, so add some basic testing to it.

2024-04-02  Aura Herrero Ruiz  <aura.herreroruiz@outlook.es>

	doc: fix uses of non-neutral gender pronouns.

2024-03-31  Dmitry V. Levin  <ldv@strace.io>

	pam_start.c: do not call bindtextdomain() unless nls is enabled.
	Call bindtextdomain() only when both the function is available and
	the build is configured with --enable-nls.

	* libpam/pam_start.c (_pam_start_internal): Guard bindtextdomain()
	invocation with ENABLE_NLS.

	Complements: v1.6.0~244 ("pam_start.c: call bindtextdomain() to expose Linux-PAM locales")
	Resolves: https://github.com/linux-pam/linux-pam/pull/773

2024-03-31  Thorsten Kukuk  <kukuk@suse.com>

	pam_env: document when the module is executed.
	Document that pam_env.so is only called by pam_setcred() and
	not by pam_authenticate() when added to the auth stack.

	Resolves: https://github.com/linux-pam/linux-pam/issues/680

2024-03-31  Alan01  <alanmortensen.am@gmail.com>

	po: update da.po.

2024-03-31  Andika Triwidada  <andika@gmail.com>

	po: update translations using Weblate (Indonesian)
	Currently translated at 87.1% (88 of 101 strings).

	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/id/

2024-03-29  Sergei Trofimovich  <slyich@gmail.com>

	pam_unix: allow empty passwords with non-empty hashes.
	Before the change pam_unix has different behaviours for a user with
	empty password for these two `/etc/shadow` entries:

	    nulloktest:$6$Yy4ty2jJ$bsVQWo8qlXC6UHq1/qTC3UR60ZJKmKApJ3Wj7DreAy8FxlVKtlDnplFQ7jMLVlDqordE7e4t49GvTb.aI59TP0:1::::::
	    nulloktest::1::::::

	The entry with a hash was rejected and the entry without was accepted.

	The rejection happened because 9e74e90147c "pam_unix: avoid determining
	if user exists" introduced the following rejection check (slightly
	simplified):

	        ...
	        } else if (p[0] == '\0' && nullok) {
	                if (hash[0] != '\0') {
	                        retval = PAM_AUTH_ERR;
	                }

	We should not reject the user with a hash assuming it's non-empty.
	The change does that by pushing empty password check into
	`verify_pwd_hash()`.

	`NixOS` generates such hashed entries for empty passwords as if they
	were non-empty using the following perl code:

	    sub hashPassword {
	        my ($password) = @_;
	        my $salt = "";
	        my @chars = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
	        $salt .= $chars[rand 64] for (1..8);
	        return crypt($password, '$6$' . $salt . '$');
	    }

	Resolves: https://github.com/linux-pam/linux-pam/issues/758
	Fixes: 9e74e90147c "pam_unix: avoid determining if user exists"

2024-03-04  Shaleen Bathla  <shaleen.bathla@oracle.com>
	    Dmitry V. Levin  <ldv@strace.io>

	pam_limits: fix potential use-after-free of pl->conf_file.
	When limits.d is processed, pl->conf_file consequently points to
	elements of filename_list array which are freed later even though
	it can still be used in the logging.

	Fixes: f6b973b92281 ("Add support for limits.d directory to pam_limits")

2024-03-03  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_unix: use yp functions only if nis requested.
	It can happen that yp functions are found in system but their header
	files are not available. In this case, do not call them.

	build: fail if requested nis headers are missing.
	Failing if a feature is directly requested is default by now.
	Do the same for --enable-nis=yes.

2024-02-22  Christian Göttsche  <cgzones@googlemail.com>

	conf/modules: constify read-only data arrays.

	pam_unix: drop cast to same type.

	modules: drop redundant return at end of void functions.

	pam_faillock: drop duplicate include.

	modules: enclose macro parameter.

	libpamc: enclose macro parameter.

	libpam: enclose macro parameters.

2024-02-22  Christian Göttsche  <cgzones@googlemail.com>

	pam_unix: avoid string formatting of NULL.
	Since the struct member user might be NULL use the same condition for
	the value as for the preceding key.

	Reported-by: Yugend

2024-02-22  Christian Göttsche  <cgzones@googlemail.com>

	pam_xauth: untangle strings.
	Untangle two distinct strings to simplify their usage.
	Check for allocation failure of the second one.
	Fix double-free of the second one in the error branch in line 692.

	Reported-by: Yugend

2024-02-22  Christian Göttsche  <cgzones@googlemail.com>

	pam_xauth: sanitize variable after asprintf(3) failure.
	On asprintf(3) failure the value of the first argument is undefined.
	Set to NULL to avoid UB on cleanup.

2024-02-07  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_limits: print line number in warning.
	The line itself is modified while parsing its content. Print the line
	number and file name instead so an administrator can investigate it.

2024-02-06  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_limits: remove whitespaces around value.
	Trim all whitespaces before and after value.

	Resolves: https://github.com/linux-pam/linux-pam/pull/760
	Fixes: eec4358a49dc ("pam_limits: avoid sscanf in parse_config_file")

2024-02-06  Tobias Stoeckmann  <tobias@stoeckmann.org>

	libpam_internal: introduce pam_line.
	The pam_assemble_line function is renamed to pam_line_assemble and
	moved into libpam_internal so it can be shared across libpam and the
	pam_env module.

	Applied renaming to all other relevant functions and data structures
	so it is easier to locate them in files.

2024-02-04  Arseny Maslennikov  <ar@cs.msu.ru>

	pam_inline.h: Fix use of memset_explicit(3)
	That function is being added to C23 with the same prototype
	as memset(3):

	    void* memset_explicit(void*, int, size_t);

	Unlike bzero, it accepts the fill byte as an argument.

	Fixes: 19a292681789 ("libpam: introduce secure memory erasure helpers")

2024-01-24  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_unix: try to set uid to 0 for unix_chkpwd.
	The geteuid check does not cover all cases. If a program runs with
	elevated capabilities like CAP_SETUID then we can still check
	credentials of other users.

	Keep logging for future analysis though.

	Resolves: https://github.com/linux-pam/linux-pam/issues/747
	Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries")

2024-01-24  Tobias Stoeckmann  <tobias@stoeckmann.org>

	libpam_internal: supply debug functionality.
	Move function bodies from headers into dedicated object files stored in
	libpam_internal. This library won't be installed.

	Keep the debug function body in header, even though disabled when
	building Linux-PAM, to stay API compatible with previous versions.

2024-01-22  Christian Göttsche  <cgzones@googlemail.com>

	configure: fail if specified option cannot be satisfied.
	The options whether to build with support for libprelude, libaudit,
	libselinux, or libeconf are set to enable-if-available.  These options
	also have a configure flag `--enable-foo`, which currently falls back to
	the feature being disabled if not available.

	Change these feature flags to fail if specified explicitly and the
	required dependencies cannot be satisfied.

	Prompted by #728 and #746

2024-01-21  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_faildelay: add more tests to delay parser.

	pam_faildelay: support UINT_MAX delay on 32 bit.
	Use strtoll to support up to 64 bit on 32 bit systems, although only up
	to 32 unsigned bits are used. The strtoul function exists but converts
	negative numbers to positive ones without any form of warning.
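
The strtoul pitfall named in the entry above, beside a strtoll-based parser with an explicit range check. This is an added example, not code from pam_faildelay: the function names and sample inputs are constructed for illustration, and it assumes a 32-bit unsigned int.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper, not pam_faildelay's code: parse with strtoll so a
 * minus sign stays visible as a negative value, then range-check against
 * UINT_MAX.  Returns 0 and stores the value on success, -1 on rejection. */
static int parse_delay_strtoll(const char *s, unsigned int *out)
{
    char *end;
    long long v;

    errno = 0;
    v = strtoll(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return -1;                  /* overflow, empty input, trailing junk */
    if (v < 0 || (unsigned long long)v > UINT_MAX)
        return -1;                  /* negative, or wider than unsigned int */
    *out = (unsigned int)v;
    return 0;
}

/* The pitfall: strtoul accepts "-N" and returns the value negated in
 * unsigned arithmetic, leaving errno at 0, so the sign is lost before
 * any range check can see it. */
static int parse_delay_strtoul(const char *s, unsigned long *out)
{
    char *end;
    unsigned long v;

    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return -1;
    *out = v;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "0", "4294967295", "4294967296", "-1", "", "10s" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned int d = 0;
        unsigned long u = 0;
        int a = parse_delay_strtoll(samples[i], &d);
        int b = parse_delay_strtoul(samples[i], &u);

        printf("\"%s\": strtoll+range %s", samples[i], a ? "rejected" : "accepted");
        if (a == 0)
            printf(" (%u)", d);
        printf(", bare strtoul %s", b ? "rejected" : "accepted");
        if (b == 0)
            printf(" (%lu)", u);
        putchar('\n');
    }
    return 0;
}
```

Where unsigned long is as wide as unsigned int, the value strtoul returns for "-1" equals UINT_MAX, so a later upper-bound check cannot tell it from a legitimate maximum delay.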

2024-01-21  Tobias Stoeckmann  <tobias@stoeckmann.org>

	modules: add pamc headers to the search path only when needed.
	The pam client library libpamc is only needed if libpam_misc is in use.
	But libpam_misc is only used by an SELinux helper binary.

	Remove the libpamc includes from the search path in all other cases.

2024-01-21  Christian Göttsche  <cgzones@googlemail.com>

	pam_pwhistory: allocate crypt data on the heap.
	The struct crypt_data has the size of 32768 bytes, thus allocate it on
	the heap for portability.

	pam_userdb: cleanse crypt data.
	Cleanse the crypt data to avoid any potential information leakage.

	pam_unix: cleanse crypt data.
	Cleanse the crypt data also in the failure branch to sanitize in case of
	partial data being written.

	modules: zero out crypt_r(3) data before usage.
	The manual page of crypt_r(3) recommends to zero the entire data object.

2024-01-20  Dmitry V. Levin  <ldv@strace.io>

	pam_faildelay: fix compilation warnings on 32bit platforms.
	Fix the following warning reported by gcc on 32bit platforms:

	  pam_faildelay.c: In function 'pam_sm_authenticate':
	  pam_faildelay.c:104:34: error: comparison of integer expressions of different signedness: 'long int' and 'unsigned int' [-Werror=sign-compare]
	    104 |           if (delay < 0 || delay > UINT_MAX)
	        |                                  ^
	  pam_faildelay.c:123:32: error: comparison of integer expressions of different signedness: 'long int' and 'unsigned int' [-Werror=sign-compare]
	    123 |         if (delay < 0 || delay > UINT_MAX / S_TO_MICROS)
	        |                                ^

	* modules/pam_faildelay/pam_faildelay.c (pam_sm_authenticate): Cast
	"delay" to "unsigned long" in comparisons with unsigned int.

	Fixes: dd87776d3683 ("pam_faildelay: validate parameter ranges")

2024-01-20  Dmitry V. Levin  <ldv@strace.io>

	pam_namespace: use sed instead of awk in namespace.init.
	Given that sed is considered a more lightweight dependency than awk,
	and since sed is used by pam_namespace_helper anyway, use sed instead of
	awk in namespace.init as well.

	* modules/pam_namespace/namespace.init: Use sed instead of awk to obtain
	the UMASK value from /etc/login.defs.

2024-01-19  Tobias Stoeckmann  <tobias@stoeckmann.org>

	build: correctly set WITH_SELINUX conditional.
	React on actual test if SELinux is available, not just if SELinux
	should be tested for.

	Currently the supposedly disabled binaries are still installed even if
	SELinux is not available.

	Fixes: cb9f88ba944d ("pam_unix: build unix_update only with SELinux enabled")

2024-01-19  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_unix: do not warn if password aging is disabled.
	Later checks will print a warning if daysleft is 0. If password
	aging is disabled, leave daysleft at -1.

	Resolves: https://github.com/linux-pam/linux-pam/issues/743
	Fixes: 9ebc14085a3b ("pam_unix: allow disabled password aging")

2024-01-18  Tobias Stoeckmann  <tobias@stoeckmann.org>

	libpam_misc: use size_t for sizes.
	Theoretically the int might overflow. Use a size_t to protect this
	function which might be called from an application, because it is
	exposed through pam_misc.h header.

2024-01-18  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_env: remove escaped newlines from econf lines.
	The libeconf routines do not remove escaped newlines the way we want to
	process them later on. Manually remove them from values.

	Resolves: https://github.com/linux-pam/linux-pam/issues/738
	Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")

2024-01-18  Dmitry V. Levin  <ldv@strace.io>

	pam_env: fix --enable-vendordir fallback logic.
	* modules/pam_env/pam_env.c (_parse_config_file) [!USE_ECONF &&
	VENDOR_DEFAULT_CONF_FILE]: Do not fallback to vendor pam_env.conf file
	if the config file is specified via module arguments.

	Link: https://github.com/linux-pam/linux-pam/issues/738
	Fixes: v1.5.3~69 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")

2024-01-18  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_env: check VENDORDIR after config.h inclusion.
	The VENDORDIR define has to be checked after config.h
	inclusion, otherwise the ifdef test always yields false.

	Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")

2024-01-18  Tobias Stoeckmann  <tobias@stoeckmann.org>

	libpam: fix build with --enable-read-both-confs.
	If configure option --enable-read-both-confs is used, the build
	fails with 1.6.0 due to missing stack level depth argument passed to
	_pam_parse_conf_file.

	Resolves: https://github.com/linux-pam/linux-pam/issues/736
	Fixes: v1.6.0~205 ("libpam: avoid infinite recursion with includes")

2024-01-17  Jacob Heider  <jacob@pkgx.dev>

	pam_namespace: include stdint.h.
	pam_namespace.c makes use of SIZE_MAX but doesn't include stdint.h,
	resulting in the following build failures on 1.6.0:

	  pam_namespace.c: In function 'process_line':
	  pam_namespace.c:649:41: error: 'SIZE_MAX' undeclared (first use in this function)
	    649 |         if (count > UINT_MAX || count > SIZE_MAX / sizeof(uid_t)) {
	        |                                         ^~~~~~~~
	  pam_namespace.c:41:1: note: 'SIZE_MAX' is defined in header '<stdint.h>'; did you forget to '#include <stdint.h>'?
	     40 | #include "argv_parse.h"
	    +++ |+#include <stdint.h>
	     41 |
	  pam_namespace.c:649:41: note: each undeclared identifier is reported only once for each function it appears in
	    649 |         if (count > UINT_MAX || count > SIZE_MAX / sizeof(uid_t)) {
	        |                                         ^~~~~~~~

	Fixes: v1.6.0~100 ("pam_namespace: validate amount of uids in config")
	Resolves: https://github.com/linux-pam/linux-pam/issues/733

2024-01-17  Dmitry V. Levin  <ldv@strace.io>

	Prepare for 1.6.0 release.
	* configure.ac (AC_INIT): Raise version to 1.6.0.
	* po/Linux-PAM.pot (Project-Id-Version): Likewise.
	* NEWS: Update.

	Resolves: https://github.com/linux-pam/linux-pam/issues/690

2024-01-17  Matthias Gerstner  <matthias.gerstner@suse.de>

	pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS situations
	Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
	being placed in user controlled directories, causing the PAM module to
	block indefinitely during `openat()`.

	Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
	refer to a directory.

	With this the check whether the final path element is a directory
	becomes unnecessary, drop it.
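
The effect of O_DIRECTORY described in the entry above, shown on a scratch directory that holds one real subdirectory and one FIFO. This is an added example, not code from pam_namespace: the helper names and the /tmp scratch path are assumptions, and the second probe adds O_NONBLOCK only so that the demonstration returns instead of blocking.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open one path element relative to dfd with O_DIRECTORY.
 * Returns 0 if it is a directory, otherwise the negated errno. */
static int probe_as_directory(int dfd, const char *name)
{
    int fd = openat(dfd, name, O_RDONLY | O_DIRECTORY | O_CLOEXEC);

    if (fd < 0)
        return -errno;
    close(fd);
    return 0;
}

/* Same open without O_DIRECTORY.  O_NONBLOCK is here only to keep the
 * demo from hanging: a plain O_RDONLY open of a FIFO waits for a writer. */
static int probe_plain_nonblock(int dfd, const char *name)
{
    int fd = openat(dfd, name, O_RDONLY | O_NONBLOCK | O_CLOEXEC);

    if (fd < 0)
        return -errno;
    close(fd);
    return 0;
}

/* Build the scratch directory (constructed test data), probe both
 * entries, clean up.  Returns 0 if the setup worked, -1 otherwise. */
static int run_demo(int *dir_rc, int *fifo_rc, int *fifo_plain_rc)
{
    char tmpl[] = "/tmp/odirectory-demo-XXXXXX";
    int dfd, rc = -1;

    if (mkdtemp(tmpl) == NULL)
        return -1;
    dfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd >= 0) {
        if (mkdirat(dfd, "subdir", 0700) == 0 &&
            mkfifoat(dfd, "fifo", 0600) == 0) {
            *dir_rc = probe_as_directory(dfd, "subdir");
            *fifo_rc = probe_as_directory(dfd, "fifo");
            *fifo_plain_rc = probe_plain_nonblock(dfd, "fifo");
            rc = 0;
        }
        unlinkat(dfd, "fifo", 0);
        unlinkat(dfd, "subdir", AT_REMOVEDIR);
        close(dfd);
    }
    rmdir(tmpl);
    return rc;
}

int main(void)
{
    int dir_rc, fifo_rc, fifo_plain_rc;

    if (run_demo(&dir_rc, &fifo_rc, &fifo_plain_rc) != 0) {
        perror("setup");
        return 1;
    }
    printf("subdir with O_DIRECTORY: %d\n", dir_rc);
    printf("fifo with O_DIRECTORY:   %d (ENOTDIR is %d)\n", fifo_rc, ENOTDIR);
    printf("fifo without it:         %d\n", fifo_plain_rc);
    return 0;
}
```

The FIFO is refused with ENOTDIR before it is opened, which is why the separate check on the final path element is no longer needed.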

2024-01-16  Dmitry V. Levin  <ldv@strace.io>

	po: update .pot and .po files.
	Regenerate po/Linux-PAM.pot and po/*.po using "make -C po update-po"
	command.  This essentially updates the line numbers and timestamps.

2024-01-16  Damien Pou  <dampato+linux@ik.me>

	po: update translations using Weblate (French)
	Currently translated at 100.0% (101 of 101 strings).

	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/

2024-01-16  Tobias Stoeckmann  <tobias@stoeckmann.org>

	libpam: fix typo in comment.

	pam_pwhistory: fix typo in example configuration.
	The option file points to a file, not a directory.

2024-01-16  Christian Göttsche  <cgzones@googlemail.com>

	NEWS: fix typos.

	pam_unix: fix typos in comments.

	ci: bump actions/checkout to v4.

2024-01-16  Christian Göttsche  <cgzones@googlemail.com>

	doc: do not clean bootstrapped files.
	The two files custom-html.xsl and custom-man.xsl are created at
	configure time.  Only delete them on `make distclean` instead of
	`make clean` to be able to re-generate manual pages afterwards.

	Fixes: b285afe0ea45 ("doc: remove generated files during cleanup")

2024-01-16  Christian Göttsche  <cgzones@googlemail.com>

	configure: require libsystemd on --enable-logind.
	Fail if --enable-logind is specified while libsystemd cannot be found,
	so the feature is reliably enabled on request.

	Complements: v1.5.3~26 ("Y2038: use logind instead of utmp")

2024-01-16  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_pwhistory: use cp variable only when needed.
	Removes its usage from check_old_pass and reduces its
	visibility in save_old_pass.

	pam_pwhistory: parse opasswd lines verbatim.
	Users may have a hash character in their name, which would be removed.
	This in turn effectively defeats the purpose of pam_pwhistory for the
	user.

2024-01-16  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_unix: do not allow comma as a field separator.
	The opasswd file shall not use comma as a separator. Enforce colon just
	like pam_pwhistory does as well.

	A comma can be part of a user name, although its usage is discouraged.
	If such a user exists, it could happen that stored passwords of another
	user are checked.

2024-01-16  Dmitry V. Levin  <ldv@strace.io>

	modules: do not invoke getline(3) unnecessarily.
	Replace
	  while (getline(...) != -1 && retval)
	with
	  while (retval && getline(...) != -1)

	* modules/pam_listfile/pam_listfile.c (pam_listfile): Do not invoke
	getline(3) when its result is going to be ignored.
	* modules/pam_securetty/pam_securetty.c (securetty_perform_check):
	Likewise.

2024-01-15  Christian Göttsche  <cgzones@googlemail.com>

	pam_unix: declare read-only data array const.

	pam_unix: log about failure to execute unix_chkpwd(8)

	pam_unix: clean additional possible sensitive buffers.

	pam_unix: use more appropriate types.

	pam_unix: retain const qualifier.

	pam_unix: enclose macro arguments.

2024-01-15  Christian Göttsche  <cgzones@googlemail.com>

	pam_unix: set close-on-exec.
	Since the module operates on sensitive files set the close-on-exec flag,
	to avoid file descriptor leaks if there is ever any sibling thread.

	The fopen(3) mode "e" is supported in glibc since version 2.7 (released
	in 2007), and ignored prior, see:
	https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=65d834b0add966dbbdb5ed1e916c60b2b2d87f10

2024-01-15  Christian Göttsche  <cgzones@googlemail.com>

	pam_unix: support setgid version of unix_chkpwd(8)
	In case unix_chkpwd(8) is not a setuid but a setgid binary, reset to the
	real group as well.

	Also check the privileges are permanently lost, see:
	https://wiki.sei.cmu.edu/confluence/display/c/POS37-C.+Ensure+that+privilege+relinquishment+is+successful

	See also the current Debian patch:
	https://sources.debian.org/src/pam/1.5.2-9.1/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch/

2024-01-15  Christian Göttsche  <cgzones@googlemail.com>

	pam_unix: reject unix_update(8) running on different unprivileged user.
	In case unix_update(8) is installed as a setuid binary, which Fedora and
	Debian do not do, prevent unprivileged users from probing (and eventually
	changing) passwords of other users (including root).

2024-01-15  Christian Göttsche  <cgzones@googlemail.com>

	pam_unix: add audit support to unix_update(8)
	Emit audit reports in the helper unix_update(8) about abnormal
	executions, unprivileged authentications, and password updates.

	Also log unprivileged authentication failures to syslog.

2024-01-15  Christian Göttsche  <cgzones@googlemail.com>

	pam_unix: refactor audit logging.
	Split the audit logging code into a separate file, to be reused by
	unix_update(8).

2024-01-15  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_unix: fix regressions.
	The returned value stored in pwd from _unix_getpwnam is inserted into
	pam handler through pam_set_data. Do not manually free the value.

	Also check getline return value for != -1 instead of == -1.

	Fixes 8f2ca5919b26843ef774ef0aeb9bf261dec943a0 and
	73d009e9ea8edafc18c7fe3650b25dd6bdce88c1. No release affected.

2024-01-15  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_pwhistory: disable SELinux code if not used.
	Disable code to run helper binary if SELinux is not enabled.

2024-01-15  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_pwhistory: build pwhistory_helper only with SELinux enabled.
	Apply the same logic of pam_unix Makefile adjustment for
	pw_history as well. Reference commit is
	cb9f88ba944d56c0b6c65be18500f7d56c9f514c.

	The helper pwhistory_helper(8) is only called from code enabled when
	SELinux support is enabled.

2024-01-15  Christian Göttsche  <cgzones@googlemail.com>

	pam_pwhistory: annotate declaration with format attribute.
	Instead of annotating the function definition with the format attribute
	annotate the declaration, so the annotation is visible at call sites.

	pam_unix: annotate declaration with format attribute.
	Instead of annotating the function definition with the format attribute
	annotate the declaration, so the annotation is visible at call sites.

2024-01-14  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_succeed_if: add unit test.
	Cover previous changes with unit test.

	pam_succeed_if: empty strings are no number.
	If an empty string is encountered, do not treat it as 0. Instead,
	return PAM_SERVICE_ERR as specified in comment.

2024-01-14  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_succeed_if: allow very long field values.
	Fields are currently written to stack buffer, even if they already
	exist in heap. Just reference them in this case. If numbers have to be
	stored as a string, use a stack buffer sufficiently large for the
	long long conversion (64 bit).

	Also adjust the "left != buf" check to allow this change. It is simply
	the else-statement to previous if-else-if-block, because in every other
	case left is set to buf.

2024-01-13  Tobias Stoeckmann  <tobias@stoeckmann.org>

	treewide: remove unused defines.
	These are leftovers from fgets usages.

2024-01-13  Dmitry V. Levin  <ldv@strace.io>

	pam_usertype: do not call pam_sm_authenticate.
	Calling an exported function from the module is unsafe as there is no
	guarantee that the function that will be actually called is the one that
	is provided by the module.

	* modules/pam_usertype/pam_usertype.c (pam_sm_authenticate): Rename
	to pam_usertype, add static qualifier, remove "flags" argument.
	Update all callers.  Add a new pam_sm_authenticate as a thin wrapper
	around pam_usertype.

2024-01-13  Dmitry V. Levin  <ldv@strace.io>

	pam_succeed_if: do not call pam_sm_authenticate.
	Calling an exported function from the module is unsafe as there is no
	guarantee that the function that will be actually called is the one that
	is provided by the module.

	* modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Rename
	to pam_succeed_if, add static qualifier, remove "flags" argument.
	Update all callers.  Add a new pam_sm_authenticate as a thin wrapper
	around pam_succeed_if.

2024-01-13  Dmitry V. Levin  <ldv@strace.io>

	pam_sepermit: do not call pam_sm_authenticate.
	Calling an exported function from the module is unsafe as there is no
	guarantee that the function that will be actually called is the one that
	is provided by the module.

	* modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Rename
	to pam_sepermit, add static qualifier, remove "flags" argument.
	Update all callers.  Add a new pam_sm_authenticate as a thin wrapper
	around pam_sepermit.

2024-01-13  Dmitry V. Levin  <ldv@strace.io>

	pam_localuser: do not call pam_sm_authenticate.
	Calling an exported function from the module is unsafe as there is no
	guarantee that the function that will be actually called is the one that
	is provided by the module.

	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Rename
	to pam_localuser, add static qualifier, remove "flags" argument.
	Update all callers.  Add a new pam_sm_authenticate as a thin wrapper
	around pam_localuser.

2024-01-13  Dmitry V. Levin  <ldv@strace.io>

	pam_listfile: do not call pam_sm_authenticate.
	Calling an exported function from the module is unsafe as there is no
	guarantee that the function that will be actually called is the one that
	is provided by the module.

	* modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Rename
	to pam_listfile, add static qualifier, remove "flags" argument.
	Update all callers.  Add a new pam_sm_authenticate as a thin wrapper
	around pam_listfile.

2024-01-13  Dmitry V. Levin  <ldv@strace.io>

	pam_lastlog: do not call pam_sm_authenticate.
	Calling an exported function from the module is unsafe as there is no
	guarantee that the function that will be actually called is the one that
	is provided by the module.

	* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Rename to
	pam_auth, add static qualifier, remove "flags" argument.
	Update all callers.  Add a new pam_sm_authenticate as a thin wrapper
	around pam_auth.

2024-01-13  Dmitry V. Levin  <ldv@strace.io>

	pam_access: do not call pam_sm_authenticate.
	Calling an exported function from the module is unsafe as there is no
	guarantee that the function that will be actually called is the one that
	is provided by the module.

	* modules/pam_access/pam_access.c (pam_sm_authenticate): Rename to
	pam_access, add static qualifier, remove "flags" argument.
	Update all callers.  Add a new pam_sm_authenticate as a thin wrapper
	around pam_access.

2024-01-13  Dmitry V. Levin  <ldv@strace.io>

	pam_listfile: log all option errors.
	The parser of module options used to bail out after the first option
	error without checking other options.  With this change, while the
	return code semantics remains unchanged, all option errors are logged.

	* modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Log all
	option errors.

2024-01-13  Dmitry V. Levin  <ldv@strace.io>

	pam_listfile: consistently log unknown options.
	In most cases the parser of module options already logs unknown options
	before returning, but in two cases it didn't.

	* modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Log unknown
	onerr= and sense= options.

2024-01-13  Andreas Vögele  <andreas@andreasvoegele.com>

	pam_access: add quiet_log option.
	If quiet_log option is specified, no "access denied" message is logged.

	* modules/pam_access/pam_access.c (struct login_info): Add quiet_log.
	(parse_args): Initialize it.
	(pam_sm_authenticate): Use it.
	* modules/pam_access/pam_access.8.xml: Document quiet_log option.

	Closes: https://github.com/linux-pam/linux-pam/issues/706

2024-01-13  김인수  <simmon@nplob.com>

	po: update translations using Weblate (Korean)
	Currently translated at 100.0% (101 of 101 strings).

	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/

2024-01-12  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_listfile: treat \r like \n.
	The characters \r and \n are replaced by NUL byte. Treat a line which
	is empty after removal of \r just like lines which are empty after
	the removal of \n.

	pam_env: allow escaping of escape character.
	Otherwise it is not possible to add \ into an environment variable.

	modules: simplify newline removal.

	pam_debug: simplify state function.
	The return value of function state is never checked.

	pam_env: fix Makefile.am dependencies.
	Comply with doc/man and enforce that pam_env.conf.5 does exist.

	doc: remove generated files during cleanup.

	doc: remove unneeded test statement.
	Since pam.d.5 is a generated file, the test for existence in srcdir can
	be removed.

2024-01-12  Tobias Stoeckmann  <tobias@stoeckmann.org>

	treewide: strictly separate builddir and srcdir.
	Building outside of source directory fails if --disable-doc is not
	explicitly chosen.

	This happens because generated files are sometimes expected in the
	source directory, where they won't exist.

2024-01-08  Christian Göttsche  <cgzones@googlemail.com>

	pam_unix: build unix_update only with SELinux enabled.
	The helper unix_update(8) is only called from code enabled when SELinux
	support is enabled.

2024-01-08  Christian Göttsche  <cgzones@googlemail.com>

	pam_unix: fix memory leak.
	Free the allocated line buffer on success.

	Reported by GCC analyzer.

	Fixes: 4a2d60e9 ("pam_unix: use getline in _unix_getpwnam")

2024-01-08  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_unix: do not truncate user names.
	This could allow users with very long names to impersonate a user
	with a 255 characters long name.

	The check if the argument argv[1] actually matches the user name
	implies that "user" can unconditionally be set to argv[1]: If they are
	equal, the strings are obviously equal. If they are not or if null is
	returned by getuidname, "user" is set to argv[1] anyway.

	This way, the static buffer can be safely removed because the result
	of getpwuid() is not stored, which means that subsequent calls to
	such functions can safely overwrite their internal buffers.

2024-01-08  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_access: avoid group name truncation.
	If a very long group name is supplied, do not truncate it. It is safe to
	work directly on the supplied token, which is also already done in
	user_match, from where group_match is also called.

	pam_limits: prevent overflow with very long line.
	The strcpy is not safe anymore because input lines can be very long.
	Use strdup instead. If allocation fails, treat the error exactly
	like a memory allocation issue in pam_modutil functions.

2024-01-05  Tobias Stoeckmann  <tobias@stoeckmann.org>

	libpam: use getrandom if possible.
	Use getrandom to retrieve random numbers for delay calculation.

	If it fails or is not available, keep using current algorithm.

2024-01-05  Tobias Stoeckmann  <tobias@stoeckmann.org>

	libpam: handle long delays properly.
	If a delay close to UINT_MAX has been set, then the delay computation
	might overflow the value due to added randomness.

	Systems where linux-pam is in use should generally have a 32 bit
	unsigned int and a 64 bit unsigned long long, and a time_t of either
	64 bit or 32 bit. Under these assumptions, using the result for delay is
	safe because of the division before assigning it to tv_sec (time_t).

	Thought about using uint64_t type here but as long as "unsigned int"
	is part of the API instead of uint32_t, no proper guarantees could be
	made anyway.

	Unfortunately we have to supply an unsigned int if a PAM_FAIL_DELAY
	function has been set. In such a case, supply a UINT_MAX if delay is
	larger than that. It's the best we can do without breaking the API.

2024-01-05  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_env: use _pam_assemble_line.
	When pam_env is compiled without libeconf support enabled,
	this removes fgets limitations and allows arbitrarily long lines.

	libpam: clear config line memory before free.

	libpam: allow custom escaped newline replacement.
	To use _pam_assemble_line in pam_env, we must be able to modify the
	replacement of an escaped newline. The PAM configuration replaces it
	with a blank, while pam_env fully removes it.

2024-01-05  Tobias Stoeckmann  <tobias@stoeckmann.org>

	libpam: move line assembling functions to header.
	This follows the idiom of debug functions which reside in headers to
	allow their usage within libpam itself and its modules without adding
	modutil functions, i.e. extending the API.

	No functional change.

2024-01-05  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_env: skip _expand_arg if possible.
	If no special characters exist, simply skip _expand_arg to avoid
	memory allocations and string copying.

	pam_env: extend test for escaped newlines.
	This covers the _assemble_line functionality, which slightly differs
	from _pam_assemble_line in libpam, i.e. does not replace the backslash
	with a blank.
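
Added example, not part of the commit messages and not the libpam or pam_env implementation: a small line assembler showing the difference noted above and in "libpam: allow custom escaped newline replacement", where an escaped newline becomes a blank in PAM configuration but is removed in pam_env. The function name, its interface and the sample input are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: one continued line followed by a plain one. */
static const char SAMPLE[] = "FOO=long\\\nvalue\nBAR=1\n";

/* Return the next logical line from *cursor as a malloc'd string and
 * advance *cursor past it. Each backslash-newline pair is replaced by
 * `repl`, or removed when repl is '\0'. Returns NULL at end of input
 * or on allocation failure. There is no fixed line-length limit. */
static char *next_logical_line(const char **cursor, char repl)
{
    const char *p = *cursor;
    size_t o = 0;
    char *out;

    if (*p == '\0')
        return NULL;
    out = malloc(strlen(p) + 1);  /* output is never longer than the input */
    if (out == NULL)
        return NULL;
    while (*p != '\0' && *p != '\n') {
        if (p[0] == '\\' && p[1] == '\n') {
            if (repl != '\0')
                out[o++] = repl;  /* PAM configuration style */
            p += 2;               /* skip backslash and newline */
        } else {
            out[o++] = *p++;
        }
    }
    if (*p == '\n')
        p++;                      /* consume the unescaped line terminator */
    out[o] = '\0';
    *cursor = p;
    return out;
}

int main(void)
{
    const char *c = SAMPLE;
    char *line;
    while ((line = next_logical_line(&c, '\0')) != NULL) {
        printf("[%s]\n", line);   /* pam_env style: continuation removed */
        free(line);
    }
    return 0;
}
```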

	pam_env: allow very long variable expansions.
	Variable expansion can exceed the maximum line length allowed in an
	environment configuration file. Since PAM environment variables already
	support arbitrary lengths, allow them in pam_env as well.

	pam_namespace: fix typo in manual page.

	doc: Fix grammar mistake in Linux-PAM-ADG.xml.

	pam_unix: fix typos in manual page.

	treewide: fix typos in comments.

	libpam: use correct function definition.
	The declaration uses static keyword, the definition does not.
	Fix the definition, because the function is only used in this
	file.

2024-01-04  Christian Göttsche  <cgzones@googlemail.com>

	libpam: enclose function macros.
	Avoid potential dangling-else issues by wrapping macros inside a while
	loop.

	libpamc: merge includes.

	libpam: fix indentation.
	Reported by clang-tidy.

2024-01-04  Dmitry V. Levin  <ldv@strace.io>

	pam_unix/passverify: always run the helper to obtain shadow password file entries
	Initially, when pam_unix.so verified the password, it used to try to
	obtain the shadow password file entry for the given user by invoking
	getspnam(3), and only when that didn't work and the effective uid
	was nonzero, pam_unix.so used to invoke the helper as a fallback.

	When SELinux support was introduced by commit
	67aab1ff5515054341a438cf9804e9c9b3a88033, the fallback was extended
	also for the case when SELinux was enabled.

	Later, commit f220cace205332a3dc34e7b37a85e7627e097e7d extended the
	fallback conditions for the case when pam_modutil_getspnam() failed
	with EACCES.

	Since commit 470823c4aacef5cb3b1180be6ed70846b61a3752, the helper is
	invoked as a fallback when pam_modutil_getspnam() fails for any reason.

	The ultimate solution for the case when pam_unix.so does not have
	permissions to obtain the shadow password file entry is to stop trying
	to use pam_modutil_getspnam() and to invoke the helper instead.
	Here are two recent examples.

	https://github.com/linux-pam/linux-pam/pull/484 describes a system
	configuration where libnss_systemd is enabled along with libnss_files
	in the shadow entry of nsswitch.conf, so when libnss_files is unable
	to obtain the shadow password file entry for the root user, e.g. when
	SELinux is enabled, NSS falls back to libnss_systemd which returns
	a synthesized shadow password file entry for the root user, which
	in turn locks the root user out.

	https://bugzilla.redhat.com/show_bug.cgi?id=2150155 describes
	essentially the same problem in a similar system configuration.

	This commit is the final step in the direction of addressing the issue:
	for password verification pam_unix.so now invokes the helper instead of
	making the pam_modutil_getspnam() call.

	* modules/pam_unix/passverify.c (get_account_info) [!HELPER_COMPILE]:
	Always return PAM_UNIX_RUN_HELPER instead of trying to obtain
	the shadow password file entry.

	Complements: https://github.com/linux-pam/linux-pam/pull/386
	Resolves: https://github.com/linux-pam/linux-pam/pull/484
	Link: https://github.com/authselect/authselect/commit/1e78f7e048747024a846fd22d68afc6993734e92

2024-01-04  Christian Göttsche  <cgzones@googlemail.com>

	pam_timestamp: correct failure condition.
	Bail out on NULL pointer, not otherwise.

	Reported by cppcheck.

	Fixes: 8a3f0810 ("Y2038: use logind instead of utmp")

2024-01-04  Christian Göttsche  <cgzones@googlemail.com>

	pam_filter: drop invalid tty hack.
	The open(3) flag O_NOCTTY does not detach the calling process from the
	opened file descriptor, like TIOCNOTTY, see tty(4), does.

	Drop the invalid hack to avoid the file descriptor being leaked.

	Reported by cppcheck.

2024-01-04  Christian Göttsche  <cgzones@googlemail.com>

	tests: avoid NULL dereference in error branch.
	Reported by cppcheck.

2024-01-04  Christian Göttsche  <cgzones@googlemail.com>

	pam_timestamp: fix condition order.
	Check the array index first before dereferencing the array.
	Also convert the index type to size_t to avoid casting.

	Reported by cppcheck.

2024-01-04  Christian Göttsche  <cgzones@googlemail.com>

	libpamc/test: fix assignment.
	Assign the error code instead of performing a no-op comparison.

	Reported by cppcheck.

2024-01-04  Christian Göttsche  <cgzones@googlemail.com>

	libpamc/test: pipe deallocation mismatch.
	Close pipes opened via popen(3) with pclose(3).
	Also close the pipe in error branches.

	Reported by cppcheck.
