| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
| |
A while back I found a couple audit log injection attacks which became
CVE-2007-3102. I forgot to look at login to see if its vulnerable and Mirek
found that it is. To verify the problem, type:
root addr=xyz.com
for the account name while logging in. It will look like root logged in with
an address of xyz.com.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
|
|
|
|
|
|
| |
We have all tests in the tests/ directory.
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
| |
Signed-off-by: Benno Schulenberg <bensberg@justemail.net>
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
| |
Signed-off-by: James Youngman <jay@gnu.org>
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
| |
Signed-off-by: James Youngman <jay@gnu.org>
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
| |
The strlen() returns size_t, not int. The fgets() returns
pointer, not int.
Signed-off-by: James Youngman <jay@gnu.org>
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
| |
selinux_utils.c:16: warning: assignment discards qualifiers from pointer target type
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
E.g., in this example, the "if (p)" test is useless.
if (p)
free (p);
I've been removing such tests systematically.
Here's where I proposed it to the git folks, along with justification
for why it's ok to perform this transformation, these days (no one
uses SunOS4 anymore):
http://thread.gmane.org/gmane.comp.version-control.git/74187
Signed-off-by: Jim Meyering <meyering@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following patch makes the username-in-upper-case feature optional.
I have chosen to make it default to off since this feature was designed
to cater for serial terminals that were last sold almost 30 years ago,
thus the likelyhood that anyone will need this feature turned on is
vanishingly small.
Addresses-Debian-Bug: 156242
Signed-off-by: Hamish Coleman <hamish@zot.org>
Signed-off-by: LaMont Jones <lamont@debian.org>
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This patch fix a small memory leak (rh#251539) and also remove
unnecessary pam_set_item(). We needn't to zeroing PAM_USER when the
value is already NULL, it doesn't make sense.
Addresses-Red-Hat-Bugzilla: #251539
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
| |
Signed-off-by: Stepan Kasal <skasal@redhat.com>
|
|
|
|
| |
Signed-off-by: Stepan Kasal <skasal@redhat.com>
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
| |
The utils like fdisk or login are usable on non-linux systems.
This patch allows to compile on systems without linux/major.h.
Signed-off-by: Karel Zak <kzak@redhat.com>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
|
|
|
|
| |
Cc: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
| |
Cc: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
| |
Signed-off-by: Benno Schulenberg <bensberg@justemail.net>
|
|
|
|
|
|
|
|
| |
Add a missing period, a missing space, a comma and a word for clarity,
plus a period and an uppercase letter to match surrounding messages.
Further add a missing call to gettext, and undo an unneeded linewrap.
Signed-off-by: Benno Schulenberg <bensberg@justemail.net>
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
chsh will use PAM transaction if macros 'REQUIRE_PASSWORD' and
'HAVE_SECURITY_PAM_MISC_H' are defined, but there is no pam_end function be
used when the PAM transaction be terminated.
This patch also cleanup PAM code in chsh(1).
Signed-off-by: Yu Zhiguo <yuzg@cn.fujitsu.com>
Co-Author: Karel Zak <kzak@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Stupid bug in audit code:
$ login
login: ^D
login: ^D
Segmentation fault
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
| |
A chown-like operations are unexpected when you execute "make install"
as non-root user. For example RPM defines owner+permissions in .spec
file -- you needn't to use root account to create useful RPM package.
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
| |
chsh(1) uses empty shell setting (pw->pw_shell="") as a synonym for
/bin/sh. This convention is silly and unnecessary. (The vsftpd server
will not run if the shell assigned to user "ftp" is a null string --
according to bug rh#103004).
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
| |
Signed-off-by: LaMont Jones <lamont@mmjgroup.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
8 bit characters on the Linux console lead to input corruption (e.g.
German umlauts). This is easily reproducable by inserting a login name with
umlaut and typing backspace afterwards.
agetty supports tty parity, which leads to getty treating these characters
as a 7bit char with set parity.
This patch by Samuel Thibault adds a new option -8 which disables parity
detection for ttys not used for serial logins.
| Note: With this patch, 8bit characters are just silently dropped (that's
| the expected getty behavior), this is quite neat since you then don't
| even need to backspace your 8bit characters :)
Signed-off-by: LaMont Jones <lamont@mmjgroup.com>
|
|
|
|
|
|
| |
The sigsetmask() is deprecated in favor of sigprocmask().
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
| |
Prevent wall from adding an empty newline to every new line.
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
| |
From: Alan Curry <pacman@TheWorld.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This patch add a new 'O' escape code to display domain name
by issue-file (/etc/issue) output.
(Based on an Gentoo patch.)
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
| |
Preprocessor options belong to *_CPPFLAGS; add $(AM_CPPFLAGS) as we
want to amend it, not override.
Signed-off-by: Stepan Kasal <skasal@redhat.com>
|
|
|
|
|
|
|
| |
Build lib/*.c individually for each project which uses it, so that the
right set of flags is applied each time.
Signed-off-by: Stepan Kasal <skasal@redhat.com>
|
|
|
|
|
|
|
| |
Programs which are usually installed with the setuid bit do need their own
CFLAGS and LDFLAGS. SUID_LDFLAGS is analogic to SUID_CFLAGS.
Signed-off-by: Stepan Kasal <skasal@redhat.com>
|
|
|
|
|
|
|
| |
SUID_CFLAGS are not meant to override the makefile-wide AM_CFLAGS.
(We do not use AM_CFLAGS currently, but we will.)
Signed-off-by: Stepan Kasal <skasal@redhat.com>
|
|
|
|
|
|
|
|
| |
The patch allows to define special CFLAGS for typical suid programs
(like mount, umount, chfn, ...). Some distributions use for example
"-fpic" for suid binaries.
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The original newgrp command doesn't expect group pasword in /etc/gshadow
although almost all distributions use this file (and the gpasswd command).
The newgrp from util-linux is deprecated and better is use shadow-utils only.
Unfortunately, shadow-utils are broken too (see RH version where is bugfix).
In this case it's better fix util-linux version at least...
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
| |
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
| |
The login command reports AUDIT_USER_LOGIN message to audit system
(depends on --with-audit).
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This support includes:
* non-PAM version supports IPv6 ranges in /etc/usertty
* utmp records with IPv6 addresses
Based on patch by: Milan Zazrivec <mzazrivec@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
| |
The hnmatch() in checktty.c is checking IP addresses if the login util
is compiled without PAM support.
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
On 64-bit platforms such as x86_64, glibc is usually built with 32-bit
compatibility for various structures. One of them is utmp.
What this means is that gettimeofday(&ut.ut_tv, NULL) on x86_64 will
end up overwriting the first parts of ut_addr_v6, leading to garbage
in the utmp file.
Signed-off-by: Karel Zak <kzak@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The login omits pam_acct_mgmt & chauth_tok when authentication is skipped.
Authentication may be skipped, for example, during krlogin because Kerberos
already took care of it. The problem with skipping pam_acct_mgmt is that it
allows users to use the system when maybe they should not be allowed, such that
if they have a Kerberos ticket, the other checks do not apply.
If a user had to use password authentication, pam_acct_mgmt may reject the user
for several reasons: not allowed to use the system at this time, not allowed to
use this system, user's account has been disabled, etc. Why should these tests
be skipped just because the user has a ticket?
Same with pam_chauthtok: the user may have a valid ticket, but if their
password has expired, they need to enter a new one right now.
Signed-off-by: Karel Zak <kzak@redhat.com>
|