2024-01-17  Dmitry V. Levin  <ldv@strace.io>

	Prepare for 1.6.0 release.
	* configure.ac (AC_INIT): Raise version to 1.6.0.
	* po/Linux-PAM.pot (Project-Id-Version): Likewise.
	* NEWS: Update.

	Resolves: https://github.com/linux-pam/linux-pam/issues/690

2024-01-17  Matthias Gerstner  <matthias.gerstner@suse.de>

	pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS situations
	Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
	being placed in user controlled directories, causing the PAM module to
	block indefinitely during `openat()`.

	Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
	refer to a directory.

	With this the check whether the final path element is a directory
	becomes unnecessary, drop it.

2024-01-16  Dmitry V. Levin  <ldv@strace.io>

	po: update .pot and .po files.
	Regenerate po/Linux-PAM.pot and po/*.po using "make -C po update-po"
	command.  This essentially updates the line numbers and timestamps.

2024-01-16  Damien Pou  <dampato+linux@ik.me>

	po: update translations using Weblate (French)
	Currently translated at 100.0% (101 of 101 strings).

	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/

2024-01-16  Tobias Stoeckmann  <tobias@stoeckmann.org>

	libpam: fix typo in comment.

	pam_pwhistory: fix typo in example configuration.
	The option file points to a file, not a directory.

2024-01-16  Christian Göttsche  <cgzones@googlemail.com>

	NEWS: fix typos.

	pam_unix: fix typos in comments.

	ci: bump actions/checkout to v4.

2024-01-16  Christian Göttsche  <cgzones@googlemail.com>

	doc: do not clean bootstrapped files.
	The two files custom-html.xsl and custom-man.xsl are created at
	configure time.  Only delete them on `make distclean` instead of
	`make clean` to be able to re-generate manual pages afterwards.

	Fixes: b285afe0ea45 ("doc: remove generated files during cleanup")

2024-01-16  Christian Göttsche  <cgzones@googlemail.com>

	configure: require libsystemd on --enable-logind.
	Fail if --enable-logind is specified while libsystemd cannot be found,
	so the feature is reliably enabled on request.

	Complements: v1.5.3~26 ("Y2038: use logind instead of utmp")

2024-01-16  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_pwhistory: use cp variable only when needed.
	Removes its usage from check_old_pass and reduces its
	visibility in save_old_pass.

	pam_pwhistory: parse opasswd lines verbatim.
	Users may have a hash character in their name, which would be removed.
	This in turn effectively defeats the purpose of pam_pwhistory for the
	user.

2024-01-16  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_unix: do not allow comma as a field separator.
	The opasswd file shall not use comma as a separator. Enforce colon just
	like pam_pwhistory does as well.

	A comma can be part of a user name, although its usage is discouraged.
	If such a user exists, it could happen that stored passwords of another
	user are checked.
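Both pam_pwhistory entries above (parse opasswd lines verbatim; use only ':' as the separator) come down to the same parsing discipline. The following is an added example, not Linux-PAM's opasswd code; it assumes the documented opasswd layout `user:uid:count:hash,hash,...` and uses constructed sample content with placeholder hashes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct opasswd_entry {
    char user[256];
    long uid;
    long count;
    char hashes[1024];   /* comma-separated old hashes, kept verbatim */
};

/* Parse one line "user:uid:count:hash,hash,..." (no trailing newline).
 * Only ':' separates fields; the line is taken verbatim, so '#' and ',' inside
 * the user name are data, not a comment marker or a separator. */
static int parse_opasswd_line(const char *line, struct opasswd_entry *e)
{
    const char *sep[3];
    const char *p = line;
    for (int i = 0; i < 3; i++) {
        sep[i] = strchr(p, ':');
        if (!sep[i]) return -1;                  /* fewer than four fields */
        p = sep[i] + 1;
    }
    size_t ulen = (size_t)(sep[0] - line);
    if (ulen == 0 || ulen >= sizeof e->user) return -1;
    memcpy(e->user, line, ulen);
    e->user[ulen] = '\0';

    char *end;
    e->uid = strtol(sep[0] + 1, &end, 10);
    if (end == sep[0] + 1 || end != sep[1]) return -1;   /* empty or non-numeric uid */
    e->count = strtol(sep[1] + 1, &end, 10);
    if (end == sep[1] + 1 || end != sep[2]) return -1;
    if (strlen(p) >= sizeof e->hashes) return -1;
    strcpy(e->hashes, p);
    return 0;
}

/* The bug being avoided: tokenising on both ':' and ',' makes the first token of
 * "alice,bob:1002:..." equal to "alice", so a lookup for alice would check
 * alice,bob's old passwords. Returns 1 if the naive first token equals user. */
int naive_first_field_matches(const char *line, const char *user)
{
    size_t len = strcspn(line, ":,");
    return len == strlen(user) && memcmp(line, user, len) == 0;
}

/* Strict lookup over in-memory file content: the user name must match the whole
 * first field, up to the first ':'. Returns 1 and fills *e on a hit, 0 if absent,
 * -1 if the matching line is malformed. */
int find_opasswd_entry(const char *content, const char *user, struct opasswd_entry *e)
{
    size_t ulen = strlen(user);
    const char *line = content;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len > ulen && line[ulen] == ':' && memcmp(line, user, ulen) == 0) {
            char buf[2048];
            if (len >= sizeof buf) return -1;
            memcpy(buf, line, len);
            buf[len] = '\0';
            return parse_opasswd_line(buf, e) == 0 ? 1 : -1;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return 0;
}

/* Constructed sample content; hash fields are placeholders, not real crypt(3) output. */
static const char sample_opasswd[] =
    "alice,bob:1002:2:$6$old1,$6$old2\n"
    "#sharp:1003:1:$6$old3\n"
    "alice:1001:1:$6$old4\n";

/* Returns the uid recorded for user, -1 if there is no entry, -2 if malformed. */
long lookup_uid(const char *user)
{
    struct opasswd_entry e;
    int r = find_opasswd_entry(sample_opasswd, user, &e);
    return r == 1 ? e.uid : (r == 0 ? -1 : -2);
}

int main(void)
{
    printf("alice -> uid %ld (strict); naive first-field match on alice,bob's line: %d\n",
           lookup_uid("alice"), naive_first_field_matches(sample_opasswd, "alice"));
    return 0;
}
```

The strict lookup returns 1001 for "alice" and 1002 for "alice,bob", while the naive tokeniser reports a match for "alice" on the first line; a '#' in "#sharp" survives because nothing strips comments.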

2024-01-16  Dmitry V. Levin  <ldv@strace.io>

	modules: do not invoke getline(3) unnecessarily.
	Replace
	  while (getline(...) != -1 && retval)
	with
	  while (retval && getline(...) != -1)

	* modules/pam_listfile/pam_listfile.c (pam_listfile): Do not invoke
	getline(3) when its result is going to be ignored.
	* modules/pam_securetty/pam_securetty.c (securetty_perform_check):
	Likewise.

2024-01-15  Christian Göttsche  <cgzones@googlemail.com>

	pam_unix: declare read-only data array const.

	pam_unix: log about failure to execute unix_chkpwd(8)

	pam_unix: clean additional possible sensitive buffers.

	pam_unix: use more appropriate types.

	pam_unix: retain const qualifier.

	pam_unix: enclose macro arguments.

2024-01-15  Christian Göttsche  <cgzones@googlemail.com>

	pam_unix: set close-on-exec.
	Since the module operates on sensitive files set the close-on-exec flag,
	to avoid file descriptor leaks if there is ever any sibling thread.

	The fopen(3) mode "e" is supported in glibc since version 2.7 (released
	in 2007), and ignored prior, see:
	https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=65d834b0add966dbbdb5ed1e916c60b2b2d87f10

2024-01-15  Christian Göttsche  <cgzones@googlemail.com>

	pam_unix: support setgid version of unix_chkpwd(8)
	In case unix_chkpwd(8) is not a setuid but a setgid binary, reset to the
	real group as well.

	Also check the privileges are permanently lost, see:
	https://wiki.sei.cmu.edu/confluence/display/c/POS37-C.+Ensure+that+privilege+relinquishment+is+successful

	See also the current Debian patch:
	https://sources.debian.org/src/pam/1.5.2-9.1/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch/
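The "reset the group as well, then verify the privileges are permanently lost" sequence, as an added example that is not the unix_chkpwd code. It assumes Linux (setresuid/setresgid are used so that real, effective and saved IDs all change, which plain setgid() does not guarantee for a setgid-only helper) and follows the POS37-C recommendation of proving the drop by trying to take the old identity back.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* setresuid/setresgid are Linux (and BSD) extensions; the prototypes are
 * repeated here in case <unistd.h> was first included without _GNU_SOURCE. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

/* Drop to (uid, gid) in all of real, effective and saved IDs and prove the drop
 * cannot be undone. Returns 0 on success, -1 if any step fails or if the old
 * identity can still be regained (SEI CERT POS37-C). */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    uid_t orig_euid = geteuid();
    gid_t orig_egid = getegid();

    /* Groups first: after the uid drop we no longer have CAP_SETGID. Only root
     * can clear supplementary groups, and only bother when there are any. */
    if (orig_euid == 0 && getgroups(0, NULL) > 0 && setgroups(0, NULL) != 0)
        return -1;
    /* A setgid-only helper (egid = shadow, uid unchanged) must reset the group
     * explicitly; a setuid-root helper resets both. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Check every ID actually changed. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* Check the drop is irreversible: taking the old IDs back must fail with EPERM. */
    if (orig_egid != gid && (setgid(orig_egid) != -1 || errno != EPERM))
        return -1;
    if (orig_euid != uid && (setuid(orig_euid) != -1 || errno != EPERM))
        return -1;
    return 0;
}

/* What a helper like unix_chkpwd does first: return to the caller's real
 * identity before touching anything the caller controls. Returns 1 when the
 * drop succeeded and was verified. */
int drop_to_caller(void)
{
    return drop_privileges_permanently(getuid(), getgid()) == 0;
}

int main(void)
{
    printf("dropped to uid %u gid %u: %s\n", (unsigned)getuid(), (unsigned)getgid(),
           drop_to_caller() ? "verified" : "FAILED");
    return 0;
}
```

Run as an ordinary user the routine is a no-op that still passes every check; run from a setuid or setgid binary it is the step that makes everything after it untrusted-safe, and a failure of the final probe must be treated as fatal rather than logged and ignored.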

2024-01-15  Christian Göttsche  <cgzones@googlemail.com>

	pam_unix: reject unix_update(8) running on different unprivileged user.
	In case unix_update(8) is installed as a setuid binary, which Fedora and
	Debian do not do, prevent unprivileged users from probing (and eventually
	changing) passwords of other users (including root).


2024-01-15  Christian Göttsche  <cgzones@googlemail.com>

	pam_unix: add audit support to unix_update(8)
	Emit audit reports in the helper unix_update(8) about abnormal
	executions, unprivileged authentications, and password updates.

	Also log unprivileged authentication failures to syslog.

2024-01-15  Christian Göttsche  <cgzones@googlemail.com>

	pam_unix: refactor audit logging.
	Split the audit logging code into a separate file, to be reused by
	unix_update(8).

2024-01-15  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_unix: fix regressions.
	The returned value stored in pwd from _unix_getpwnam is inserted into
	pam handler through pam_set_data. Do not manually free the value.

	Also check getline return value for != -1 instead of == -1.

	Fixes 8f2ca5919b26843ef774ef0aeb9bf261dec943a0 and
	73d009e9ea8edafc18c7fe3650b25dd6bdce88c1. No release affected.

2024-01-15  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_pwhistory: disable SELinux code if not used.
	Disable code to run helper binary if SELinux is not enabled.

2024-01-15  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_pwhistory: build pwhistory_helper only with SELinux enabled.
	Apply the same logic of pam_unix Makefile adjustment for
	pw_history as well. Reference commit is
	cb9f88ba944d56c0b6c65be18500f7d56c9f514c.

	The helper pwhistory_helper(8) is only called from code enabled when
	SELinux support is enabled.

2024-01-15  Christian Göttsche  <cgzones@googlemail.com>

	pam_pwhistory: annotate declaration with format attribute.
	Instead of annotating the function definition with the format attribute
	annotate the declaration, so the annotation is visible at call sites.

	pam_unix: annotate declaration with format attribute.
	Instead of annotating the function definition with the format attribute
	annotate the declaration, so the annotation is visible at call sites.

2024-01-14  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_succeed_if: add unit test.
	Cover previous changes with unit test.

	pam_succeed_if: empty strings are no number.
	If an empty string is encountered, do not treat it as 0. Instead,
	return PAM_SERVICE_ERR as specified in comment.

2024-01-14  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_succeed_if: allow very long field values.
	Fields are currently written to stack buffer, even if they already
	exist in heap. Just reference them in this case. If numbers have to be
	stored as a string, use a stack buffer sufficiently large for the
	long long conversion (64 bit).

	Also adjust the "left != buf" check to allow this change. It is simply
	the else-statement to previous if-else-if-block, because in every other
	case left is set to buf.

2024-01-13  Tobias Stoeckmann  <tobias@stoeckmann.org>

	treewide: remove unused defines.
	These are leftovers from fgets usages.

2024-01-13  Dmitry V. Levin  <ldv@strace.io>

	pam_usertype: do not call pam_sm_authenticate.
	Calling an exported function from the module is unsafe as there is no
	guarantee that the function that will be actually called is the one that
	is provided by the module.

	* modules/pam_usertype/pam_usertype.c (pam_sm_authenticate): Rename
	to pam_usertype, add static qualifier, remove "flags" argument.
	Update all callers.  Add a new pam_sm_authenticate as a thin wrapper
	around pam_usertype.

2024-01-13  Dmitry V. Levin  <ldv@strace.io>

	pam_succeed_if: do not call pam_sm_authenticate.
	Calling an exported function from the module is unsafe as there is no
	guarantee that the function that will be actually called is the one that
	is provided by the module.

	* modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Rename
	to pam_succeed_if, add static qualifier, remove "flags" argument.
	Update all callers.  Add a new pam_sm_authenticate as a thin wrapper
	around pam_succeed_if.

2024-01-13  Dmitry V. Levin  <ldv@strace.io>

	pam_sepermit: do not call pam_sm_authenticate.
	Calling an exported function from the module is unsafe as there is no
	guarantee that the function that will be actually called is the one that
	is provided by the module.

	* modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Rename
	to pam_sepermit, add static qualifier, remove "flags" argument.
	Update all callers.  Add a new pam_sm_authenticate as a thin wrapper
	around pam_sepermit.

2024-01-13  Dmitry V. Levin  <ldv@strace.io>

	pam_localuser: do not call pam_sm_authenticate.
	Calling an exported function from the module is unsafe as there is no
	guarantee that the function that will be actually called is the one that
	is provided by the module.

	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Rename
	to pam_localuser, add static qualifier, remove "flags" argument.
	Update all callers.  Add a new pam_sm_authenticate as a thin wrapper
	around pam_localuser.

2024-01-13  Dmitry V. Levin  <ldv@strace.io>

	pam_listfile: do not call pam_sm_authenticate.
	Calling an exported function from the module is unsafe as there is no
	guarantee that the function that will be actually called is the one that
	is provided by the module.

	* modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Rename
	to pam_listfile, add static qualifier, remove "flags" argument.
	Update all callers.  Add a new pam_sm_authenticate as a thin wrapper
	around pam_listfile.

2024-01-13  Dmitry V. Levin  <ldv@strace.io>

	pam_lastlog: do not call pam_sm_authenticate.
	Calling an exported function from the module is unsafe as there is no
	guarantee that the function that will be actually called is the one that
	is provided by the module.

	* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Rename to
	pam_auth, add static qualifier, remove "flags" argument.
	Update all callers.  Add a new pam_sm_authenticate as a thin wrapper
	around pam_auth.

2024-01-13  Dmitry V. Levin  <ldv@strace.io>

	pam_access: do not call pam_sm_authenticate.
	Calling an exported function from the module is unsafe as there is no
	guarantee that the function that will be actually called is the one that
	is provided by the module.

	* modules/pam_access/pam_access.c (pam_sm_authenticate): Rename to
	pam_access, add static qualifier, remove "flags" argument.
	Update all callers.  Add a new pam_sm_authenticate as a thin wrapper
	around pam_access.

2024-01-13  Dmitry V. Levin  <ldv@strace.io>

	pam_listfile: log all option errors.
	The parser of module options used to bail out after the first option
	error without checking other options.  With this change, while the
	return code semantics remains unchanged, all option errors are logged.

	* modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Log all
	option errors.

2024-01-13  Dmitry V. Levin  <ldv@strace.io>

	pam_listfile: consistently log unknown options.
	In most cases the parser of module options already logs unknown options
	before returning, but in two cases it didn't.

	* modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Log unknown
	onerr= and sense= options.

2024-01-13  Andreas Vögele  <andreas@andreasvoegele.com>

	pam_access: add quiet_log option.
	If quiet_log option is specified, no "access denied" message is logged.

	* modules/pam_access/pam_access.c (struct login_info): Add quiet_log.
	(parse_args): Initialize it.
	(pam_sm_authenticate): Use it.
	* modules/pam_access/pam_access.8.xml: Document quiet_log option.

	Closes: https://github.com/linux-pam/linux-pam/issues/706

2024-01-13  김인수  <simmon@nplob.com>

	po: update translations using Weblate (Korean)
	Currently translated at 100.0% (101 of 101 strings).

	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/

2024-01-12  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_listfile: treat \r like \n.
	The characters \r and \n are replaced by NUL byte. Treat a line which
	is empty after removal of \r just like lines which are empty after
	the removal of \n.

	pam_env: allow escaping of escape character.
	Otherwise it is not possible to add \ into an environment variable.

	modules: simplify newline removal.

	pam_debug: simplify state function.
	The return value of function state is never checked.

	pam_env: fix Makefile.am dependencies.
	Comply with doc/man and enforce that pam_env.conf.5 does exist.

	doc: remove generated files during cleanup.

	doc: remove unneeded test statement.
	Since pam.d.5 is a generated file, the test for existence in srcdir can
	be removed.

2024-01-12  Tobias Stoeckmann  <tobias@stoeckmann.org>

	treewide: strictly separate builddir and srcdir.
	Building outside of source directory fails if --disable-doc is not
	explicitly chosen.

	This happens because generated files are sometimes expected in the
	source directory, where they won't exist.

2024-01-08  Christian Göttsche  <cgzones@googlemail.com>

	pam_unix: build unix_update only with SELinux enabled.
	The helper unix_update(8) is only called from code enabled when SELinux
	support is enabled.

2024-01-08  Christian Göttsche  <cgzones@googlemail.com>

	pam_unix: fix memory leak.
	Free the allocated line buffer on success.

	Reported by GCC analyzer.

	Fixes: 4a2d60e9 ("pam_unix: use getline in _unix_getpwnam")

2024-01-08  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_unix: do not truncate user names.
	This could allow users with very long names to impersonate a user
	with a 255-character-long name.

	The check if the argument argv[1] actually matches the user name
	implies that "user" can unconditionally be set to argv[1]: If they are
	equal, the strings are obviously equal. If they are not or if null is
	returned by getuidname, "user" is set to argv[1] anyway.

	This way, the static buffer can be safely removed because the result
	of getpwuid() is not stored, which means that subsequent calls to
	such functions can safely overwrite their internal buffers.

2024-01-08  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_access: avoid group name truncation.
	If a very long group name is supplied, do not truncate it. It is safe to
	work directly on the supplied token, which is also already done in
	user_match, from where group_match is also called.

	pam_limits: prevent overflow with very long line.
	The strcpy is not safe anymore because input lines can be very long.
	Use strdup instead. If allocation fails, treat the error exactly
	like a memory allocation issue in pam_modutil functions.

2024-01-05  Tobias Stoeckmann  <tobias@stoeckmann.org>

	libpam: use getrandom if possible.
	Use getrandom to retrieve random numbers for delay calculation.

	If it fails or is not available, keep using current algorithm.

2024-01-05  Tobias Stoeckmann  <tobias@stoeckmann.org>

	libpam: handle long delays properly.
	If a delay close to UINT_MAX has been set, then the delay computation
	might overflow the value due to added randomness.

	Systems where linux-pam is in use should generally have a 32 bit
	unsigned int and a 64 bit unsigned long long, and a time_t of either
	64 bit or 32 bit. Under these assumptions, using the result for delay is
	safe because of the division before assigning it to tv_sec (time_t).

	Thought about using uint64_t type here but as long as "unsigned int"
	is part of the API instead of uint32_t, no proper guarantees could be
	made anyway.

	Unfortunately we have to supply an unsigned int if a PAM_FAIL_DELAY
	function has been set. In such a case, supply a UINT_MAX if delay is
	larger than that. It's the best we can do without breaking the API.
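The two libpam delay entries above (getrandom for the jitter source; no overflow when the delay approaches UINT_MAX) as an added example. This is not libpam's _pam_compute_delay and uses its own jitter rule (plus or minus 25% of the base); it assumes Linux for getrandom(2), with a weak time-based fallback where the call fails, and the unsigned int clamp stands in for the PAM_FAIL_DELAY callback's interface.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/random.h>
#endif

/* 32 bits of randomness. Prefers getrandom(2) without blocking; if it is
 * unavailable or fails (early boot, seccomp), falls back to a time-derived
 * value so the delay path never fails outright. */
static uint32_t random_u32(void)
{
    uint32_t r;
#ifdef __linux__
    if (getrandom(&r, sizeof r, GRND_NONBLOCK) == (ssize_t)sizeof r)
        return r;
#endif
    struct timeval tv;
    gettimeofday(&tv, NULL);
    r = (uint32_t)tv.tv_usec ^ ((uint32_t)tv.tv_sec << 12) ^ (uint32_t)getpid();
    return r;
}

/* Jitter the base delay (microseconds) into [0.75*base, 1.25*base].
 * Computed as (base - base/4) + (base/2) * r / 2^32 in unsigned long long:
 * the largest product is below 2^63, so nothing wraps even for UINT_MAX. */
unsigned long long jittered_delay_us(unsigned int base)
{
    unsigned long long b = base;
    unsigned long long span = b / 2;
    unsigned long long r = random_u32();
    return (b - b / 4) + (span * r) / 4294967296ULL;
}

/* For interfaces that only carry an unsigned int (the PAM_FAIL_DELAY callback):
 * saturate instead of silently truncating. */
unsigned int clamp_to_uint(unsigned long long delay_us)
{
    return delay_us > UINT_MAX ? UINT_MAX : (unsigned int)delay_us;
}

/* Split into a timeval for select()/nanosleep(). Dividing before the assignment
 * keeps tv_sec small (at most about 5369 s here), so a 32-bit time_t is fine. */
struct timeval delay_to_timeval(unsigned long long delay_us)
{
    struct timeval tv;
    tv.tv_sec = (time_t)(delay_us / 1000000ULL);
    tv.tv_usec = (suseconds_t)(delay_us % 1000000ULL);
    return tv;
}

/* Invariant check over many samples: every result lies in [0.75b, 1.25b]. */
int check_delay_bounds(unsigned int base, int samples)
{
    unsigned long long lo = (unsigned long long)base - base / 4ULL;
    unsigned long long hi = (unsigned long long)base + base / 4ULL;
    for (int i = 0; i < samples; i++) {
        unsigned long long d = jittered_delay_us(base);
        if (d < lo || d > hi) return 0;
    }
    return 1;
}

int main(void)
{
    unsigned long long d = jittered_delay_us(2000000u);
    struct timeval tv = delay_to_timeval(d);
    printf("base 2 s -> %llu us (%ld s %ld us); UINT_MAX bounds ok: %d\n",
           d, (long)tv.tv_sec, (long)tv.tv_usec, check_delay_bounds(UINT_MAX, 1000));
    return 0;
}
```

The jitter exists so that an attacker cannot learn from the exact length of the failure delay which module in the stack rejected the attempt; doing the arithmetic in a wider type and clamping at the API boundary is what keeps a large configured delay from wrapping into a tiny one.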

2024-01-05  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_env: use _pam_assemble_line.
	When pam_env is compiled without libeconf support enabled,
	this removes fgets limitations and allows arbitrarily long lines.

	libpam: clear config line memory before free.

	libpam: allow custom escaped newline replacement.
	To use _pam_assemble_line in pam_env, we must be able to modify the
	replacement of an escaped newline. The PAM configuration replaces it
	with a blank, while pam_env fully removes it.

2024-01-05  Tobias Stoeckmann  <tobias@stoeckmann.org>

	libpam: move line assembling functions to header.
	This follows the idiom of debug functions which reside in headers to
	allow their usage within libpam itself and its modules without adding
	modutil functions, i.e. extending the API.

	No functional change.

2024-01-05  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_env: skip _expand_arg if possible.
	If no special characters exist, simply skip _expand_arg to avoid
	memory allocations and string copying.

	pam_env: extend test for escaped newlines.
	This covers the _assemble_line functionality, which slightly differs
	from _pam_assemble_line in libpam, i.e. does not replace the backslash
	with a blank.

	pam_env: allow very long variable expansions.
	Variable expansion can exceed the maximum line length allowed in an
	environment configuration file. Since PAM environment variables already
	support arbitrary lengths, allow them in pam_env as well.

	pam_namespace: fix typo in manual page.

	doc: Fix grammar mistake in Linux-PAM-ADG.xml.

	pam_unix: fix typos in manual page.

	treewide: fix typos in comments.

	libpam: use correct function definition.
	The declaration uses static keyword, the definition does not.
	Fix the definition, because the function is only used in this
	file.

2024-01-04  Christian Göttsche  <cgzones@googlemail.com>

	libpam: enclose function macros.
	Avoid potential dangling-else issues by wrapping macros inside a while
	loop.

	libpamc: merge includes.

	libpam: fix indentation.
	Reported by clang-tidy.

2024-01-04  Dmitry V. Levin  <ldv@strace.io>

	pam_unix/passverify: always run the helper to obtain shadow password file entries
	Initially, when pam_unix.so verified the password, it used to try to
	obtain the shadow password file entry for the given user by invoking
	getspnam(3), and only when that didn't work and the effective uid
	was nonzero, pam_unix.so used to invoke the helper as a fallback.

	When SELinux support was introduced by commit
	67aab1ff5515054341a438cf9804e9c9b3a88033, the fallback was extended
	also for the case when SELinux was enabled.

	Later, commit f220cace205332a3dc34e7b37a85e7627e097e7d extended the
	fallback conditions for the case when pam_modutil_getspnam() failed
	with EACCES.

	Since commit 470823c4aacef5cb3b1180be6ed70846b61a3752, the helper is
	invoked as a fallback when pam_modutil_getspnam() fails for any reason.

	The ultimate solution for the case when pam_unix.so does not have
	permissions to obtain the shadow password file entry is to stop trying
	to use pam_modutil_getspnam() and to invoke the helper instead.
	Here are two recent examples.

	https://github.com/linux-pam/linux-pam/pull/484 describes a system
	configuration where libnss_systemd is enabled along with libnss_files
	in the shadow entry of nsswitch.conf, so when libnss_files is unable
	to obtain the shadow password file entry for the root user, e.g. when
	SELinux is enabled, NSS falls back to libnss_systemd which returns
	a synthesized shadow password file entry for the root user, which
	in turn locks the root user out.

	https://bugzilla.redhat.com/show_bug.cgi?id=2150155 describes
	essentially the same problem in a similar system configuration.

	This commit is the final step in the direction of addressing the issue:
	for password verification pam_unix.so now invokes the helper instead of
	making the pam_modutil_getspnam() call.

	* modules/pam_unix/passverify.c (get_account_info) [!HELPER_COMPILE]:
	Always return PAM_UNIX_RUN_HELPER instead of trying to obtain
	the shadow password file entry.

	Complements: https://github.com/linux-pam/linux-pam/pull/386
	Resolves: https://github.com/linux-pam/linux-pam/pull/484
	Link: https://github.com/authselect/authselect/commit/1e78f7e048747024a846fd22d68afc6993734e92

2024-01-04  Christian Göttsche  <cgzones@googlemail.com>

	pam_timestamp: correct failure condition.
	Bail out on NULL pointer, not otherwise.

	Reported by cppcheck.

	Fixes: 8a3f0810 ("Y2038: use logind instead of utmp")

2024-01-04  Christian Göttsche  <cgzones@googlemail.com>

	pam_filter: drop invalid tty hack.
	The open(3) flag O_NOCTTY does not detach the calling process from the
	opened file descriptor, like TIOCNOTTY, see tty(4), does.

	Drop the invalid hack to avoid the file descriptor being leaked.

	Reported by cppcheck.

2024-01-04  Christian Göttsche  <cgzones@googlemail.com>

	tests: avoid NULL dereference in error branch.
	Reported by cppcheck.

2024-01-04  Christian Göttsche  <cgzones@googlemail.com>

	pam_timestamp: fix condition order.
	Check the array index first before dereferencing the array.
	Also convert the index type to size_t to avoid casting.

	Reported by cppcheck.

2024-01-04  Christian Göttsche  <cgzones@googlemail.com>

	libpamc/test: fix assignment.
	Assign the error code instead of performing a no-op comparison.

	Reported by cppcheck.

2024-01-04  Christian Göttsche  <cgzones@googlemail.com>

	libpamc/test: pipe deallocation mismatch.
	Close pipes opened via popen(3) with pclose(3).
	Also close the pipe in error branches.

	Reported by cppcheck.

2024-01-03  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_listfile: use getline.

	pam_unix: use getline.

	pam_xauth: use getline.

	pam_faillock: use getline.

	pam_access: use getline.

	pam_exec: use getline.

	pam_limits: use getline.

	pam_sepermit: use getline.

	pam_securetty: use getline.

	pam_unix: reduce variable visibility.

	pam_unix: calculate user length only if needed.

	pam_unix: use getline in _unix_getpwnam.
	Use getline instead of fgets to allow arbitrarily long lines.

	pam_unix: unify error handling.

	pam_unix: use calloc instead of malloc/memset.

	pam_unix: use size_t instead of int for sizes.
	Also rename buflen to retlen, since it is not associated with the
	variable buf, but ret.

2024-01-03  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_unix: avoid reading uninitialized variable.
	The function _unix_comesfromsource calls _unix_getpwnam internally.
	When changing the authentication token, it is first called to read
	local passwd file and optionally contacting NIS. If an entry is
	found, _unix_getpwnam is called, this time definitely reading passwd
	file and contacting NIS (if support exists) and parsing the entry.

	This is meant to check if the entry is not just available but also
	valid.

	Since the return value of _unix_getpwnam is not checked and the
	supplied pointer is only set in case of success, the check for a
	NULL pointer afterwards can lead to undefined behavior.

	It is easier to call _unix_getpwnam directly, check its return value
	and then check if the entry could be parsed. This in turn reduces the
	amount of /etc/passwd accesses (and fixes a theoretical TOCTOU race).

2024-01-03  Tobias Stoeckmann  <tobias@stoeckmann.org>

	configure.ac: remove unneeded function checks.
	Even if these checks reveal that a function does not exist, there are
	no corresponding HAVE_* or ac_cv_func_* checks in source files.

2024-01-03  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_namespace: validate amount of uids in config.
	If more than INT_MAX uids are found in a configuration line, the
	variable `count` would trigger a signed integer overflow.

	If more than UINT_MAX uids are found in a configuration line, then
	the `num_uids` counter is invalid, which could eventually lead to out
	of boundary accesses.

	Also make sure that size multiplication for malloc does not overflow.
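Strict number handling for configuration fields, as an added example serving both the pam_namespace entry above (bounding the uid count and the malloc size) and the earlier pam_succeed_if entries (an empty string is not 0; a stack buffer sized for the long long conversion). This is not Linux-PAM code; the per-line cap of 65536 uids and the uid_t range check are assumptions chosen for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Parse the whole string as a decimal long long. Unlike a bare strtoll(),
 * this rejects "" (which strtoll turns into 0), leading whitespace, trailing
 * junk and out-of-range values. Returns 0 on success, -1 otherwise. */
int parse_ll_strict(const char *s, long long *out)
{
    char *end;
    if (s == NULL || *s == '\0' || isspace((unsigned char)*s))
        return -1;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0')
        return -1;
    *out = v;
    return 0;
}

int strict_parse_ok(const char *s) { long long v; return parse_ll_strict(s, &v) == 0; }
long long strict_parse_value(const char *s) { long long v; return parse_ll_strict(s, &v) == 0 ? v : LLONG_MIN; }

/* Cap on uids per line (an assumption for this example): far below INT_MAX so an
 * int counter cannot wrap, and small enough that count * sizeof(uid_t) fits size_t. */
#define MAX_UIDS_PER_LINE 65536

/* Parse "1000,1001,1002" into a malloc'd uid_t array. Every element must be a
 * strict non-negative number below UINT_MAX (the invalid uid -1).
 * Returns the element count, or -1 with *out == NULL on any error. */
int parse_uid_list(const char *field, uid_t **out)
{
    *out = NULL;
    size_t count = 1;
    for (const char *p = field; *p; p++) {
        if (*p != ',') continue;
        if (count >= MAX_UIDS_PER_LINE) return -1;        /* refuse rather than overflow */
        count++;
    }
    if (count > SIZE_MAX / sizeof(uid_t)) return -1;      /* unreachable under the cap; kept explicit */
    uid_t *uids = malloc(count * sizeof *uids);
    if (!uids) return -1;

    size_t n = 0;
    const char *p = field;
    for (;;) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        char tmp[32];                                     /* longer than any 64-bit decimal */
        long long v;
        if (len == 0 || len >= sizeof tmp) goto bad;      /* empty element ("1,,2") or absurd length */
        memcpy(tmp, p, len);
        tmp[len] = '\0';
        if (parse_ll_strict(tmp, &v) != 0 || v < 0 || v >= (long long)UINT_MAX) goto bad;
        uids[n++] = (uid_t)v;
        if (!comma) break;
        p = comma + 1;
    }
    *out = uids;
    return (int)n;
bad:
    free(uids);
    return -1;
}

/* Helpers for checks: element count, or the uid at index i (-1 on error). */
int count_uids(const char *s) { uid_t *u; int n = parse_uid_list(s, &u); free(u); return n; }
long long uid_at(const char *s, int i)
{
    uid_t *u;
    int n = parse_uid_list(s, &u);
    long long r = (n > i && i >= 0) ? (long long)u[i] : -1;
    free(u);
    return r;
}

int main(void)
{
    printf("\"\" parses: %d; \"1000,1001,1002\" -> %d uids; \"1000,,1002\" -> %d\n",
           strict_parse_ok(""), count_uids("1000,1001,1002"), count_uids("1000,,1002"));
    return 0;
}
```

Counting separators before allocating, with a hard cap, is what turns "more than INT_MAX uids" from a wrapped counter and an undersized buffer into a plain parse error; the strict parser makes the empty-string case an error instead of uid 0, which for a namespace or succeed_if rule would silently mean root.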

2024-01-03  Matthias Gerstner  <matthias.gerstner@suse.de>

	pam_namespace: document that the namespace.init script runs as root.

	pam_namespace: document instance_prefix field better wrt final element.

2024-01-03  Matthias Gerstner  <matthias.gerstner@suse.de>

	pam_namespace: close unnecessary file descriptors before exec()
	Currently the `rm` subprocess and the namespace init script inherit a
	random set of open file descriptors from the process running PAM.
	Depending on the actual PAM stack configuration these can even be
	security sensitive files. In any case it is unclean to inherit
	unexpected open file descriptors to child processes like this.

	To address this close all file descriptors except stdio before executing
	a new program.
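File-descriptor hygiene for both pam_unix (close-on-exec via the fopen "e" mode, above) and pam_namespace (close everything but stdio before exec, this entry), as one added example that is not Linux-PAM code. It assumes glibc for the "e" flag (with a fcntl fallback elsewhere) and Linux for /proc/self/fd, falling back to a sysconf(_SC_OPEN_MAX) loop; the check forks a child so the closing happens in the process that would exec the helper.

```c
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the stream's descriptor has FD_CLOEXEC set, 0 if not, -1 on error. */
int stream_is_cloexec(FILE *fp)
{
    int flags = fcntl(fileno(fp), F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Open path read-only with FD_CLOEXEC set atomically at open time ("e", glibc
 * 2.7+). On a libc that ignores "e" the flag is set afterwards, which leaves a
 * window in which a fork+exec from another thread could inherit the descriptor. */
FILE *fopen_cloexec(const char *path)
{
    FILE *fp = fopen(path, "re");
    if (fp && stream_is_cloexec(fp) == 0) {
        int flags = fcntl(fileno(fp), F_GETFD);
        if (flags < 0 || fcntl(fileno(fp), F_SETFD, flags | FD_CLOEXEC) < 0) {
            fclose(fp);
            return NULL;
        }
    }
    return fp;
}

/* Close every descriptor above 2. Walks /proc/self/fd when available (exact and
 * cheap); otherwise, or if the list overflowed, sweeps up to _SC_OPEN_MAX.
 * Intended for the child between fork() and exec(). */
void close_all_but_stdio(void)
{
    DIR *d = opendir("/proc/self/fd");
    if (d) {
        int fds[1024];                 /* collect first: closing while reading the directory is undefined */
        size_t n = 0, dropped = 0;
        int dfd = dirfd(d);
        struct dirent *de;
        while ((de = readdir(d)) != NULL) {
            char *end;
            long fd = strtol(de->d_name, &end, 10);
            if (de->d_name[0] == '\0' || *end != '\0' || fd <= 2 || fd == dfd) continue;
            if (n < sizeof fds / sizeof fds[0]) fds[n++] = (int)fd; else dropped++;
        }
        closedir(d);
        for (size_t i = 0; i < n; i++) close(fds[i]);
        if (dropped == 0) return;
    }
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0) max = 1024;
    for (long fd = 3; fd < max; fd++) close((int)fd);
}

/* Check: "r" leaves the descriptor inheritable, fopen_cloexec() does not, and a
 * forked child that runs close_all_but_stdio() no longer holds the leaked
 * descriptor (fcntl reports EBADF). Returns 1 on success, 0 otherwise. */
int check_fd_hygiene(void)
{
    FILE *plain = fopen("/dev/null", "r");
    FILE *safe = fopen_cloexec("/dev/null");
    if (!plain || !safe) return 0;
    int ok = stream_is_cloexec(plain) == 0 && stream_is_cloexec(safe) == 1;
    int leaked = fileno(plain);

    pid_t pid = fork();
    if (pid == 0) {                    /* child: what a helper sees after our cleanup */
        close_all_but_stdio();
        _exit(fcntl(leaked, F_GETFD) == -1 && errno == EBADF ? 0 : 1);
    }
    int status = -1;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) ok = 0;
    else ok = ok && WIFEXITED(status) && WEXITSTATUS(status) == 0;
    fclose(plain);
    fclose(safe);
    return ok;
}

int main(void)
{
    printf("fd hygiene check: %s\n", check_fd_hygiene() ? "ok" : "FAILED");
    return 0;
}
```

Note that FD_CLOEXEC only protects across exec(); a forked child that never execs (or a helper that is started before the flag is set) still inherits the descriptor, which is why the explicit sweep before exec is the belt to the close-on-exec braces.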

2024-01-03  Matthias Gerstner  <matthias.gerstner@suse.de>

	pam_namespace: cleanup_tmpdirs(): use proper error message.

2024-01-03  Matthias Gerstner  <matthias.gerstner@suse.de>

	pam_namespace: fix double-free on parse error in namespace.conf.
	If a line in namespace.conf only consists of one field then the error
	handling logic in process_line() ends up in a double-free, resulting in
	a process abort in libc.

	It looks like instead of NULLing the `dir` variable, the
	`instance_prefix` is NULLed, without purpose. Fix this.

2024-01-02  Anton Gubarkov  <anton.gubarkov@gmail.com>

	pam_exec: allow expose_authtok for password PAM_TYPE.
	Before this change, pam_exec allowed expose_authtok option to be
	specified for "auth" PAM_TYPE only.

	* modules/pam_exec/pam_exec.c (call_exec): Allow expose_authtok
	to be specified for "password" PAM_TYPE.
	* modules/pam_exec/pam_exec.8.xml: Document it.

2024-01-02  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_listfile: drop string duplication.
	The ifname variable is only assigned, but the string content itself is
	never modified. Drop the strdup call to simplify the code.

	pam_listfile: do not truncate arguments.
	Allow arbitrary lengths of arguments coming from pam configuration file.

	pam_listfile: fix typo in comment.

	pam_listfile: fix formatting.
	The formatting made the code look like there is an "else"-block
	followed by an "else if"-block.

	pam_faillock: do not truncate arguments.
	The FAILLOCK_CONF_MAX_LINELINE limitation is not true for arguments
	which derive from pam configuration file.

	pam_wheel: do not truncate group.
	If a pam configuration file contains a very long group name, do not
	silently truncate it.

	pam_env: use strndup.
	The strndup call is easier to review than malloc + strncpy.

	pam_env: reduce variable visibility.
	This will simplify further changes.

	pam_env: remove cast.
	The zu formatter is available, as can be seen one line above. Do not
	cast unnecessarily to unsigned long. Cosmetic change on pretty much
	all supported systems.

	pam_env: fix debug and error messages.
	The tmpptr variable is only used for resolved variables. If the
	creation of expanded string overflows at other places, log the actually
	overflowing character instead of a "random" string in tmpptr.

	pam_env: reduce stack usage.
	It is not required to have a copy of the string on the stack. This removes
	the need of another strncpy call which also makes future cleanups
	easier.

2024-01-01  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_env: fix memory leak.
	If DEFAULT or OVERRIDE is supplied multiple times in a line then memory
	leaks can occur.

	Adjusted test case (compile with address sanitizer to see failure).

2024-01-01  Dmitry V. Levin  <ldv@strace.io>

	pam_listfile: add a configuration file parser test.
	The pam_listfile is apparently the only module in the tree that has
	mandatory options and at the same time bails out in case of unknown
	options.  Use this specific behaviour of the module to test libpam
	configuration file parsing.

	* modules/pam_listfile/tst-pam_listfile-retval.c (main): Perform a test
	dedicated to configuration file parsing.

2023-12-31  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_permit: add configuration file parser test.
	The pam_permit module is the easiest around. Use its test to add another
	test case for configuration file parsing in libpam itself.

2023-12-31  Tobias Stoeckmann  <tobias@stoeckmann.org>

	libpam: support arbitrarily long config lines.
	Use getline in _pam_assemble_line to allow very long lines.

	Also handle escaped newlines and NUL bytes better, even though
	the latter are not valid for text files.

2023-12-31  Tobias Stoeckmann  <tobias@stoeckmann.org>

	libpam: support very long strings in _pam_mkargv.
	This support has to be added before arbitrarily long lines are allowed
	in configuration files.

	pam_motd: support very long arguments.
	The pam_split_string function should not use unsigned int to make sure
	that the counter will never overflow if arbitrarily long configuration
	file lines are supported.

	pam_exec: support very large argc values.
	Prepare the calculation to support very large argc values in order to
	support arbitrarily long configuration lines in the future.

	pam_filter: support very long arguments.
	The return value of strlen has to be stored in size_t for future
	support of arbitrarily long configuration file lines.

2023-12-31  Dmitry V. Levin  <ldv@strace.io>

	pam_listfile.8: enhance formatting.
	* modules/pam_listfile/pam_listfile.8.xml: Fix formatting of option
	arguments.

	pam_listfile.8: fix grammar.
	* modules/pam_listfile/pam_listfile.8.xml: Fix a few grammar issues.

	pam_listfile.8: enhance item=tty description.
	* modules/pam_listfile/pam_listfile.8.xml: Tweak item=tty description
	so it no longer implies that PAM_TTY is always set.

2023-12-30  Dmitry V. Levin  <ldv@strace.io>

	pam_listfile: add a test for return values.
	* modules/pam_listfile/tst-pam_listfile-retval.c: New file.
	* modules/pam_listfile/Makefile.am (TESTS): Add $(check_PROGRAMS).
	(check_PROGRAMS, tst_pam_listfile_retval_LDADD): New variables.

2023-12-30  Dmitry V. Levin  <ldv@strace.io>

	pam_canonicalize_user: fix the test for return values.
	* modules/pam_canonicalize_user/tst-pam_canonicalize_user-retval.c: Fix.
	* modules/pam_canonicalize_user/Makefile.am (TESTS): Add $(check_PROGRAMS).
	(AM_LDFLAGS): Rename to pam_canonicalize_user_la_LDFLAGS.
	(tst_pam_canonicalize_user_retval_LDFLAGS): New variable.

	Fixes: 980ddf706777 ("pam_canonicalize_user: add a test for return values")

2023-12-30  Martin Srebotnjak  <miles@filmsi.net>

	po: update translations using Weblate (Slovenian)
	Currently translated at 17.8% (18 of 101 strings).

	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sl/

2023-12-30  Liu Tao  <lyuutau@outlook.com>

	po: update translations using Weblate (Chinese (Simplified) (zh_CN))
	Currently translated at 98.0% (99 of 101 strings).

	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zh_CN/

2023-12-30  Balázs Úr  <balazs@urbalazs.hu>

	po: update translations using Weblate (Hungarian)
	Currently translated at 100.0% (101 of 101 strings).

	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/hu/

2023-12-30  김인수  <simmon@nplob.com>

	po: update translations using Weblate (Korean)
	Currently translated at 100.0% (101 of 101 strings).

	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/

2023-12-30  Rafael Fontenelle  <rafaelff@gnome.org>

	po: update translations using Weblate (Portuguese (Brazil))
	Currently translated at 100.0% (101 of 101 strings).

	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt_BR/

2023-12-29  Solar Designer  <solar@openwall.com>

	unix_chkpwd, unix_update: Use exit codes 128+ on signals.

2023-12-27  Dmitry V. Levin  <ldv@strace.io>

	pam_timestamp_check: check format_timestamp_name return value.
	* modules/pam_timestamp/pam_timestamp.c [PAM_TIMESTAMP_MAIN] (main):
	Bail out if format_timestamp_name returns an error.

2023-12-24  Dmitry V. Levin  <ldv@strace.io>

	pam_timestamp_check: fix potential null pointer dereferences on error path
	* modules/pam_timestamp/pam_timestamp.c [PAM_TIMESTAMP_MAIN] (main):
	Bail out early in case of initialization errors to avoid potential null
	pointer dereferences in -d mode.

2023-12-24  Fmiard  <yzd50036@gmail.com>

	pam_timestamp_check: fix potential null pointer dereference on error path
	* modules/pam_timestamp/pam_timestamp.c [PAM_TIMESTAMP_MAIN] (main):
	Bail out early if getpwuid fails.

2023-12-21  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_motd: fail if too many motd files encountered.
	Prevent signed integer overflow if too many motd files are encountered.
	Use the easiest approach for such an unlikely scenario.

2023-12-19  Tobias Stoeckmann  <tobias@stoeckmann.org>

	libpam: reduce memory usage of _pam_mkargv.
	The input string "s" is duplicated into "sbuf" and tokens copied from
	there into target memory "our_argv".

	Since "our_argv" is allocated to be always large enough to keep the
	whole string "s" (plus pointers) in it, we can skip "sbuf" entirely.
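
The single-allocation layout described in the entry above (pointer array first, token characters copied directly behind it, no intermediate duplicate of the input), as an added illustration. This is editorial example code, not libpam's _pam_mkargv; the function name mkargv and its signature are assumptions. The size bound is the interesting part: with at least one separator between tokens, the NUL-terminated copies can never exceed strlen(s)+1 bytes and there can be at most (strlen(s)+1)/2 tokens, so the buffer is provably large enough and the copy loop needs no further bounds checks.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Split a module argument line into an argv-style vector using ONE
 * allocation: the char* array sits at the start of the block and the
 * token characters are copied directly behind it.  No temporary copy of
 * the input string is made.
 *
 * Returns the token count; *argvp receives a NULL-terminated vector that
 * the caller releases with a single free(*argvp).  Returns -1 if the
 * allocation fails.  An empty or all-blank input yields an empty vector.
 */
int mkargv(const char *s, char ***argvp)
{
    size_t len = strlen(s);
    /* At most (len+1)/2 tokens plus the terminating NULL pointer;
     * len/2 + 2 covers that for every len (checked: len=1 -> 2, len=3 -> 3). */
    size_t nptrs = len / 2 + 2;
    /* Token storage: sum of token lengths + one NUL per token <= len + 1,
     * because every token after the first is preceded by a separator that
     * is not copied. */
    char **argv = calloc(1, nptrs * sizeof(char *) + len + 1);
    if (argv == NULL)
        return -1;

    char *dst = (char *)(argv + nptrs);   /* characters follow the pointers */
    const char *p = s;
    int argc = 0;

    while (*p != '\0') {
        while (*p != '\0' && isspace((unsigned char)*p))
            p++;                           /* skip separators */
        if (*p == '\0')
            break;
        argv[argc++] = dst;                /* token starts here */
        while (*p != '\0' && !isspace((unsigned char)*p))
            *dst++ = *p++;                 /* copy token bytes */
        *dst++ = '\0';
    }
    argv[argc] = NULL;
    *argvp = argv;
    return argc;
}

int main(void)
{
    /* Constructed sample input resembling a pam.d module argument line. */
    char **argv = NULL;
    int argc = mkargv("  debug use_first_pass\tnullok ", &argv);
    if (argc < 0)
        return 1;
    for (int i = 0; i < argc; i++)
        printf("argv[%d] = \"%s\"\n", i, argv[i]);
    free(argv);                            /* one free releases everything */
    return 0;
}
```

Because pointers and characters share one block, a caller cannot free the vector and leak the strings (or vice versa), which is the usual mistake with two-level argv builders.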

2023-12-19  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_mkhomedir: avoid string copying.
	The characters in skeldir are only assigned, not modified later on.
	Use a const char pointer instead which is easier to verify.

	pam_filter: use stpcpy instead of strcpy.
	It's been checked before that enough space exists. Let stpcpy return
	the correct pointer to end of string instead of keeping track of it
	manually.

	pam_access: reserve space for dot character.
	It should not happen that inet_ntop uses all space available, but
	let's better be safe than sorry, since strcat won't check for us.

2023-12-19  Tobias Stoeckmann  <tobias@stoeckmann.org>

	treewide: use asprintf to construct strings.
	The asprintf function is already considered a given for current code.
	Use it instead of calling malloc + strcpy + strcat manually.

	Reported-by: Benny Baumann <BenBE@geshi.org>

2023-12-19  Tobias Stoeckmann  <tobias@stoeckmann.org>

	treewide: replace malloc followed by strcpy with strdup.
	Suggested-by: Benny Baumann <BenBE@geshi.org>

	pam_xauth: check strdup return value.
	Treat NULL as error just as if cookiefile is constructed manually.

2023-12-19  Benny Baumann  <BenBE@geshi.org>

	pam_timestamp: try RAND_priv_bytes first.
	* modules/pam_timestamp/hmac_openssl_wrapper.c: Include <openssl/rand.h>.
	(generate_key): Try RAND_priv_bytes before getrandom.

	pam_timestamp: prefer getrandom(2) when available.
	* configure.ac (AC_CHECK_HEADERS): Add sys/random.h.
	(AC_CHECK_FUNCS): Add getrandom.
	* modules/pam_timestamp/hmac_openssl_wrapper.c [HAVE_SYS_RANDOM_H]:
	Include <sys/random.h>.
	(generate_key) [HAVE_GETRANDOM]: Call getrandom(2) before trying
	to open /dev/urandom.

2023-12-19  Benny Baumann  <BenBE@geshi.org>

	pam_timestamp: indicate non-null arguments to the compiler.
	As these functions assume their arguments to be valid pointers without
	checking this pre-condition, this should be marked to the compiler.
	Doing so allows detecting potential NULL dereferences when a caller
	may pass in an invalid NULL pointer.

	* modules/pam_timestamp/hmac_openssl_wrapper.c (generate_key, read_file,
	write_file, key_management): Add PAM_NONNULL attribute.

2023-12-19  Benny Baumann  <BenBE@geshi.org>

	pam_timestamp: ensure we get zero-initialized memory.
	This ensures that the whole buffer is in a somewhat defined state all
	the time even when some function calls write into the buffer only
	partially.  This is not strictly necessary, as short writes into
	the buffer are checked, but it's good practice anyway.

	* modules/pam_timestamp/hmac_openssl_wrapper.c (generate_key):
	Replace malloc with calloc.

2023-12-19  Benny Baumann  <BenBE@geshi.org>

	pam_timestamp: allocate memory before opening /dev/urandom.
	It's handy to have the memory allocated before trying several methods
	of obtaining randomness that are going to be introduced by subsequent
	commits.

	* modules/pam_timestamp/hmac_openssl_wrapper.c (generate_key):
	Allocate memory before trying to open /dev/urandom.

2023-12-19  Benny Baumann  <BenBE@geshi.org>

	pam_timestamp: clean buffers before freeing.
	* modules/pam_timestamp/hmac_openssl_wrapper.c (generate_key): Clean
	the buffer on short read.
	(write_file): Clean the buffer on short write.

2023-12-18  Tobias Stoeckmann  <tobias@stoeckmann.org>

	pam_access: fix nul byte handling in config.
