HISTORY revision 271624
1271624SdesOpenPAM Ourouparia 2014-09-12 2271624Sdes 3271624Sdes - ENHANCE: When executing a chain, require at least one service 4271624Sdes function to succeed. This mitigates fail-open scenarios caused by 5271624Sdes misconfigurations or missing modules. 6271624Sdes 7271624Sdes - ENHANCE: Make sure to overwrite buffers which may have contained an 8271624Sdes authentication token when they're no longer needed. 9271624Sdes 10271624Sdes - BUGFIX: Under certain circumstances, specifying a non-existent 11271624Sdes module (or misspelling the name of a module) in a policy could 12271624Sdes result in a fail-open scenario. (CVE-2014-3879) 13271624Sdes 14271624Sdes - FEATURE: Add a search path for modules. This was implemented in 15271624Sdes Nummularia but inadvertently left out of the release notes. 16271624Sdes 17271624Sdes - BUGFIX: The is_upper() predicate only accepted the letter A as an 18271624Sdes upper-case character instead of the entire A-Z range. As a result, 19271624Sdes service and module names containing upper-case letters other than A 20271624Sdes would be rejected. 21271624Sdes============================================================================ 22255376SdesOpenPAM Nummularia 2013-09-07 23255376Sdes 24255376Sdes - ENHANCE: Rewrite the dynamic loader to improve readability and 25255376Sdes reliability. Modules can now be listed without the ".so" suffix in 26255376Sdes the policy file; OpenPAM will automatically add it, just like it 27255376Sdes will automatically add the version number if required. 28255376Sdes 29255376Sdes - ENHANCE: Allow openpam_straddch(3) to be called without a character 30255376Sdes so it can be used to preallocate a string. 31255376Sdes 32255376Sdes - ENHANCE: Improve portability by adding simple asprintf(3) and 33255376Sdes vasprintf(3) implementations for platforms that don't have them. 34255376Sdes 35255376Sdes - ENHANCE: Move the libpam sources into a separate subdirectory. 36255376Sdes 37255376Sdes - ENHANCE: Substantial documentation improvements. 38255376Sdes 39255376Sdes - BUGFIX: When openpam_readword(3) encountered an opening quote, it 40255376Sdes would set the first byte in the buffer to '\0', discarding all 41255376Sdes existing text and, unless the buffer was empty to begin with, all 42255376Sdes subsequent text as well. This went unnoticed because none of the 43255376Sdes unit tests for quoted strings had any text preceding the opening 44255376Sdes quote. 45255376Sdes 46255376Sdes - BUGFIX: make --with-modules-dir work the way it was meant to work 47255376Sdes (but never did). 48255376Sdes============================================================================ 49236109SdesOpenPAM Micrampelis 2012-05-26 50236109Sdes 51236109Sdes - FEATURE: Add an openpam_readword(3) function which reads the next 52236109Sdes word from an input stream, applying shell quoting and escaping 53236109Sdes rules. Add numerous unit tests for openpam_readword(3). 54236109Sdes 55236109Sdes - FEATURE: Add an openpam_readlinev(3) function which uses the 56236109Sdes openpam_readword(3) function to read words from an input stream one 57236109Sdes at a time until it reaches an unquoted, unescaped newline, and 58236109Sdes returns an array of those words. Add several unit tests for 59236109Sdes openpam_readlinev(3). 60236109Sdes 61236109Sdes - FEATURE: Add a PAM_HOST item which pam_start(3) initializes to the 62236109Sdes machine's hostname. This was implemented in Lycopsida but 63236109Sdes inadvertantly left out of the release notes. 64236109Sdes 65236109Sdes - FEATURE: In pam_get_authtok(3), if neither the application nor the 66236109Sdes module have specified a prompt and PAM_HOST and PAM_RHOST are both 67236109Sdes defined but not equal, use a different default prompt that includes 68236109Sdes PAM_USER and PAM_HOST. 69236109Sdes 70236109Sdes - ENHANCE: Rewrite the policy parser to used openpam_readlinev(), 71236109Sdes which greatly simplifies the code. 72236109Sdes 73236109Sdes - ENHANCE: The previous implementation of the policy parser relied on 74236109Sdes the openpam_readline(3) function, which (by design) munges 75236109Sdes whitespace and understands neither quotes nor backslash escapes. 76236109Sdes As a result of the aforementioned rewrite, whitespace, quotes and 77236109Sdes backslash escapes in policy files are now handled in a consistent 78236109Sdes and predictable manner. 79236109Sdes 80236109Sdes - ENHANCE: On platforms that have it, use fdlopen(3) to load modules. 81236109Sdes This closes the race between the ownership / permission check and 82236109Sdes the dlopen(3) call. 83236109Sdes 84236109Sdes - ENHANCE: Reduce the amount of pointless error messages generated 85236109Sdes while searching for a module. 86236109Sdes 87236109Sdes - ENHANCE: Numerous documentation improvements, both in content and 88236109Sdes formatting. 89236109Sdes 90236109Sdes - BUGFIX: A patch incorporated in Lycopsida inadvertantly changed 91236109Sdes OpenPAM's behavior when several policies exist for the same 92236109Sdes service, from ignoring all but the first to concatenating them all. 93236109Sdes Revert to the original behavior. 94236109Sdes 95236109Sdes - BUGFIX: Plug a memory leak in the policy parser. 96236109Sdes============================================================================ 97228692SdesOpenPAM Lycopsida 2011-12-18 98228692Sdes 99228692Sdes - ENHANCE: removed static build autodetection, which didn't work 100228692Sdes anyway. Use an explicit, user-specified preprocessor variable 101228692Sdes instead. 102228692Sdes 103228692Sdes - ENHANCE: cleaned up the documentation a bit. 104228692Sdes 105228692Sdes - ENHANCE: added openpam_subst(3), allowing certain PAM items to be 106228692Sdes embedded in strings such as prompts. Apply it to the prompts used 107228692Sdes by pam_get_user(3) and pam_get_authtok(3). 108228692Sdes 109228692Sdes - ENHANCE: added support for the user_prompt, authtok_prompt and 110228692Sdes oldauthtok_prompt module options, which override the prompts passed 111228692Sdes by the module to pam_set_user(3) and pam_get_authtok(3). 112228692Sdes 113228692Sdes - ENHANCE: rewrote the policy parser to support quoted option values. 114228692Sdes 115228692Sdes - ENHANCE: added pamtest(1), a tool for testing modules and policies. 116228692Sdes 117228692Sdes - ENHANCE: added code to check the ownership and permissions of a 118228692Sdes module before loading it. 119228692Sdes 120228692Sdes - ENHANCE: added / improved input validation in many cases, including 121271624Sdes the policy file and some function arguments. (CVE-2011-4122) 122228692Sdes============================================================================ 123174832SdesOpenPAM Hydrangea 2007-12-21 124147455Sdes 125174832Sdes - ENHANCE: when compiling with GCC, mark up API functions with GCC 126174832Sdes attributes where appropriate. 127174832Sdes 128174832Sdes - BUGFIX: fixed numerous warnings uncovered by GCC 4. 129174832Sdes 130174832Sdes - ENHANCE: building the documentation is now optional. 131174832Sdes 132174832Sdes - ENHANCE: corrected a number of mistakes and style issues in the 133174832Sdes build system. 134174832Sdes 135174832Sdes - ENHANCE: API function arguments are now const where appropriate, to 136174832Sdes match corresponding changes in the Solaris PAM and Linux-PAM APIs. 137174832Sdes 138174832Sdes - ENHANCE: corrected a number of C namespace violations. 139174832Sdes 140174832Sdes - ENHANCE: the module cache has been removed, allowing long-lived 141174832Sdes applications to pick up module changes. This also allows multiple 142174832Sdes threads to use PAM simultaneously (as long as they use separate PAM 143174832Sdes contexts), since the module cache was the only part of OpenPAM that 144174832Sdes was not thread-safe. 145174832Sdes============================================================================ 146228692SdesOpenPAM Figwort 2005-06-16 147174832Sdes 148147455Sdes - BUGFIX: Correct several small signedness and initialization bugs 149147455Sdes discovered during review by the NetBSD team. 150147455Sdes 151147455Sdes - BUGFIX: Modify gendoc.pl to sort cross-references in dictionary 152147455Sdes order within each section. 153147455Sdes 154147455Sdes - ENHANCE: if a policy specifies a relative module path, prepend the 155147455Sdes module directory so we never call dlopen(3) with a relative path. 156147455Sdes 157147455Sdes - ENHANCE: add a pam.conf(5) manual page. 158147455Sdes============================================================================ 159141098SdesOpenPAM Feterita 2005-02-01 160141098Sdes 161141098Sdes - BUGFIX: Correct numerous markup errors, invalid cross-references, 162141098Sdes and other issues in the manual pages, with kind assistance from 163141098Sdes Ruslan Ermilov <ru@freebsd.org>. 164141098Sdes 165141098Sdes - BUGFIX: Avoid multiple evaluation of macro arguments in ENTERX() 166141098Sdes and RETURNX() macros. 167141098Sdes 168141098Sdes - BUGFIX: Remove an unnecessary and non-portable pointer cast in 169141098Sdes pam_get_data(3). 170141098Sdes 171141098Sdes - BUGFIX: Fix identical typos in PAM_ACCT_EXPIRED case in 172141098Sdes pam_strerror(3) and gendoc.pl. 173141098Sdes 174141098Sdes - ENHANCE: Minor overhaul of the autoconf / build system. 175141098Sdes 176141098Sdes - ENHANCE: Add openpam_free_envlist(3). 177141098Sdes============================================================================ 178125647SdesOpenPAM Eelgrass 2004-02-10 179125647Sdes 180125647Sdes - BUGFIX: Correct array handling bugs in conversation code. 181125647Sdes 182125647Sdes - BUGFIX: In openpam_ttyconv(3), don't strip trailing linear 183125647Sdes whitespace from the user's response. 184125647Sdes 185125647Sdes - BUGFIX: Many constness issues addressed. 186125647Sdes============================================================================ 187117610SdesOpenPAM Dogwood 2003-07-15 188117610Sdes 189117610Sdes - ENHANCE: Use the GNU autotools. 190117610Sdes 191117610Sdes - ENHANCE: Constify the msg field in struct pam_message. 192117610Sdes 193117610Sdes - BUGFIX: Remove left-over debugging output 194117610Sdes 195117610Sdes - BUGFIX: Avoid side effects in arguments to the FREE() macro 196117610Sdes 197117610Sdes - ENHANCE: Make openpam_ttyconv(3) use read(2) rather than fgets(3). 198117610Sdes 199117610Sdes - BUGFIX: Staticize some variables which shouldn't be global. 200117610Sdes 201117610Sdes - BUGFIX: Correcly anticipate a NULL user in pam_get_user(3). 202117610Sdes 203117610Sdes - ENHANCE: Various minor documentation improvements. 204117610Sdes 205117610SdesThanks to Dmitry V. Levin <ldv@altlinux.org> for considerable 206117610Sdesassistance with this release. 207117610Sdes============================================================================ 208115619SdesOpenPAM Digitalis 2003-06-01 209115619Sdes 210115619Sdes - ENHANCE: Completely rewrite the configuration parser and add 211115619Sdes support for the "include" control flag. 212115619Sdes 213115619Sdes - ENHANCE: Improve portability to NetBSD, OpenBSD and Linux. 214115619Sdes 215115619Sdes - ENHANCE: Lots of additional paranoia. 216115619Sdes 217115619Sdes - BUGFIX: The sample su(1) application dropped privileges before 218115619Sdes forking instead of after. 219115619Sdes 220115619Sdes - ENHANCE: Document openpam_log(3). 221115619Sdes 222115619Sdes - ENHANCE: Other minor documentation fixes. 223115619Sdes 224115619SdesThanks to Dmitry V. Levin <ldv@altlinux.org> for considerable 225115619Sdesassistance with this release. 226115619Sdes============================================================================ 227114536SdesOpenPAM Dianthus 2003-05-02 228114536Sdes 229114536Sdes - BUGFIX: Initialize some potentially uninitialized variables. 230114536Sdes 231114536Sdes - BUGFIX: Silence some warnings emitted by gcc -std=iso9899:1999. 232114536Sdes 233114536Sdes - BUGFIX: In pam_getenv(), return a pointer to the stored variable 234114536Sdes instead of a freshly allocated copy. 235114536Sdes 236114536Sdes - ENHANCE: Detect recursion in openpam_borrow_cred() 237114536Sdes 238114536Sdes - ENHANCE: Make borrowing one's own credentials a no-op. 239114536Sdes 240114536Sdes - ENHANCE: Further improve debugging support. 241114536Sdes 242114536Sdes - ENHANCE: Clean up some variable names. 243114536Sdes============================================================================ 244108794SdesOpenPAM Daffodil 2003-01-06 245108794Sdes 246108794Sdes - ENHANCE: Document dependency on <sys/types.h> (for size_t) 247108794Sdes 248108794Sdes - ENHANCE: Slightly improve error detection in openpam_ttyconv(). 249108794Sdes 250108794Sdes - BUGFIX: Fix several typos in debugging macros. 251108794Sdes============================================================================ 252107937SdesOpenPAM Cyclamen 2002-12-12 253107937Sdes 254107937Sdes - ENHANCE: Improve recursion detection in openpam_dispatch(). 255107937Sdes 256107937Sdes - ENHANCE: Add debugging messages at entry and exit points of most 257107937Sdes functions. 258107937Sdes 259107937Sdes - ENHANCE: Fix some minor style issues. 260107937Sdes 261107937Sdes - BUGFIX: Add default cases to the switches in openpam_log.c. 262107937Sdes 263107937Sdes - ENHANCE: Add /usr/local/etc/pam.conf to policy search path. 264107937Sdes 265107937Sdes - BUGFIX: In openpam_ttyconv(3), print the prompt to stdout rather 266107937Sdes than stderr. 26791094Sdes============================================================================ 26899158SdesOpenPAM Citronella 2002-06-30 26999158Sdes 27099158Sdes - ENHANCE: Add the "binding" control flag (from Solaris 9). 27199158Sdes 27299158Sdes - ENHANCE: Define struct pam_repository and PAM_REPOSITORY (from 27399158Sdes Solaris 9). 27499158Sdes 275107937Sdes - ENHANCE: Flesh out the pam(3) man page. 27699158Sdes 27799158Sdes - ENHANCE: Add an openpam(3) page with cross-references to all the 27899158Sdes documented OpenPAM API extensions. 27999158Sdes 28099158Sdes - ENHANCE: Add a pam_conv(3) man page describing the conversation 28199158Sdes system. 28299158Sdes 28399158Sdes - ENHANCE: Improved sample application. 28499158Sdes 28599158Sdes - ENHANCE: Added sample pam_unix module. 28699158Sdes 28799158Sdes - BUGFIX: Various documentation nits. 28899158Sdes============================================================================ 28997241SdesOpenPAM Cinquefoil 2002-05-24 29097241Sdes 29197241Sdes - BUGFIX: Various warnings uncovered by gcc 3.1. 29297241Sdes 29397241Sdes - ENHANCE: Add a null conversation function, openpam_nullconv(3). 29497241Sdes 29597241Sdes - BUGFIX: Initialize the "other" chain to all zeroes. 29697241Sdes 29797241Sdes - ENHANCE: Document openpam_ttyconv(3). 29897241Sdes============================================================================ 29995908SdesOpenPAM Cinnamon 2002-05-02 30095908Sdes 30195908Sdes - ENHANCE: Add a null conversation function, openpam_nullconv(). 30295908Sdes 30395908Sdes - BUGFIX: Various markup bugs in the documentation. 30495908Sdes 30595908Sdes - BUGFIX: Document <security/openpam.h>. 30695908Sdes 30795908Sdes - BUGFIX: Duplicate expansion of openpam_log() macro arguments. 30895908Sdes 30995908Sdes - ENHANCE: Restructure the policy-loading code and align our use of 31095908Sdes the "other" policy with Solaris and Linux-PAM. 31195908Sdes 31295908Sdes - ENHANCE: Log dlopen() and dlsym() failures. 31395908Sdes 31495908Sdes - ENHANCE: In openpam_ttyconv(), emit a newline after error and info 31595908Sdes messages unless the message contains one already. 31695908Sdes 31795908Sdes - BUGFIX: In pam_vprompt(), initialize the response pointer to NULL 31895908Sdes so we can detect whether the conversation function touched it. 31995908Sdes============================================================================ 32094670SdesOpenPAM Cineraria 2002-04-14 32194670Sdes 32295908Sdes - BUGFIX: Fix confusion between token and prompt in 32395908Sdes pam_get_authtok(3). 32495908Sdes 32594670Sdes - ENHANCE: Improved documentation. 32694670Sdes 32794670Sdes - ENHANCE: Adopt the same preprocessor tricks that were used in 32894670Sdes FreeBSD's version of Linux-PAM to simplify static linking without 32994670Sdes requiring dummy primitives. 33094670Sdes 33195908Sdes - ENHANCE: Move the policy-loading code out of pam_start.c. 33294670Sdes 33394670Sdes - BUGFIX: Fix typo in one of the versions of the openpam_log macro. 33494670Sdes 33594670Sdes - ENHANCE: Add versioning macros. 33694670Sdes============================================================================ 33794209SdesOpenPAM Cinchona 2002-04-08 33894209Sdes 33994209Sdes - ENHANCE: Improved documentation for several API functions. 34094209Sdes 34194209Sdes - BUGFIX: Fix bug in pam_set_data() that would result in corruption 34294209Sdes of the module data list. 34394209Sdes 34494209Sdes - BUGFIX: Allocate the correct amount of memory for the environment 34594209Sdes list in pam_putenv(). 34694209Sdes 34794209Sdes - ENHANCE: Change pam_get_authtok()'s prototype so the caller can 34894209Sdes specify what token it wants. Also introduce PAM_OLDAUTHTOK_PROMPT. 34994209Sdes 35094209Sdes - BUGFIX: Plug memory leak in pam_get_user() / pam_get_authtok(), and 35194209Sdes reduce differences between these very similar functions. 35294209Sdes 35394209Sdes - ENHANCE: Check flags carefully in pam_authenticate() and 35494209Sdes pam_chauthtok(). 35594209Sdes 35694209Sdes - BUGFIX: Fix bugs in portability code; libpam now builds on NetBSD. 35794209Sdes 35894209Sdes - ENHANCE: In pam_get_authtok(), if PAM_OLDAUTHTOK is set, we're 35994209Sdes asked for PAM_AUTHTOK, and we have to prompt the user, prompt her 36094209Sdes twice and compare the responses. 36194209Sdes 36294209Sdes - ENHANCE: Add openpam_{borrow,restore}_cred(), for temporarily 36394209Sdes switching to user credentials. 36494209Sdes 36594209Sdes - ENHANCE: Add openpam_free_data(), a generic cleanup function for 36694209Sdes pam_set_data() consumers. 36794209Sdes============================================================================ 368236109SdesOpenPAM Centaury 2002-03-14 36991684Sdes 37092289Sdes - BUGFIX: Add missing #include <string.h> to openpam_log.c. 37192289Sdes 37292289Sdes - BUGFIX: s/PAM_REINITIALISE_CRED/PAM_REINITIALIZE_CRED/. XSSO uses 37392289Sdes the former, but Solaris and Linux-PAM use the latter. 37492289Sdes 37592289Sdes - BUGFIX: The dynamic loader and the module cache contained a number 37692289Sdes of bugs which would cause a segmentation fault if pam_start(3) was 37792289Sdes called again after pam_end(3), as happens in login(1), xdm(1) etc. 37892289Sdes after a failed login. 37992289Sdes 38092289Sdes - BUGFIX: Refer to a module by the name used in the policy file, even 38192289Sdes if the module that was actually loaded was versioned. 38292289Sdes 38392289Sdes - ENHANCE: Suppress debugging logs, unless compiled with -DDEBUG. 38492289Sdes============================================================================ 38594209SdesOpenPAM Celandine 2002-03-05 38692289Sdes 38791684Sdes - BUGFIX: PAM_TRY_AGAIN is a valid return value for pam_chauthtok(). 38891684Sdes 38991684Sdes - BUGFIX: Run passwd chain twice, first with the PAM_PRELIM_CHECK 39091684Sdes flag set, then with the PAM_UPDATE_AUTHTOK flag set. 39191684Sdes 39291684Sdes - BUGFIX: Failure of a "sufficient" module should not terminate the 39391684Sdes passwd chain if the PAM_PRELIM_CHECK flag is set. 39491684Sdes 39591684Sdes - BUGFIX: Clear PAM_AUTHTOK after running the service modules. 39691684Sdes 39791684Sdes - ENHANCE: Prevent applications from specifying the PAM_PRELIM_CHECK 39891684Sdes or PAM_UPDATE_AUTHTOK flags themselves. 39991684Sdes 40091684Sdes - BUGFIX: openpam_set_option() did not support changing the value of 40191684Sdes an existing option. 40291684Sdes 40391684Sdes - ENHANCE: Add support for module versioning. OpenPAM will prefer a 40491684Sdes module with the same version number as the library itself to one 40591684Sdes with no version number at all. 40691684Sdes============================================================================ 407236109SdesOpenPAM Cantaloupe 2002-02-22 40891100Sdes 40991100Sdes - BUGFIX: The proper use of PAM_SYMBOL_ERR is to indicate an invalid 41091100Sdes argument to pam_[gs]et_item(3), not to indicate dlsym(3) failures. 41191100Sdes 41291100Sdes - ENHANCE: Add in-line documentation in most source files, and a Perl 41391100Sdes script that generates mdoc code from that. 41491100Sdes 41591100Sdes - BUGFIX: The environment list was not properly NULL-terminated. 41691100Sdes 41791100Sdes - ENHANCE: Allow the PAM_AUTHTOK_PROMPT item to override the prompt 41891100Sdes specified by the module. 41991100Sdes 42091100Sdes - BUGFIX: PAM_NUM_ITEMS was set too low. It has been moved to 42191100Sdes pam_constants.h to avoid it going stale again. 42291100Sdes 42391100Sdes - ENHANCE: Move all code related to static modules into a separate 42491100Sdes file. 42591100Sdes 42691100Sdes - ENHANCE: openpam_ttyconv() now masks most signals while prompting the 42791100Sdes user, and supports setting a timeout (which defaults to off). 42891100Sdes 42991100Sdes - BUGFIX: Some manual pages referenced XSSO even though they 43091100Sdes documented OpenPAM-specific functions. 43191100Sdes 43291100Sdes - ENHANCE: Added openpam_get_option() and openpam_set_option(). 43391100Sdes 43491100Sdes - ENHANCE: openpam_get_authtok() now respects the echo_pass, 43591100Sdes try_first_pass, and use_first_pass options. 43691100Sdes============================================================================ 437236109SdesOpenPAM Caliopsis 2002-02-13 43891097Sdes 43991097SdesFixed a number of bugs in the previous release, including: 44091097Sdes - a number of bugs in and related to pam_[gs]et_item(3) 44191097Sdes - off-by-one bug in pam_start.c would trim last character off certain 44291097Sdes configuration lines 44391097Sdes - incorrect ordering of an array in openpam_load.c would cause service 44491097Sdes module functions to get mixed up 44591097Sdes - missing 'continue' in openpam_dispatch.c caused successes to be 44691097Sdes counted as failures 44791097Sdes============================================================================ 448236109SdesOpenPAM Calamite 2002-02-09 44991094Sdes 45091094SdesFirst (beta) release. 451