Date: Sun, 14 Apr 2002 11:22:21 -0700 (PDT) From: Dag-Erling Smorgrav <des@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 9724 for review Message-ID: <200204141822.g3EIMLf50803@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=9724 Change 9724 by des@des.at.des.thinksec.com on 2002/04/14 11:22:20 More checks & documentation, and fix some markup nits. Sponsored by: DARPA, NAI Labs Affected files ... ... //depot/projects/openpam/lib/pam_acct_mgmt.c#8 edit ... //depot/projects/openpam/lib/pam_authenticate.c#10 edit ... //depot/projects/openpam/lib/pam_chauthtok.c#11 edit ... //depot/projects/openpam/lib/pam_close_session.c#8 edit ... //depot/projects/openpam/lib/pam_open_session.c#8 edit ... //depot/projects/openpam/lib/pam_setcred.c#9 edit Differences ...
==== //depot/projects/openpam/lib/pam_acct_mgmt.c#8 (text+ko) ====
@@ -31,7 +31,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/openpam/lib/pam_acct_mgmt.c#7 $
+ * $P4: //depot/projects/openpam/lib/pam_acct_mgmt.c#8 $
 */
 #include <sys/param.h>
@@ -62,3 +62,19 @@
 * =pam_sm_acct_mgmt
 * !PAM_IGNORE
 */
+
+/**
+ * The =pam_acct_mgmt function verifies and enforces account restrictions
+ * after the user has been authenticated.
+ *
+ * The =flags argument is the binary or of zero or more of the following
+ * values:
+ *
+ * =PAM_SILENT:
+ * Do not emit any messages.
+ * =PAM_DISALLOW_NULL_AUTHTOK:
+ * Fail if the user's authentication token is null.
+ *
+ * If any other bits are set, =pam_authenticate will return
+ * =PAM_SYMBOL_ERR.
+ */
==== //depot/projects/openpam/lib/pam_authenticate.c#10 (text+ko) ====
@@ -31,7 +31,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/openpam/lib/pam_authenticate.c#9 $
+ * $P4: //depot/projects/openpam/lib/pam_authenticate.c#10 $
 */
 #include <sys/param.h>
@@ -66,6 +66,7 @@
 * =openpam_dispatch
 * =pam_sm_authenticate
 * !PAM_IGNORE
+ * PAM_SYMBOL_ERR
 */
 /**
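Review bot: The last sentence of the doc comment added to pam_acct_mgmt.c names the wrong function: it reads `If any other bits are set, =pam_authenticate will return` and should say `=pam_acct_mgmt`, apparently carried over from pam_authenticate.c. The return-value list shown as context in the same hunk still ends at `!PAM_IGNORE`, while the other files in this change gain a ` * PAM_SYMBOL_ERR` entry; add that line here as well if the function does reject unknown flag bits. That check is not visible in this hunk, so confirm it exists in the function body before documenting it, since callers rely on this text to know which flags an account-management call will refuse.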
@@ -79,8 +80,11 @@
 * The =flags argument is the binary or of zero or more of the following
 * values:
 *
- * =PAM_SILENT
+ * =PAM_SILENT:
 * Do not emit any messages.
- * =PAM_DISALLOW_NULL_AUTHTOK
+ * =PAM_DISALLOW_NULL_AUTHTOK:
 * Fail if the user's authentication token is null.
+ *
+ * If any other bits are set, =pam_authenticate will return
+ * =PAM_SYMBOL_ERR.
 */
==== //depot/projects/openpam/lib/pam_chauthtok.c#11 (text+ko) ====
@@ -31,7 +31,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/openpam/lib/pam_chauthtok.c#10 $
+ * $P4: //depot/projects/openpam/lib/pam_chauthtok.c#11 $
 */
 #include <sys/param.h>
@@ -82,8 +82,10 @@
 * The =flags argument is the binary or of zero or more of the following
 * values:
 *
- * =PAM_SILENT
+ * =PAM_SILENT:
 * Do not emit any messages.
- * =PAM_CHANGE_EXPIRED_AUTHTOK
+ * =PAM_CHANGE_EXPIRED_AUTHTOK:
 * Change only those authentication tokens that have expired.
+ *
+ * If any other bits are set, =pam_chauthtok will return =PAM_SYMBOL_ERR.
 */
==== //depot/projects/openpam/lib/pam_close_session.c#8 (text+ko) ====
@@ -31,7 +31,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/openpam/lib/pam_close_session.c#7 $
+ * $P4: //depot/projects/openpam/lib/pam_close_session.c#8 $
 */
 #include <sys/param.h>
@@ -52,6 +52,8 @@
 int flags)
 {
+ if (flags & ~(PAM_SILENT))
+ return (PAM_SYMBOL_ERR);
 return (openpam_dispatch(pamh, PAM_SM_CLOSE_SESSION, flags));
 }
@@ -61,4 +63,19 @@
 * =openpam_dispatch
 * =pam_sm_close_session
 * !PAM_IGNORE
+ * PAM_SYMBOL_ERR
+ */
+
+/**
+ * The =pam_close_session function tears down the user session previously
+ * set up by =pam_open_session.
+ *
+ * The =flags argument is the binary or of zero or more of the following
+ * values:
+ *
+ * =PAM_SILENT:
+ * Do not emit any messages.
+ *
+ * If any other bits are set, =pam_close_session will return
+ * =PAM_SYMBOL_ERR.
 */
==== //depot/projects/openpam/lib/pam_open_session.c#8 (text+ko) ====
@@ -31,7 +31,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/openpam/lib/pam_open_session.c#7 $
+ * $P4: //depot/projects/openpam/lib/pam_open_session.c#8 $
 */
 #include <sys/param.h>
@@ -52,6 +52,8 @@
 int flags)
 {
+ if (flags & ~(PAM_SILENT))
+ return (PAM_SYMBOL_ERR);
 return (openpam_dispatch(pamh, PAM_SM_OPEN_SESSION, flags));
 }
@@ -61,4 +63,20 @@
 * =openpam_dispatch
 * =pam_sm_open_session
 * !PAM_IGNORE
+ * PAM_SYMBOL_ERR
+ */
+
+/**
+ * The =pam_open_session sets up a user session for a previously
+ * authenticated user. The session should later be torn down by a call to
+ * =pam_close_session.
+ *
+ * The =flags argument is the binary or of zero or more of the following
+ * values:
+ *
+ * =PAM_SILENT:
+ * Do not emit any messages.
+ *
+ * If any other bits are set, =pam_open_session will return
+ * =PAM_SYMBOL_ERR.
 */
==== //depot/projects/openpam/lib/pam_setcred.c#9 (text+ko) ====
@@ -31,7 +31,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/openpam/lib/pam_setcred.c#8 $
+ * $P4: //depot/projects/openpam/lib/pam_setcred.c#9 $
 */
 #include <sys/param.h>
@@ -52,6 +52,10 @@
 int flags)
 {
+ if (flags & ~(PAM_SILENT|PAM_ESTABLISH_CRED|PAM_DELETE_CRED|
+ PAM_REINITIALIZE_CRED|PAM_REFRESH_CRED))
+ return (PAM_SYMBOL_ERR);
+ /* XXX enforce exclusivity */
 return (openpam_dispatch(pamh, PAM_SM_SETCRED, flags));
 }
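Review bot: The first sentence of the doc comment added to pam_open_session.c is missing a word: `The =pam_open_session sets up a user session` should read `The =pam_open_session function sets up a user session`, matching the wording used for =pam_close_session and =pam_acct_mgmt in this change. If these comments feed generated manual pages, as the `=name` markup suggests, the slip would surface in user-facing documentation.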
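Review bot: The new mask check in pam_setcred() still lets conflicting operations through: `PAM_ESTABLISH_CRED|PAM_DELETE_CRED`, or any other combination of the four credential flags, passes the test and is dispatched to the modules, which the `/* XXX enforce exclusivity */` marker acknowledges but does not fix. The doc comment updated later in this file states that those four are mutually exclusive, so on a conflicting request the choice between establishing and revoking credentials is presumably left to each module's own test order. A small guard before the dispatch would close this: `int op = flags & (PAM_ESTABLISH_CRED|PAM_DELETE_CRED|PAM_REINITIALIZE_CRED|PAM_REFRESH_CRED);` followed by `if (op & (op - 1)) return (PAM_SYMBOL_ERR);`, which rejects more than one operation bit while still allowing none. Whether a call with no operation bit should also be refused cannot be decided from this hunk, and the function's signature starts outside it.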
@@ -61,18 +65,27 @@
 * =openpam_dispatch
 * =pam_sm_setcred
 * !PAM_IGNORE
+ * PAM_SYMBOL_ERR
 */
 /**
 * The =pam_setcred function manages the application's credentials.
- * The operation to perform is specified by the =flags argument:
+ *
+ * The =flags argument is the binary or of zero or more of the following
+ * values:
 *
- * PAM_ESTABLISH_CRED:
+ * =PAM_SILENT:
+ * Do not emit any messages.
+ * =PAM_ESTABLISH_CRED:
 * Establish the credentials of the target user.
- * PAM_DELETE_CRED:
+ * =PAM_DELETE_CRED:
 * Revoke all established credentials.
- * PAM_REINITIALIZE_CRED:
+ * =PAM_REINITIALIZE_CRED:
 * Fully reinitialise credentials.
- * PAM_REFRESH_CRED:
+ * =PAM_REFRESH_CRED:
 * Refresh credentials.
+ *
+ * The latter four are mutually exclusive.
+ *
+ * If any other bits are set, =pam_setcred will return =PAM_SYMBOL_ERR.
 */
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message