From: Dag-Erling Smorgrav
Date: Sun, 14 Apr 2002 11:22:21 -0700 (PDT)
Message-Id: <200204141822.g3EIMLf50803@freefall.freebsd.org>
Subject: PERFORCE change 9724 for review
To: Perforce Change Reviews
Sender: owner-p4-projects@FreeBSD.ORG

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=9724

Change 9724 by des@des.at.des.thinksec.com on 2002/04/14 11:22:20

More checks & documentation, and fix some markup nits.

Sponsored by: DARPA, NAI Labs

Affected files ...

... //depot/projects/openpam/lib/pam_acct_mgmt.c#8 edit
... //depot/projects/openpam/lib/pam_authenticate.c#10 edit
... //depot/projects/openpam/lib/pam_chauthtok.c#11 edit
... //depot/projects/openpam/lib/pam_close_session.c#8 edit
... //depot/projects/openpam/lib/pam_open_session.c#8 edit
... //depot/projects/openpam/lib/pam_setcred.c#9 edit

Differences ...

==== //depot/projects/openpam/lib/pam_acct_mgmt.c#8 (text+ko) ==== @@ -31,7 +31,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/openpam/lib/pam_acct_mgmt.c#7 $ + * $P4: //depot/projects/openpam/lib/pam_acct_mgmt.c#8 $ */ #include
@@ -62,3 +62,19 @@ * =pam_sm_acct_mgmt * !PAM_IGNORE */ + +/** + * The =pam_acct_mgmt function verifies and enforces account restrictions + * after the user has been authenticated. + * + * The =flags argument is the binary or of zero or more of the following + * values: + * + * =PAM_SILENT: + * Do not emit any messages. + * =PAM_DISALLOW_NULL_AUTHTOK: + * Fail if the user's authentication token is null. + * + * If any other bits are set, =pam_authenticate will return + * =PAM_SYMBOL_ERR. + */ ==== //depot/projects/openpam/lib/pam_authenticate.c#10 (text+ko) ==== @@ -31,7 +31,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/openpam/lib/pam_authenticate.c#9 $ + * $P4: //depot/projects/openpam/lib/pam_authenticate.c#10 $ */ #include @@ -66,6 +66,7 @@ * =openpam_dispatch * =pam_sm_authenticate * !PAM_IGNORE + * PAM_SYMBOL_ERR */ /** @@ -79,8 +80,11 @@ * The =flags argument is the binary or of zero or more of the following * values: * - * =PAM_SILENT + * =PAM_SILENT: * Do not emit any messages. - * =PAM_DISALLOW_NULL_AUTHTOK + * =PAM_DISALLOW_NULL_AUTHTOK: * Fail if the user's authentication token is null. + * + * If any other bits are set, =pam_authenticate will return + * =PAM_SYMBOL_ERR. */ ==== //depot/projects/openpam/lib/pam_chauthtok.c#11 (text+ko) ==== @@ -31,7 +31,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/openpam/lib/pam_chauthtok.c#10 $ + * $P4: //depot/projects/openpam/lib/pam_chauthtok.c#11 $ */ #include 
@@ -82,8 +82,10 @@ * The =flags argument is the binary or of zero or more of the following * values: * - * =PAM_SILENT + * =PAM_SILENT: * Do not emit any messages. - * =PAM_CHANGE_EXPIRED_AUTHTOK + * =PAM_CHANGE_EXPIRED_AUTHTOK: * Change only those authentication tokens that have expired. + * + * If any other bits are set, =pam_chauthtok will return =PAM_SYMBOL_ERR. */ ==== //depot/projects/openpam/lib/pam_close_session.c#8 (text+ko) ==== @@ -31,7 +31,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/openpam/lib/pam_close_session.c#7 $ + * $P4: //depot/projects/openpam/lib/pam_close_session.c#8 $ */ #include @@ -52,6 +52,8 @@ int flags) { + if (flags & ~(PAM_SILENT)) + return (PAM_SYMBOL_ERR); return (openpam_dispatch(pamh, PAM_SM_CLOSE_SESSION, flags)); } @@ -61,4 +63,19 @@ * =openpam_dispatch * =pam_sm_close_session * !PAM_IGNORE + * PAM_SYMBOL_ERR + */ + +/** + * The =pam_close_session function tears down the user session previously + * set up by =pam_open_session. + * + * The =flags argument is the binary or of zero or more of the following + * values: + * + * =PAM_SILENT: + * Do not emit any messages. + * + * If any other bits are set, =pam_close_session will return + * =PAM_SYMBOL_ERR. */ ==== //depot/projects/openpam/lib/pam_open_session.c#8 (text+ko) ==== @@ -31,7 +31,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/openpam/lib/pam_open_session.c#7 $ + * $P4: //depot/projects/openpam/lib/pam_open_session.c#8 $ */ #include @@ -52,6 +52,8 @@ int flags) { + if (flags & ~(PAM_SILENT)) + return (PAM_SYMBOL_ERR); return (openpam_dispatch(pamh, PAM_SM_OPEN_SESSION, flags)); } 
@@ -61,4 +63,20 @@ * =openpam_dispatch * =pam_sm_open_session * !PAM_IGNORE + * PAM_SYMBOL_ERR + */ + +/** + * The =pam_open_session sets up a user session for a previously + * authenticated user. The session should later be torn down by a call to + * =pam_close_session. + * + * The =flags argument is the binary or of zero or more of the following + * values: + * + * =PAM_SILENT: + * Do not emit any messages. + * + * If any other bits are set, =pam_open_session will return + * =PAM_SYMBOL_ERR. */ ==== //depot/projects/openpam/lib/pam_setcred.c#9 (text+ko) ==== @@ -31,7 +31,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/openpam/lib/pam_setcred.c#8 $ + * $P4: //depot/projects/openpam/lib/pam_setcred.c#9 $ */ #include @@ -52,6 +52,10 @@ int flags) { + if (flags & ~(PAM_SILENT|PAM_ESTABLISH_CRED|PAM_DELETE_CRED| + PAM_REINITIALIZE_CRED|PAM_REFRESH_CRED)) + return (PAM_SYMBOL_ERR); + /* XXX enforce exclusivity */ return (openpam_dispatch(pamh, PAM_SM_SETCRED, flags)); } @@ -61,18 +65,27 @@ * =openpam_dispatch * =pam_sm_setcred * !PAM_IGNORE + * PAM_SYMBOL_ERR */ /** * The =pam_setcred function manages the application's credentials. - * The operation to perform is specified by the =flags argument: + * + * The =flags argument is the binary or of zero or more of the following + * values: * - * PAM_ESTABLISH_CRED: + * =PAM_SILENT: + * Do not emit any messages. + * =PAM_ESTABLISH_CRED: * Establish the credentials of the target user. - * PAM_DELETE_CRED: + * =PAM_DELETE_CRED: * Revoke all established credentials. - * PAM_REINITIALIZE_CRED: + * =PAM_REINITIALIZE_CRED: * Fully reinitialise credentials. - * PAM_REFRESH_CRED: + * =PAM_REFRESH_CRED: * Refresh credentials. + * + * The latter four are mutually exclusive. + * + * If any other bits are set, =pam_setcred will return =PAM_SYMBOL_ERR. */
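
Review bot: in pam_acct_mgmt.c, hunk @@ -62,3 +62,19 @@, the last sentence of the new doc comment names the wrong function: "If any other bits are set, =pam_authenticate will return =PAM_SYMBOL_ERR" should say =pam_acct_mgmt. This file also gets no PAM_SYMBOL_ERR entry in the list that ends with !PAM_IGNORE, unlike pam_authenticate.c, pam_close_session.c, pam_open_session.c and pam_setcred.c, and the change adds no flag check to the function here, so please confirm the function already rejects unknown bits and add the list entry so the documented return values match the code.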
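
Review bot: in pam_chauthtok.c, hunk @@ -82,8 +82,10 @@, the doc comment now promises =PAM_SYMBOL_ERR for unknown bits, but this change touches neither the return-value list nor the function body of this file, whereas pam_authenticate.c gets "+ * PAM_SYMBOL_ERR" added to its list. Please confirm the list and the flag check for PAM_SILENT and PAM_CHANGE_EXPIRED_AUTHTOK are already in place, or add them in this change.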
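
Review bot: in pam_open_session.c, hunk @@ -61,4 +63,20 @@, the first sentence of the new doc comment is missing a word: "The =pam_open_session sets up a user session" should read "The =pam_open_session function sets up a user session", matching the wording used for =pam_close_session and =pam_acct_mgmt in the same change.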
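
Review bot: in pam_setcred.c, hunk @@ -52,6 +52,10 @@, the new mask test rejects only unknown bits, and the "/* XXX enforce exclusivity */" left beside it means a combination such as PAM_ESTABLISH_CRED|PAM_DELETE_CRED still reaches openpam_dispatch, while the doc comment added later in the same file states "The latter four are mutually exclusive." Either reject the call here when more than one of the four credential bits is set, or say in the doc comment that exclusivity is not yet enforced, so callers and module authors do not rely on a guarantee the library does not make. A call with none of the four bits set also passes this check; the documentation should say what that means or the check should reject it.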