Sudarshan Soma | 1 Mar 2009 12:27

building static library libpam

Hi All,

I have downloaded the latest PAM library and modules, Linux-PAM-1.0.3.
Can anyone please let me know how I can build libpam.a (the static library
that I would link to the PAM modules)?

Thanks and Best Regards,
Pavan
Thorsten Kukuk | 1 Mar 2009 15:32

Re: building static library libpam

On Sun, Mar 01, Sudarshan Soma wrote:

> Hi All,
> 
> I have downloaded the latest PAM library and modules, Linux-PAM-1.0.3.
> Can anyone please let me know how I can build libpam.a (the static library
> that I would link to the PAM modules)?

You should never link shared modules against static libraries.
On i586 this may work, but on x86-64 for example this is strictly
forbidden.

Else read the README, there it is explained.

  Thorsten

-- 
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
Sudarshan Soma | 2 Mar 2009 16:02

Re: building static library libpam

Thanks, Thorsten.

I was doing cross-compilation for the ppc architecture.
I use the following options for cross-compiling with configure:

 CC=/opt/ELDK41/usr/bin/ppc_6xx-gcc  --disable-selinux
--host=ppc-linux-gnu -target=ppc-linux-gnu --build=i686-linux-gnu
--includedir=/opt/ELDK41/ppc_6xx/usr/include/security/

I find the following problems with this:

-- It didn't directly build the .so; I manually created the .so with all the
.o's formed. With this,
libpam looks like it is linked statically to the pam_unix.so module,
although I didn't mention a static flag anywhere.

When I run /opt/ELDK41/usr/bin/ppc_6xx-nm on pam_unix.so, it gives
pam_get_item defined, but
pam_modutil_getlogin and similar modutil functions undefined.

/opt/ELDK41/usr/bin/ppc_6xx-nm .libs/pam_unix.so |grep modutil
         U pam_modutil_getlogin

Can anyone please let me know if I am missing something here?

Thanks and Best Regards,
Pavan

On Sun, Mar 1, 2009 at 8:02 PM, Thorsten Kukuk <kukuk <at> suse.de> wrote:
> On Sun, Mar 01, Sudarshan Soma wrote:
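
Added example, not part of the original messages: a shell helper that sorts the pam_* symbols in nm output the way the message above does by eye, so a module that carries its own copy of libpam code (pam_get_item defined) is easy to tell from one that imports it (pam_modutil_getlogin undefined). The function names and the sample nm output are constructed for illustration, and the "embedded" rule is a heuristic.

```shell
#!/bin/sh
# Added example: classify pam_* symbols in `nm` output for a PAM module.
# Constructed sample shaped like the nm output described in the thread;
# the addresses are made up.
SAMPLE_NM='00001a40 T pam_sm_authenticate
00001c10 T pam_sm_setcred
00002f80 T pam_get_item
         U pam_modutil_getlogin
         U dlopen
00003000 t helper_local'

# Reads nm output on stdin, prints one "STATUS symbol" line per pam_* symbol:
#   IMPORT    undefined pam_* symbol, resolved from libpam.so at load time
#   ENTRY     pam_sm_* entry point that the module itself must define
#   EMBEDDED  other global pam_* symbol defined inside the module, i.e.
#             libpam code was linked into the module (heuristic)
classify_pam_symbols() {
    awk 'NF >= 2 {
        type = $(NF - 1); name = $NF      # undefined lines have no address
        if (name !~ /^pam_/) next
        if (type == "U")               print "IMPORT", name
        else if (name ~ /^pam_sm_/)    print "ENTRY", name
        else if (type ~ /^[TDBRWV]$/)  print "EMBEDDED", name
    }'
}

# Exit status 0 when the nm output on stdin shows embedded libpam symbols.
module_embeds_libpam() {
    classify_pam_symbols | grep -q '^EMBEDDED '
}

# Demo on the constructed sample. On a real build, pipe in the output of
# the toolchain's nm, e.g.: ppc_6xx-nm .libs/pam_unix.so | classify_pam_symbols
printf '%s\n' "$SAMPLE_NM" | classify_pam_symbols
```

A module built the way the first reply recommends shows only ENTRY and IMPORT lines.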

Thorsten Kukuk | 2 Mar 2009 16:09

Re: building static library libpam

On Mon, Mar 02, Sudarshan Soma wrote:

> Thanks, Thorsten.
> 
> I was doing cross-compilation for the ppc architecture.
> I use the following options for cross-compiling with configure:
> 
>  CC=/opt/ELDK41/usr/bin/ppc_6xx-gcc  --disable-selinux
> --host=ppc-linux-gnu -target=ppc-linux-gnu --build=i686-linux-gnu
> --includedir=/opt/ELDK41/ppc_6xx/usr/include/security/
> 
> I find the following problems with this:
> 
> -- It didn't directly build the .so,

Which means configure doesn't detect your crosscompiling right.
Please check the output of configure and try to find out what goes
wrong.

  Thorsten
-- 
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
matiit | 2 Mar 2009 16:53

Re: building static library libpam

Please remove my e-mail address from the mailing list.

_______________________________________________
Pam-list mailing list
Pam-list <at> redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
Sudarshan Soma | 3 Mar 2009 16:26

Re: building static library libpam

Thank you so much. Now I am able to cross-compile successfully with the
below options and test it.

./configure  CC=/opt/ELDK41/usr/bin/ppc_6xx-gcc --disable-selinux
--host=ppc-linux-gnu -target=ppc-linux-gnu --build=i686-linux-gnu
LD=/opt/ELDK41/usr/bin/ppc_6xx-ld
CFLAGS="-I/opt/ELDK41/ppc_6xx/usr/include/security/"
LDFLAGS="-I/opt/ELDK41/ppc_6xx/usr/include/security/
-L/opt/ELDK41/ppc_6xx/usr/lib/"

I am resolving a few other issues:

-- The libpath with -L doesn't get applied while compiling pam_crack.so, which still
takes /usr/lib/ for libcrack.so
-- When I try to dynamically link libpam to the application, it doesn't link
properly and gives the error

"opt/ELDK41/usr/bin/ppc_6xx-ld: warning: cannot find entry symbol
_start; defaulting to 10000374"
for
/opt/ELDK41/usr/bin/ppc_6xx-ld  pamappl.o -M -Map testmap.map --cref
/opt/ELDK41/ppc_6xx/lib/libc.so /opt/ELDK41/ppc_6xx/lib/libdl.so
/root/workdoc/security/origlinuxpam/Linux-PAM-1.0.3/libpam/.libs/libpam.so
 /root/workdoc/security/origlinuxpam/Linux-PAM-1.0.3/libpam_misc/.libs/libpam_misc.so

I am working on these; in case you have any comments/suggestions,
please let me know.

Thanks
Pavan

On Mon, Mar 2, 2009 at 8:39 PM, Thorsten Kukuk <kukuk <at> suse.de> wrote:
> On Mon, Mar 02, Sudarshan Soma wrote:
>
>> Thanks, Thorsten.
>>
>> I was doing cross-compilation for the ppc architecture.
>> I use the following options for cross-compiling with configure:
>>
>>  CC=/opt/ELDK41/usr/bin/ppc_6xx-gcc  --disable-selinux
>> --host=ppc-linux-gnu -target=ppc-linux-gnu --build=i686-linux-gnu
>> --includedir=/opt/ELDK41/ppc_6xx/usr/include/security/
>>
>> I find the following problems with this:
>>
>> -- It didn't directly build the .so,
>
> Which means configure doesn't detect your crosscompiling right.
> Please check the output of configure and try to find out what goes
> wrong.
>  Thorsten
> --
> Thorsten Kukuk, Project Manager/Release Manager SLES
> SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
> GF: Markus Rex, HRB 16746 (AG Nuernberg)
Thorsten Kukuk | 4 Mar 2009 11:07

Linux-PAM 1.0.4 released


Hello,

Linux-PAM 1.0.4 is released. There are only two changes, but these
are very important:

* Fixed CVE-2009-0579 (minimum days limit on password change is ignored)
* Fix libpam internal config/argument parser

  Thorsten

-- 
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
Ian Ward Comfort | 5 Mar 2009 19:18

pam_succeed_if's pam_sm_setcred

As of Linux-PAM 1.0.4, the pam_sm_setcred function of the  
pam_succeed_if module always returns PAM_IGNORE:

     PAM_EXTERN int
     pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
                    int argc UNUSED, const char **argv UNUSED)
     {
             return PAM_IGNORE;
     }

Is there any design reason not to give this function the same  
succeed_if behavior that the other pam_sm_* functions have?  I ask  
because I have a real-world scenario in which I'd like to use  
pam_succeed_if to skip setcred for some modules under certain  
circumstances.

-- 
Ian Ward Comfort <icomfort <at> rescomp.stanford.edu>
System Administrator, Student Computing, Stanford University
Thorsten Kukuk | 5 Mar 2009 19:45

Re: pam_succeed_if's pam_sm_setcred

On Thu, Mar 05, Ian Ward Comfort wrote:

> As of Linux-PAM 1.0.4, the pam_sm_setcred function of the  
> pam_succeed_if module always returns PAM_IGNORE:
> 
>     PAM_EXTERN int
>     pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
>                    int argc UNUSED, const char **argv UNUSED)
>     {
>             return PAM_IGNORE;
>     }
> 
> Is there any design reason not to give this function the same  
> succeed_if behavior that the other pam_sm_* functions have?  I ask  
> because I have a real-world scenario in which I'd like to use  
> pam_succeed_if to skip setcred for some modules under certain  
> circumstances.

As written in the manual page of pam_sm_setcred():

       The way the auth stack is navigated in order to evaluate the
       pam_setcred() function call, independent of the pam_sm_setcred() return
       codes, is exactly the same way that it was navigated when evaluating
       the pam_authenticate() library call. Typically, if a stack entry was
       ignored in evaluating pam_authenticate(), it will be ignored when
       libpam evaluates the pam_setcred() function call. Otherwise, the return
       codes from each module specific pam_sm_setcred() call are treated as
       required.

So what you wish to do is not possible.

  Thorsten

-- 
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
Ian Ward Comfort | 5 Mar 2009 20:12

Re: pam_succeed_if's pam_sm_setcred

On 5 Mar 2009, at 10:45 AM, Thorsten Kukuk wrote:
> As written in the manual page of pam_sm_setcred():
>
>       The way the auth stack is navigated in order to evaluate the
>       pam_setcred() function call, independent of the pam_sm_setcred() return
>       codes, is exactly the same way that it was navigated when evaluating
>       the pam_authenticate() library call. Typically, if a stack entry was
>       ignored in evaluating pam_authenticate(), it will be ignored when
>       libpam evaluates the pam_setcred() function call. Otherwise, the return
>       codes from each module specific pam_sm_setcred() call are treated as
>       required.
>
> So what you wish to do is not possible.

Ah, thanks; obviously I missed that section.  (I must be missing  
something else, too, as I thought I had my pam_authenticate stack  
skipping this module, but that's for me to investigate.)

-- 
Ian Ward Comfort <icomfort <at> rescomp.stanford.edu>
System Administrator, Student Computing, Stanford University
