Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers

This is the change log for our tcb suite implementing the alternative password shadowing scheme on Owl.

2011-07-17  Solar Designer  <solar at>

	* tcb.spec: 1.1, "Requires: glibc-crypt_blowfish >= 1.2".

	* pam_tcb/support.c (_set_ctrl), pam_tcb/pam_tcb.8: changed the default
	hash encoding prefix from "$2a$" to "$2y$" (requires crypt_blowfish 1.2
	or newer).

2010-06-07  Dmitry V. Levin  <ldv at>

	* tcb.spec: 1.0.6.

	* libs/libtcb.c (tcb_is_suspect): Drop faulty check for sparse files.
	It was based on a wrong assumption that st_blksize indicates the size
	of allocated blocks.  Also, the notion of sparse files does not apply
	to filesystems with compression turned on.
	The purpose of this check was to prevent some DoS attacks on root
	invoking user management tools and on services doing authentication.
	On a system with tcb shadow files, if group shadow access is somehow
	compromised, those files may be directly written to by their
	corresponding users as well as made sparse, which is what made this
	check somewhat desirable, but it was insufficient and problematic.
	Bug reported by Jim Darby <jim at>.

2010-02-25  Dmitry V. Levin  <ldv at>

	* tcb.spec: 1.0.5.

2010-02-14  Dmitry V. Levin  <ldv at>

	Decrease the size of tcb_privs structure allocated in .data segment
	from 256K to two dozen bytes by moving a groups array to .bss segment.
	* include/tcb.h (TCB_NGROUPS): Set to fixed value 1024 to reduce the
	waste of address space.  The former value NGROUPS_MAX is immensely large
	nowadays, and root privileged processes are not expected to have such a
	large list of supplementary groups anyway.
	(struct tcb_privs): Move the groups array outside the structure.
	* libs/libtcb.c (glob_grplist): New static groups array.
	(tcb_drop_priv_r): Set errno in case of invalid use.
	(glob_privs, tcb_drop_priv_r, tcb_drop_priv): Update for the change of
	tcb_privs structure.
	* libs/nss.c (tcb_safe_open): Likewise.

2010-02-10  Dmitry V. Levin  <ldv at>

	* tcb.spec: 1.0.4.
	* LICENSE: Update copyright for year 2010.

2010-01-20  Dmitry V. Levin  <ldv at>

	* libs/libtcb.c (tcb_drop_priv_r): Fix potential grpbuf buffer
	overflow.  This function is expected to return -1 if the buffer in
	tcb_privs structure is not sufficiently large to store all
	supplementary groups, but it didn't.  It treated the 1st argument of
	getgroups(2) as the size of the buffer in bytes, but according to specs
	it should be set to the size of the buffer in items that can be stored
	there.  To reproduce the bug, one has to build tcb with NGROUPS_MAX value
	less than the value defined in /proc/sys/kernel/ngroups_max, and set
	an appropriate (greater than NGROUPS_MAX) number of supplementary
	groups for the calling process.  There doesn't appear to be any
	untrusted user input involved.  Thus, this bug doesn't have to be
	treated as a security issue.
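The getgroups(2) sizing rule behind the fix above, as an added C example that is not tcb's own code: the first argument is a capacity in gid_t items, never in bytes, and a caller that cannot hold all groups must fail rather than let the kernel write past its buffer. DEMO_NGROUPS, demo_get_groups, demo_total_groups and demo_fill_static are names assumed here.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed stand-in for the fixed-size groups array tcb_privs uses;
 * the value 1024 is an assumption for this example. */
#define DEMO_NGROUPS 1024

/* Number of supplementary groups of the calling process (no copy made). */
int demo_total_groups(void)
{
	return getgroups(0, NULL);
}

/*
 * Copy the calling process's supplementary groups into buf.
 * nitems is the capacity of buf in gid_t ELEMENTS, not in bytes.
 * Returns the number of groups stored, or -1 with errno set to EINVAL
 * when buf cannot hold all of them (nothing is written in that case).
 */
int demo_get_groups(gid_t *buf, int nitems)
{
	int n;

	if (nitems < 0) {
		errno = EINVAL;
		return -1;
	}
	/* A zero size only queries the count; nothing is written. */
	n = getgroups(0, NULL);
	if (n < 0)
		return -1;
	if (n > nitems) {
		/* This is the refusal the buggy code never reached: it passed
		 * sizeof(buf), a byte count several times larger than the
		 * element count, so an oversized group list overran the buffer. */
		errno = EINVAL;
		return -1;
	}
	/* Pass the element count; the kernel then cannot write past buf. */
	return getgroups(n, buf);
}

/* Wrapper over a static buffer so callers can probe different capacities. */
int demo_fill_static(int nitems)
{
	static gid_t groups[DEMO_NGROUPS];

	if (nitems > DEMO_NGROUPS) {
		errno = EINVAL;
		return -1;
	}
	return demo_get_groups(groups, nitems);
}

int main(void)
{
	int n = demo_fill_static(DEMO_NGROUPS);

	if (n < 0) {
		perror("demo_get_groups");
		return 1;
	}
	printf("%d supplementary group(s) copied\n", n);
	return 0;
}
```

Passing a capacity of 0 demonstrates the failure path on any process that has at least one supplementary group: the call returns -1 instead of silently truncating or overrunning.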

2010-01-19  Dmitry V. Levin  <ldv at>

	* libs/Makefile: Use LDFLAGS more consistently.
	* progs/Makefile: Likewise.
	Reported by Paweł Hajdan, Jr. <phajdan.jr at>.

2009-04-03  Dmitry V. Levin  <ldv at>

	* tcb.spec: 1.0.3.

2009-04-02  Dmitry V. Levin  <ldv at>

	* LICENSE: Update copyright for year 2009.

	* pam_tcb/pam_unix_passwd.c (update_file): Call fflush(3) and
	Reported by Ermanno Scaglione <erm67 at>.

	* pam_tcb/support.c (_unix_fork, unix_run_helper_binary): Replace
	all calls to exit(3) in child processes with calls to _exit(2).
	Reported by Pascal Terjan <pterjan at>.

2006-10-31  Dmitry V. Levin  <ldv at>

	* tcb.spec: 1.0.2.

	* pam_tcb/pam_unix_auth.c (pam_sm_authenticate): Free retval_data
	pointer on error path.
	* pam_tcb/support.c (user_in_nisdb): Free userinfo string.
	* progs/tcb_chkpwd.c (zeroise): New function, zeroises string.
	(unix_verify_password): Free stored_hash string, zeroise hash
	Reported by Alexander Kanevskiy.

2006-05-06  Dmitry V. Levin  <ldv at>

	* tcb.spec: 1.0.1.
	* LICENSE: Updated copyright for year 2006.

	* pam_tcb/pam_unix_sess.c (pam_sm_open_session): Fail with
	PAM_SESSION_ERR for unknown users.

2005-12-28  Dmitry V. Levin  <ldv at>

	* tcb.spec: 1.0.
	* LICENSE: Updated copyrights for years 2004 and 2005.

	* pam_tcb/pam_unix_passwd.c (pam_sm_chauthtok): Bump syslog
	priorities of three error messages.

2005-09-26  Dmitry V. Levin  <ldv at>

	Update logging code to use pam_syslog.
	Update conversation code to use pam_prompt.

	* include/attribute.h (TCB_GNUC_PREREQ, TCB_FORMAT, TCB_NONNULL):
	New macros.
	(unused): Rewrite using TCB_GNUC_PREREQ.
	* pam_tcb/compat.c: New file, defines pam_syslog and pam_prompt
	if PAM does not provide them.
	* pam_tcb/compat.h: New file, defines prototypes for pam_syslog
	and pam_prompt if PAM does not provide them.
	* pam_tcb/Makefile (LIBSRC): Add compat.c.
	* pam_tcb/pam_unix_acct.c (acct_shadow): Add pam handle parameter.
	(pam_sm_acct_mgmt): Pass pam handle to functions which now require
	it.  Replace _log_err with pam_syslog.  Replace _make_remark
	with pam_error and pam_info.
	* pam_tcb/pam_unix_auth.c (pam_sm_authenticate, pam_sm_setcred):
	Pass pam handle to functions which now require it.
	(pam_sm_authenticate): Replace _log_err with pam_syslog.
	* pam_tcb/pam_unix_passwd.c (PASSWD_TMP_FILE): Remove macro.
	(update_file): New function, based on update_passwd and
	(update_passwd, update_shadow): Rewrite using update_file.
	(get_nis_server, update_nis, do_setpass): Add pam handle
	(get_nis_server, update_nis, do_setpass, unix_approve_pass,
	unix_prelim, pam_sm_chauthtok): Pass pam handle to functions
	which now require it.  Replace _log_err with pam_syslog.
	Replace _make_remark with pam_error.
	* pam_tcb/pam_unix_sess.c (pam_sm_open_session,
	pam_sm_close_session): Pass pam handle to functions which now
	require it.  Replace _log_err with pam_syslog.
	* pam_tcb/support.c (_log_err, converse, _make_remark): Remove
	no longer used functions.
	(_unix_fork, user_in_file, _unix_user_in_db,
	unix_blankpasswd_plain, _unix_blankpasswd, check_crypt,
	unix_verify_password_plain, crypt_wrapper_ra, crypt_wrapper,
	do_crypt, parse_opt, _set_ctrl): Add pam handle parameter.
	Pass pam handle to functions which now require it.
	Replace _log_err with pam_syslog.
	(_unix_read_password): Rewrite prompt handling to use pam_info
	and pam_prompt.
	* pam_tcb/support.h: Include "attribute.h" and "compat.h".
	(cmdline_opts): Add const qualifier to optname variable.
	(cb_func, _unix_user_in_db, _unix_fork, _set_ctrl,
	_unix_blankpasswd, _unix_read_password, crypt_wrapper, do_crypt):
	Update function prototypes.
	(_log_err, _make_remark): Remove prototypes of removed functions.

2005-09-12  Dmitry V. Levin  <ldv at>

	Implement OpenPAM build support.

	* Make.defs (CFLAGS): Remove -DLINUX_PAM.
	* pam_tcb/pam_unix_acct.c: Include <syslog.h>.
	Include <security/pam_appl.h> if and only if
	* pam_tcb/pam_unix_auth.c: Likewise.
	* pam_tcb/pam_unix_passwd.c: Likewise.
	* pam_tcb/pam_unix_sess.c: Likewise.
	* pam_tcb/support.c: Likewise.

	* pam_tcb/support.h: Define pam_item_t and pam_data_t.
	* pam_tcb/pam_unix_acct.c (pam_sm_acct_mgmt): Change type of
	item variable.
	* pam_tcb/pam_unix_auth.c (pam_sm_authenticate, pam_sm_setcred):
	* pam_tcb/pam_unix_passwd.c (unix_prelim, pam_sm_chauthtok):
	* pam_tcb/pam_unix_sess.c (pam_sm_open_session,
	pam_sm_close_session): Likewise.
	* pam_tcb/support.c (converse, failures_cleanup,
	do_record_failure, _unix_read_password): Likewise.

	* pam_tcb/pam_unix_auth.c (pam_sm_authenticate): Protect code
	which uses PAM_CONV_AGAIN and PAM_INCOMPLETE with appropriate
	* pam_tcb/support.c (converse): Likewise.

2005-09-11  Dmitry V. Levin  <ldv at>

	* pam_tcb/pam_unix_auth.c (pam_sm_authenticate): Do not override
	user prompt in calls to pam_get_user, recent PAM releases provide
	better default.
	* pam_tcb/pam_unix_passwd.c (pam_sm_chauthtok): Likewise.
	* pam_tcb/support.h: Remove PROMPT_USER.

	* pam_tcb/pam_unix_passwd.c (pam_sm_chauthtok): Fix password
	string check to avoid potential NULL dereference.
	* pam_tcb/support.c (unix_verify_password_plain): Check password
	string to avoid potential NULL dereference.
	(unix_run_helper_binary): Remove redundant password string check.

	* progs/tcb_unconvert.c (copy_user_from_tcb): Add const qualifier
	to msg variable, to fix warning reported by "gcc -Wwrite-strings".

2005-08-23  Dmitry V. Levin  <ldv at>

	Package symlink and pam_pwdb(8) manual page link.

	* pam_tcb/pam_pwdb.8: New file.
	* Makefile, pam_tcb/Makefile, tcb.spec:
	Install and pam_pwdb.8.

	* tcb.spec: 0.9.9.

2005-08-19  Dmitry V. Levin  <ldv at>

	In the PAM module, implement "openlog" option and disable
	openlog/closelog calls for each logging function invocation
	by default.

	* pam_tcb/support.h: Rename UNIX_NOOPENLOG to UNIX_OPENLOG.
	* pam_tcb/support.c (_log_err): When UNIX_OPENLOG is not set,
	prefix log line with the module name.
	(bool_names): Add negate field.
	(unix_bools): Add "openlog" option.
	(parse_opt): Handle negate field.
	* pam_tcb/pam_tcb.8: Document "openlog" option.

2005-08-18  Dmitry V. Levin  <ldv at>

	Restrict list of global symbols exported by the library,
	NSS and PAM modules.

	* libs/Makefile: New variables: LIB_MAP and NSS_MAP.  Pass
	--version-script argument when linking shared library and the
	NSS module.
	* libs/ New file, version script for the NSS module.
	* libs/libtcb.c (ch_uid, ch_gid): Make static.
	* libs/ New file, version script for the library.

	* pam_tcb/Makefile: New variable: PAM_MAP.  Pass --version-script
	argument when linking the PAM module.
	* pam_tcb/ New file, version script for the PAM module.

2005-04-22  Dmitry V. Levin  <ldv at>

	Enhance multilib support.

	* Make.defs: New variables: SLIBDIR and LIBDIR.
	* libs/Makefile, pam_tcb/Makefile, tcb.spec: Use them.

	* libs/Makefile, pam_tcb/Makefile, misc/Makefile, progs/Makefile:
	Create all necessary directories in the beginning of install target.

2005-04-22  Dmitry V. Levin  <ldv at>

	Deal with compilation warnings generated by new gcc compiler.

	* include/attribute.h: New file.
	* libs/libtcb.c, pam_tcb/pam_unix_passwd.c,
	pam_tcb/pam_unix_auth.c, pam_tcb/support.c, pam_tcb/support.h:
	Include it.

	* include/attribute.h, pam_tcb/support.h (_log_err): Add
	workaround for those systems which lack support for __attribute__

	* pam_tcb/support.c (_log_err): Remove no longer needed
	__attribute__ directive.

	* libs/libtcb.c (alarm_catch), pam_tcb/pam_unix_auth.c
	(retval_cleanup), pam_tcb/pam_unix_passwd.c (update_nis),
	pam_tcb/support.c (data_cleanup):
	Mark unused arguments with "unused" attribute.

	* libs/libtcb.c (ch_uid, ch_gid, tcb_drop_priv_r),
	progs/tcb_chkpwd.c (is_two_strings),
	pam_tcb/support.c (_set_ctrl):
	Avoid comparison between signed and unsigned.

	* pam_tcb/support.c (unix_run_helper_binary,
	unix_verify_password_plain): Eliminate unused variable pamh.

	* pam_tcb/pam_unix_acct.c (pam_sm_acct_mgmt),
	pam_tcb/pam_unix_auth.c (pam_sm_authenticate, pam_sm_setcred),
	pam_tcb/pam_unix_passwd.c (update_nis, do_setpass, unix_prelim,
	pam_sm_chauthtok), pam_tcb/pam_unix_sess.c (pam_sm_open_session,
	pam_sm_close_session), pam_tcb/support.c (converse,
	failures_cleanup, do_record_failure, _unix_read_password):
	Fix the strict aliasing issues.

	* tcb.spec:

2004-06-25  Dmitry V. Levin  <ldv at>

	* progs/tcb_unconvert.c (copy_from_tcb):
	Zero errno before each readdir(3) call.

	* tcb.spec:
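The readdir(3) idiom behind the 2004-06-25 entry above, as an added C example that is not tcb's own code: readdir returns NULL both at the end of the listing and on error, so errno must be zeroed before each call and checked after a NULL return, otherwise a stale errno from an earlier call reports a phantom failure, or a real failure is silently taken for end of directory. demo_count_entries, demo_count_temp and the /tmp directory name pattern are assumptions of this example.

```c
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Count the entries in a directory, excluding "." and "..".
 * Returns -1 with errno set if opendir or readdir fails.
 */
int demo_count_entries(const char *path)
{
	DIR *dir = opendir(path);
	if (!dir)
		return -1;
	int count = 0;
	for (;;) {
		errno = 0;                     /* clear before EACH readdir call */
		struct dirent *ent = readdir(dir);
		if (!ent) {
			if (errno != 0) {      /* real error, not end of listing */
				int saved = errno;
				closedir(dir);
				errno = saved;
				return -1;
			}
			break;                 /* errno still 0: end of directory */
		}
		if (strcmp(ent->d_name, ".") != 0 && strcmp(ent->d_name, "..") != 0)
			count++;
	}
	closedir(dir);
	return count;
}

/*
 * Build a temp directory holding nfiles empty files, count them with
 * demo_count_entries, then clean up.  Returns the count or -1 on error.
 */
int demo_count_temp(int nfiles)
{
	char dir[] = "/tmp/demo_readdir_XXXXXX";   /* constructed name */
	char name[64];
	int i, n = -1;

	if (!mkdtemp(dir))
		return -1;
	for (i = 0; i < nfiles; i++) {
		snprintf(name, sizeof name, "%s/f%d", dir, i);
		int fd = open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
		if (fd < 0)
			goto cleanup;
		close(fd);
	}
	n = demo_count_entries(dir);
cleanup:
	for (i = 0; i < nfiles; i++) {
		snprintf(name, sizeof name, "%s/f%d", dir, i);
		unlink(name);
	}
	rmdir(dir);
	return n;
}

int main(void)
{
	int n = demo_count_temp(3);
	if (n < 0) {
		perror("demo_count_temp");
		return 1;
	}
	printf("counted %d entries\n", n);
	return 0;
}
```

Errno is saved across closedir() before returning, since closedir may itself clobber it and the caller needs the readdir failure reason.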

2003-11-02  Solar Designer  <solar at>

	* pam_tcb/Makefile: Use -fPIC.

	* libs/Makefile, misc/Makefile, pam_tcb/Makefile, progs/Makefile,
	tcb.spec: Renamed FAKEROOT to DESTDIR.

	* tcb.spec:

2003-10-29  Solar Designer  <solar at>

	* libs/nss.c, libs/libtcb.c, pam_tcb/support.c,
	pam_tcb/pam_unix_passwd.c, pam_tcb/pam_unix_acct.c,
	progs/tcb_convert.c, progs/tcb_unconvert.c: Don't depend on
	*BSD-style asprintf(3) semantics as Ulrich has rejected that

	* README: New file, explains how tcb may be built on non-Owl.

	* tcb.spec:

2003-04-18  Solar Designer  <solar at>

	* misc/tcb.5, pam_tcb/pam_tcb.8, progs/tcb_convert.8: Use bold
	face for component names in .SH NAME, but avoid *roff commands
	to not confuse makewhatis and apropos(1).

	* LICENSE: Updated copyrights for year 2003.

	* tcb.spec:

2003-04-16  Dmitry V. Levin  <ldv at>

	* pam_tcb/support.c: Implemented proper fake salt creation
	to avoid a timing attack.

	* tcb.spec:

2002-10-31  Solar Designer  <solar at>

	* progs/tcb_chkpwd.c: Optimized unix_verify_password() a bit,
	from Dmitry V. Levin <ldv at>.

	* tcb.spec:

2002-10-30  Solar Designer  <solar at>

	* progs/tcb_convert.8: Noted that /etc/shadow backups need to be
	removed as well, with /etc/shadow- as the particular example.

	* tcb.spec:

2002-10-24  Solar Designer  <solar at>

	* libs/nss.c, libs/libtcb.c, pam_tcb/support.c,
	progs/tcb_chkpwd.c, progs/tcb_unconvert.c, misc/tcb.5: Cleaned
	up the recent changes.

	* tcb.spec: Set version to

2002-08-20  Rafal Wojtczuk  <nergal at>

	* libs/nss.c, progs/tcb_unconvert.c, misc/tcb.5: Merged
	enhancements which remove 32K users limit.

	* libs/libtcb.c, include/tcb.h: Added ENABLE_SETFSUGID.

	* pam_tcb/support.c, progs/tcb_chkpwd.c: Pass the username to
	the helper binary such that it can handle non-unique UIDs.

	* tcb.spec, libs/Makefile: Set version to 0.9.8.

2002-08-19  Solar Designer  <solar at>

	* tcb.spec, libs/Makefile: Moved symlink to /usr/lib
	(patch from Dmitry V. Levin).

2002-08-04  Solar Designer  <solar at>

	* pam_tcb/pam_tcb.5, pam_tcb/pam_unix.5: Moved these manual
	pages to section 8 (the files are now gone).

	* pam_tcb/pam_tcb.8, pam_tcb/pam_unix.8: New files, based on
	the section 5 manual pages with minor changes.

	* tcb.spec, misc/tcb.5, progs/tcb_convert.8, pam_tcb/Makefile:
	Updates to reflect the above change.

	* libs/Makefile: Use trailing slashes after directories with
	install commands.

2002-07-07  Solar Designer  <solar at>

	* pam_tcb/pam_unix_acct.c, pam_tcb/pam_unix_passwd.c: No
	longer let root enforced password changes (sp_lstchg == 0)
	take precedence over expired accounts (sp_expire).

2002-05-19  Solar Designer  <solar at>

	* Make.defs: Renamed SYSBIN to SBINDIR, define LIBEXECDIR.

	* tcb.spec, progs/Makefile, pam_tcb/Makefile,
	pam_tcb/pam_tcb.5, misc/tcb.5: Moved the chkpwd directory to

	* misc/Makefile: Deal with SBINDIR and LIBEXECDIR.

2001-11-28  Dmitry V. Levin  <ldv at>

	* pam_tcb/support.c: Replaced signal call with sigaction call.

	* pam_tcb/support.c: Fixed possible "dereferencing NULL" typo.

	* progs/tcb_chkpwd.c: Test also stdout for isatty.

	* progs/Makefile: Create relative symlink instead of absolute.

	* libs/nss.c: Fixed glibc-2.2.4 compilation warning.
	* pam_tcb/pam_unix_passwd.c: Likewise.
	* progs/tcb_unconvert.c: Likewise.