OpenPAM Micrampelis 2012-05-26

 - FEATURE: Add an openpam_readword(3) function which reads the next
   word from an input stream, applying shell quoting and escaping
   rules. Add numerous unit tests for openpam_readword(3).

 - FEATURE: Add an openpam_readlinev(3) function which uses the
   openpam_readword(3) function to read words from an input stream one
   at a time until it reaches an unquoted, unescaped newline, and
   returns an array of those words. Add several unit tests for
   openpam_readlinev(3).

 - FEATURE: Add a PAM_HOST item which pam_start(3) initializes to the
   machine's hostname. This was implemented in Lycopsida but
   inadvertently left out of the release notes.

 - FEATURE: In pam_get_authtok(3), if neither the application nor the
   module has specified a prompt and PAM_HOST and PAM_RHOST are both
   defined but not equal, use a different default prompt that includes
   PAM_USER and PAM_HOST.

 - ENHANCE: Rewrite the policy parser to use openpam_readlinev(),
   which greatly simplifies the code.

 - ENHANCE: The previous implementation of the policy parser relied on
   the openpam_readline(3) function, which (by design) munges
   whitespace and understands neither quotes nor backslash escapes.
   As a result of the aforementioned rewrite, whitespace, quotes and
   backslash escapes in policy files are now handled in a consistent
   and predictable manner.

 - ENHANCE: On platforms that have it, use fdlopen(3) to load modules.
   This closes the race between the ownership / permission check and
   the dlopen(3) call.

 - ENHANCE: Reduce the amount of pointless error messages generated
   while searching for a module.

 - ENHANCE: Numerous documentation improvements, both in content and
   formatting.

 - BUGFIX: A patch incorporated in Lycopsida inadvertently changed
   OpenPAM's behavior when several policies exist for the same
   service, from ignoring all but the first to concatenating them all.
   Revert to the original behavior.

 - BUGFIX: Plug a memory leak in the policy parser.
============================================================================
OpenPAM Lycopsida 2011-12-18

 - ENHANCE: removed static build autodetection, which didn't work
   anyway. Use an explicit, user-specified preprocessor variable
   instead.

 - ENHANCE: cleaned up the documentation a bit.

 - ENHANCE: added openpam_subst(3), allowing certain PAM items to be
   embedded in strings such as prompts. Apply it to the prompts used
   by pam_get_user(3) and pam_get_authtok(3).

 - ENHANCE: added support for the user_prompt, authtok_prompt and
   oldauthtok_prompt module options, which override the prompts passed
   by the module to pam_set_user(3) and pam_get_authtok(3).

 - ENHANCE: rewrote the policy parser to support quoted option values.

 - ENHANCE: added pamtest(1), a tool for testing modules and policies.

 - ENHANCE: added code to check the ownership and permissions of a
   module before loading it.

 - ENHANCE: added / improved input validation in many cases, including
   the policy file and some function arguments.
============================================================================
OpenPAM Hydrangea 2007-12-21

 - ENHANCE: when compiling with GCC, mark up API functions with GCC
   attributes where appropriate.

 - BUGFIX: fixed numerous warnings uncovered by GCC 4.

 - ENHANCE: building the documentation is now optional.

 - ENHANCE: corrected a number of mistakes and style issues in the
   build system.

 - ENHANCE: API function arguments are now const where appropriate, to
   match corresponding changes in the Solaris PAM and Linux-PAM APIs.

 - ENHANCE: corrected a number of C namespace violations.

 - ENHANCE: the module cache has been removed, allowing long-lived
   applications to pick up module changes. This also allows multiple
   threads to use PAM simultaneously (as long as they use separate PAM
   contexts), since the module cache was the only part of OpenPAM that
   was not thread-safe.
============================================================================
OpenPAM Figwort 2005-06-16

 - BUGFIX: Correct several small signedness and initialization bugs
   discovered during review by the NetBSD team.

 - BUGFIX: Modify gendoc.pl to sort cross-references in dictionary
   order within each section.

 - ENHANCE: if a policy specifies a relative module path, prepend the
   module directory so we never call dlopen(3) with a relative path.

 - ENHANCE: add a pam.conf(5) manual page.
============================================================================
OpenPAM Feterita 2005-02-01

 - BUGFIX: Correct numerous markup errors, invalid cross-references,
   and other issues in the manual pages, with kind assistance from
   Ruslan Ermilov <ru@freebsd.org>.

 - BUGFIX: Avoid multiple evaluation of macro arguments in ENTERX()
   and RETURNX() macros.

 - BUGFIX: Remove an unnecessary and non-portable pointer cast in
   pam_get_data(3).

 - BUGFIX: Fix identical typos in PAM_ACCT_EXPIRED case in
   pam_strerror(3) and gendoc.pl.

 - ENHANCE: Minor overhaul of the autoconf / build system.

 - ENHANCE: Add openpam_free_envlist(3).
============================================================================
OpenPAM Eelgrass 2004-02-10

 - BUGFIX: Correct array handling bugs in conversation code.

 - BUGFIX: In openpam_ttyconv(3), don't strip trailing linear
   whitespace from the user's response.

 - BUGFIX: Many constness issues addressed.
============================================================================
OpenPAM Dogwood 2003-07-15

 - ENHANCE: Use the GNU autotools.

 - ENHANCE: Constify the msg field in struct pam_message.

 - BUGFIX: Remove left-over debugging output

 - BUGFIX: Avoid side effects in arguments to the FREE() macro

 - ENHANCE: Make openpam_ttyconv(3) use read(2) rather than fgets(3).

 - BUGFIX: Staticize some variables which shouldn't be global.

 - BUGFIX: Correctly anticipate a NULL user in pam_get_user(3).

 - ENHANCE: Various minor documentation improvements.

Thanks to Dmitry V. Levin <ldv@altlinux.org> for considerable
assistance with this release.
============================================================================
OpenPAM Digitalis 2003-06-01

 - ENHANCE: Completely rewrite the configuration parser and add
   support for the "include" control flag.

 - ENHANCE: Improve portability to NetBSD, OpenBSD and Linux.

 - ENHANCE: Lots of additional paranoia.

 - BUGFIX: The sample su(1) application dropped privileges before
   forking instead of after.

 - ENHANCE: Document openpam_log(3).

 - ENHANCE: Other minor documentation fixes.

Thanks to Dmitry V. Levin <ldv@altlinux.org> for considerable
assistance with this release.
============================================================================
OpenPAM Dianthus 2003-05-02

 - BUGFIX: Initialize some potentially uninitialized variables.

 - BUGFIX: Silence some warnings emitted by gcc -std=iso9899:1999.

 - BUGFIX: In pam_getenv(), return a pointer to the stored variable
   instead of a freshly allocated copy.

 - ENHANCE: Detect recursion in openpam_borrow_cred()

 - ENHANCE: Make borrowing one's own credentials a no-op.

 - ENHANCE: Further improve debugging support.

 - ENHANCE: Clean up some variable names.
============================================================================
OpenPAM Daffodil 2003-01-06

 - ENHANCE: Document dependency on <sys/types.h> (for size_t)

 - ENHANCE: Slightly improve error detection in openpam_ttyconv().

 - BUGFIX: Fix several typos in debugging macros.
============================================================================
OpenPAM Cyclamen 2002-12-12

 - ENHANCE: Improve recursion detection in openpam_dispatch().

 - ENHANCE: Add debugging messages at entry and exit points of most
   functions.

 - ENHANCE: Fix some minor style issues.

 - BUGFIX: Add default cases to the switches in openpam_log.c.

 - ENHANCE: Add /usr/local/etc/pam.conf to policy search path.

 - BUGFIX: In openpam_ttyconv(3), print the prompt to stdout rather
   than stderr.
============================================================================
OpenPAM Citronella 2002-06-30

 - ENHANCE: Add the "binding" control flag (from Solaris 9).

 - ENHANCE: Define struct pam_repository and PAM_REPOSITORY (from
   Solaris 9).

 - ENHANCE: Flesh out the pam(3) man page.

 - ENHANCE: Add an openpam(3) page with cross-references to all the
   documented OpenPAM API extensions.

 - ENHANCE: Add a pam_conv(3) man page describing the conversation
   system.

 - ENHANCE: Improved sample application.

 - ENHANCE: Added sample pam_unix module.

 - BUGFIX: Various documentation nits.
============================================================================
OpenPAM Cinquefoil 2002-05-24

 - BUGFIX: Various warnings uncovered by gcc 3.1.

 - ENHANCE: Add a null conversation function, openpam_nullconv(3).

 - BUGFIX: Initialize the "other" chain to all zeroes.

 - ENHANCE: Document openpam_ttyconv(3).
============================================================================
OpenPAM Cinnamon 2002-05-02

 - ENHANCE: Add a null conversation function, openpam_nullconv().

 - BUGFIX: Various markup bugs in the documentation.

 - BUGFIX: Document <security/openpam.h>.

 - BUGFIX: Duplicate expansion of openpam_log() macro arguments.

 - ENHANCE: Restructure the policy-loading code and align our use of
   the "other" policy with Solaris and Linux-PAM.

 - ENHANCE: Log dlopen() and dlsym() failures.

 - ENHANCE: In openpam_ttyconv(), emit a newline after error and info
   messages unless the message contains one already.

 - BUGFIX: In pam_vprompt(), initialize the response pointer to NULL
   so we can detect whether the conversation function touched it.
============================================================================
OpenPAM Cineraria 2002-04-14

 - BUGFIX: Fix confusion between token and prompt in
   pam_get_authtok(3).

 - ENHANCE: Improved documentation.

 - ENHANCE: Adopt the same preprocessor tricks that were used in
   FreeBSD's version of Linux-PAM to simplify static linking without
   requiring dummy primitives.

 - ENHANCE: Move the policy-loading code out of pam_start.c.

 - BUGFIX: Fix typo in one of the versions of the openpam_log macro.

 - ENHANCE: Add versioning macros.
============================================================================
OpenPAM Cinchona 2002-04-08

 - ENHANCE: Improved documentation for several API functions.

 - BUGFIX: Fix bug in pam_set_data() that would result in corruption
   of the module data list.

 - BUGFIX: Allocate the correct amount of memory for the environment
   list in pam_putenv().

 - ENHANCE: Change pam_get_authtok()'s prototype so the caller can
   specify what token it wants. Also introduce PAM_OLDAUTHTOK_PROMPT.

 - BUGFIX: Plug memory leak in pam_get_user() / pam_get_authtok(), and
   reduce differences between these very similar functions.

 - ENHANCE: Check flags carefully in pam_authenticate() and
   pam_chauthtok().

 - BUGFIX: Fix bugs in portability code; libpam now builds on NetBSD.

 - ENHANCE: In pam_get_authtok(), if PAM_OLDAUTHTOK is set, we're
   asked for PAM_AUTHTOK, and we have to prompt the user, prompt her
   twice and compare the responses.

 - ENHANCE: Add openpam_{borrow,restore}_cred(), for temporarily
   switching to user credentials.

 - ENHANCE: Add openpam_free_data(), a generic cleanup function for
   pam_set_data() consumers.
============================================================================
OpenPAM Centaury 2002-03-14

 - BUGFIX: Add missing #include <string.h> to openpam_log.c.

 - BUGFIX: s/PAM_REINITIALISE_CRED/PAM_REINITIALIZE_CRED/. XSSO uses
   the former, but Solaris and Linux-PAM use the latter.

 - BUGFIX: The dynamic loader and the module cache contained a number
   of bugs which would cause a segmentation fault if pam_start(3) was
   called again after pam_end(3), as happens in login(1), xdm(1) etc.
   after a failed login.

 - BUGFIX: Refer to a module by the name used in the policy file, even
   if the module that was actually loaded was versioned.

 - ENHANCE: Suppress debugging logs, unless compiled with -DDEBUG.
============================================================================
OpenPAM Celandine 2002-03-05

 - BUGFIX: PAM_TRY_AGAIN is a valid return value for pam_chauthtok().

 - BUGFIX: Run passwd chain twice, first with the PAM_PRELIM_CHECK
   flag set, then with the PAM_UPDATE_AUTHTOK flag set.

 - BUGFIX: Failure of a "sufficient" module should not terminate the
   passwd chain if the PAM_PRELIM_CHECK flag is set.

 - BUGFIX: Clear PAM_AUTHTOK after running the service modules.

 - ENHANCE: Prevent applications from specifying the PAM_PRELIM_CHECK
   or PAM_UPDATE_AUTHTOK flags themselves.

 - BUGFIX: openpam_set_option() did not support changing the value of
   an existing option.

 - ENHANCE: Add support for module versioning. OpenPAM will prefer a
   module with the same version number as the library itself to one
   with no version number at all.
============================================================================
OpenPAM Cantaloupe 2002-02-22

 - BUGFIX: The proper use of PAM_SYMBOL_ERR is to indicate an invalid
   argument to pam_[gs]et_item(3), not to indicate dlsym(3) failures.

 - ENHANCE: Add in-line documentation in most source files, and a Perl
   script that generates mdoc code from that.

 - BUGFIX: The environment list was not properly NULL-terminated.

 - ENHANCE: Allow the PAM_AUTHTOK_PROMPT item to override the prompt
   specified by the module.

 - BUGFIX: PAM_NUM_ITEMS was set too low. It has been moved to
   pam_constants.h to avoid it going stale again.

 - ENHANCE: Move all code related to static modules into a separate
   file.

 - ENHANCE: openpam_ttyconv() now masks most signals while prompting the
   user, and supports setting a timeout (which defaults to off).

 - BUGFIX: Some manual pages referenced XSSO even though they
   documented OpenPAM-specific functions.

 - ENHANCE: Added openpam_get_option() and openpam_set_option().

 - ENHANCE: openpam_get_authtok() now respects the echo_pass,
   try_first_pass, and use_first_pass options.
============================================================================
OpenPAM Caliopsis 2002-02-13

Fixed a number of bugs in the previous release, including:
 - a number of bugs in and related to pam_[gs]et_item(3)
 - off-by-one bug in pam_start.c would trim last character off certain
   configuration lines
 - incorrect ordering of an array in openpam_load.c would cause service
   module functions to get mixed up
 - missing 'continue' in openpam_dispatch.c caused successes to be
   counted as failures
============================================================================
OpenPAM Calamite 2002-02-09

First (beta) release.
============================================================================
$Id: HISTORY 609 2012-05-26 13:57:45Z des $
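
The race closed by the Micrampelis fdlopen(3) entry (the check itself dates from Lycopsida), as an added C sketch that is not OpenPAM's code: the file is opened once, the ownership and permission check runs on the descriptor with fstat(2), and the load uses that same descriptor. The function names, the exact policy and the ENOSYS result on systems without fdlopen(3) are assumptions of this example.

```c
/* Added illustration; not OpenPAM source. Names and policy are hypothetical. */
#define _DEFAULT_SOURCE 1	/* glibc: keep POSIX declarations visible */
#include <sys/types.h>
#include <sys/stat.h>
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Assumed policy: regular file, owned by `owner`, no group/other write bit. */
static int
check_module_fd(int fd, uid_t owner)
{
	struct stat sb;

	if (fstat(fd, &sb) != 0)
		return (-1);
	if (!S_ISREG(sb.st_mode) || sb.st_uid != owner ||
	    (sb.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
		errno = EPERM;
		return (-1);
	}
	return (0);
}

/*
 * stat(path) followed by dlopen(path) resolves the path twice, so the file
 * can be replaced in between.  Here the path is resolved once and both the
 * check and the load use the resulting descriptor.
 */
void *
load_module_checked(const char *path, uid_t owner)
{
	void *dlh = NULL;
	int fd, serrno;

	if ((fd = open(path, O_RDONLY)) < 0)
		return (NULL);
	if (check_module_fd(fd, owner) == 0) {
#ifdef __FreeBSD__
		dlh = fdlopen(fd, RTLD_NOW);	/* load exactly what was checked */
#else
		errno = ENOSYS;	/* no fdlopen(3); dlopen(path) would reopen the race */
#endif
	}
	serrno = errno;
	close(fd);
	errno = serrno;
	return (dlh);
}
```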