├── .hgignore ├── .hgtags ├── .idea ├── $CACHE_FILE$ ├── .gitignore ├── misc.xml ├── modules.xml └── vcs.xml ├── ChangeLog.txt ├── Makefile ├── Makefile.release ├── README.txt ├── agpl-3.0.txt ├── debian ├── changelog ├── compat ├── control ├── copyright ├── libpam-python-doc.doc-base ├── libpam-python.README.Debian ├── patches │ ├── intersphinx-localmapping.diff │ └── series ├── rules ├── source.lintian-overrides ├── source │ └── format ├── tests │ ├── control │ └── pam-python-test.sh └── watch ├── doc ├── Makefile ├── conf.py ├── pam_permit.py └── pam_python.rst ├── examples ├── pam_deny.py ├── pam_nologin.py └── pam_permit.py ├── pam-python.html ├── pam-python.iml └── src ├── Makefile ├── ctest.c ├── pam_python.c ├── setup.py ├── test-pam_python.pam.in └── test.py /.hgignore: -------------------------------------------------------------------------------- 1 | syntax: glob 2 | 3 | *.orig 4 | *.py[co] 5 | MANIFEST 6 | __pycache__ 7 | build 8 | debian/*.debhelper 9 | debian/*.log 10 | debian/*.substvars 11 | debian/files 12 | debian/libpam-python 13 | debian/libpam-python-doc 14 | doc/html 15 | src/*.so 16 | src/build 17 | src/ctest 18 | src/test-pam_python.pam 19 | release.tmp 20 | -------------------------------------------------------------------------------- /.hgtags: -------------------------------------------------------------------------------- 1 | 41c0dec01d3547d0d5fba489886417f17cf3c573 pam-python-1.0.4-1 2 | 457b995c545e4c7891343cbbcbf91a475ba6afd4 pam-python-1.0.5-1 3 | ed984bf580e0fc43210e7a9d26fee13af6a57acd pam-python-1.0.6-1 4 | 0247ab687b4347cc52859ca461fb0126dd7e2ebe pam-python-1.0.7-1 5 | -------------------------------------------------------------------------------- /.idea/$CACHE_FILE$: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /.idea/.gitignore: 
-------------------------------------------------------------------------------- 1 | # Default ignored files 2 | /workspace.xml -------------------------------------------------------------------------------- /.idea/misc.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /.idea/modules.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /.idea/vcs.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /ChangeLog.txt: -------------------------------------------------------------------------------- 1 | pam-python-1.0.7 Wed, 18 Sep 2019 20:23:54 +1000 2 | 3 | Bug: Fix local root exploit. 4 | 5 | pam-python-1.0.6 Sat, 27 Aug 2016 21:35:36 +1000 6 | 7 | New: Update Makefile.release 8 | New: OSX support. 9 | Bug: Fix debian bug #833411. 10 | 11 | pam-python-1.0.5 Fri, 19 Feb 2016 19:29:38 +1000 12 | 13 | New: Update Makefile.release 14 | Bug: Fix pam typo in pam_accept.py. Thanks to André Caron 15 | for the bug report. 16 | 17 | pam-python-1.0.4 2014-05-04 18 | 19 | New: Re-homed to sourceforge. 20 | New: Move to the AGPL-3.0. 21 | 22 | pam-python-1.0.3 2014-05-04 23 | 24 | Bug: Make work with older versions of Python, courtesy of Thomas Kula. 25 | Bug: Call dlerror() where appropriate, courtesy of David MacKenzie. 26 | New: Linux-PAM-html has moved URLs 27 | 28 | pam-python-1.0.2 2012-04-05 29 | 30 | Bug: Get rid of build crap in source distribution. 31 | Bug: Fix doco grammar. 32 | 33 | pam-python-1.0.1 2010-12-13 34 | 35 | Bug: Build test suite so libraries are loaded as needed. 
36 | 37 | pam-python-1.0.0 2010-05-23 38 | 39 | New: Documentation moved to Python 2.6 format, i.e. Sphinx. 40 | New: Added additional members for the new PAM items: 41 | PAM_XDISPLAY, PAM_XAUTHTOK and PAM_AUTHTOK_TYPE. 42 | New: Added the PamXAuthData class. 43 | New: Added new PAM constants in PAM 1.1.1. 44 | 45 | pam-python-0.1.1 2009-08-05 46 | 47 | New: Made to work with Python 2.5. 48 | 49 | pam-python-0.1.0 2007-12-05 50 | 51 | New: Epoch. 52 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: all 2 | all: doc lib 3 | 4 | .PHONY: lib 5 | lib: 6 | $(MAKE) --directory src 7 | 8 | .PHONY: doc 9 | doc: 10 | $(MAKE) --directory doc 11 | 12 | .PHONY: test 13 | test: 14 | $(MAKE) --directory src $@ 15 | 16 | .PHONY: clean-pam_python 17 | clean-pam_python: 18 | rm -rf pam_python 19 | 20 | .PHONY: clean 21 | clean: clean-pam_python 22 | $(MAKE) --directory doc $@ 23 | $(MAKE) --directory src $@ 24 | 25 | .PHONY: install 26 | install: install-doc install-lib 27 | 28 | .PHONY: install-doc 29 | install-doc: clean-pam_python 30 | $(MAKE) --directory doc $@ 31 | 32 | .PHONY: install-lib 33 | install-lib: clean-pam_python 34 | $(MAKE) --directory src $@ 35 | 36 | RELEASE_SOURCES = \ 37 | ChangeLog.txt \ 38 | Makefile \ 39 | Makefile.release \ 40 | pam-python.html \ 41 | README.txt \ 42 | doc/pam_python.rst \ 43 | src/ctest.c \ 44 | src/Makefile \ 45 | src/pam_python.c \ 46 | src/setup.py \ 47 | src/test-pam_python.pam.in \ 48 | src/test.py 49 | 50 | include Makefile.release 51 | 52 | release-project-clean:: clean 53 | -------------------------------------------------------------------------------- /Makefile.release: -------------------------------------------------------------------------------- 1 | # 2 | # Do a release. 3 | # 4 | # This file is identical for _all_ sourceforge projects I host. 
It is 5 | # designed to do one thing: automate my sourceforge work flow. Be warned that 6 | # I will selfishly reject any patches that don't do that. 7 | # 8 | # It does the following: 9 | # 10 | # 1. Verifies the changelogs have been updated to a consistent version. 11 | # 12 | # 2. Updates the version numbers and copyright dates in all source files. 13 | # 14 | # 3. Builds the source tarball. 15 | # 16 | # 4. Builds the debian source and binary packages. 17 | # 18 | # 5. If there is a .spec file, builds the rpm source and binary 19 | # packages. 20 | # 21 | # 6. Sends the released files (tarball, debian and rpm packages) to the 22 | # release area. 23 | # 24 | # 7. Sends the HTML file, and other files referenced by it, to the web 25 | # site. 26 | # 27 | # Copyright (c) 2013,2014,2015,2016,2017,2018,2019 Russell Stuart. 28 | # Licensed (at your choice) under GPLv2, or any later version, 29 | # or AGPL-3.0+, or any later version. 30 | # 31 | RELEASE_ME=$(shell sed -n '1s/ .*//p' ChangeLog.txt) 32 | RELEASE_PACKAGE_NAME=$(shell echo "$(RELEASE_ME)" | sed 's/-[^-]*$$//') 33 | RELEASE_VERSION=$(shell echo "$(RELEASE_ME)" | sed 's/.*-//') 34 | RELEASE_YEAR=$(shell date +%Y) 35 | RELEASE_MONTH=$(shell date +%b) 36 | RELEASE_DATE=$(shell date +%Y-%m-%d) 37 | RELEASE_DEBIAN_VERSION=$(shell sed -n 's/[^(]*(\([^)]*\)).*/\1/p;q' debian/changelog) 38 | 39 | RELEASE_DIR=release.tmp 40 | RELEASE_HTDOCS=$(RELEASE_DIR)/htdocs 41 | RELEASE_FILES=$(RELEASE_DIR)/$(RELEASE_PACKAGE_NAME)-$(RELEASE_DEBIAN_VERSION) 42 | 43 | .PHONY: release 44 | release: $(RELEASE_DIR)/release.stamp 45 | $(RELEASE_DIR)/release.stamp: $(RELEASE_SOURCES) 46 | @echo ME=$(RELEASE_ME) PACKAGE=$(RELEASE_PACKAGE_NAME) VERSION=$(RELEASE_VERSION) YEAR=$(RELEASE_YEAR) MONTH=$(RELEASE_MONTH) DATE=$(RELEASE_DATE) DEBIAN_VERSION=$(RELEASE_DEBIAN_VERSION) 47 | # 48 | # Ensure the Debian changelog matches this version. 
49 | # 50 | debian_version="$(RELEASE_DEBIAN_VERSION)"; [ "$(RELEASE_PACKAGE_NAME)-$${debian_version%-*}" = "$(RELEASE_ME)" ] || \ 51 | { echo 1>&2 "debian/changelog: changelog is out of date."; exit 1; } 52 | $(MAKE) release-clean 53 | # 54 | # Check changes have reflected in mercurial. 55 | # 56 | ! hg status | grep '^?' || { echo "hg add hasn't been done" 1>&2; exit 1; } 57 | ! hg status | grep '^!' || { echo "hg rm hasn't been done" 1>&2; exit 1; } 58 | [ -z "$$(hg resolv --list | grep -v ^R)" ] || { echo "There are unresolved merge conflicts" 1>&2; exit 1; } 59 | 60 | # 61 | # Update all the version numbers and dates. 62 | # 63 | set -e; for f in $(wildcard *.1); do \ 64 | sed -i "s/^\([.].\" Copyright (c) \)2[0-9]*/\1$(RELEASE_YEAR)/" "$${f}"; \ 65 | sed -i "s/^\([.]TH [A-Z]* 1 \"\)[^\"]*\(\".*Version[ ]\+\)[1-9][0-9]*[.][0-9]\+/\1$(RELEASE_MONTH) $(RELEASE_YEAR)\2$(RELEASE_VERSION)/" "$${f}"; \ 66 | done 67 | set -e; for f in $$(find . -name "*.c" -o -name "*.h"); do \ 68 | sed -i "/$(RELEASE_YEAR)/!s/\(Copyright (c) [-0-9, ]*2[0-9]*\)\(,\? *Russell Stuart\)/\1,$(RELEASE_YEAR)\2/" "$${f}"; \ 69 | sed -i "s/^\(static.*_version..[ ]*=[ ]*\"\)[^\"]*/\1$(RELEASE_VERSION)/" "$${f}"; \ 70 | sed -i "s/^\(static.*_date..[ ]*=[ ]*\"\)[^\"]*/\1$(RELEASE_DATE)/" "$${f}"; \ 71 | done 72 | set -e; for f in $$(find . -name "*.py"); do \ 73 | sed -i 's/^\(VERSION[ ]*=[ ]*"\)[^ "]*/\1$(RELEASE_VERSION)/' $${f}; \ 74 | sed -i 's/^\(VERSION[ ]*=[ ]*"[^ ]* \+\)[^"]*/\1$(RELEASE_DATE)/' $${f}; \ 75 | done 76 | set -e; for f in $$(find . -name "*.rst" -o -name "*.py" -o -name "Makefile*") README.txt; do \ 77 | sed -i "/$(RELEASE_YEAR)/!s/\(Copyright (c) [-0-9, ]*2[0-9]*\)\(,\? *Russell Stuart\)/\1,$(RELEASE_YEAR)\2/" "$${f}"; \ 78 | done 79 | set -e; for f in $$(find . 
-name "setup.py"); do \ 80 | sed -i 's/^\([ ]*version="\)[0-9]\+[.][0-9.]\+/\1$(RELEASE_VERSION)/' "$${f}"; \ 81 | done 82 | ifneq ($(wildcard $(RELEASE_PACKAGE_NAME).spec),) 83 | sed -i "s/\(Version:[ ]\+\)[0-9]\+[.][0-9.]\+/\1$(RELEASE_VERSION)/" "$(RELEASE_PACKAGE_NAME).spec" 84 | endif 85 | ifneq ($(wildcard configure.ac),) 86 | sed -i "s/\(AC_INIT(\[\?$(RELEASE_PACKAGE_NAME)\]\?, *\[\?\)[0-9]\+[.][0-9.]\+/\1$(RELEASE_VERSION)/" configure.ac 87 | endif 88 | ifneq ($(wildcard doc/conf.py),) 89 | sed -i "/$(RELEASE_YEAR)/!s/^\( *copyright *= *u'[-0-9, ]*2[0-9]*\)\(,\?[ ]*Russell Stuart\)/\1,$(RELEASE_YEAR)\2/" doc/conf.py 90 | sed -i "s/^\( *\(version\|release\) *= *u\?'\)[0-9]\+[.][0-9.]\+'/\1$(RELEASE_VERSION)'/" doc/conf.py 91 | endif 92 | sed -i "/$(RELEASE_YEAR)/!s/\(.* is copyright © [-0-9, ]*2[0-9]*\)\(,\?[ ]*Russell Stuart\)/\1,$(RELEASE_YEAR)\2/" "$(RELEASE_PACKAGE_NAME).html" 93 | sed -i "s/$(RELEASE_PACKAGE_NAME)-[1-9][0-9]*[.][0-9]\+/$(RELEASE_ME)/g" "$(RELEASE_PACKAGE_NAME).html" 94 | sed -i "/$(RELEASE_YEAR)/!s/\(Copyright (c) [-0-9, ]*2[0-9]*\)\(,\? *Russell Stuart\)/\1,$(RELEASE_YEAR)\2/" README.txt 95 | # 96 | # Do any custom stuff. 97 | # 98 | $(MAKE) release-customise 99 | # 100 | # Build the release source tarball. 101 | # 102 | (set -exv; d="$${PWD##*/}" && sd=$$(echo "$$d" | sed 's/\./[.]/g') && cd .. && tar cfz "$(RELEASE_PACKAGE_NAME)_$(RELEASE_VERSION).orig.tar.gz" --exclude="$${d}/debian" --exclude="$${d}/.hg*" --exclude-vcs --transform "s;^$${sd}\(/\|\$$\);$(RELEASE_ME)\1;" "$${d}") 103 | # 104 | # Insert the debian packates into the release. 
105 | # 106 | DEBIAN_KERNEL_USE_CCACHE="yes" debuild --preserve-env --preserve-envvar="PATH" -k0xF5231C62E7843A8C -sa --lintian-opts --info --display-info --display-experimental 107 | mkdir -p "$(RELEASE_FILES)" 108 | rm ../$(RELEASE_PACKAGE_NAME)_$(RELEASE_DEBIAN_VERSION)_*.build 109 | set -xve; mv $$(sed -n '1,/^Files:/d;/^$$/q;s:.* :../:p' ../$(RELEASE_PACKAGE_NAME)_$(RELEASE_DEBIAN_VERSION)_*.changes) ../$(RELEASE_PACKAGE_NAME)_$(RELEASE_DEBIAN_VERSION)_*.changes $(RELEASE_FILES) 110 | mv "$(RELEASE_FILES)/$(RELEASE_PACKAGE_NAME)_$(RELEASE_VERSION).orig.tar.gz" "$(RELEASE_FILES)/$(RELEASE_ME).tar.gz" 111 | ifneq ($(wildcard $(RELEASE_PACKAGE_NAME).spec),) 112 | # 113 | # Build the RPM package. 114 | # 115 | mkdir -p "$(RELEASE_DIR)/rpm/BUILD" 116 | mkdir -p "$(RELEASE_DIR)/rpm/RPMS" 117 | mkdir -p "$(RELEASE_DIR)/rpm/SOURCES" 118 | mkdir -p "$(RELEASE_DIR)/rpm/SPECS" 119 | mkdir -p "$(RELEASE_DIR)/rpm/SRPMS" 120 | echo >"$(RELEASE_DIR)/rpm/rpmmacros" "%_topdir $(PWD)/$(RELEASE_DIR)/rpm" 121 | TAR_OPTIONS=--wildcards rpmbuild -ta --macros "/usr/lib/rpm/macros:/usr/lib/rpm/platform/$(shell dpkg-architecture -qDEB_HOST_GNU_CPU)-$(shell dpkg-architecture -qDEB_HOST_ARCH_OS)linux/macros:/usr/lib/rpm/platform/noarch-$(shell dpkg-architecture -qDEB_HOST_ARCH_OS)/macros:$(RELEASE_DIR)/rpm/rpmmacros" "$(RELEASE_FILES)/$(RELEASE_ME).tar.gz" 122 | mv "$(RELEASE_DIR)/rpm/SRPMS/$(RELEASE_ME)-1ras.src.rpm" "$(RELEASE_FILES)" 123 | mv "$(RELEASE_DIR)/rpm/RPMS"/*/"$(RELEASE_ME)-1ras".*."rpm" "$(RELEASE_FILES)" 124 | cp ChangeLog.txt "$(RELEASE_FILES)/README.txt" 125 | endif 126 | # 127 | # Build the htdocs directory as it will appear on the host. 
128 | # 129 | mkdir -p "$(RELEASE_HTDOCS)" 130 | cp -a $(RELEASE_PACKAGE_NAME).html $(RELEASE_HTDOCS) 131 | set -e; for f in $$(sed -n 's,<\(a href\|img src\)="https\?://[^"]*"[^>]*>,,;ta;:a;s/.*<\(a href\|img src\)="\([^#/"][^#"]*\)"[^>]*>/\2@@@/g;T;s/@@@\([^@]\|@[^@]\|@@[^@]\)*$$//;s/@@@/ /g;p' "$(RELEASE_PACKAGE_NAME).html"); do \ 132 | f="$${f%/}"; \ 133 | [ ."$${f%%/*}" = ."$${f}" ] || mkdir -p "$(RELEASE_HTDOCS)/$${f%/*}"; \ 134 | case "$${f}" in \ 135 | *.[12345678].html) man2html <"$${f%.html}" | sed >"$(RELEASE_HTDOCS)/$${f}" '1,2d;7,8d;/^
/,/^Time: /d';; \ 136 | *) cp -a "$${f}" "$(RELEASE_HTDOCS)/$${f}";; \ 137 | esac; \ 138 | done 139 | ln -s "$(RELEASE_PACKAGE_NAME).html" "$(RELEASE_HTDOCS)/index.html" 140 | echo "Options +Indexes" >"$(RELEASE_HTDOCS)/.htaccess" 141 | # 142 | # Verify there is no rubbish lying around. 143 | # 144 | ! hg status | grep '^?' || { echo '.hgignore: is missing some files' 1>&2; exit 1; } 145 | touch $@ 146 | 147 | .PHONY: release-customise 148 | release-customise:: 149 | 150 | .PHONY: release-upload 151 | release-upload: release-upload-htdocs release-upload-files 152 | 153 | .PHONY: release-upload-htdocs 154 | release-upload-htdocs: $(RELEASE_DIR)/release.stamp 155 | # 156 | # Send the files that are symlink'ed first, otherwise it fails on the 157 | # 1st send. 158 | # 159 | cd $(RELEASE_DIR); rsync -avPR $$(for f in $$(find htdocs -name index.html -type l); do ff=$$(readlink "$${f}"); echo $${f%/*}/$${ff}; done) rstuart,$(RELEASE_PACKAGE_NAME)@web.sourceforge.net:. 160 | rsync -avP --delete $(RELEASE_HTDOCS)/. rstuart,$(RELEASE_PACKAGE_NAME)@web.sourceforge.net:htdocs/. 161 | 162 | .PHONY: release-upload-files 163 | release-upload-files: $(RELEASE_DIR)/release.stamp 164 | rsync -avP --delete $(RELEASE_FILES) rstuart,$(RELEASE_PACKAGE_NAME)@frs.sourceforge.net:/home/frs/project/$(RELEASE_PACKAGE_NAME)/. 165 | 166 | .PHONY: release-clean 167 | release-clean: release-project-clean 168 | -[ "$(RELEASE_CLEAN_DONE)" = "yes" -o ! -d debian ] || RELEASE_CLEAN_DONE=yes debian/rules clean 169 | [ ! -d .pc ] || { quilt pop -a; rm -r .pc; } 170 | [ ! -f Makefile-automake ] || $(MAKE) maintainer-clean 171 | rm -rf $(RELEASE_DIR) "$(RELEASE_PACKAGE_NAME).1.html" 172 | rm -rf $$(find . -name "*.orig" -o -name ".*.sw?") 173 | 174 | .PHONY: release-tag 175 | release-tag: $(RELEASE_DIR)/release.stamp 176 | ! hg status | grep '^?' || { echo "hg add hasn't been done" 1>&2; exit 1; } 177 | ! hg status | grep '^!' 
|| { echo "hg rm hasn't been done" 1>&2; exit 1; } 178 | [ -z "$$(hg resolv --list)" ] || { echo "There are unresolved merge conflicts" 1>&2; exit 1; } 179 | [ -z "$$(hg status)" ] || \ 180 | hg commit -m "Release $(RELEASE_PACKAGE_NAME)-$(RELEASE_DEBIAN_VERSION) - see ChangeLog.txt" 181 | hg tag "$(RELEASE_PACKAGE_NAME)-$(RELEASE_DEBIAN_VERSION)" 182 | 183 | 184 | .PHONY: release-project-clean 185 | release-project-clean:: 186 | -------------------------------------------------------------------------------- /README.txt: -------------------------------------------------------------------------------- 1 | pam_python 2 | ========== 3 | 4 | pam_python is a PAM module that runs the Python interpreter 5 | and so allows PAM modules to be written in Python. 6 | 7 | There is extensive documentation shipped as reStructured 8 | text. The build system renders this in the standard Python 9 | HTML documentation style. 10 | 11 | All documentation is readable online at the home page: 12 | http://pam-python.sourceforge.net/ 13 | 14 | 15 | Dependencies 16 | ------------ 17 | 18 | Python >= 2.6, http://www.python.org 19 | pam >= 0.76, http://pam.sourceforge.net/ 20 | PyPAM (Debian package python-pam, needed for testing only) 21 | 22 | 23 | 24 | Building and Installing 25 | ----------------------- 26 | 27 | The build dependencies are: 28 | - Python2 development system, http://www.python.org 29 | - A POSIX system (make, unix shell, sed, etc). 30 | - The PAM development libraries, 31 | http://pam.sourceforge.net 32 | 33 | In addition the unit test requires: 34 | - sudo, http://www.sudo.ws/ 35 | - An account with root privileges. 
36 | - PyPAM (for testing only) 37 | 38 | To build the re-distributable, in the directory containing 39 | this file run: 40 | make 41 | 42 | To install, in the directory containing this file run: 43 | make install 44 | 45 | To run the test suite, in the directory containing this file run: 46 | make test 47 | 48 | 49 | License 50 | ------- 51 | 52 | Copyright (c) 2007-2014,2016,2019 Russell Stuart. 53 | 54 | This program is free software: you can redistribute it and/or modify it 55 | under the terms of the GNU Affero General Public License as published by 56 | the Free Software Foundation, either version 3 of the License, or (at your 57 | option) any later version. 58 | 59 | The copyright holders grant you an additional permission under Section 7 60 | of the GNU Affero General Public License, version 3, exempting you from 61 | the requirement in Section 6 of the GNU General Public License, version 3, 62 | to accompany Corresponding Source with Installation Information for the 63 | Program or any work based on the Program. You are still required to 64 | comply with all other Section 6 requirements to provide Corresponding 65 | Source. 66 | 67 | This program is distributed in the hope that it will be useful, 68 | but WITHOUT ANY WARRANTY; without even the implied warranty of 69 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 70 | GNU Affero General Public License for more details. 71 | 72 | 73 | -- 74 | Russell Stuart 75 | 2014-May-29 76 | -------------------------------------------------------------------------------- /agpl-3.0.txt: -------------------------------------------------------------------------------- 1 | GNU AFFERO GENERAL PUBLIC LICENSE 2 | Version 3, 19 November 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 
7 | 8 | Preamble 9 | 10 | The GNU Affero General Public License is a free, copyleft license for 11 | software and other kinds of works, specifically designed to ensure 12 | cooperation with the community in the case of network server software. 13 | 14 | The licenses for most software and other practical works are designed 15 | to take away your freedom to share and change the works. By contrast, 16 | our General Public Licenses are intended to guarantee your freedom to 17 | share and change all versions of a program--to make sure it remains free 18 | software for all its users. 19 | 20 | When we speak of free software, we are referring to freedom, not 21 | price. Our General Public Licenses are designed to make sure that you 22 | have the freedom to distribute copies of free software (and charge for 23 | them if you wish), that you receive source code or can get it if you 24 | want it, that you can change the software or use pieces of it in new 25 | free programs, and that you know you can do these things. 26 | 27 | Developers that use our General Public Licenses protect your rights 28 | with two steps: (1) assert copyright on the software, and (2) offer 29 | you this License which gives you legal permission to copy, distribute 30 | and/or modify the software. 31 | 32 | A secondary benefit of defending all users' freedom is that 33 | improvements made in alternate versions of the program, if they 34 | receive widespread use, become available for other developers to 35 | incorporate. Many developers of free software are heartened and 36 | encouraged by the resulting cooperation. However, in the case of 37 | software used on network servers, this result may fail to come about. 38 | The GNU General Public License permits making a modified version and 39 | letting the public access it on a server without ever releasing its 40 | source code to the public. 
41 | 42 | The GNU Affero General Public License is designed specifically to 43 | ensure that, in such cases, the modified source code becomes available 44 | to the community. It requires the operator of a network server to 45 | provide the source code of the modified version running there to the 46 | users of that server. Therefore, public use of a modified version, on 47 | a publicly accessible server, gives the public access to the source 48 | code of the modified version. 49 | 50 | An older license, called the Affero General Public License and 51 | published by Affero, was designed to accomplish similar goals. This is 52 | a different license, not a version of the Affero GPL, but Affero has 53 | released a new version of the Affero GPL which permits relicensing under 54 | this license. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | TERMS AND CONDITIONS 60 | 61 | 0. Definitions. 62 | 63 | "This License" refers to version 3 of the GNU Affero General Public License. 64 | 65 | "Copyright" also means copyright-like laws that apply to other kinds of 66 | works, such as semiconductor masks. 67 | 68 | "The Program" refers to any copyrightable work licensed under this 69 | License. Each licensee is addressed as "you". "Licensees" and 70 | "recipients" may be individuals or organizations. 71 | 72 | To "modify" a work means to copy from or adapt all or part of the work 73 | in a fashion requiring copyright permission, other than the making of an 74 | exact copy. The resulting work is called a "modified version" of the 75 | earlier work or a work "based on" the earlier work. 76 | 77 | A "covered work" means either the unmodified Program or a work based 78 | on the Program. 
79 | 80 | To "propagate" a work means to do anything with it that, without 81 | permission, would make you directly or secondarily liable for 82 | infringement under applicable copyright law, except executing it on a 83 | computer or modifying a private copy. Propagation includes copying, 84 | distribution (with or without modification), making available to the 85 | public, and in some countries other activities as well. 86 | 87 | To "convey" a work means any kind of propagation that enables other 88 | parties to make or receive copies. Mere interaction with a user through 89 | a computer network, with no transfer of a copy, is not conveying. 90 | 91 | An interactive user interface displays "Appropriate Legal Notices" 92 | to the extent that it includes a convenient and prominently visible 93 | feature that (1) displays an appropriate copyright notice, and (2) 94 | tells the user that there is no warranty for the work (except to the 95 | extent that warranties are provided), that licensees may convey the 96 | work under this License, and how to view a copy of this License. If 97 | the interface presents a list of user commands or options, such as a 98 | menu, a prominent item in the list meets this criterion. 99 | 100 | 1. Source Code. 101 | 102 | The "source code" for a work means the preferred form of the work 103 | for making modifications to it. "Object code" means any non-source 104 | form of a work. 105 | 106 | A "Standard Interface" means an interface that either is an official 107 | standard defined by a recognized standards body, or, in the case of 108 | interfaces specified for a particular programming language, one that 109 | is widely used among developers working in that language. 
110 | 111 | The "System Libraries" of an executable work include anything, other 112 | than the work as a whole, that (a) is included in the normal form of 113 | packaging a Major Component, but which is not part of that Major 114 | Component, and (b) serves only to enable use of the work with that 115 | Major Component, or to implement a Standard Interface for which an 116 | implementation is available to the public in source code form. A 117 | "Major Component", in this context, means a major essential component 118 | (kernel, window system, and so on) of the specific operating system 119 | (if any) on which the executable work runs, or a compiler used to 120 | produce the work, or an object code interpreter used to run it. 121 | 122 | The "Corresponding Source" for a work in object code form means all 123 | the source code needed to generate, install, and (for an executable 124 | work) run the object code and to modify the work, including scripts to 125 | control those activities. However, it does not include the work's 126 | System Libraries, or general-purpose tools or generally available free 127 | programs which are used unmodified in performing those activities but 128 | which are not part of the work. For example, Corresponding Source 129 | includes interface definition files associated with source files for 130 | the work, and the source code for shared libraries and dynamically 131 | linked subprograms that the work is specifically designed to require, 132 | such as by intimate data communication or control flow between those 133 | subprograms and other parts of the work. 134 | 135 | The Corresponding Source need not include anything that users 136 | can regenerate automatically from other parts of the Corresponding 137 | Source. 138 | 139 | The Corresponding Source for a work in source code form is that 140 | same work. 141 | 142 | 2. Basic Permissions. 
143 | 144 | All rights granted under this License are granted for the term of 145 | copyright on the Program, and are irrevocable provided the stated 146 | conditions are met. This License explicitly affirms your unlimited 147 | permission to run the unmodified Program. The output from running a 148 | covered work is covered by this License only if the output, given its 149 | content, constitutes a covered work. This License acknowledges your 150 | rights of fair use or other equivalent, as provided by copyright law. 151 | 152 | You may make, run and propagate covered works that you do not 153 | convey, without conditions so long as your license otherwise remains 154 | in force. You may convey covered works to others for the sole purpose 155 | of having them make modifications exclusively for you, or provide you 156 | with facilities for running those works, provided that you comply with 157 | the terms of this License in conveying all material for which you do 158 | not control copyright. Those thus making or running the covered works 159 | for you must do so exclusively on your behalf, under your direction 160 | and control, on terms that prohibit them from making any copies of 161 | your copyrighted material outside their relationship with you. 162 | 163 | Conveying under any other circumstances is permitted solely under 164 | the conditions stated below. Sublicensing is not allowed; section 10 165 | makes it unnecessary. 166 | 167 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 168 | 169 | No covered work shall be deemed part of an effective technological 170 | measure under any applicable law fulfilling obligations under article 171 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 172 | similar laws prohibiting or restricting circumvention of such 173 | measures. 
174 | 175 | When you convey a covered work, you waive any legal power to forbid 176 | circumvention of technological measures to the extent such circumvention 177 | is effected by exercising rights under this License with respect to 178 | the covered work, and you disclaim any intention to limit operation or 179 | modification of the work as a means of enforcing, against the work's 180 | users, your or third parties' legal rights to forbid circumvention of 181 | technological measures. 182 | 183 | 4. Conveying Verbatim Copies. 184 | 185 | You may convey verbatim copies of the Program's source code as you 186 | receive it, in any medium, provided that you conspicuously and 187 | appropriately publish on each copy an appropriate copyright notice; 188 | keep intact all notices stating that this License and any 189 | non-permissive terms added in accord with section 7 apply to the code; 190 | keep intact all notices of the absence of any warranty; and give all 191 | recipients a copy of this License along with the Program. 192 | 193 | You may charge any price or no price for each copy that you convey, 194 | and you may offer support or warranty protection for a fee. 195 | 196 | 5. Conveying Modified Source Versions. 197 | 198 | You may convey a work based on the Program, or the modifications to 199 | produce it from the Program, in the form of source code under the 200 | terms of section 4, provided that you also meet all of these conditions: 201 | 202 | a) The work must carry prominent notices stating that you modified 203 | it, and giving a relevant date. 204 | 205 | b) The work must carry prominent notices stating that it is 206 | released under this License and any conditions added under section 207 | 7. This requirement modifies the requirement in section 4 to 208 | "keep intact all notices". 209 | 210 | c) You must license the entire work, as a whole, under this 211 | License to anyone who comes into possession of a copy. 
This 212 | License will therefore apply, along with any applicable section 7 213 | additional terms, to the whole of the work, and all its parts, 214 | regardless of how they are packaged. This License gives no 215 | permission to license the work in any other way, but it does not 216 | invalidate such permission if you have separately received it. 217 | 218 | d) If the work has interactive user interfaces, each must display 219 | Appropriate Legal Notices; however, if the Program has interactive 220 | interfaces that do not display Appropriate Legal Notices, your 221 | work need not make them do so. 222 | 223 | A compilation of a covered work with other separate and independent 224 | works, which are not by their nature extensions of the covered work, 225 | and which are not combined with it such as to form a larger program, 226 | in or on a volume of a storage or distribution medium, is called an 227 | "aggregate" if the compilation and its resulting copyright are not 228 | used to limit the access or legal rights of the compilation's users 229 | beyond what the individual works permit. Inclusion of a covered work 230 | in an aggregate does not cause this License to apply to the other 231 | parts of the aggregate. 232 | 233 | 6. Conveying Non-Source Forms. 234 | 235 | You may convey a covered work in object code form under the terms 236 | of sections 4 and 5, provided that you also convey the 237 | machine-readable Corresponding Source under the terms of this License, 238 | in one of these ways: 239 | 240 | a) Convey the object code in, or embodied in, a physical product 241 | (including a physical distribution medium), accompanied by the 242 | Corresponding Source fixed on a durable physical medium 243 | customarily used for software interchange. 
244 | 245 | b) Convey the object code in, or embodied in, a physical product 246 | (including a physical distribution medium), accompanied by a 247 | written offer, valid for at least three years and valid for as 248 | long as you offer spare parts or customer support for that product 249 | model, to give anyone who possesses the object code either (1) a 250 | copy of the Corresponding Source for all the software in the 251 | product that is covered by this License, on a durable physical 252 | medium customarily used for software interchange, for a price no 253 | more than your reasonable cost of physically performing this 254 | conveying of source, or (2) access to copy the 255 | Corresponding Source from a network server at no charge. 256 | 257 | c) Convey individual copies of the object code with a copy of the 258 | written offer to provide the Corresponding Source. This 259 | alternative is allowed only occasionally and noncommercially, and 260 | only if you received the object code with such an offer, in accord 261 | with subsection 6b. 262 | 263 | d) Convey the object code by offering access from a designated 264 | place (gratis or for a charge), and offer equivalent access to the 265 | Corresponding Source in the same way through the same place at no 266 | further charge. You need not require recipients to copy the 267 | Corresponding Source along with the object code. If the place to 268 | copy the object code is a network server, the Corresponding Source 269 | may be on a different server (operated by you or a third party) 270 | that supports equivalent copying facilities, provided you maintain 271 | clear directions next to the object code saying where to find the 272 | Corresponding Source. Regardless of what server hosts the 273 | Corresponding Source, you remain obligated to ensure that it is 274 | available for as long as needed to satisfy these requirements. 
275 | 276 | e) Convey the object code using peer-to-peer transmission, provided 277 | you inform other peers where the object code and Corresponding 278 | Source of the work are being offered to the general public at no 279 | charge under subsection 6d. 280 | 281 | A separable portion of the object code, whose source code is excluded 282 | from the Corresponding Source as a System Library, need not be 283 | included in conveying the object code work. 284 | 285 | A "User Product" is either (1) a "consumer product", which means any 286 | tangible personal property which is normally used for personal, family, 287 | or household purposes, or (2) anything designed or sold for incorporation 288 | into a dwelling. In determining whether a product is a consumer product, 289 | doubtful cases shall be resolved in favor of coverage. For a particular 290 | product received by a particular user, "normally used" refers to a 291 | typical or common use of that class of product, regardless of the status 292 | of the particular user or of the way in which the particular user 293 | actually uses, or expects or is expected to use, the product. A product 294 | is a consumer product regardless of whether the product has substantial 295 | commercial, industrial or non-consumer uses, unless such uses represent 296 | the only significant mode of use of the product. 297 | 298 | "Installation Information" for a User Product means any methods, 299 | procedures, authorization keys, or other information required to install 300 | and execute modified versions of a covered work in that User Product from 301 | a modified version of its Corresponding Source. The information must 302 | suffice to ensure that the continued functioning of the modified object 303 | code is in no case prevented or interfered with solely because 304 | modification has been made. 
305 | 306 | If you convey an object code work under this section in, or with, or 307 | specifically for use in, a User Product, and the conveying occurs as 308 | part of a transaction in which the right of possession and use of the 309 | User Product is transferred to the recipient in perpetuity or for a 310 | fixed term (regardless of how the transaction is characterized), the 311 | Corresponding Source conveyed under this section must be accompanied 312 | by the Installation Information. But this requirement does not apply 313 | if neither you nor any third party retains the ability to install 314 | modified object code on the User Product (for example, the work has 315 | been installed in ROM). 316 | 317 | The requirement to provide Installation Information does not include a 318 | requirement to continue to provide support service, warranty, or updates 319 | for a work that has been modified or installed by the recipient, or for 320 | the User Product in which it has been modified or installed. Access to a 321 | network may be denied when the modification itself materially and 322 | adversely affects the operation of the network or violates the rules and 323 | protocols for communication across the network. 324 | 325 | Corresponding Source conveyed, and Installation Information provided, 326 | in accord with this section must be in a format that is publicly 327 | documented (and with an implementation available to the public in 328 | source code form), and must require no special password or key for 329 | unpacking, reading or copying. 330 | 331 | 7. Additional Terms. 332 | 333 | "Additional permissions" are terms that supplement the terms of this 334 | License by making exceptions from one or more of its conditions. 335 | Additional permissions that are applicable to the entire Program shall 336 | be treated as though they were included in this License, to the extent 337 | that they are valid under applicable law. 
If additional permissions 338 | apply only to part of the Program, that part may be used separately 339 | under those permissions, but the entire Program remains governed by 340 | this License without regard to the additional permissions. 341 | 342 | When you convey a copy of a covered work, you may at your option 343 | remove any additional permissions from that copy, or from any part of 344 | it. (Additional permissions may be written to require their own 345 | removal in certain cases when you modify the work.) You may place 346 | additional permissions on material, added by you to a covered work, 347 | for which you have or can give appropriate copyright permission. 348 | 349 | Notwithstanding any other provision of this License, for material you 350 | add to a covered work, you may (if authorized by the copyright holders of 351 | that material) supplement the terms of this License with terms: 352 | 353 | a) Disclaiming warranty or limiting liability differently from the 354 | terms of sections 15 and 16 of this License; or 355 | 356 | b) Requiring preservation of specified reasonable legal notices or 357 | author attributions in that material or in the Appropriate Legal 358 | Notices displayed by works containing it; or 359 | 360 | c) Prohibiting misrepresentation of the origin of that material, or 361 | requiring that modified versions of such material be marked in 362 | reasonable ways as different from the original version; or 363 | 364 | d) Limiting the use for publicity purposes of names of licensors or 365 | authors of the material; or 366 | 367 | e) Declining to grant rights under trademark law for use of some 368 | trade names, trademarks, or service marks; or 369 | 370 | f) Requiring indemnification of licensors and authors of that 371 | material by anyone who conveys the material (or modified versions of 372 | it) with contractual assumptions of liability to the recipient, for 373 | any liability that these contractual assumptions directly impose on 
374 | those licensors and authors. 375 | 376 | All other non-permissive additional terms are considered "further 377 | restrictions" within the meaning of section 10. If the Program as you 378 | received it, or any part of it, contains a notice stating that it is 379 | governed by this License along with a term that is a further 380 | restriction, you may remove that term. If a license document contains 381 | a further restriction but permits relicensing or conveying under this 382 | License, you may add to a covered work material governed by the terms 383 | of that license document, provided that the further restriction does 384 | not survive such relicensing or conveying. 385 | 386 | If you add terms to a covered work in accord with this section, you 387 | must place, in the relevant source files, a statement of the 388 | additional terms that apply to those files, or a notice indicating 389 | where to find the applicable terms. 390 | 391 | Additional terms, permissive or non-permissive, may be stated in the 392 | form of a separately written license, or stated as exceptions; 393 | the above requirements apply either way. 394 | 395 | 8. Termination. 396 | 397 | You may not propagate or modify a covered work except as expressly 398 | provided under this License. Any attempt otherwise to propagate or 399 | modify it is void, and will automatically terminate your rights under 400 | this License (including any patent licenses granted under the third 401 | paragraph of section 11). 402 | 403 | However, if you cease all violation of this License, then your 404 | license from a particular copyright holder is reinstated (a) 405 | provisionally, unless and until the copyright holder explicitly and 406 | finally terminates your license, and (b) permanently, if the copyright 407 | holder fails to notify you of the violation by some reasonable means 408 | prior to 60 days after the cessation. 
409 | 410 | Moreover, your license from a particular copyright holder is 411 | reinstated permanently if the copyright holder notifies you of the 412 | violation by some reasonable means, this is the first time you have 413 | received notice of violation of this License (for any work) from that 414 | copyright holder, and you cure the violation prior to 30 days after 415 | your receipt of the notice. 416 | 417 | Termination of your rights under this section does not terminate the 418 | licenses of parties who have received copies or rights from you under 419 | this License. If your rights have been terminated and not permanently 420 | reinstated, you do not qualify to receive new licenses for the same 421 | material under section 10. 422 | 423 | 9. Acceptance Not Required for Having Copies. 424 | 425 | You are not required to accept this License in order to receive or 426 | run a copy of the Program. Ancillary propagation of a covered work 427 | occurring solely as a consequence of using peer-to-peer transmission 428 | to receive a copy likewise does not require acceptance. However, 429 | nothing other than this License grants you permission to propagate or 430 | modify any covered work. These actions infringe copyright if you do 431 | not accept this License. Therefore, by modifying or propagating a 432 | covered work, you indicate your acceptance of this License to do so. 433 | 434 | 10. Automatic Licensing of Downstream Recipients. 435 | 436 | Each time you convey a covered work, the recipient automatically 437 | receives a license from the original licensors, to run, modify and 438 | propagate that work, subject to this License. You are not responsible 439 | for enforcing compliance by third parties with this License. 440 | 441 | An "entity transaction" is a transaction transferring control of an 442 | organization, or substantially all assets of one, or subdividing an 443 | organization, or merging organizations. 
If propagation of a covered 444 | work results from an entity transaction, each party to that 445 | transaction who receives a copy of the work also receives whatever 446 | licenses to the work the party's predecessor in interest had or could 447 | give under the previous paragraph, plus a right to possession of the 448 | Corresponding Source of the work from the predecessor in interest, if 449 | the predecessor has it or can get it with reasonable efforts. 450 | 451 | You may not impose any further restrictions on the exercise of the 452 | rights granted or affirmed under this License. For example, you may 453 | not impose a license fee, royalty, or other charge for exercise of 454 | rights granted under this License, and you may not initiate litigation 455 | (including a cross-claim or counterclaim in a lawsuit) alleging that 456 | any patent claim is infringed by making, using, selling, offering for 457 | sale, or importing the Program or any portion of it. 458 | 459 | 11. Patents. 460 | 461 | A "contributor" is a copyright holder who authorizes use under this 462 | License of the Program or a work on which the Program is based. The 463 | work thus licensed is called the contributor's "contributor version". 464 | 465 | A contributor's "essential patent claims" are all patent claims 466 | owned or controlled by the contributor, whether already acquired or 467 | hereafter acquired, that would be infringed by some manner, permitted 468 | by this License, of making, using, or selling its contributor version, 469 | but do not include claims that would be infringed only as a 470 | consequence of further modification of the contributor version. For 471 | purposes of this definition, "control" includes the right to grant 472 | patent sublicenses in a manner consistent with the requirements of 473 | this License. 
474 | 475 | Each contributor grants you a non-exclusive, worldwide, royalty-free 476 | patent license under the contributor's essential patent claims, to 477 | make, use, sell, offer for sale, import and otherwise run, modify and 478 | propagate the contents of its contributor version. 479 | 480 | In the following three paragraphs, a "patent license" is any express 481 | agreement or commitment, however denominated, not to enforce a patent 482 | (such as an express permission to practice a patent or covenant not to 483 | sue for patent infringement). To "grant" such a patent license to a 484 | party means to make such an agreement or commitment not to enforce a 485 | patent against the party. 486 | 487 | If you convey a covered work, knowingly relying on a patent license, 488 | and the Corresponding Source of the work is not available for anyone 489 | to copy, free of charge and under the terms of this License, through a 490 | publicly available network server or other readily accessible means, 491 | then you must either (1) cause the Corresponding Source to be so 492 | available, or (2) arrange to deprive yourself of the benefit of the 493 | patent license for this particular work, or (3) arrange, in a manner 494 | consistent with the requirements of this License, to extend the patent 495 | license to downstream recipients. "Knowingly relying" means you have 496 | actual knowledge that, but for the patent license, your conveying the 497 | covered work in a country, or your recipient's use of the covered work 498 | in a country, would infringe one or more identifiable patents in that 499 | country that you have reason to believe are valid. 
500 | 501 | If, pursuant to or in connection with a single transaction or 502 | arrangement, you convey, or propagate by procuring conveyance of, a 503 | covered work, and grant a patent license to some of the parties 504 | receiving the covered work authorizing them to use, propagate, modify 505 | or convey a specific copy of the covered work, then the patent license 506 | you grant is automatically extended to all recipients of the covered 507 | work and works based on it. 508 | 509 | A patent license is "discriminatory" if it does not include within 510 | the scope of its coverage, prohibits the exercise of, or is 511 | conditioned on the non-exercise of one or more of the rights that are 512 | specifically granted under this License. You may not convey a covered 513 | work if you are a party to an arrangement with a third party that is 514 | in the business of distributing software, under which you make payment 515 | to the third party based on the extent of your activity of conveying 516 | the work, and under which the third party grants, to any of the 517 | parties who would receive the covered work from you, a discriminatory 518 | patent license (a) in connection with copies of the covered work 519 | conveyed by you (or copies made from those copies), or (b) primarily 520 | for and in connection with specific products or compilations that 521 | contain the covered work, unless you entered into that arrangement, 522 | or that patent license was granted, prior to 28 March 2007. 523 | 524 | Nothing in this License shall be construed as excluding or limiting 525 | any implied license or other defenses to infringement that may 526 | otherwise be available to you under applicable patent law. 527 | 528 | 12. No Surrender of Others' Freedom. 529 | 530 | If conditions are imposed on you (whether by court order, agreement or 531 | otherwise) that contradict the conditions of this License, they do not 532 | excuse you from the conditions of this License. 
If you cannot convey a 533 | covered work so as to satisfy simultaneously your obligations under this 534 | License and any other pertinent obligations, then as a consequence you may 535 | not convey it at all. For example, if you agree to terms that obligate you 536 | to collect a royalty for further conveying from those to whom you convey 537 | the Program, the only way you could satisfy both those terms and this 538 | License would be to refrain entirely from conveying the Program. 539 | 540 | 13. Remote Network Interaction; Use with the GNU General Public License. 541 | 542 | Notwithstanding any other provision of this License, if you modify the 543 | Program, your modified version must prominently offer all users 544 | interacting with it remotely through a computer network (if your version 545 | supports such interaction) an opportunity to receive the Corresponding 546 | Source of your version by providing access to the Corresponding Source 547 | from a network server at no charge, through some standard or customary 548 | means of facilitating copying of software. This Corresponding Source 549 | shall include the Corresponding Source for any work covered by version 3 550 | of the GNU General Public License that is incorporated pursuant to the 551 | following paragraph. 552 | 553 | Notwithstanding any other provision of this License, you have 554 | permission to link or combine any covered work with a work licensed 555 | under version 3 of the GNU General Public License into a single 556 | combined work, and to convey the resulting work. The terms of this 557 | License will continue to apply to the part which is the covered work, 558 | but the work with which it is combined will remain governed by version 559 | 3 of the GNU General Public License. 560 | 561 | 14. Revised Versions of this License. 562 | 563 | The Free Software Foundation may publish revised and/or new versions of 564 | the GNU Affero General Public License from time to time. 
Such new versions 565 | will be similar in spirit to the present version, but may differ in detail to 566 | address new problems or concerns. 567 | 568 | Each version is given a distinguishing version number. If the 569 | Program specifies that a certain numbered version of the GNU Affero General 570 | Public License "or any later version" applies to it, you have the 571 | option of following the terms and conditions either of that numbered 572 | version or of any later version published by the Free Software 573 | Foundation. If the Program does not specify a version number of the 574 | GNU Affero General Public License, you may choose any version ever published 575 | by the Free Software Foundation. 576 | 577 | If the Program specifies that a proxy can decide which future 578 | versions of the GNU Affero General Public License can be used, that proxy's 579 | public statement of acceptance of a version permanently authorizes you 580 | to choose that version for the Program. 581 | 582 | Later license versions may give you additional or different 583 | permissions. However, no additional obligations are imposed on any 584 | author or copyright holder as a result of your choosing to follow a 585 | later version. 586 | 587 | 15. Disclaimer of Warranty. 588 | 589 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 590 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 591 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 592 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 593 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 594 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 595 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 596 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 597 | 598 | 16. Limitation of Liability. 
599 | 600 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 601 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 602 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 603 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 604 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 605 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 606 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 607 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 608 | SUCH DAMAGES. 609 | 610 | 17. Interpretation of Sections 15 and 16. 611 | 612 | If the disclaimer of warranty and limitation of liability provided 613 | above cannot be given local legal effect according to their terms, 614 | reviewing courts shall apply local law that most closely approximates 615 | an absolute waiver of all civil liability in connection with the 616 | Program, unless a warranty or assumption of liability accompanies a 617 | copy of the Program in return for a fee. 618 | 619 | END OF TERMS AND CONDITIONS 620 | 621 | How to Apply These Terms to Your New Programs 622 | 623 | If you develop a new program, and you want it to be of the greatest 624 | possible use to the public, the best way to achieve this is to make it 625 | free software which everyone can redistribute and change under these terms. 626 | 627 | To do so, attach the following notices to the program. It is safest 628 | to attach them to the start of each source file to most effectively 629 | state the exclusion of warranty; and each file should have at least 630 | the "copyright" line and a pointer to where the full notice is found. 
631 | 632 | 633 | Copyright (C) 634 | 635 | This program is free software: you can redistribute it and/or modify 636 | it under the terms of the GNU Affero General Public License as published by 637 | the Free Software Foundation, either version 3 of the License, or 638 | (at your option) any later version. 639 | 640 | This program is distributed in the hope that it will be useful, 641 | but WITHOUT ANY WARRANTY; without even the implied warranty of 642 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 643 | GNU Affero General Public License for more details. 644 | 645 | You should have received a copy of the GNU Affero General Public License 646 | along with this program. If not, see . 647 | 648 | Also add information on how to contact you by electronic and paper mail. 649 | 650 | If your software can interact with users remotely through a computer 651 | network, you should also make sure that it provides a way for users to 652 | get its source. For example, if your program is a web application, its 653 | interface could display a "Source" link that leads users to an archive 654 | of the code. There are many ways you could offer source, and different 655 | solutions will be better for different programs; see section 13 for the 656 | specific requirements. 657 | 658 | You should also get your employer (if you work as a programmer) or school, 659 | if any, to sign a "copyright disclaimer" for the program, if necessary. 660 | For more information on this, and how to apply and follow the GNU AGPL, see 661 | . 662 | -------------------------------------------------------------------------------- /debian/changelog: -------------------------------------------------------------------------------- 1 | pam-python (1.0.7-1) unstable; urgency=high 2 | 3 | * New upstream. 4 | 5 | -- Russell Stuart Wed, 18 Sep 2019 20:25:13 +1000 6 | 7 | pam-python (1.0.6-1) unstable; urgency=low 8 | 9 | * New upstream. 
10 | * Add debian specific patch to link sphinx to python-doc instead 11 | of online version. (Closes: #833411). 12 | * Bump standards version. 13 | 14 | -- Russell Stuart Sat, 27 Aug 2016 21:37:03 +1000 15 | 16 | pam-python (1.0.5-1) unstable; urgency=low 17 | 18 | * New upstream. 19 | * Bump standards version. 20 | 21 | -- Russell Stuart Fri, 19 Feb 2016 20:51:53 +1000 22 | 23 | pam-python (1.0.4-1) unstable; urgency=low 24 | 25 | * New upstream, moved to AGPL-3.0. 26 | * debian/rules now uses dpkg-buildflags to harden binary. 27 | (Closes: #744156). 28 | * Now ships examples. (Closes: #686652). 29 | 30 | -- Russell Stuart Fri, 30 May 2014 06:31:46 +1000 31 | 32 | pam-python (1.0.3-1) unstable; urgency=low 33 | 34 | * Fix lintian warnings under jessie. 35 | * New upstream, improving compatibility with older python versions. 36 | 37 | -- Russell Stuart Sun, 4 May 2014 23:30:32 +1000 38 | 39 | pam-python (1.0.2-1) unstable; urgency=low 40 | 41 | * New upstream. 42 | * Bumped standards version to 3.9.3. 43 | 44 | -- Russell Stuart Thu, 5 Apr 2012 15:23:06 +1000 45 | 46 | pam-python (1.0.1-1) unstable; urgency=low 47 | 48 | * New upstream incorporating --load-as-needed patch from Ubuntu. 49 | (Closes: #606700). 50 | * Removed Petter Reinholdtsen from Uploaders at his suggestion. 51 | 52 | -- Russell Stuart Mon, 13 Dec 2010 09:12:09 +1000 53 | 54 | pam-python (1.0.0-2) unstable; urgency=low 55 | 56 | * debian/watch: fixed url. 57 | 58 | -- Russell Stuart Sun, 4 Jul 2010 09:55:20 +1000 59 | 60 | pam-python (1.0.0-1) unstable; urgency=low 61 | 62 | * New upstream release - documentation format changed to sphinx. 63 | (Closes: #582754). 64 | * Split into binary and doc packages because documentation now 65 | depends on libjs-jquery.
66 | * Switch to dpkg-source 3.0 (quilt) format 67 | 68 | -- Russell Stuart Tue, 29 Jun 2010 13:27:36 +1000 69 | 70 | pam-python (0.1.1-2) unstable; urgency=low 71 | 72 | * Fix rules file to work properly when building arch dependent 73 | packages. 74 | * Correct clean target in the rules file to make sure unpatching is 75 | done after make clean is executed, to make sure the patches are in 76 | effect when cleaning is done. 77 | 78 | -- Petter Reinholdtsen Mon, 17 May 2010 16:57:49 +0200 79 | 80 | pam-python (0.1.1-1) unstable; urgency=low 81 | 82 | * Initial release based on package from upstream (Closes: #578650). 83 | * Drop build depend on latex2html to avoid non-free dependency. 84 | * Upgrade from debhelper 5 to 7. 85 | * Update standards-version from 3.7.3 to 3.8.4. No changes needed. 86 | 87 | -- Petter Reinholdtsen Wed, 05 May 2010 10:25:24 +0200 88 | -------------------------------------------------------------------------------- /debian/control: -------------------------------------------------------------------------------- 1 | Source: pam-python 2 | Section: admin 3 | Priority: optional 4 | Maintainer: Russell Stuart 5 | Build-Depends: debhelper (>= 9), python-all-dev (>= 2.2), python3-sphinx, 6 | python-doc, 7 | libpam0g-dev | libpam-dev 8 | Standards-Version: 4.3.0 9 | Homepage: http://pam-python.sourceforge.net/ 10 | 11 | Package: libpam-python 12 | Architecture: any 13 | Depends: ${misc:Depends}, ${shlibs:Depends} 14 | Suggests: libpam-python-doc 15 | Description: Enables PAM modules to be written in Python 16 | This PAM module runs the Python interpreter, thus allowing PAM 17 | modules to be written in Python. As Python incurs a considerable 18 | overhead, its intended audience is SysAdmins writing one-off PAM 19 | modules.
If you are doing that, you should probably install 20 | the documentation in libpam-python-doc as well. 21 | 22 | Package: libpam-python-doc 23 | Section: doc 24 | Architecture: all 25 | Depends: ${misc:Depends}, libjs-jquery, libjs-underscore 26 | Recommends: libpam-python 27 | Description: Documentation for the bindings provided by libpam-python 28 | The libpam-python PAM module runs the Python interpreter, thus allowing 29 | PAM modules to be written in Python. This package documents the bindings 30 | provided by libpam-python. 31 | -------------------------------------------------------------------------------- /debian/copyright: -------------------------------------------------------------------------------- 1 | Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ 2 | Upstream-Name: pam-python 3 | Upstream-Contact: Russell Stuart 4 | Source: http://pam-python.sourceforge.net/ 5 | 6 | Files: * 7 | Copyright: Copyright (c) 2007-2012,2013 Russell Stuart 8 | License: AGPL-3.0+ 9 | GNU AFFERO GENERAL PUBLIC LICENSE 10 | Version 3, 19 November 2007 11 | . 12 | Copyright (C) 2007 Free Software Foundation, Inc. 13 | Everyone is permitted to copy and distribute verbatim copies 14 | of this license document, but changing it is not allowed. 15 | . 16 | Preamble 17 | . 18 | The GNU Affero General Public License is a free, copyleft license for 19 | software and other kinds of works, specifically designed to ensure 20 | cooperation with the community in the case of network server software. 21 | . 22 | The licenses for most software and other practical works are designed 23 | to take away your freedom to share and change the works. By contrast, 24 | our General Public Licenses are intended to guarantee your freedom to 25 | share and change all versions of a program--to make sure it remains free 26 | software for all its users. 27 | . 28 | When we speak of free software, we are referring to freedom, not 29 | price. 
Our General Public Licenses are designed to make sure that you 30 | have the freedom to distribute copies of free software (and charge for 31 | them if you wish), that you receive source code or can get it if you 32 | want it, that you can change the software or use pieces of it in new 33 | free programs, and that you know you can do these things. 34 | . 35 | Developers that use our General Public Licenses protect your rights 36 | with two steps: (1) assert copyright on the software, and (2) offer 37 | you this License which gives you legal permission to copy, distribute 38 | and/or modify the software. 39 | . 40 | A secondary benefit of defending all users' freedom is that 41 | improvements made in alternate versions of the program, if they 42 | receive widespread use, become available for other developers to 43 | incorporate. Many developers of free software are heartened and 44 | encouraged by the resulting cooperation. However, in the case of 45 | software used on network servers, this result may fail to come about. 46 | The GNU General Public License permits making a modified version and 47 | letting the public access it on a server without ever releasing its 48 | source code to the public. 49 | . 50 | The GNU Affero General Public License is designed specifically to 51 | ensure that, in such cases, the modified source code becomes available 52 | to the community. It requires the operator of a network server to 53 | provide the source code of the modified version running there to the 54 | users of that server. Therefore, public use of a modified version, on 55 | a publicly accessible server, gives the public access to the source 56 | code of the modified version. 57 | . 58 | An older license, called the Affero General Public License and 59 | published by Affero, was designed to accomplish similar goals. 
This is 60 | a different license, not a version of the Affero GPL, but Affero has 61 | released a new version of the Affero GPL which permits relicensing under 62 | this license. 63 | . 64 | The precise terms and conditions for copying, distribution and 65 | modification follow. 66 | . 67 | TERMS AND CONDITIONS 68 | . 69 | 0. Definitions. 70 | . 71 | "This License" refers to version 3 of the GNU Affero General Public License. 72 | . 73 | "Copyright" also means copyright-like laws that apply to other kinds of 74 | works, such as semiconductor masks. 75 | . 76 | "The Program" refers to any copyrightable work licensed under this 77 | License. Each licensee is addressed as "you". "Licensees" and 78 | "recipients" may be individuals or organizations. 79 | . 80 | To "modify" a work means to copy from or adapt all or part of the work 81 | in a fashion requiring copyright permission, other than the making of an 82 | exact copy. The resulting work is called a "modified version" of the 83 | earlier work or a work "based on" the earlier work. 84 | . 85 | A "covered work" means either the unmodified Program or a work based 86 | on the Program. 87 | . 88 | To "propagate" a work means to do anything with it that, without 89 | permission, would make you directly or secondarily liable for 90 | infringement under applicable copyright law, except executing it on a 91 | computer or modifying a private copy. Propagation includes copying, 92 | distribution (with or without modification), making available to the 93 | public, and in some countries other activities as well. 94 | . 95 | To "convey" a work means any kind of propagation that enables other 96 | parties to make or receive copies. Mere interaction with a user through 97 | a computer network, with no transfer of a copy, is not conveying. 98 | . 
99 | An interactive user interface displays "Appropriate Legal Notices" 100 | to the extent that it includes a convenient and prominently visible 101 | feature that (1) displays an appropriate copyright notice, and (2) 102 | tells the user that there is no warranty for the work (except to the 103 | extent that warranties are provided), that licensees may convey the 104 | work under this License, and how to view a copy of this License. If 105 | the interface presents a list of user commands or options, such as a 106 | menu, a prominent item in the list meets this criterion. 107 | . 108 | 1. Source Code. 109 | . 110 | The "source code" for a work means the preferred form of the work 111 | for making modifications to it. "Object code" means any non-source 112 | form of a work. 113 | . 114 | A "Standard Interface" means an interface that either is an official 115 | standard defined by a recognized standards body, or, in the case of 116 | interfaces specified for a particular programming language, one that 117 | is widely used among developers working in that language. 118 | . 119 | The "System Libraries" of an executable work include anything, other 120 | than the work as a whole, that (a) is included in the normal form of 121 | packaging a Major Component, but which is not part of that Major 122 | Component, and (b) serves only to enable use of the work with that 123 | Major Component, or to implement a Standard Interface for which an 124 | implementation is available to the public in source code form. A 125 | "Major Component", in this context, means a major essential component 126 | (kernel, window system, and so on) of the specific operating system 127 | (if any) on which the executable work runs, or a compiler used to 128 | produce the work, or an object code interpreter used to run it. 129 | . 
130 | The "Corresponding Source" for a work in object code form means all 131 | the source code needed to generate, install, and (for an executable 132 | work) run the object code and to modify the work, including scripts to 133 | control those activities. However, it does not include the work's 134 | System Libraries, or general-purpose tools or generally available free 135 | programs which are used unmodified in performing those activities but 136 | which are not part of the work. For example, Corresponding Source 137 | includes interface definition files associated with source files for 138 | the work, and the source code for shared libraries and dynamically 139 | linked subprograms that the work is specifically designed to require, 140 | such as by intimate data communication or control flow between those 141 | subprograms and other parts of the work. 142 | . 143 | The Corresponding Source need not include anything that users 144 | can regenerate automatically from other parts of the Corresponding 145 | Source. 146 | . 147 | The Corresponding Source for a work in source code form is that 148 | same work. 149 | . 150 | 2. Basic Permissions. 151 | . 152 | All rights granted under this License are granted for the term of 153 | copyright on the Program, and are irrevocable provided the stated 154 | conditions are met. This License explicitly affirms your unlimited 155 | permission to run the unmodified Program. The output from running a 156 | covered work is covered by this License only if the output, given its 157 | content, constitutes a covered work. This License acknowledges your 158 | rights of fair use or other equivalent, as provided by copyright law. 159 | . 160 | You may make, run and propagate covered works that you do not 161 | convey, without conditions so long as your license otherwise remains 162 | in force. 
You may convey covered works to others for the sole purpose 163 | of having them make modifications exclusively for you, or provide you 164 | with facilities for running those works, provided that you comply with 165 | the terms of this License in conveying all material for which you do 166 | not control copyright. Those thus making or running the covered works 167 | for you must do so exclusively on your behalf, under your direction 168 | and control, on terms that prohibit them from making any copies of 169 | your copyrighted material outside their relationship with you. 170 | . 171 | Conveying under any other circumstances is permitted solely under 172 | the conditions stated below. Sublicensing is not allowed; section 10 173 | makes it unnecessary. 174 | . 175 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 176 | . 177 | No covered work shall be deemed part of an effective technological 178 | measure under any applicable law fulfilling obligations under article 179 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 180 | similar laws prohibiting or restricting circumvention of such 181 | measures. 182 | . 183 | When you convey a covered work, you waive any legal power to forbid 184 | circumvention of technological measures to the extent such circumvention 185 | is effected by exercising rights under this License with respect to 186 | the covered work, and you disclaim any intention to limit operation or 187 | modification of the work as a means of enforcing, against the work's 188 | users, your or third parties' legal rights to forbid circumvention of 189 | technological measures. 190 | . 191 | 4. Conveying Verbatim Copies. 192 | . 
193 | You may convey verbatim copies of the Program's source code as you 194 | receive it, in any medium, provided that you conspicuously and 195 | appropriately publish on each copy an appropriate copyright notice; 196 | keep intact all notices stating that this License and any 197 | non-permissive terms added in accord with section 7 apply to the code; 198 | keep intact all notices of the absence of any warranty; and give all 199 | recipients a copy of this License along with the Program. 200 | . 201 | You may charge any price or no price for each copy that you convey, 202 | and you may offer support or warranty protection for a fee. 203 | . 204 | 5. Conveying Modified Source Versions. 205 | . 206 | You may convey a work based on the Program, or the modifications to 207 | produce it from the Program, in the form of source code under the 208 | terms of section 4, provided that you also meet all of these conditions: 209 | . 210 | a) The work must carry prominent notices stating that you modified 211 | it, and giving a relevant date. 212 | . 213 | b) The work must carry prominent notices stating that it is 214 | released under this License and any conditions added under section 215 | 7. This requirement modifies the requirement in section 4 to 216 | "keep intact all notices". 217 | . 218 | c) You must license the entire work, as a whole, under this 219 | License to anyone who comes into possession of a copy. This 220 | License will therefore apply, along with any applicable section 7 221 | additional terms, to the whole of the work, and all its parts, 222 | regardless of how they are packaged. This License gives no 223 | permission to license the work in any other way, but it does not 224 | invalidate such permission if you have separately received it. 225 | . 
226 | d) If the work has interactive user interfaces, each must display 227 | Appropriate Legal Notices; however, if the Program has interactive 228 | interfaces that do not display Appropriate Legal Notices, your 229 | work need not make them do so. 230 | . 231 | A compilation of a covered work with other separate and independent 232 | works, which are not by their nature extensions of the covered work, 233 | and which are not combined with it such as to form a larger program, 234 | in or on a volume of a storage or distribution medium, is called an 235 | "aggregate" if the compilation and its resulting copyright are not 236 | used to limit the access or legal rights of the compilation's users 237 | beyond what the individual works permit. Inclusion of a covered work 238 | in an aggregate does not cause this License to apply to the other 239 | parts of the aggregate. 240 | . 241 | 6. Conveying Non-Source Forms. 242 | . 243 | You may convey a covered work in object code form under the terms 244 | of sections 4 and 5, provided that you also convey the 245 | machine-readable Corresponding Source under the terms of this License, 246 | in one of these ways: 247 | . 248 | a) Convey the object code in, or embodied in, a physical product 249 | (including a physical distribution medium), accompanied by the 250 | Corresponding Source fixed on a durable physical medium 251 | customarily used for software interchange. 252 | . 
253 | b) Convey the object code in, or embodied in, a physical product 254 | (including a physical distribution medium), accompanied by a 255 | written offer, valid for at least three years and valid for as 256 | long as you offer spare parts or customer support for that product 257 | model, to give anyone who possesses the object code either (1) a 258 | copy of the Corresponding Source for all the software in the 259 | product that is covered by this License, on a durable physical 260 | medium customarily used for software interchange, for a price no 261 | more than your reasonable cost of physically performing this 262 | conveying of source, or (2) access to copy the 263 | Corresponding Source from a network server at no charge. 264 | . 265 | c) Convey individual copies of the object code with a copy of the 266 | written offer to provide the Corresponding Source. This 267 | alternative is allowed only occasionally and noncommercially, and 268 | only if you received the object code with such an offer, in accord 269 | with subsection 6b. 270 | . 271 | d) Convey the object code by offering access from a designated 272 | place (gratis or for a charge), and offer equivalent access to the 273 | Corresponding Source in the same way through the same place at no 274 | further charge. You need not require recipients to copy the 275 | Corresponding Source along with the object code. If the place to 276 | copy the object code is a network server, the Corresponding Source 277 | may be on a different server (operated by you or a third party) 278 | that supports equivalent copying facilities, provided you maintain 279 | clear directions next to the object code saying where to find the 280 | Corresponding Source. Regardless of what server hosts the 281 | Corresponding Source, you remain obligated to ensure that it is 282 | available for as long as needed to satisfy these requirements. 283 | . 
284 | e) Convey the object code using peer-to-peer transmission, provided 285 | you inform other peers where the object code and Corresponding 286 | Source of the work are being offered to the general public at no 287 | charge under subsection 6d. 288 | . 289 | A separable portion of the object code, whose source code is excluded 290 | from the Corresponding Source as a System Library, need not be 291 | included in conveying the object code work. 292 | . 293 | A "User Product" is either (1) a "consumer product", which means any 294 | tangible personal property which is normally used for personal, family, 295 | or household purposes, or (2) anything designed or sold for incorporation 296 | into a dwelling. In determining whether a product is a consumer product, 297 | doubtful cases shall be resolved in favor of coverage. For a particular 298 | product received by a particular user, "normally used" refers to a 299 | typical or common use of that class of product, regardless of the status 300 | of the particular user or of the way in which the particular user 301 | actually uses, or expects or is expected to use, the product. A product 302 | is a consumer product regardless of whether the product has substantial 303 | commercial, industrial or non-consumer uses, unless such uses represent 304 | the only significant mode of use of the product. 305 | . 306 | "Installation Information" for a User Product means any methods, 307 | procedures, authorization keys, or other information required to install 308 | and execute modified versions of a covered work in that User Product from 309 | a modified version of its Corresponding Source. The information must 310 | suffice to ensure that the continued functioning of the modified object 311 | code is in no case prevented or interfered with solely because 312 | modification has been made. 313 | . 
314 | If you convey an object code work under this section in, or with, or 315 | specifically for use in, a User Product, and the conveying occurs as 316 | part of a transaction in which the right of possession and use of the 317 | User Product is transferred to the recipient in perpetuity or for a 318 | fixed term (regardless of how the transaction is characterized), the 319 | Corresponding Source conveyed under this section must be accompanied 320 | by the Installation Information. But this requirement does not apply 321 | if neither you nor any third party retains the ability to install 322 | modified object code on the User Product (for example, the work has 323 | been installed in ROM). 324 | . 325 | The requirement to provide Installation Information does not include a 326 | requirement to continue to provide support service, warranty, or updates 327 | for a work that has been modified or installed by the recipient, or for 328 | the User Product in which it has been modified or installed. Access to a 329 | network may be denied when the modification itself materially and 330 | adversely affects the operation of the network or violates the rules and 331 | protocols for communication across the network. 332 | . 333 | Corresponding Source conveyed, and Installation Information provided, 334 | in accord with this section must be in a format that is publicly 335 | documented (and with an implementation available to the public in 336 | source code form), and must require no special password or key for 337 | unpacking, reading or copying. 338 | . 339 | 7. Additional Terms. 340 | . 341 | "Additional permissions" are terms that supplement the terms of this 342 | License by making exceptions from one or more of its conditions. 343 | Additional permissions that are applicable to the entire Program shall 344 | be treated as though they were included in this License, to the extent 345 | that they are valid under applicable law. 
If additional permissions 346 | apply only to part of the Program, that part may be used separately 347 | under those permissions, but the entire Program remains governed by 348 | this License without regard to the additional permissions. 349 | . 350 | When you convey a copy of a covered work, you may at your option 351 | remove any additional permissions from that copy, or from any part of 352 | it. (Additional permissions may be written to require their own 353 | removal in certain cases when you modify the work.) You may place 354 | additional permissions on material, added by you to a covered work, 355 | for which you have or can give appropriate copyright permission. 356 | . 357 | Notwithstanding any other provision of this License, for material you 358 | add to a covered work, you may (if authorized by the copyright holders of 359 | that material) supplement the terms of this License with terms: 360 | . 361 | a) Disclaiming warranty or limiting liability differently from the 362 | terms of sections 15 and 16 of this License; or 363 | . 364 | b) Requiring preservation of specified reasonable legal notices or 365 | author attributions in that material or in the Appropriate Legal 366 | Notices displayed by works containing it; or 367 | . 368 | c) Prohibiting misrepresentation of the origin of that material, or 369 | requiring that modified versions of such material be marked in 370 | reasonable ways as different from the original version; or 371 | . 372 | d) Limiting the use for publicity purposes of names of licensors or 373 | authors of the material; or 374 | . 375 | e) Declining to grant rights under trademark law for use of some 376 | trade names, trademarks, or service marks; or 377 | . 
378 | f) Requiring indemnification of licensors and authors of that 379 | material by anyone who conveys the material (or modified versions of 380 | it) with contractual assumptions of liability to the recipient, for 381 | any liability that these contractual assumptions directly impose on 382 | those licensors and authors. 383 | . 384 | All other non-permissive additional terms are considered "further 385 | restrictions" within the meaning of section 10. If the Program as you 386 | received it, or any part of it, contains a notice stating that it is 387 | governed by this License along with a term that is a further 388 | restriction, you may remove that term. If a license document contains 389 | a further restriction but permits relicensing or conveying under this 390 | License, you may add to a covered work material governed by the terms 391 | of that license document, provided that the further restriction does 392 | not survive such relicensing or conveying. 393 | . 394 | If you add terms to a covered work in accord with this section, you 395 | must place, in the relevant source files, a statement of the 396 | additional terms that apply to those files, or a notice indicating 397 | where to find the applicable terms. 398 | . 399 | Additional terms, permissive or non-permissive, may be stated in the 400 | form of a separately written license, or stated as exceptions; 401 | the above requirements apply either way. 402 | . 403 | 8. Termination. 404 | . 405 | You may not propagate or modify a covered work except as expressly 406 | provided under this License. Any attempt otherwise to propagate or 407 | modify it is void, and will automatically terminate your rights under 408 | this License (including any patent licenses granted under the third 409 | paragraph of section 11). 410 | . 
411 | However, if you cease all violation of this License, then your 412 | license from a particular copyright holder is reinstated (a) 413 | provisionally, unless and until the copyright holder explicitly and 414 | finally terminates your license, and (b) permanently, if the copyright 415 | holder fails to notify you of the violation by some reasonable means 416 | prior to 60 days after the cessation. 417 | . 418 | Moreover, your license from a particular copyright holder is 419 | reinstated permanently if the copyright holder notifies you of the 420 | violation by some reasonable means, this is the first time you have 421 | received notice of violation of this License (for any work) from that 422 | copyright holder, and you cure the violation prior to 30 days after 423 | your receipt of the notice. 424 | . 425 | Termination of your rights under this section does not terminate the 426 | licenses of parties who have received copies or rights from you under 427 | this License. If your rights have been terminated and not permanently 428 | reinstated, you do not qualify to receive new licenses for the same 429 | material under section 10. 430 | . 431 | 9. Acceptance Not Required for Having Copies. 432 | . 433 | You are not required to accept this License in order to receive or 434 | run a copy of the Program. Ancillary propagation of a covered work 435 | occurring solely as a consequence of using peer-to-peer transmission 436 | to receive a copy likewise does not require acceptance. However, 437 | nothing other than this License grants you permission to propagate or 438 | modify any covered work. These actions infringe copyright if you do 439 | not accept this License. Therefore, by modifying or propagating a 440 | covered work, you indicate your acceptance of this License to do so. 441 | . 442 | 10. Automatic Licensing of Downstream Recipients. 443 | . 
444 | Each time you convey a covered work, the recipient automatically 445 | receives a license from the original licensors, to run, modify and 446 | propagate that work, subject to this License. You are not responsible 447 | for enforcing compliance by third parties with this License. 448 | . 449 | An "entity transaction" is a transaction transferring control of an 450 | organization, or substantially all assets of one, or subdividing an 451 | organization, or merging organizations. If propagation of a covered 452 | work results from an entity transaction, each party to that 453 | transaction who receives a copy of the work also receives whatever 454 | licenses to the work the party's predecessor in interest had or could 455 | give under the previous paragraph, plus a right to possession of the 456 | Corresponding Source of the work from the predecessor in interest, if 457 | the predecessor has it or can get it with reasonable efforts. 458 | . 459 | You may not impose any further restrictions on the exercise of the 460 | rights granted or affirmed under this License. For example, you may 461 | not impose a license fee, royalty, or other charge for exercise of 462 | rights granted under this License, and you may not initiate litigation 463 | (including a cross-claim or counterclaim in a lawsuit) alleging that 464 | any patent claim is infringed by making, using, selling, offering for 465 | sale, or importing the Program or any portion of it. 466 | . 467 | 11. Patents. 468 | . 469 | A "contributor" is a copyright holder who authorizes use under this 470 | License of the Program or a work on which the Program is based. The 471 | work thus licensed is called the contributor's "contributor version". 472 | . 
473 | A contributor's "essential patent claims" are all patent claims 474 | owned or controlled by the contributor, whether already acquired or 475 | hereafter acquired, that would be infringed by some manner, permitted 476 | by this License, of making, using, or selling its contributor version, 477 | but do not include claims that would be infringed only as a 478 | consequence of further modification of the contributor version. For 479 | purposes of this definition, "control" includes the right to grant 480 | patent sublicenses in a manner consistent with the requirements of 481 | this License. 482 | . 483 | Each contributor grants you a non-exclusive, worldwide, royalty-free 484 | patent license under the contributor's essential patent claims, to 485 | make, use, sell, offer for sale, import and otherwise run, modify and 486 | propagate the contents of its contributor version. 487 | . 488 | In the following three paragraphs, a "patent license" is any express 489 | agreement or commitment, however denominated, not to enforce a patent 490 | (such as an express permission to practice a patent or covenant not to 491 | sue for patent infringement). To "grant" such a patent license to a 492 | party means to make such an agreement or commitment not to enforce a 493 | patent against the party. 494 | . 495 | If you convey a covered work, knowingly relying on a patent license, 496 | and the Corresponding Source of the work is not available for anyone 497 | to copy, free of charge and under the terms of this License, through a 498 | publicly available network server or other readily accessible means, 499 | then you must either (1) cause the Corresponding Source to be so 500 | available, or (2) arrange to deprive yourself of the benefit of the 501 | patent license for this particular work, or (3) arrange, in a manner 502 | consistent with the requirements of this License, to extend the patent 503 | license to downstream recipients. 
"Knowingly relying" means you have 504 | actual knowledge that, but for the patent license, your conveying the 505 | covered work in a country, or your recipient's use of the covered work 506 | in a country, would infringe one or more identifiable patents in that 507 | country that you have reason to believe are valid. 508 | . 509 | If, pursuant to or in connection with a single transaction or 510 | arrangement, you convey, or propagate by procuring conveyance of, a 511 | covered work, and grant a patent license to some of the parties 512 | receiving the covered work authorizing them to use, propagate, modify 513 | or convey a specific copy of the covered work, then the patent license 514 | you grant is automatically extended to all recipients of the covered 515 | work and works based on it. 516 | . 517 | A patent license is "discriminatory" if it does not include within 518 | the scope of its coverage, prohibits the exercise of, or is 519 | conditioned on the non-exercise of one or more of the rights that are 520 | specifically granted under this License. You may not convey a covered 521 | work if you are a party to an arrangement with a third party that is 522 | in the business of distributing software, under which you make payment 523 | to the third party based on the extent of your activity of conveying 524 | the work, and under which the third party grants, to any of the 525 | parties who would receive the covered work from you, a discriminatory 526 | patent license (a) in connection with copies of the covered work 527 | conveyed by you (or copies made from those copies), or (b) primarily 528 | for and in connection with specific products or compilations that 529 | contain the covered work, unless you entered into that arrangement, 530 | or that patent license was granted, prior to 28 March 2007. 531 | . 
532 | Nothing in this License shall be construed as excluding or limiting 533 | any implied license or other defenses to infringement that may 534 | otherwise be available to you under applicable patent law. 535 | . 536 | 12. No Surrender of Others' Freedom. 537 | . 538 | If conditions are imposed on you (whether by court order, agreement or 539 | otherwise) that contradict the conditions of this License, they do not 540 | excuse you from the conditions of this License. If you cannot convey a 541 | covered work so as to satisfy simultaneously your obligations under this 542 | License and any other pertinent obligations, then as a consequence you may 543 | not convey it at all. For example, if you agree to terms that obligate you 544 | to collect a royalty for further conveying from those to whom you convey 545 | the Program, the only way you could satisfy both those terms and this 546 | License would be to refrain entirely from conveying the Program. 547 | . 548 | 13. Remote Network Interaction; Use with the GNU General Public License. 549 | . 550 | Notwithstanding any other provision of this License, if you modify the 551 | Program, your modified version must prominently offer all users 552 | interacting with it remotely through a computer network (if your version 553 | supports such interaction) an opportunity to receive the Corresponding 554 | Source of your version by providing access to the Corresponding Source 555 | from a network server at no charge, through some standard or customary 556 | means of facilitating copying of software. This Corresponding Source 557 | shall include the Corresponding Source for any work covered by version 3 558 | of the GNU General Public License that is incorporated pursuant to the 559 | following paragraph. 560 | . 
561 | Notwithstanding any other provision of this License, you have 562 | permission to link or combine any covered work with a work licensed 563 | under version 3 of the GNU General Public License into a single 564 | combined work, and to convey the resulting work. The terms of this 565 | License will continue to apply to the part which is the covered work, 566 | but the work with which it is combined will remain governed by version 567 | 3 of the GNU General Public License. 568 | . 569 | 14. Revised Versions of this License. 570 | . 571 | The Free Software Foundation may publish revised and/or new versions of 572 | the GNU Affero General Public License from time to time. Such new versions 573 | will be similar in spirit to the present version, but may differ in detail to 574 | address new problems or concerns. 575 | . 576 | Each version is given a distinguishing version number. If the 577 | Program specifies that a certain numbered version of the GNU Affero General 578 | Public License "or any later version" applies to it, you have the 579 | option of following the terms and conditions either of that numbered 580 | version or of any later version published by the Free Software 581 | Foundation. If the Program does not specify a version number of the 582 | GNU Affero General Public License, you may choose any version ever published 583 | by the Free Software Foundation. 584 | . 585 | If the Program specifies that a proxy can decide which future 586 | versions of the GNU Affero General Public License can be used, that proxy's 587 | public statement of acceptance of a version permanently authorizes you 588 | to choose that version for the Program. 589 | . 590 | Later license versions may give you additional or different 591 | permissions. However, no additional obligations are imposed on any 592 | author or copyright holder as a result of your choosing to follow a 593 | later version. 594 | . 595 | 15. Disclaimer of Warranty. 596 | . 
597 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 598 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 599 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 600 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 601 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 602 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 603 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 604 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 605 | . 606 | 16. Limitation of Liability. 607 | . 608 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 609 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 610 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 611 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 612 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 613 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 614 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 615 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 616 | SUCH DAMAGES. 617 | . 618 | 17. Interpretation of Sections 15 and 16. 619 | . 620 | If the disclaimer of warranty and limitation of liability provided 621 | above cannot be given local legal effect according to their terms, 622 | reviewing courts shall apply local law that most closely approximates 623 | an absolute waiver of all civil liability in connection with the 624 | Program, unless a warranty or assumption of liability accompanies a 625 | copy of the Program in return for a fee. 626 | . 627 | END OF TERMS AND CONDITIONS 628 | . 629 | How to Apply These Terms to Your New Programs 630 | . 
631 | If you develop a new program, and you want it to be of the greatest 632 | possible use to the public, the best way to achieve this is to make it 633 | free software which everyone can redistribute and change under these terms. 634 | . 635 | To do so, attach the following notices to the program. It is safest 636 | to attach them to the start of each source file to most effectively 637 | state the exclusion of warranty; and each file should have at least 638 | the "copyright" line and a pointer to where the full notice is found. 639 | . 640 | 641 | Copyright (C) 642 | . 643 | This program is free software: you can redistribute it and/or modify 644 | it under the terms of the GNU Affero General Public License as published by 645 | the Free Software Foundation, either version 3 of the License, or 646 | (at your option) any later version. 647 | . 648 | This program is distributed in the hope that it will be useful, 649 | but WITHOUT ANY WARRANTY; without even the implied warranty of 650 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 651 | GNU Affero General Public License for more details. 652 | . 653 | You should have received a copy of the GNU Affero General Public License 654 | along with this program. If not, see . 655 | . 656 | Also add information on how to contact you by electronic and paper mail. 657 | . 658 | If your software can interact with users remotely through a computer 659 | network, you should also make sure that it provides a way for users to 660 | get its source. For example, if your program is a web application, its 661 | interface could display a "Source" link that leads users to an archive 662 | of the code. There are many ways you could offer source, and different 663 | solutions will be better for different programs; see section 13 for the 664 | specific requirements. 665 | . 
666 | You should also get your employer (if you work as a programmer) or school, 667 | if any, to sign a "copyright disclaimer" for the program, if necessary. 668 | For more information on this, and how to apply and follow the GNU AGPL, see 669 | . 670 | . 671 | The copyright holders grant you an additional permission under Section 7 672 | of the GNU Affero General Public License, version 3, exempting you from 673 | the requirement in Section 6 of the GNU General Public License, version 3, 674 | to accompany Corresponding Source with Installation Information for the 675 | Program or any work based on the Program. You are still required to 676 | comply with all other Section 6 requirements to provide Corresponding 677 | Source. 678 | -------------------------------------------------------------------------------- /debian/libpam-python-doc.doc-base: -------------------------------------------------------------------------------- 1 | Document: pam-python-api 2 | Title: pam-python API 3 | Author: Russell Stuart 4 | Abstract: PAM Python API manual 5 | Section: Programming 6 | 7 | Format: HTML 8 | Index: /usr/share/doc/libpam-python-doc/html/index.html 9 | Files: /usr/share/doc/libpam-python-doc/html/*.html 10 | -------------------------------------------------------------------------------- /debian/libpam-python.README.Debian: -------------------------------------------------------------------------------- 1 | The documentation (including developers documentation) is in the 2 | libpam-python-doc package. 3 | -------------------------------------------------------------------------------- /debian/patches/intersphinx-localmapping.diff: -------------------------------------------------------------------------------- 1 | Description: Do not require Internet access during building. 2 | intersphinx want to fetch some mapping data, and was set up to use 3 | the Internet to find it. Use a local file from python-doc instead to 4 | avoid violating Debian policy 4.9. 
5 | Author: Petter Reinholdtsen 6 | Bug-Debian: https://bugs.debian.org/830186 7 | Bug-Debian: https://bugs.debian.org/833411 8 | Forwarded: no 9 | Reviewed-By: Petter Reinholdtsen 10 | Last-Update: 2016-08-26 11 | 12 | --- pam-python-1.0.4.orig/doc/conf.py 13 | +++ pam-python-1.0.4/doc/conf.py 14 | 
@@ -4,1 +4,3 @@ 15 | -intersphinx_mapping = {'python': ('http://docs.python.org/2.7', None)} 16 | +intersphinx_mapping = { 17 | + 'python': ('/usr/share/doc/python-doc/html', None) 18 | +} 19 | -------------------------------------------------------------------------------- /debian/patches/series: -------------------------------------------------------------------------------- 1 | intersphinx-localmapping.diff 2 | -------------------------------------------------------------------------------- /debian/rules: -------------------------------------------------------------------------------- 1 | #!/usr/bin/make -f 2 | 3 | #export DH_VERBOSE=1 4 | 5 | DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) 6 | BIN_PACKAGE = libpam-python 7 | DOC_PACKAGE = libpam-python-doc 8 | DOC_DIR = usr/share/doc/$(DOC_PACKAGE) 9 | DEB_BUILD_MAINT_OPTIONS ?= hardening=+bindnow 10 | 11 | ME=$(shell sed 's,\([^ ]*\) .*,\1,;q' debian/changelog) 12 | 13 | ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) 14 | CFLAGS += -O0 15 | endif 16 | ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS))) 17 | CFLAGS += -g 18 | endif 19 | 20 | .PHONY: get-orig-source 21 | get-orig-source: 22 | version=$(shell \ 23 | wget -O - "http://sourceforge.net/projects/$(ME)/files/" | \ 24 | sed -n 's;.* 14 | 15 | 16 | .. _intro: 17 | 18 | Introduction 19 | ============ 20 | 21 | The |pam_python| PAM module runs the Python source file (aka Python PAM 22 | module) it is given in the Python interpreter, making the PAM module API 23 | available to it. This document describes the how the PAM Module API is exposed 24 | to the Python PAM module. It does not describe how to use the API. You must read 25 | the |PMWG|_ to learn how to do that. To re-iterate: this 26 | document does not tell you how to write PAM modules, it only tells you how to 27 | access the PAM module API from Python. 
28 | 29 | Writing PAM modules from Python incurs a large performance penalty and requires 30 | Python to be installed, so it is not the best option for writing modules that 31 | will be used widely. On the other hand memory allocation / corruption problems 32 | can not be caused by bad Python code, and a Python module is generally shorter 33 | and easier to write than its C equivalent. This makes it ideal for the system 34 | administrator who just wants to make use of the PAM API for his own ends 35 | while minimising the risk of introducing memory corruption problems into every 36 | program using PAM. 37 | 38 | 39 | .. _configuring: 40 | 41 | Configuring PAM 42 | =============== 43 | 44 | Tell PAM to use a Python PAM module in the usual way: add a rule to your PAM 45 | configuration. The PAM administrators manual gives the syntax of a rule as:: 46 | 47 | service type control module-path module-arguments 48 | 49 | The first three parameters are the same for all PAM modules and so aren't any 50 | different for |pam_python|. The *module-path* is the path to pam_python.so. 51 | Like all PAM module paths it is relative to the default PAM module directory so 52 | is usually just the string ``pam_python.so``. The first *module-argument* is the 53 | path to the Python PAM module. If it doesn't start with a / it is relative to 54 | ``/lib/security``. All *module-arguments*, including the path name to the 55 | Python PAM module, are passed to it. Because |pam_python| runs that file inside every program that uses the rule, the file and the directories leading to it should be writable only by root. 56 | 57 | 58 | .. _module: 59 | 60 | Python PAM modules 61 | ================== 62 | 63 | When a PAM handle created by the application's call to PAM's :samp:`pam_start()` 64 | function first uses a Python PAM module, |pam_python| invokes it using Python's 65 | ``execfile`` function. The following variables are passed to the invoked 66 | module in its global namespace: 67 | 68 | 69 | .. data:: __builtins__ 70 | 71 | The usual Python ``__builtins__``. 72 | 73 | 74 | .. 
data:: __file__ 75 | 76 | The absolute path name to the Python PAM module. 77 | 78 | As described in the |PMWG|, PAM interacts with your module by calling methods 79 | you provide in it. Each ``type`` in the PAM configuration rules results in one 80 | or more methods being called. The Python PAM module must define the methods that 81 | will be called by each rule ``type`` it can be used with. Those methods are: 82 | 83 | 84 | .. function:: pam_sm_acct_mgmt(pamh, flags, args) 85 | 86 | The service module's implementation of PAM's :manpage:`pam_acct_mgmt(3)` interface. 87 | 88 | 89 | .. function:: pam_sm_authenticate(pamh, flags, args) 90 | 91 | The service module's implementation of PAM's :manpage:`pam_authenticate(3)` 92 | interface. 93 | 94 | 95 | .. function:: pam_sm_close_session(pamh, flags, args) 96 | 97 | The service module's implementation of PAM's :manpage:`pam_close_session(3)` 98 | interface. 99 | 100 | 101 | .. function:: pam_sm_chauthtok(pamh, flags, args) 102 | 103 | The service module's implementation of PAM's :manpage:`pam_chauthtok(3)` interface. 104 | 105 | 106 | .. function:: pam_sm_open_session(pamh, flags, args) 107 | 108 | The service module's implementation of PAM's :manpage:`pam_open_session(3)` 109 | interface. 110 | 111 | 112 | .. function:: pam_sm_setcred(pamh, flags, args) 113 | 114 | The service module's implementation of PAM's :manpage:`pam_setcred(3)` interface. 115 | 116 | The arguments and return value of all these methods are the same. The *pamh* 117 | parameter is an instance of the :class:`PamHandle` class. It is used to interact 118 | with PAM and is described in the next section. The remaining arguments are as 119 | described in the |PMWG|. All functions must return an integer, 120 | eg :const:`pamh.PAM_SUCCESS`. The valid return codes for each function are 121 | defined |PMWG|. 
If the Python method isn't present 122 | |pam_python| will return :const:`pamh.PAM_SYMBOL_ERR` to PAM; if the method 123 | doesn't return an integer or throws an exception :const:`pamh.PAM_SERVICE_ERR` 124 | is returned. 125 | 126 | There is one other method in the Python PAM module 127 | that may be called by |pam_python|. 128 | It is optional: 129 | 130 | 131 | .. function:: pam_sm_end(pamh) 132 | 133 | If present this will be called when the application calls PAM's 134 | :manpage:`pam_end(3)` function. 135 | If not present nothing happens. 136 | The parameter *pamh* is the :class:`PamHandle` object. 137 | The return value is ignored. 138 | 139 | 140 | .. _pamhandle: 141 | 142 | The PamHandle Class 143 | =================== 144 | 145 | An instance of this class is automatically created for a Python PAM module when 146 | it is first referenced, (ie when it is ``execfile``'ed). It is the first 147 | argument to every Python method called by PAM. It is destroyed automatically 148 | when PAM's :c:func:`pam_end` is called, right after the ``execfile``'ed 149 | module is destroyed. If any method fails, or any access to a member fails, a 150 | :exc:`PamHandle.exception` exception will be thrown. A :class:`PamHandle` instance contains the following 151 | members: 152 | 153 | 154 | .. data:: PAM_??? 155 | 156 | All the :const:`PAM_???` constants defined in the PAM include files 157 | version 1.1.1 are available. They are all read-only :class:`int`'s. 158 | 159 | 160 | .. data:: authtok 161 | 162 | The :const:`PAM_AUTHTOK` PAM item. Reading this results in a call 163 | to the |pam-lib-func| :samp:`pam_get_item(PAM_AUTHTOK)`, writing it 164 | results in a call :samp:`pam_set_item(PAM_AUTHTOK, value)`. Its 165 | value will be either a :class:`string` or :const:`None` for the C 166 | value :c:macro:`NULL`. This is the user's authentication token (often the password), so a module should never write it to a log. 167 | 168 | 169 | .. data:: authtok_type 170 | 171 | The :const:`PAM_AUTHTOK_TYPE` PAM item. 
Reading this results in a call 172 | to the |pam-lib-func| :samp:`pam_get_item(PAM_AUTHTOK_TYPE)`, writing it 173 | results in a call :samp:`pam_set_item(PAM_AUTHTOK_TYPE, value)`. Its 174 | value will be either a :class:`string` or :const:`None` for the C 175 | value :c:macro:`NULL`. 176 | New in version 1.0.0. 177 | Only present if the version of PAM |pam_python| is compiled with supports it. 178 | 179 | 180 | .. data:: env 181 | 182 | This is a mapping representing the PAM environment. |pam_python| implements 183 | accesses and changes to it via the |pam-lib-func| :samp:`pam_getenv()`, 184 | :samp:`pam_putenv()` and :samp:`pam_getenvlist()`. The PAM environment 185 | only supports :class:`string` keys and values, and the keys may not be 186 | blank nor contain '='. 187 | 188 | 189 | .. data:: exception 190 | 191 | The exception raised by methods defined here if they fail. It is a 192 | subclass of :class:`StandardError`. Instances contain the member 193 | :const:`pam_result`, which is the error code returned by PAM. The 194 | description is the PAM error message. 195 | 196 | 197 | .. data:: libpam_version 198 | 199 | The version of PAM |pam_python| was compiled with. This is a 200 | :class:`string`. In version 0.1.0 of |pam_python| and prior this was an 201 | :class:`int` holding the version of PAM library loaded. Newer versions of 202 | PAM no longer export that value. 203 | 204 | 205 | .. data:: pamh 206 | 207 | The PAM handle, as read-only :class:`int`. Possibly useful during debugging. 208 | 209 | 210 | .. data:: py_initialized 211 | 212 | A read-only :class:`int`. 213 | If the Python interpreter was initialised 214 | before the |pam_python| module was created this is 0. 215 | Otherwise it is 1, meaning |pam_python| has called :c:func:`Py_Initialize` 216 | and will call :c:func:`Py_Finalize` 217 | when the last |pam_python| module is destroyed. 218 | 219 | 220 | .. data:: oldauthtok 221 | 222 | The :const:`PAM_OLDAUTHTOK` PAM item. 
Reading this results in a call 223 | to the |pam-lib-func| :samp:`pam_get_item(PAM_OLDAUTHTOK)`, 224 | writing it results in a call :samp:`pam_set_item(PAM_OLDAUTHTOK, value)`. 225 | Its value will be either a :class:`string` or :const:`None` for the 226 | C value :c:macro:`NULL`. 227 | 228 | 229 | .. data:: rhost 230 | 231 | The :const:`PAM_RHOST` PAM item. Reading this results in a call 232 | to the |pam-lib-func| :samp:`pam_get_item(PAM_RHOST)`, 233 | writing it results in a call :samp:`pam_set_item(PAM_RHOST, value)`. 234 | Its value will be either a :class:`string` 235 | or :const:`None` for the C value :c:macro:`NULL`. 236 | 237 | 238 | .. data:: ruser 239 | 240 | The :const:`PAM_RUSER` PAM item. Reading this results in a call 241 | to the |pam-lib-func| :samp:`pam_get_item(PAM_RUSER)`, 242 | writing it results in a call :samp:`pam_set_item(PAM_RUSER, value)`. 243 | Its value will be either a :class:`string` 244 | or :const:`None` for the C value :c:macro:`NULL`. 245 | 246 | 247 | .. data:: service 248 | 249 | The :const:`PAM_SERVICE` PAM item. Reading this results in a call 250 | to the |pam-lib-func| :samp:`pam_get_item(PAM_SERVICE)`, 251 | writing it results in a call :samp:`pam_set_item(PAM_SERVICE, value)`. 252 | Its value will be either a :class:`string` 253 | or :const:`None` for the C value :c:macro:`NULL`. 254 | 255 | 256 | .. data:: tty 257 | 258 | The :const:`PAM_TTY` PAM item. Reading this results in a call 259 | to the |pam-lib-func| :samp:`pam_get_item(PAM_TTY)`, 260 | writing it results in a call :samp:`pam_set_item(PAM_TTY, value)`. 261 | Its value will be either a :class:`string` 262 | or :const:`None` for the C value :c:macro:`NULL`. 263 | 264 | 265 | .. data:: user 266 | 267 | The :const:`PAM_USER` PAM item. Reading this results in a call 268 | to the |pam-lib-func| :samp:`pam_get_item(PAM_USER)`, 269 | writing it results in a call :samp:`pam_set_item(PAM_USER, value)`. 
270 | Its value will be either a :class:`string` 271 | or :const:`None` for the C value :c:macro:`NULL`. 272 | 273 | 274 | .. data:: user_prompt 275 | 276 | The :const:`PAM_USER_PROMPT` PAM item. Reading this results in a call 277 | to the |pam-lib-func| :samp:`pam_get_item(PAM_USER_PROMPT)`, 278 | writing it results in a call :samp:`pam_set_item(PAM_USER_PROMPT, value)`. 279 | Its value will be either a :class:`string` 280 | or :const:`None` for the C value :c:macro:`NULL`. 281 | 282 | 283 | .. data:: xauthdata 284 | 285 | The :const:`PAM_XAUTHDATA` PAM item. Reading this results in a call 286 | to the |pam-lib-func| :samp:`pam_get_item(PAM_XAUTHDATA)`, 287 | writing it results in a call :samp:`pam_set_item(PAM_XAUTHDATA, value)`. 288 | Its value is a :class:`XAuthData` instance. When setting its value you 289 | don't have to use an actual :class:`XAuthData` instance, 290 | any class that contains a :class:`string` member :attr:`name` 291 | and a :class:`string` member :attr:`data` will do. 292 | New in version 1.0.0. 293 | Only present if the version of PAM |pam_python| is compiled with supports it. 294 | 295 | 296 | .. data:: xdisplay 297 | 298 | The :const:`PAM_XDISPLAY` PAM item. Reading this results in a call 299 | to the |pam-lib-func| :samp:`pam_get_item(PAM_XDISPLAY)`, 300 | writing it results in a call :samp:`pam_set_item(PAM_XDISPLAY, value)`. 301 | Its value will be either a :class:`string` 302 | or :const:`None` for the C value :c:macro:`NULL`. 303 | New in version 1.0.0. 304 | Only present if the version of PAM |pam_python| is compiled with supports it. 305 | 306 | The following methods are available: 307 | 308 | 309 | .. method:: PamHandle.Message(msg_style,msg) 310 | 311 | Creates an instance of the :class:`Message` class. 312 | The arguments become the instance members of the same name. 313 | This class is used to represent the C API's ``struct pam_message`` type. 
314 | An instance has two members corresponding 315 | to the C structure members of the same name: 316 | :attr:`msg_style` an :class:`int` 317 | and :attr:`data` a :class:`string`. 318 | Instances are immutable. 319 | Instances of this class can be passed to the :meth:`conversation` method. 320 | 321 | 322 | .. method:: PamHandle.Response(resp,ret_code) 323 | 324 | Creates an instance of the :class:`Response` class. 325 | The arguments become the instance members of the same name. 326 | This class is used to represent the C API's ``struct pam_response`` type. 327 | An instance has two members 328 | corresponding to the C structure members of the same name: 329 | :attr:`resp` a :class:`string` 330 | and :attr:`ret_code` an :class:`int`. 331 | Instances are immutable. 332 | Instances of this class are returned by the :meth:`conversation` method. 333 | 334 | 335 | .. method:: PamHandle.XAuthData(name,data) 336 | 337 | Creates an instance of the :class:`XAuthData` class. 338 | The arguments become the instance members of the same name. 339 | This class is used to represent the C API's ``struct pam_xauth_data`` type. 340 | An instance has two members 341 | corresponding to the C structure members of the same name: 342 | :attr:`name` a :class:`string` and :attr:`data` also a :class:`string`. 343 | Instances are immutable. 344 | The :data:`xauthdata` member returns instances of this class and 345 | can be set to an instance of this class. 346 | 347 | 348 | .. method:: PamHandle.conversation(prompts) 349 | 350 | Calls the function defined by the PAM :c:macro:`PAM_CONV` item. 351 | The *prompts* argument is a :class:`Message` object 352 | or a :class:`list` of them. 353 | You don't have to pass an actual :class:`Message` object, 354 | any class that contains a :class:`string` member :attr:`msg` 355 | and a :class:`int` member :attr:`msg_style` will do. 356 | These members are used to initialise the ``struct pam_message`` 357 | members of the same name. 
It returns either a single :class:`Response` 358 | object if a single :class:`Message` was passed, 359 | or a :class:`list` of them of the same length as the :class:`list` passed. 360 | These :class:`Response` objects contain the data the user entered. 361 | 362 | 363 | .. method:: PamHandle.fail_delay(delay) 364 | 365 | This results in a call to the |pam-lib-func| :samp:`pam_fail_delay()`, 366 | which sets the maximum random delay after an authentication failure 367 | to *delay* milliseconds. 368 | 369 | 370 | .. method:: PamHandle.get_user([prompt]) 371 | 372 | This results in a call to the |pam-lib-func| :samp:`pam_get_user()`, 373 | which returns the current user name (a :class:`string`) 374 | or :const:`None` if :samp:`pam_get_user()` returns :c:macro:`NULL`. 375 | If not known it asks the PAM application for the user name, 376 | giving it the :class:`string` *prompt* parameter 377 | to prompt the user to enter it. 378 | 379 | 380 | .. method:: PamHandle.strerror(errnum) 381 | 382 | This results in a call to the |pam-lib-func| :samp:`pam_strerror()`, 383 | which returns a :class:`string` description of the :class:`int` 384 | PAM return value *errnum*. 385 | 386 | There is no interface provided for the |pam-lib-func|\s :samp:`pam_get_data()` 387 | and :samp:`pam_set_data()`. There are two reasons for this. 388 | Firstly those two methods are provided so C code can have private storage 389 | local to the PAM handle. A Python PAM Module can use own module name space 390 | to do the same job, and it's easier to do so. But more importantly it's 391 | safer because there is no type-safe way of providing access to the facility 392 | from Python. 393 | 394 | 395 | .. _diagnostics: 396 | 397 | Diagnostics, Debugging, Bugs 398 | ============================ 399 | 400 | The way |pam_python| operates will be foreign to most Python programmers. 401 | It embeds Python into existing programs, primarily ones written in C. 
402 | This means things like debugging and diagnostics 403 | are done differently to a normal Python program. 404 | 405 | 406 | .. _return-values: 407 | 408 | Diagnostics 409 | ----------- 410 | 411 | If |pam_python| returns something other than :const:`PAM_SUCCESS` to PAM a 412 | message will be written to the ``syslog`` ``LOG_AUTHPRIV`` facility. The only 413 | exception to this is when |pam_python| is passing on the return value from 414 | a Python :meth:`pam_sm_...` entry point - nothing is logged in that case. 415 | So, if your Python PAM Module is failing in mysterious ways 416 | check the log file your system is configured to write 417 | ``LOG_AUTHPRIV`` entries to. 418 | Usually this is :file:`/var/log/syslog` or :file:`/var/log/auth.log`. 419 | The diagnostic or traceback Python would normally print to :attr:`sys.stderr` 420 | will be in there. 421 | 422 | The PAM result codes returned directly by |pam_python| are: 423 | 424 | 425 | .. data:: PAM_BUF_ERR 426 | 427 | Memory allocation failed. 428 | 429 | 430 | .. data:: PAM_MODULE_UNKNOWN 431 | 432 | The Python PAM module name wasn't supplied. 433 | 434 | 435 | .. data:: PAM_OPEN_ERR 436 | 437 | The Python PAM module could not be opened. 438 | 439 | 440 | .. data:: PAM_SERVICE_ERR 441 | 442 | A Python exception was thrown, unless it was because of a memory allocation 443 | failure. 444 | 445 | 446 | .. data:: PAM_SYMBOL_ERR 447 | 448 | A :meth:`pam_sm_...` called by PAM wasn't defined by the Python PAM module. 449 | 450 | 451 | .. _debugging: 452 | 453 | Debugging 454 | --------- 455 | 456 | If you have Python bindings for the PAM Application library then you can write 457 | test units in Python and use Pythons :mod:`pdb` module debug a Python PAM 458 | module. This is how |pam_python| was developed. 459 | 460 | I used `PyPAM `_ for the Python Application 461 | library bindings. Distributions often package it as ``python-pam``. 
To set 462 | breakpoints in :mod:`pdb` either wait until PAM has loaded your module, or 463 | :keyword:`import` it before you start debugging. 464 | 465 | 466 | .. _bugs: 467 | 468 | Bugs 469 | ---- 470 | 471 | There are several design decisions you may stumble across when using 472 | |pam_python|. One is that the Python PAM module is isolated from the rest 473 | of the Python environment. This differs from an :keyword:`import`'ed Python module, 474 | where regardless of how many times a module is imported there is only one copy 475 | that shares the one global name space. 476 | For example, if you :keyword:`import` your Python PAM module 477 | and then debug it as suggested above then there will be 2 478 | copies of your Python PAM module in memory - 479 | the imported one and the one PAM is using. 480 | If the PAM module sets a global variable you won't see it in the 481 | :keyword:`import`'ed one. Indeed, obtaining any sort of handle to the module 482 | PAM is using is near impossible. This means the debugger can inspect variables 483 | in the module only when a breakpoint has one of the module's functions in its 484 | backtrace. 485 | 486 | There are a few reasons for this. Firstly, the |PMWG| says 487 | this is the way it should be, so |pam_python| encourages it. Secondly, if a 488 | PAM application is using a Python PAM Module it's important the PAM module 489 | remains as near to invisible as possible to avoid conflicts. Finally, and most 490 | importantly, references to objects constructed by the Python PAM module must 491 | never leak. This is because the destructors to those objects are C functions 492 | that live in |pam_python|, and those destructors are called when all 493 | references to the objects are gone. When the application calls the |pam-lib-func| 494 | :samp:`pam_end()`, |pam_python| is unloaded, and with it goes the 495 | destructor code. 
Should a reference to an object defined by |pam_python| exist 496 | after :samp:`pam_end()` returns, the call to the destructor 497 | will result in a jump to a non-existent address causing a ``SIGSEGV``. 498 | 499 | Another potential trap is the initialisation and finalisation of the Python 500 | interpreter itself. Calling the interpreter's finalisation routine while it is 501 | in use would I imagine be a big no-no. If |pam_python| has to initialise 502 | the interpreter (by calling :c:func:`Py_Initialize`) then it will call its 503 | finaliser :c:func:`Py_Finalize` when the last Python PAM module is destroyed. 504 | This heuristic works in most scenarios. One example where it won't work is a 505 | sequence like:: 506 | 507 | start-python-pam-module; 508 | application-initialises-interpreter; 509 | stop-python-pam-module; 510 | application-stops-interpreter. 511 | 512 | The above is doomed to fail. 513 | 514 | 515 | .. _example: 516 | 517 | An example 518 | ========== 519 | 520 | This is one of the examples provided by the package: 521 | 522 | 523 | .. include:: pam_permit.py 524 | :literal: 525 | 526 | Assuming it and ``pam_python.so`` are in the directory ``/lib/security`` adding 527 | these rules to ``/etc/pam.conf`` would run it (the example returns success from every entry point, so rules like these accept every request and belong only on a test system):: 528 | 529 | login account requisite pam_python.so pam_accept.py 530 | login auth requisite pam_python.so pam_accept.py 531 | login password requisite pam_python.so pam_accept.py 532 | login session requisite pam_python.so pam_accept.py 533 | 534 | .. |PMWG| replace:: PAM Module Writers Guide 535 | 536 | .. _PMWG: http://www.linux-pam.org/Linux-PAM-html/ 537 | 538 | .. |pam_python| replace:: `pam_python` 539 | 540 | .. 
|pam-lib-func| replace:: PAM library function 541 | -------------------------------------------------------------------------------- /examples/pam_deny.py: -------------------------------------------------------------------------------- 1 | # 2 | # Duplicates pam_deny.c 3 | # 4 | def pam_sm_authenticate(pamh, flags, argv): 5 | return pamh.PAM_AUTH_ERR 6 | 7 | def pam_sm_setcred(pamh, flags, argv): 8 | return pamh.PAM_CRED_UNAVAIL 9 | 10 | def pam_sm_acct_mgmt(pamh, flags, argv): 11 | return pamh.PAM_ACCT_EXPIRED 12 | 13 | def pam_sm_chauthtok(pamh, flags, argv): 14 | return pamh.PAM_AUTHTOK_ERR 15 | 16 | def pam_sm_open_session(pamh, flags, argv): 17 | return pamh.PAM_SYSTEM_ERR 18 | 19 | def pam_sm_close_session(pamh, flags, argv): 20 | return pamh.PAM_SYSTEM_ERR 21 | -------------------------------------------------------------------------------- /examples/pam_nologin.py: -------------------------------------------------------------------------------- 1 | # 2 | # Emulate what pam_nologin.c does. 3 | # 4 | import pwd 5 | 6 | # 7 | # Parse our command line. 8 | # 9 | def parse_args(pamh, argv): 10 | # 11 | # Parse the arguments. 12 | # 13 | nologin_file = "/etc/nologin" 14 | retval_when_nofile = pamh.PAM_IGNORE 15 | for arg in argv[1:]: 16 | if arg.starts_with("file="): 17 | nologin_file = arg[5:] 18 | elif arg == "successok": 19 | retval_when_nofile = pamh.PAM_SUCCESS 20 | return nologin_file, retval_when_nofile 21 | 22 | # 23 | # Check the /etc/nologin file. 24 | # 25 | def check_nologin(pamh, nologin_file, retval_when_nofile): 26 | # 27 | # Get the user name. 28 | # 29 | try: 30 | username = pamh.get_user() 31 | except pamh.exception: 32 | username = None 33 | if username == None: 34 | return pamh.PAM_USER_UNKNOWN 35 | # 36 | # Can we open the file? 37 | # 38 | try: 39 | handle = file(nologin_file, "r") 40 | except EnvironmentError: 41 | return retval_when_nofile 42 | # 43 | # Print the message. 
44 | # 45 | try: 46 | try: 47 | msg = handle.read() 48 | except EnvironmentError: 49 | return pamh.PAM_SYSTEM_ERR 50 | finally: 51 | handle.close() 52 | # 53 | # Read the user's password entry so we can check if he is root. 54 | # Root can login regardless. 55 | # 56 | try: 57 | pwent = pwd.getpwnam(username) 58 | except KeyError: 59 | retval = pamh.PAM_USER_UNKNOWN 60 | msg_style = pamh.PAM_ERROR_MSG 61 | else: 62 | if pwent[2] == 0: # Is this root? 63 | retval = pamh.PAM_SUCCESS 64 | msg_style = pamh.PAM_TEXT_INFO 65 | else: 66 | retval = pamh.PAM_AUTH_ERR 67 | msg_style = pamh.PAM_ERROR_MSG 68 | # 69 | # Display the message 70 | # 71 | try: 72 | pamh.conversation(pamh.Message(msg_style, msg)) 73 | except pamh.exception: 74 | return pamh.PAM_SYSTEM_ERR 75 | return retval 76 | 77 | # 78 | # Entry points we handle. 79 | # 80 | def pam_sm_authenticate(pamh, flags, argv): 81 | nologin_file, retval_when_nofile = parse_args(pamh, argv) 82 | return check_nologin(pamh, nologin_file, retval_when_nofile) 83 | 84 | def pam_sm_setcred(pamh, flags, argv): 85 | nologin_file, retval_when_nofile = parse_args(pamh, argv) 86 | return retval_when_nofile 87 | 88 | def pam_sm_acct_mgmt(pamh, flags, argv): 89 | nologin_file, retval_when_nofile = parse_args(pamh, argv) 90 | return check_nologin(pamh, nologin_file, retval_when_nofile) 91 | -------------------------------------------------------------------------------- /examples/pam_permit.py: -------------------------------------------------------------------------------- 1 | # 2 | # Duplicates pam_permit.c 3 | # 4 | DEFAULT_USER = "nobody" 5 | 6 | def pam_sm_authenticate(pamh, flags, argv): 7 | try: 8 | user = pamh.get_user(None) 9 | except pamh.exception, e: 10 | return e.pam_result 11 | if user == None: 12 | pamh.user = DEFAULT_USER 13 | return pamh.PAM_SUCCESS 14 | 15 | def pam_sm_setcred(pamh, flags, argv): 16 | return pamh.PAM_SUCCESS 17 | 18 | def pam_sm_acct_mgmt(pamh, flags, argv): 19 | return pamh.PAM_SUCCESS 20 | 21 | def 
pam_sm_open_session(pamh, flags, argv): 22 | return pamh.PAM_SUCCESS 23 | 24 | def pam_sm_close_session(pamh, flags, argv): 25 | return pamh.PAM_SUCCESS 26 | 27 | def pam_sm_chauthtok(pamh, flags, argv): 28 | return pamh.PAM_SUCCESS 29 | -------------------------------------------------------------------------------- /pam-python.html: -------------------------------------------------------------------------------- 1 | 3 | 4 | 5 | 6 | 7 | pam-python - write PAM modules in Python 8 | 9 | 10 | 11 | 17 | 18 | 19 | 20 | 21 | 22 |

23 | Pam-python
24 | Write PAM modules in Python 25 |

26 | 27 |

28 | Pam-python is a PAM Module that runs the Python interpreter, 29 | thus allowing PAM Modules to be written in Python. 30 |

31 | 32 |

Documentation

33 | 34 |

35 | There is a 36 | documentation page, 37 | some examples, a 38 | change log and a 39 | README.txt. 40 | The documentation page must be read in conjunction with the 41 | PAM Module Writers Guide. 42 |

43 | 44 |

Copyright and License

45 | 46 |

47 | Pam-python is copyright © 2007-2012,2014,2016,2019 Russell Stuart. 48 | It is licensed under the GNU Affero General Public License. 49 |

50 | 51 |

52 | This program is free software: you can redistribute it and/or modify it 53 | under the terms of the GNU Affero General Public License as published by 54 | the Free Software Foundation, either version 3 of the License, or (at your 55 | option) any later version. 56 |

57 | 58 |

59 | The copyright holders grant you an additional permission under Section 7 60 | of the GNU Affero General Public License, version 3, exempting you from 61 | the requirement in Section 6 of the GNU General Public License, version 3, 62 | to accompany Corresponding Source with Installation Information for the 63 | Program or any work based on the Program. You are still required to 64 | comply with all other Section 6 requirements to provide Corresponding 65 | Source. 66 |

67 | 68 |

69 | This program is distributed in the hope that it will be useful, 70 | but WITHOUT ANY WARRANTY; without even the implied warranty of 71 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 72 | GNU Affero General Public License for more details. 73 |

74 | 75 |

Downloading, Feedback & Contributing

76 | 77 |

78 | Development for pam-python is hosted on 79 | Source forge: 80 |

81 | 82 |
    83 |
  • 84 | Download area, 85 | (.tar.gz, .deb). 86 |
  • 87 |
  • 88 | Issue tracker, 89 | bugs, features or just questions. 90 |
  • 91 |
  • 92 | Source repository. 93 |
  • 94 |
  • 95 | Pam-python is part of Debian. 96 | Most Debian derived distribution can install using apt-get. 97 |
  • 98 |
99 | 100 |

 

101 | 102 |
103 |

104 | Russell Stuart, 2014-May-29. 105 |

106 | 107 | 108 | 109 | -------------------------------------------------------------------------------- /pam-python.iml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /src/Makefile: -------------------------------------------------------------------------------- 1 | all: ctest pam_python.so test-pam_python.pam 2 | 3 | WARNINGS=-Wall -Wextra -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Werror 4 | #WARNINGS=-Wunreachable-code # Gcc 4.1 .. 4.4 are too buggy to make this useful 5 | 6 | LIBDIR ?= /lib/security 7 | 8 | pam_python.so: pam_python.c setup.py Makefile 9 | @rm -f "$@" 10 | @[ ! -e build -o build/lib.*/$@ -nt setup.py -a build/lib.*/$@ -nt Makefile ] || rm -r build 11 | CFLAGS="$(WARNINGS) -I/usr/local/lib/ " ./setup.py build 12 | @#CFLAGS="-O0 $(WARNINGS)" ./setup.py build --debug 13 | @#CFLAGS="-O0 $(WARNINGS)" Py_DEBUG=1 ./setup.py build --debug 14 | ln -sf build/lib.*/$@ . 15 | 16 | .PHONY: install install-lib 17 | install: install-lib 18 | install-lib: 19 | mkdir -p $(DESTDIR)$(LIBDIR) 20 | cp build/lib.*/pam_python.so $(DESTDIR)$(LIBDIR) 21 | 22 | .PHONY: clean 23 | clean: 24 | rm -rf build ctest pam_python.so test-pam_python.pam test.pyc core 25 | [ ! -e /etc/pam.d/test-pam_python.pam ] || { s=$$([ $$(id -u) = 0 ] || echo sudo); $$s rm -f /etc/pam.d/test-pam_python.pam; } 26 | [ ! 
-e /etc/pam.d/test-pam_python-installed.pam ] || { s=$$([ $$(id -u) = 0 ] || echo sudo); $$s rm -f /etc/pam.d/test-pam_python-installed.pam; } 27 | 28 | .PHONY: ctest 29 | ctest: ctest.c Makefile 30 | gcc -O0 $(WARNINGS) -g -o $@ ctest.c -lpam 31 | 32 | test-pam_python.pam: test-pam_python.pam.in Makefile 33 | sed "s,\\\$$PWD,$$(pwd),g" "$@.in" >"$@.tmp" 34 | mv $@.tmp $@ 35 | 36 | /etc/pam.d/test-pam_python.pam: test-pam_python.pam 37 | s=$$([ $$(id -u) = 0 ] || echo sudo); $$s ln -sf $$(pwd)/test-pam_python.pam /etc/pam.d 38 | 39 | .PHONY: test 40 | test: pam_python.so ctest /etc/pam.d/test-pam_python.pam 41 | python test.py 42 | ./ctest 43 | 44 | test-pam_python-installed.pam: test-pam_python.pam.in Makefile 45 | sed "s,\\\$$PWD/pam-python.so,pam-python.so,;s,\\\$$PWD,$$(pwd),g" "$@.in" >"$@.tmp" 46 | mv $@.tmp $@ 47 | 48 | /etc/pam.d/test-pam_python-installed.pam: test-pam_python-installed.pam 49 | s=$$([ $$(id -u) = 0 ] || echo sudo); $$s ln -sf $$(pwd)/test-pam_python-installed.pam /etc/pam.d 50 | 51 | .PHONY: installed-test 52 | installed-test: ctest /etc/pam.d/test-pam_python-installed.pam 53 | python test.py 54 | ./ctest 55 | -------------------------------------------------------------------------------- /src/ctest.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Best compiled & run using the Makefile target "test". 
To compile and run 3 | * manually: 4 | * gcc -O0 -g -Wall -o test -lpam test.c 5 | * sudo ln -s $PWD/test-pam_python.pam /etc/pam.d 6 | * ./ctest 7 | * sudo rm /etc/pam.d/test-pam_python.pam 8 | */ 9 | #define _GNU_SOURCE 10 | 11 | #ifdef __APPLE__ 12 | #include 13 | #else 14 | #include 15 | #endif 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | struct walk_info { 23 | int libpam_python_seen; 24 | int python_seen; 25 | }; 26 | 27 | static int conv( 28 | int num_msg, const struct pam_message** msg, struct pam_response** resp, void *appdata_ptr) 29 | { 30 | int i; 31 | 32 | (void)appdata_ptr; 33 | *resp = malloc(num_msg * sizeof(**resp)); 34 | for (i = 0; i < num_msg; i += 1) 35 | { 36 | (*resp)[i].resp = strdup((*msg)[i].msg); 37 | (*resp)[i].resp_retcode = (*msg)[i].msg_style; 38 | } 39 | return 0; 40 | } 41 | 42 | static void call_pam( 43 | int* exit_status, const char* who, pam_handle_t* pamh, 44 | int (*func)(pam_handle_t*, int)) 45 | { 46 | int pam_result = (*func)(pamh, 0); 47 | 48 | if (pam_result == PAM_SUCCESS) 49 | return; 50 | fprintf( 51 | stderr, "%s failed: %d %s\n", 52 | who, pam_result, pam_strerror(pamh, pam_result)); 53 | *exit_status = 1; 54 | } 55 | 56 | #ifdef __APPLE__ 57 | static void walk_dlls(struct walk_info* walk_info) 58 | { 59 | int image_index; 60 | walk_info->libpam_python_seen = 0; 61 | walk_info->python_seen = 0; 62 | for (image_index = 0; image_index < _dyld_image_count(); image_index += 1) { 63 | const char* image_name = _dyld_get_image_name(image_index); 64 | if (strstr(image_name, "/pam_python.so") != 0) 65 | walk_info->libpam_python_seen = 1; 66 | if (strstr(image_name, "/libpython") != 0) 67 | walk_info->python_seen = 1; 68 | } 69 | } 70 | #else 71 | static int dl_walk(struct dl_phdr_info* info, size_t size, void* data) 72 | { 73 | struct walk_info* walk_info = data; 74 | 75 | (void)size; 76 | if (strstr(info->dlpi_name, "/pam_python.so") != 0) 77 | walk_info->libpam_python_seen = 1; 78 | if 
(strstr(info->dlpi_name, "/libpython") != 0) 79 | walk_info->python_seen = 1; 80 | return 0; 81 | } 82 | 83 | static void walk_dlls(struct walk_info* walk_info) 84 | { 85 | walk_info->libpam_python_seen = 0; 86 | walk_info->python_seen = 0; 87 | dl_iterate_phdr(dl_walk, walk_info); 88 | } 89 | #endif 90 | 91 | int main(int argc, char **argv) 92 | { 93 | int exit_status; 94 | struct pam_conv convstruct; 95 | pam_handle_t* pamh; 96 | struct walk_info walk_info_before; 97 | struct walk_info walk_info_after; 98 | 99 | (void)argc; 100 | (void)argv; 101 | if (access("/etc/pam.d/test-pam_python.pam", 0) != 0) 102 | { 103 | fprintf( 104 | stderr, 105 | "**WARNING**\n" 106 | " This test requires ./test-pam_python.pam configuration to be\n" 107 | " available to PAM But it doesn't appear to be in /etc/pam.d.\n" 108 | ); 109 | } 110 | printf("Testing calls from C"); 111 | fflush(stdout); 112 | convstruct.conv = conv; 113 | convstruct.appdata_ptr = 0; 114 | if (pam_start("test-pam_python.pam", "", &convstruct, &pamh) == -1) 115 | { 116 | fprintf(stderr, "pam_start failed\n"); 117 | exit(1); 118 | } 119 | exit_status = 0; 120 | call_pam(&exit_status, "pam_authenticate", pamh, pam_authenticate); 121 | call_pam(&exit_status, "pam_chauthtok", pamh, pam_chauthtok); 122 | call_pam(&exit_status, "pam_acct_mgmt", pamh, pam_acct_mgmt); 123 | call_pam(&exit_status, "pam_open_session", pamh, pam_open_session); 124 | call_pam(&exit_status, "pam_close_session", pamh, pam_close_session); 125 | walk_dlls(&walk_info_before); 126 | call_pam(&exit_status, "pam_end", pamh, pam_end); 127 | if (exit_status == 0) 128 | printf(" OK\n"); 129 | walk_dlls(&walk_info_after); 130 | printf("Testing dll load/unload "); 131 | if (!walk_info_before.libpam_python_seen) 132 | { 133 | fprintf(stderr, "It looks like pam_python.so wasn't loaded!\n"); 134 | exit_status = 1; 135 | } 136 | else if (!walk_info_before.python_seen) 137 | { 138 | fprintf(stderr, "It looks like libpythonX.Y.so wasn't loaded!\n"); 139 | 
exit_status = 1; 140 | } 141 | else if (walk_info_after.libpam_python_seen) 142 | { 143 | fprintf(stderr, "pam_python.so wasn't unloaded.\n"); 144 | exit_status = 1; 145 | } 146 | else if (walk_info_after.python_seen) 147 | { 148 | fprintf(stderr, "libpythonX.Y.so wasn't uloaded.\n"); 149 | exit_status = 1; 150 | } 151 | else 152 | printf("OK\n"); 153 | return exit_status; 154 | } 155 | -------------------------------------------------------------------------------- /src/setup.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python -W default 2 | import warnings; warnings.simplefilter('default') 3 | 4 | import distutils.sysconfig 5 | import os 6 | import sys 7 | 8 | try: 9 | from setuptools import setup, Extension 10 | except ImportError: 11 | from distutils.core import setup, Extension 12 | 13 | long_description = """\ 14 | Embeds the Python interpreter into PAM \ 15 | so PAM modules can be written in Python""" 16 | 17 | classifiers = [ 18 | "Development Status :: 4 - Beta", 19 | "Intended Audience :: Developers", 20 | "License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)", 21 | "Natural Language :: English", 22 | "Operating System :: Unix", 23 | "Programming Language :: C", 24 | "Programming Language :: Python", 25 | "Topic :: Software Development :: Libraries :: Python Modules", 26 | "Topic :: System :: Systems Administration :: Authentication/Directory"] 27 | 28 | if not os.environ.has_key("Py_DEBUG"): 29 | Py_DEBUG = [] 30 | else: 31 | Py_DEBUG = [('Py_DEBUG',1)] 32 | 33 | libpython_so = distutils.sysconfig.get_config_var('INSTSONAME') 34 | ext_modules = [ 35 | Extension( 36 | "pam_python", 37 | sources=["pam_python.c"], 38 | include_dirs = [], 39 | library_dirs=[], 40 | define_macros=[('LIBPYTHON_SO','"'+libpython_so+'"')] + Py_DEBUG, 41 | libraries=["pam","python%d.%d" % sys.version_info[:2]], 42 | ), ] 43 | 44 | setup( 45 | name="pam_python", 46 | version="1.0.7", 47 | 
description="Enabled PAM Modules to be written in Python", 48 | keywords="pam,embed,authentication,security", 49 | platforms="Unix", 50 | long_description=long_description, 51 | author="Russell Stuart", 52 | author_email="russell-pampython@stuart.id.au", 53 | url="http://pam-python.sourceforge.net/", 54 | license="AGPL-3.0", 55 | classifiers=classifiers, 56 | ext_modules=ext_modules, 57 | ) 58 | -------------------------------------------------------------------------------- /src/test-pam_python.pam.in: -------------------------------------------------------------------------------- 1 | auth required $PWD/pam_python.so $PWD/test.py 2 | account required $PWD/pam_python.so $PWD/test.py arg1 arg2 3 | password required $PWD/pam_python.so $PWD/test.py 4 | session required $PWD/pam_python.so $PWD/test.py 5 | -------------------------------------------------------------------------------- /src/test.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python -W default 2 | # 3 | # This is the test script for libpython-pam. There aren't many stones 4 | # left unturned. 5 | # 6 | # Best run from the Makefile using the target 'test'. To run manually: 7 | # sudo ln -s $PWD/test-pam_python.pam /etc/pam.d 8 | # python test.py 9 | # sudo rm /etc/pam.d/test-pam_python.pam 10 | # 11 | import warnings; warnings.simplefilter('default') 12 | import os 13 | import sys 14 | 15 | TEST_PAM_MODULE = "test-pam_python.pam" 16 | TEST_PAM_USER = "root" 17 | 18 | # 19 | # A Fairly straight forward test harness. 
20 | # 21 | def pam_sm_end(pamh): 22 | return test(pam_sm_end, pamh, None, None) 23 | def pam_sm_authenticate(pamh, flags, argv): 24 | return test(pam_sm_authenticate, pamh, flags, argv) 25 | def pam_sm_setcred(pamh, flags, argv): 26 | return test(pam_sm_setcred, pamh, flags, argv) 27 | def pam_sm_acct_mgmt(pamh, flags, argv): 28 | return test(pam_sm_acct_mgmt, pamh, flags, argv) 29 | def pam_sm_open_session(pamh, flags, argv): 30 | return test(pam_sm_open_session, pamh, flags, argv) 31 | def pam_sm_close_session(pamh, flags, argv): 32 | return test(pam_sm_close_session, pamh, flags, argv) 33 | def pam_sm_chauthtok(pamh, flags, argv): 34 | return test(pam_sm_chauthtok, pamh, flags, argv) 35 | 36 | def test(who, pamh, flags, argv): 37 | import test 38 | if not hasattr(test, "test_function"):# only true if not called via "main" 39 | return pamh.PAM_SUCCESS # normally happens only if run by ctest 40 | test_function = globals()[test.test_function.__name__] 41 | return test_function(test.test_results, who, pamh, flags, argv) 42 | 43 | def run_test(caller): 44 | import test 45 | test_name = caller.__name__[4:] 46 | sys.stdout.write("Testing " + test_name + " ") 47 | sys.stdout.flush() 48 | test.test_results = [] 49 | test.test_function = globals()["test_" + test_name] 50 | caller(test.test_results) 51 | sys.stdout.write("OK\n") 52 | 53 | def pam_conv(auth, query_list, userData=None): 54 | return query_list 55 | 56 | # 57 | # Verify the results match. 58 | # 59 | def assert_results(expected_results, results): 60 | for i in range(min(len(expected_results), len(results))): 61 | assert expected_results[i] == results[i], (i, expected_results[i], results[i]) 62 | if len(expected_results) < len(results): 63 | assert len(expected_results) == len(results), (i, results[len(expected_results)]) 64 | else: 65 | assert len(expected_results) == len(results), (i, expected_results[len(results)]) 66 | 67 | # 68 | # Test all the calls happen. 
#
# Module side: record which entry point fired and the flags/argv it received.
def test_basic_calls(results, who, pamh, flags, argv):
    results.append((who.func_name, flags, argv))
    return pamh.PAM_SUCCESS

# Application side: drive each PAM call once through the PAM binding and
# compare what the module side recorded with the expected call sequence.
def run_basic_calls(results):
    pam = PAM.pam()
    pam.start(TEST_PAM_MODULE, TEST_PAM_USER, pam_conv)
    pam.authenticate(0)
    pam.acct_mgmt()
    pam.chauthtok()
    pam.open_session()
    pam.close_session()
    del pam
    # argv[0] seen by the module is expected to be this script's path.
    me = os.path.join(os.getcwd(), __file__)
    # chauthtok is expected twice: 16384 and 8192 are the values listed below
    # as PAM_PRELIM_CHECK (0x4000) and PAM_UPDATE_AUTHTOK (0x2000).
    expected_results = [
        (pam_sm_authenticate.func_name, 0, [me]),
        (pam_sm_acct_mgmt.func_name, 0, [me, 'arg1', 'arg2']),
        (pam_sm_chauthtok.func_name, 16384, [me]),
        (pam_sm_chauthtok.func_name, 8192, [me]),
        (pam_sm_open_session.func_name, 0, [me]),
        (pam_sm_close_session.func_name, 0, [me]),
        (pam_sm_end.func_name, None, None)]
    assert_results(expected_results, results)

#
# Test all the constants are defined.
#
PAM_CONSTANTS = {
    #
    # Constants defined in _pam_types.h. The item constants are omitted.
    #
    "PAM_SUCCESS": 0,
    "PAM_OPEN_ERR": 1,
    "PAM_SYMBOL_ERR": 2,
    "PAM_SERVICE_ERR": 3,
    "PAM_SYSTEM_ERR": 4,
    "PAM_BUF_ERR": 5,
    "PAM_PERM_DENIED": 6,
    "PAM_AUTH_ERR": 7,
    "PAM_CRED_INSUFFICIENT": 8,
    "PAM_AUTHINFO_UNAVAIL": 9,
    "PAM_USER_UNKNOWN": 10,
    "PAM_MAXTRIES": 11,
    "PAM_NEW_AUTHTOK_REQD": 12,
    "PAM_ACCT_EXPIRED": 13,
    "PAM_SESSION_ERR": 14,
    "PAM_CRED_UNAVAIL": 15,
    "PAM_CRED_EXPIRED": 16,
    "PAM_CRED_ERR": 17,
    "PAM_NO_MODULE_DATA": 18,
    "PAM_CONV_ERR": 19,
    "PAM_AUTHTOK_ERR": 20,
    "PAM_AUTHTOK_RECOVER_ERR": 21,
    "PAM_AUTHTOK_RECOVERY_ERR": 21,
    "PAM_AUTHTOK_LOCK_BUSY": 22,
    "PAM_AUTHTOK_DISABLE_AGING": 23,
    "PAM_TRY_AGAIN": 24,
    "PAM_IGNORE": 25,
    "PAM_ABORT": 26,
    "PAM_AUTHTOK_EXPIRED": 27,
    "PAM_MODULE_UNKNOWN": 28,
    "PAM_BAD_ITEM": 29,
    "PAM_CONV_AGAIN": 30,
    "PAM_INCOMPLETE": 31,
    "PAM_SERVICE": 1,
    "PAM_USER": 2,
    "PAM_TTY": 3,
    "PAM_RHOST": 4,
    "PAM_CONV": 5,
    "PAM_AUTHTOK": 6,
    "PAM_OLDAUTHTOK": 7,
    "PAM_RUSER": 8,
    "PAM_USER_PROMPT": 9,
    "PAM_FAIL_DELAY": 10,
    "PAM_XDISPLAY": 11,
    "PAM_XAUTHDATA": 12,
    "PAM_AUTHTOK_TYPE": 13,
    "PAM_SILENT": 0x8000,
    "PAM_DISALLOW_NULL_AUTHTOK": 0x0001,
    "PAM_ESTABLISH_CRED": 0x0002,
    "PAM_DELETE_CRED": 0x0004,
    "PAM_REINITIALIZE_CRED": 0x0008,
    "PAM_REFRESH_CRED": 0x0010,
    "PAM_CHANGE_EXPIRED_AUTHTOK": 0x0020,
    "PAM_DATA_SILENT": 0x40000000,
    "PAM_PROMPT_ECHO_OFF": 1,
    "PAM_PROMPT_ECHO_ON": 2,
    "PAM_ERROR_MSG": 3,
    "PAM_TEXT_INFO": 4,
    "PAM_RADIO_TYPE": 5,
    "PAM_BINARY_PROMPT": 7,
    "PAM_MAX_NUM_MSG": 32,
    "PAM_MAX_MSG_SIZE": 512,
    "PAM_MAX_RESP_SIZE": 512,
    "_PAM_RETURN_VALUES": 32,
    #
    # Constants defined in pam_modules.h. The item constants are omitted.
    #
    "PAM_PRELIM_CHECK": 0x4000,
    "PAM_UPDATE_AUTHTOK": 0x2000,
    "PAM_DATA_REPLACE": 0x20000000,
}
# Module side: on pam_sm_authenticate, snapshot every PAM_* / _PAM_* attribute
# of the handle and check that assigning to one of them is refused.
def test_constants(results, who, pamh, flags, argv):
    results.append(who.func_name)
    if who != pam_sm_authenticate:
        return pamh.PAM_SUCCESS
    pam_constants = dict([
        (var, getattr(pamh,var))
        for var in dir(pamh)
        if var.startswith("PAM_") or var.startswith("_PAM_")])
    results.append(pam_constants)
    try:
        # Must fail: a module able to rebind PAM_SUCCESS on the handle could
        # change what later code returns as "success".
        pamh.PAM_SUCCESS = 1
        results.append("Opps, pamh.PAM_SUCCESS = 1 worked!")
    except StandardError, e:
        results.append("except: %s" % e)
    return pamh.PAM_SUCCESS

# Application side: the snapshot taken by the module must match PAM_CONSTANTS
# exactly, in both directions (nothing missing, nothing extra).
def run_constants(results):
    pam = PAM.pam()
    pam.start(TEST_PAM_MODULE, TEST_PAM_USER, pam_conv)
    pam.authenticate(0)
    pam.close_session()
    del pam
    assert results[0] == pam_sm_authenticate.func_name, (results[0], pam_sm_authenticate.func_name)
    assert results[2] == "except: attribute 'PAM_SUCCESS' of 'PamHandle_type' objects is not writable", results[2]
    assert results[3] == pam_sm_close_session.func_name, (results[3], pam_sm_close_session.func_name)
    assert results[4] == pam_sm_end.func_name, (results[4], pam_sm_end.func_name)
    consts = results[1]
    for var in PAM_CONSTANTS.keys():
        assert consts.has_key(var), var
        assert consts[var] == PAM_CONSTANTS[var], (var, consts[var], PAM_CONSTANTS[var])
    for var in consts.keys():
        assert PAM_CONSTANTS.has_key(var), var
        assert PAM_CONSTANTS[var] == consts[var], (var, PAM_CONSTANTS[var], consts[var])
    assert len(results) == 5, len(results)

#
# Test the environment calls.
#
# Module side: on pam_sm_acct_mgmt, exercise pamh.env as a mapping and record
# every value read and every error raised, in order.
def test_environment(results, who, pamh, flags, argv):
    results.append(who.func_name)
    if who != pam_sm_acct_mgmt:
        return pamh.PAM_SUCCESS
    # Call func and return "None" on success or "<ExceptionClass>: <message>"
    # on failure, so failures can be compared as plain strings.
    def test_exception(func):
        try:
            func()
            return str(None)
        except Exception, e:
            return e.__class__.__name__ + ": " + str(e)
    #
    # A few things to test here. First that PamEnv_as_mapping works.
    #
    results.append(len(pamh.env))
    results.append(pamh.env["x1"])
    pamh.env["yy"] = "y"
    results.append(pamh.env["yy"])
    pamh.env["yy"] = "z"
    results.append(pamh.env["yy"])
    # Non-string value, then a deleted key, a non-string key, a key that
    # contains '=' and an empty key: each must be rejected with an exception.
    def t(): pamh.env["yy"] = 1
    results.append(test_exception(t))
    del pamh.env["yy"]
    results.append(test_exception(lambda: pamh.env["yy"]))
    results.append(test_exception(lambda: pamh.env[1]))
    results.append(test_exception(lambda: pamh.env['a=']))
    results.append(test_exception(lambda: pamh.env['']))
    #
    # Now the dict functions.
    #
    pamh.env["xx"] = "x"
    results.append("not in" in pamh.env)
    results.append("xx" in pamh.env)
    results.append(pamh.env.has_key("not in"))
    results.append(pamh.env.has_key("xx"))
    results.append(test_exception(lambda: pamh.env.__getitem__("not in")))
    results.append(pamh.env.get("not in"))
    results.append(pamh.env.get("not in", "default"))
    results.append(pamh.env.get("xx"))
    results.append(pamh.env.get("xx", "default"))
    del pamh.env["x1"]
    results.append(pamh.env.items())
    results.append(pamh.env.keys())
    results.append(pamh.env.values())
    return pamh.PAM_SUCCESS

# Application side: seed three variables with putenv before acct_mgmt, then
# compare the module's recorded observations with the expected list.
def run_environment(results):
    pam = PAM.pam()
    pam.start(TEST_PAM_MODULE, TEST_PAM_USER, pam_conv)
    pam.authenticate(0)
    pam.putenv("x1=1")
    pam.putenv("x2=2")
    pam.putenv("x3=3")
    pam.acct_mgmt()
    pam.close_session()
    del pam
    expected_results = [
        pam_sm_authenticate.func_name, pam_sm_acct_mgmt.func_name,
        3, '1', 'y', 'z',
        'TypeError: PAM environment value must be a string',
        "KeyError: 'yy'",
        'TypeError: PAM environment key must be a string',
        "ValueError: PAM environment key can't contain '='",
        "ValueError: PAM environment key mustn't be 0 length",
        False, True, False, True,
        "KeyError: 'not in'",
        None, 'default', 'x', 'x',
        [('x2', '2'), ('x3', '3'), ('xx', 'x')],
        ['x2', 'x3', 'xx'],
        ['2', '3', 'x'],
        pam_sm_close_session.func_name, pam_sm_end.func_name]
    assert_results(expected_results, results)

#
# Test strerror().
#
# Module side: record the lower-cased strerror() text for four sample codes.
def test_strerror(results, who, pamh, flags, argv):
    results.append(who.func_name)
    if who != pam_sm_authenticate:
        return pamh.PAM_SUCCESS
    results.extend([(e, pamh.strerror(e).lower()) for e in (0, 1, 30, 31)])
    return pamh.PAM_SUCCESS

# Application side: the expected strings below depend on the wording used by
# the installed PAM library.
def run_strerror(results):
    pam = PAM.pam()
    pam.start(TEST_PAM_MODULE, TEST_PAM_USER, pam_conv)
    pam.authenticate(0)
    del pam
    expected_results = [
        pam_sm_authenticate.func_name,
        ( 0, 'success'),
        ( 1, 'failed to load module'),
        (30, 'conversation is waiting for event'),
        (31, 'application needs to call libpam again'),
        pam_sm_end.func_name]
    assert_results(expected_results, results)

#
# Test items.
#
# Module side: on open_session and close_session, record the current value of
# each item attribute, overwrite it with "<name>-module", check that a
# non-string assignment to tty is refused, then record get_user().
def test_items(results, who, pamh, flags, argv):
    results.append(who.func_name)
    if not who in (pam_sm_open_session, pam_sm_close_session):
        return pamh.PAM_SUCCESS
    items = {
        "authtok": "authtok-module",
        "authtok_type": "authtok_type-module",
        "oldauthtok": "oldauthtok-module",
        "rhost": "rhost-module",
        "ruser": "ruser-module",
        "tty": "tty-module",
        "user_prompt": "user_prompt-module",
        "user": "user-module",
        "xdisplay": "xdisplay-module",
    }
    # Sorted so the recorded order is deterministic.
    keys = items.keys()
    keys.sort()
    for key in keys:
        results.append((key, getattr(pamh, key)))
        value = items[key]
        if value != None:
            setattr(pamh, key, value)
    try:
        # Items must be strings; the assignment is expected to raise.
        setattr(pamh, "tty", 1)
        results.append("%r = %r" % (key, value))
    except StandardError, e:
        results.append("except: %s" % e)
    results.append(pamh.get_user("a prompt"))
    return pamh.PAM_SUCCESS

# Application side: set items by number (the numbers match the item values in
# PAM_CONSTANTS), then check what the module saw at open_session (application
# values) and at close_session (the values the module wrote itself).
def run_items(results):
    pam = PAM.pam()
    pam.start(TEST_PAM_MODULE, TEST_PAM_USER, pam_conv)
    pam.authenticate(0)
    items = {
        2: "user",
        3: "tty",
        4: "rhost",
        8: "ruser",
        9: "user_prompt",
        11: "xdisplay",
        13: "authtok_type"}
    items_list = items.keys()
    items_list.sort()
    for item in items_list:
        pam.set_item(item, items[item])
    pam.open_session()
    pam.close_session()
    del pam
    expected_results = [
        pam_sm_authenticate.func_name, pam_sm_open_session.func_name,
        ('authtok', None),
        ('authtok_type', 'authtok_type'),
        ('oldauthtok', None),
        ('rhost', 'rhost'),
        ('ruser', 'ruser'),
        ('tty', 'tty'),
        ('user', 'user'),
        ('user_prompt', 'user_prompt'),
        ('xdisplay', 'xdisplay'),
        'except: PAM item PAM_TTY must be set to a string',
        'user-module',
        pam_sm_close_session.func_name,
        ('authtok', 'authtok-module'),
        ('authtok_type', 'authtok_type-module'),
        ('oldauthtok', 'oldauthtok-module'),
        ('rhost', 'rhost-module'),
        ('ruser', 'ruser-module'),
        ('tty', 'tty-module'),
        ('user', 'user-module'),
        ('user_prompt', 'user_prompt-module'),
        ('xdisplay', 'xdisplay-module'),
        'except: PAM item PAM_TTY must be set to a string',
        'user-module',
        pam_sm_end.func_name]
    assert_results(expected_results, results)

#
# Test the xauthdata item.
#
# Module side: set pamh.xauthdata from an XAuthData object, from a class with
# name/data attributes and from an instance of it, reading it back each time;
# also check that XAuthData() rejects non-string arguments.
def test_xauthdata(results, who, pamh, flags, argv):
    results.append(who.func_name)
    if not who in (pam_sm_open_session, pam_sm_close_session):
        return pamh.PAM_SUCCESS
    xauthdata0 = pamh.XAuthData("name-module", "data-module")
    pamh.xauthdata = xauthdata0
    xauthdata1 = pamh.xauthdata
    results.append('name=%r, data=%r' % (xauthdata1.name, xauthdata1.data))
    try:
        xauthdata2 = pamh.XAuthData(None, "x")
        results.append('pamh.XAuthData(%r, %r)' % (xauthdata2.name, xauthdata2.data))
    except TypeError, e:
        results.append('except: %s' % e)
    try:
        xauthdata2 = pamh.XAuthData("x", 1)
        results.append('pamh.XAuthData(%r, %r)' % (xauthdata2.name, xauthdata2.data))
    except TypeError, e:
        results.append('except: %s' % e)
    # Any object exposing .name and .data is accepted, including the class
    # object itself.
    class XA: pass
    XA.name = "name-XA"
    XA.data = "data-XA"
    pamh.xauthdata = XA
    xauthdata2 = pamh.xauthdata
    results.append('name=%r, data=%r' % (xauthdata2.name, xauthdata2.data))
    xa = XA()
    xa.name = "name-xa"
    xa.data = "data-xa"
    pamh.xauthdata = xa
    xauthdata4 = pamh.xauthdata
    results.append('name=%r, data=%r' % (xauthdata4.name, xauthdata4.data))
    return pamh.PAM_SUCCESS

def run_xauthdata(results):
    pam = PAM.pam()
    pam.start(TEST_PAM_MODULE, TEST_PAM_USER, pam_conv)
    pam.authenticate(0)
    #
    # The PAM module doesn't support XAUTHDATA, so check what we can from the
    # module only.
    #
    pam.open_session()
    pam.close_session()
    del pam
    expected_results = [
        pam_sm_authenticate.func_name, pam_sm_open_session.func_name,
        ("name='name-module', data='data-module'"),
        'except: XAuthData() argument 1 must be string, not None',
        'except: XAuthData() argument 2 must be string, not int',
        ("name='name-XA', data='data-XA'"),
        ("name='name-xa', data='data-xa'"),
        pam_sm_close_session.func_name,
        ("name='name-module', data='data-module'"),
        'except: XAuthData() argument 1 must be string, not None',
        'except: XAuthData() argument 2 must be string, not int',
        ("name='name-XA', data='data-XA'"),
        ("name='name-xa', data='data-xa'"),
        pam_sm_end.func_name]
    assert_results(expected_results, results)

#
# Test having no pam_sm_end.
#
# Module side: remove pam_sm_end from this module's globals during the first
# call, so that no pam_sm_end entry can be recorded afterwards.
def test_no_sm_end(results, who, pamh, flags, argv):
    results.append(who.func_name)
    global pam_sm_end
    del pam_sm_end
    return pamh.PAM_SUCCESS

def run_no_sm_end(results):
    pam = PAM.pam()
    pam.start(TEST_PAM_MODULE, TEST_PAM_USER, pam_conv)
    pam.authenticate(0)
    del pam
    # Only the authenticate call is expected; a missing pam_sm_end must not
    # produce an error or an extra entry.
    expected_results = [pam_sm_authenticate.func_name]
    assert_results(expected_results, results)

#
# Test the conversation mechanism.
#
def test_conv(results, who, pamh, flags, argv):
    results.append(who.func_name)
    if who == pam_sm_end:
        return
    #
    # We must get rid of all references to pamh.Response objects. This instance
    # of the test.py module is running inside of libpam_python. That shared
    # library will be unloaded soon. Should a pamh.Response instance be
    # dealloc'ed after it is unloaded the now non-existent dealloc function will
    # be called, and a SIGSEGV will result. Normally instances would not leak,
    # but with the trickery we are performing with fake import's here they will
    # leak via the results variable unless we take special action.
    #
    # Hence conv() copies the fields out into plain tuples before anything is
    # stored in results.
    def conv(convs):
        responses = pamh.conversation(convs)
        if type(responses) != type(()):
            return (responses.resp, responses.resp_retcode)
        return [(r.resp, r.resp_retcode) for r in responses]
    # authenticate sends a list of four messages; acct_mgmt sends one bare
    # Message to cover the single-object form.
    if who == pam_sm_authenticate:
        convs = [
            pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "Prompt_echo_off"),
            pamh.Message(pamh.PAM_PROMPT_ECHO_ON, "Prompt_echo_on"),
            pamh.Message(pamh.PAM_ERROR_MSG, "Error_msg"),
            pamh.Message(pamh.PAM_TEXT_INFO, "Text_info")]
    if who == pam_sm_acct_mgmt:
        convs = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "single")
    results.append(conv(convs))
    return pamh.PAM_SUCCESS

def run_conv(results):
    pam = PAM.pam()
    pam.start(TEST_PAM_MODULE, TEST_PAM_USER, pam_conv)
    pam.authenticate(0)
    pam.acct_mgmt()
    del pam
    expected_results = [
        pam_sm_authenticate.func_name,
        [('Prompt_echo_off', 1), ('Prompt_echo_on', 2), ('Error_msg', 3), ('Text_info', 4)],
        pam_sm_acct_mgmt.func_name,
        ('single', 1),
        pam_sm_end.func_name]
    assert_results(expected_results, results)

#
# Test pam error returns.
#
# Module side: return whatever code the application side queued last.
def test_pamerr(results, who, pamh, flags, argv):
    return results[-1]

# Application side: for every return code, queue it, authenticate, and replace
# the queued value with the negated code carried by the PAM.error raised.
def run_pamerr(results):
    pam = PAM.pam()
    pam.start(TEST_PAM_MODULE, TEST_PAM_USER, pam_conv)
    for err in range(0, PAM._PAM_RETURN_VALUES):
        results.append(err)
        try:
            pam.authenticate(0)
        except PAM.error, e:
            results[-1] = -e.args[1]
    del pam
    expected_results = [-r for r in range(PAM._PAM_RETURN_VALUES)]
    # Going by PAM_CONSTANTS, 25 is PAM_IGNORE and 6 is PAM_PERM_DENIED: the
    # test expects a module returning PAM_IGNORE to reach the application as
    # PAM_PERM_DENIED rather than as success.
    expected_results[25] = -6
    assert_results(expected_results, results)

#
# Test fail_delay.
#
# Module side: only checks that fail_delay() can be called without raising.
def test_fail_delay(results, who, pamh, flags, argv):
    pamh.fail_delay(10)
    return pamh.PAM_SUCCESS

# Application side: nothing is compared; the test passes if no exception
# escapes.
def run_fail_delay(results):
    pam = PAM.pam()
    pam.start(TEST_PAM_MODULE, TEST_PAM_USER, pam_conv)
    pam.authenticate(0)
    del pam

#
# Test raising an exception.
#
def test_exceptions(results, who, pamh, flags, argv):
    if who != pam_sm_end:
        return pamh.PAM_SUCCESS
    #
    # Here we have use of a backdoor put into pam_python.c specifically
    # for testing raising exceptions. Oddly, normally PAM should never
    # return anything other than PAM_SUCCESS to anything pam_python.c
    # calls.
    #
    # NOTE(review): the hook is selected by passing debug_magic + err to
    # pamh.strerror().  pam_python.c is not shown here, so confirm that the
    # hook does nothing beyond raising the requested error when it is present
    # in a release build.
    debug_magic = 0x4567abcd
    results.append(pamh._PAM_RETURN_VALUES)
    for err in range(pamh._PAM_RETURN_VALUES):
        try:
            pamh.strerror(debug_magic + err)
            results.append(err)
        except pamh.exception, e:
            results.append((-e.pam_result,))
    return pamh.PAM_SUCCESS

# Application side: results[0] is the number of return values; code 0 is
# expected to raise nothing, every other code to raise pamh.exception carrying
# that code in pam_result.
def run_exceptions(results):
    pam = PAM.pam()
    pam.start(TEST_PAM_MODULE, TEST_PAM_USER, pam_conv)
    pam.authenticate(0)
    del pam
    expected_results = [results[0], 0]
    expected_results += [(-r,) for r in range(1, results[0])]
    assert_results(expected_results, results)

#
# Test absent entry point.
#
# Module side: during authenticate, delete every other entry point from this
# module's globals so that later PAM calls find nothing to invoke.
def test_absent(results, who, pamh, flags, argv):
    results.append(who.func_name)
    if who != pam_sm_authenticate:
        return pamh.PAM_SUCCESS
    global pam_sm_acct_mgmt; del pam_sm_acct_mgmt
    global pam_sm_setcred; del pam_sm_setcred
    global pam_sm_open_session; del pam_sm_open_session
    global pam_sm_close_session; del pam_sm_close_session
    global pam_sm_chauthtok; del pam_sm_chauthtok
    return pamh.PAM_SUCCESS

# Application side: each call into a missing entry point must fail with an
# error (code 2, listed in PAM_CONSTANTS as PAM_SYMBOL_ERR) rather than being
# treated as success.
def run_absent(results):
    pam = PAM.pam()
    pam.start(TEST_PAM_MODULE, TEST_PAM_USER, pam_conv)
    pam.authenticate(0)
    funcs = (
        pam.acct_mgmt,
        pam.setcred,
        pam.open_session,
        pam.close_session,
        pam.chauthtok
    )
    for func in funcs:
        try:
            func(0)
            exception = None
        except Exception, e:
            exception = e
        # Recorded as (class name, message) so it compares as plain strings.
        results.append((exception.__class__.__name__, str(exception)))
    del pam
    expected_results = [
        'pam_sm_authenticate',
        ('error', "('Symbol not found', 2)"),
        ('error', "('Symbol not found', 2)"),
        ('error', "('Symbol not found', 2)"),
        ('error', "('Symbol not found', 2)"),
        ('error', "('Symbol not found', 2)"),
    ]
    assert_results(expected_results, results)

#
# Entry point.
#
# Runs every test in a fixed order; argv is accepted but not used.
def main(argv):
    run_test(run_basic_calls)
    run_test(run_constants)
    run_test(run_environment)
    run_test(run_strerror)
    run_test(run_items)
    run_test(run_xauthdata)
    run_test(run_no_sm_end)
    run_test(run_conv)
    run_test(run_pamerr)
    run_test(run_fail_delay)
    run_test(run_exceptions)
    run_test(run_absent)

#
# If run from Python run the test suite. Otherwise we are being used
# as a real PAM module presumably from ctest, so just make every call
# return success.
639 | # 640 | if __name__ == "__main__": 641 | import PAM 642 | main(sys.argv) 643 | --------------------------------------------------------------------------------