[ https://issues.apache.org/jira/browse/RANGER-1187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Qiang Zhang updated RANGER-1187:
--------------------------------
    Attachment: 0001-RANGER-1187-call-pam_end-before-exit.patch

Review request: https://reviews.apache.org/r/53259/
Solution: When authentication fails, call pam_end before exit.

> In pamCredValidator.c, pam_end() is not called if authentication fails.
> -----------------------------------------------------------------------
>
>                 Key: RANGER-1187
>                 URL: https://issues.apache.org/jira/browse/RANGER-1187
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: zhangqiang
>            Assignee: Qiang Zhang
>            Priority: Minor
>         Attachments: 0001-RANGER-1187-call-pam_end-before-exit.patch
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> In the main method of the C file
> "\incubator-ranger\unixauthpam\src\main\c\pamCredValidator.c",
> when authentication fails, pam_end() is not called before exit(1),
> which results in the PAM transaction not being closed.
> The pam_end() function terminates a PAM transaction and destroys the
> corresponding PAM context, releasing all resources allocated to it.
>
> int main(int ac, char **av, char **ev)
> {
>       char username[64] ;
>       char password[64] ;
>       char line[512] ;
>       int retval;
>       pam_handle_t *pamh = NULL;
>       fgets(line,512,stdin) ;
>       sscanf(line, "LOGIN:%s %s",username,password) ;
>       conv.appdata_ptr = (char *) password;
>       retval = pam_start("ranger-remote", username, &conv, &pamh);
>       if (retval != PAM_SUCCESS) {
>               /* why expose this? */
>               fprintf(stdout, "FAILED: [%s] does not exists.\n", username) ;
>               exit(1);
>       }
>       retval = pam_authenticate(pamh, 0);
>       if (retval != PAM_SUCCESS) {
>               fprintf(stdout, "FAILED: Password did not match.\n") ;
>               exit(1);
>       }
>       /* authorize */
>       retval = pam_acct_mgmt(pamh, 0);
>       if (retval != PAM_SUCCESS) {
>               fprintf(stdout, "FAILED: [%s] is not authorized.\n", username) ;
>               exit(1);
>       }
>       /* establish the requested credentials */
>       if ((retval = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
>               fprintf(stdout, "FAILED: Error setting credentials for [%s].\n", username) ;
>               exit(1);
>       }
>       /* not opening a session, as logout has not been implemented as a remote service */
>       fprintf(stdout, "OK:\n") ;
>       if (pamh) {
>               pam_end(pamh, retval);
>       }
>       exit(0) ;
> }



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
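
The cleanup this issue asks for, as an added example (not Ranger's code and not the attached patch): every failure after a successful start leaves through one label that ends the transaction. The `fake_*` names and `struct fake_pam` are constructed stand-ins for the libpam calls and handle, so the example runs without libpam and can count the end calls.

```c
#include <stdio.h>

/* Constructed stand-ins so the example runs without libpam. In real code the
 * steps are pam_start, pam_authenticate, pam_acct_mgmt, pam_setcred, pam_end. */
enum { FAKE_SUCCESS = 0, FAKE_ERR = 1 };
enum stage { ST_START, ST_AUTH, ST_ACCT, ST_CRED, ST_NONE };

struct fake_pam {
    enum stage fail_at;  /* which step should fail (ST_NONE: all succeed) */
    int open;            /* 1 while the transaction is open */
    int end_calls;       /* how many times fake_end() ran */
    int end_status;      /* status handed to fake_end() */
};

static int fake_step(struct fake_pam *p, enum stage s) {
    return p->fail_at == s ? FAKE_ERR : FAKE_SUCCESS;
}
static int fake_start(struct fake_pam *p, struct fake_pam **handle) {
    if (fake_step(p, ST_START) != FAKE_SUCCESS) return FAKE_ERR;
    p->open = 1; *handle = p;
    return FAKE_SUCCESS;
}
static void fake_end(struct fake_pam *h, int status) {
    h->open = 0; h->end_calls++; h->end_status = status;
}

/* Same step order as main() in the report; returns the process exit code.
 * Every path after a successful start leaves through the cleanup label. */
int validate(struct fake_pam *p) {
    struct fake_pam *h = NULL;
    const char *msg = "OK:";
    int retval = fake_start(p, &h);
    /* If start fails no handle exists, so there is nothing to end. */
    if (retval != FAKE_SUCCESS) { puts("FAILED: could not start."); return 1; }
    if ((retval = fake_step(h, ST_AUTH)) != FAKE_SUCCESS) { msg = "FAILED: Password did not match."; goto done; }
    if ((retval = fake_step(h, ST_ACCT)) != FAKE_SUCCESS) { msg = "FAILED: not authorized."; goto done; }
    if ((retval = fake_step(h, ST_CRED)) != FAKE_SUCCESS) { msg = "FAILED: Error setting credentials."; goto done; }
done:
    puts(msg);
    fake_end(h, retval);  /* runs on success and on every failure path */
    return retval == FAKE_SUCCESS ? 0 : 1;
}

int main(void) {
    struct fake_pam p = { ST_AUTH, 0, 0, 0 };  /* constructed: authentication fails */
    int rc = validate(&p);
    printf("exit=%d end_calls=%d open=%d\n", rc, p.end_calls, p.open);
    return 0;
}
```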
