On 25.10.24 at 13:32, Jeremy Harris via Exim-users wrote:
> On 25/10/2024 11:22, Frank Richter via Exim-users wrote:
>> Oh well … now how to avoid this? Is this a workaround:
>> server_condition = "${if pam{$auth2:<:${sg{$auth3}{:}{::}}}{yes}{no}}"
> Almost. You need
> pam{<: $auth2:${sg{$auth3}{:}{::}}
> since the list-sep specification has to lead the list content
> (per the documentation. Do not rely on current behaviour,
> where setting it part-way through a list happens to work; the
> implementation could change in a future release.)
> Note that this also changes the interpretation of usernames
> that start with a "<". I hope you have none such...
> Also, the docs suggest a "listquote" rather than the "sg"
> you have for dealing with colons embedded in the string,
> giving
> pam{<: $auth2:${listquote{:}{$auth3}}
> It could be argued that the "listquote" expansion item should
> itself handle a leading "<" - but that would not work for cases
> like this where we're dealing with a non-first list member.
> Maybe we need another way of building lists; eg.
> pam{ ${listmake {:}{$auth2}{$auth3}{third_element}{last_element}} }
Thanks.
This works:
server_condition = ${if pam{$auth2:<:${listquote{:}{$auth3}}}}
11:36:53 1940682 ╭considering: ${if pam{$auth2:<:${listquote{:}{$auth3}}}}
11:36:53 1940682 ╭considering: $auth2:<:${listquote{:}{$auth3}}}}
11:36:53 1940682 ╭considering: :}{$auth3}}}}
11:36:53 1940682 ├──expanding: :
11:36:53 1940682 ╰─────result: :
11:36:53 1940682 ╭considering: $auth3}}}}
11:36:53 1940682 ├──expanding: $auth3
11:36:53 1940682 ╰─────result: <#My
11:36:53 1940682 ╰──(tainted)
11:36:53 1940682 ├──expanding: $auth2:<:${listquote{:}{$auth3}}
11:36:53 1940682 ╰─────result: fri-test2:<:<#My
11:36:53 1940682 ╰──(tainted)
11:36:53 1940682 Running PAM authentication for user "fri-test2"
11:36:53 1940682 PAM success
But this doesn't work:
server_condition = ${if pam{<: $auth2:${listquote{:}{$auth3}}}}
11:41:22 1940842 ╭considering: ${if pam{<: $auth2:${listquote{:}{$auth3}}}}
11:41:22 1940842 ╭considering: <: $auth2:${listquote{:}{$auth3}}}}
11:41:22 1940842 ╭considering: :}{$auth3}}}}
11:41:22 1940842 ├──expanding: :
11:41:22 1940842 ╰─────result: :
11:41:22 1940842 ╭considering: $auth3}}}}
11:41:22 1940842 ├──expanding: $auth3
11:41:22 1940842 ╰─────result: <#My
11:41:22 1940842 ╰──(tainted)
11:41:22 1940842 ├──expanding: <: $auth2:${listquote{:}{$auth3}}
11:41:22 1940842 ╰─────result: <: fri-test2:<#My
11:41:22 1940842 ╰──(tainted)
11:41:22 1940842 Running PAM authentication for user "fri-test2"
11:41:22 1940842 PAM error: Authentication failure
I think this is a special thing with pam … IMHO it has to do with how the PAM
module gets the password (callback function?). I can send some output from gdb …
Frank
--
Frank Richter, Chemnitz University of Technology, Germany
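
Added illustration (not part of either message and not taken from Exim's source): a simplified Python model of Exim list-item extraction, applied to the two expansion results shown in the debug output above. The names `next_item` and `pam_args` are hypothetical, and `callback_resets_sep` encodes an assumption in line with the callback suspicion above: that the PAM conversation callback fetches its item with the separator undecided, so a leading `<` plus punctuation is read again as a separator change.

```python
import string

def next_item(s, sep):
    """Simplified Exim list rules: return (item, rest, sep).

    sep=None means "undecided": a leading '<' plus a punctuation character
    selects that character as separator, otherwise ':' is used."""
    s = s.lstrip()
    if sep is None:
        if len(s) >= 2 and s[0] == "<" and s[1] in string.punctuation:
            sep, s = s[1], s[2:].lstrip()
        else:
            sep = ":"
    out, i = [], 0
    while i < len(s):
        if s[i] == sep:
            if s[i + 1:i + 2] == sep:      # doubled separator: one literal char
                out.append(sep)
                i += 2
                continue
            return "".join(out).rstrip(), s[i + 1:], sep
        out.append(s[i])
        i += 1
    return "".join(out).rstrip(), "", sep

def pam_args(expanded, callback_resets_sep):
    """Return (user, item offered at the first PAM prompt)."""
    user, rest, sep = next_item(expanded, None)
    # ASSUMPTION (not confirmed on this page): the conversation callback
    # starts its fetch with the separator undecided again.
    secret, _, _ = next_item(rest, None if callback_resets_sep else sep)
    return user, secret

# Expansion results copied from the debug output in the message above.
WORKS = "fri-test2:<:<#My"
FAILS = "<: fri-test2:<#My"

if __name__ == "__main__":
    for expanded in (WORKS, FAILS):
        for resets in (True, False):
            print(f"{expanded!r:22} resets={resets!s:5} -> {pam_args(expanded, resets)}")
```

Under that assumption the first form hands PAM `<#My` and the second hands it `My`, which matches the success and the failure logged above; with a separator that persisted across fetches the outcomes would be reversed.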