Hi folks,

looking into rlm_pam, I noticed that pam_end is always called with the result_code = PAM_SUCCESS, even when the user is not authenticated. This is a mistake when a PAM module uses some internal data via the pam_set_data/pam_get_data calls.

Taken from http://www.it.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules-2.html#ss2.1

".. The function cleanup() is associated with the data and, if non-NULL, it is called when this data is over-written or following a call to pam_end() (see the Linux-PAM Application Developers' Guide).

The error_status argument is used to indicate to the module the sort of action it is to take in cleaning this data item. As an example, Kerberos creates a ticket file during the authentication phase, this file might be associated with a data item. When pam_end() is called by the module, the error_status carries the return value of the pam_authenticate() or other libpam function as appropriate. Based on this value the Kerberos module may choose to delete the ticket file (authentication failure) or leave it in place."

A correct use of pam_end is shown at http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-8.html

Hope this helps. Attached is a patch to solve the problem.

-- 
Massimiliano Liccardo (maX) <[EMAIL PROTECTED]>
jid:[EMAIL PROTECTED]
GnuPG public key available on wwwkeys.eu.pgp.net
Key fingerprint: 992D 91B7 9682 9735 12C9 402D AD3F E4BB D01F 1CAD
"speed leads to forgetting, slowness to remembering"

--- rlm_pam.c.orig 2003-07-11 21:51:34.000000000 +0200
+++ rlm_pam.c 2003-11-26 20:15:26.000000000 +0100
@@ -204,7 +204,7 @@
if (retval != PAM_SUCCESS) {
DEBUG("pam_pass: function pam_authenticate FAILED for <%s>. Reason: %s",
name, pam_strerror(pamh, retval));
- pam_end(pamh, 0);
+ pam_end(pamh, retval);
return -1;
}
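Review bot: the new pam_end(pamh, retval) call in the pam_authenticate failure branch carries no comment saying why the status is passed through, so a later cleanup could easily turn it back into 0. A one-line comment above the call, noting that cleanup callbacks registered with pam_set_data receive this value as error_status, would document the intent. The return value of pam_end is also still discarded here; logging it with DEBUG when it is not PAM_SUCCESS would make a failed teardown visible.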
@@ -217,13 +217,13 @@
if (retval != PAM_SUCCESS) {
DEBUG("pam_pass: function pam_acct_mgmt FAILED for <%s>. Reason: %s",
name, pam_strerror(pamh, retval));
- pam_end(pamh, 0);
+ pam_end(pamh, retval);
return -1;
}
#endif
DEBUG("pam_pass: authentication succeeded for <%s>", name);
- pam_end(pamh, 0);
+ pam_end(pamh, PAM_SUCCESS);
return 0;
}
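Review bot: the last change in this hunk, on the success path, replaces pam_end(pamh, 0) with pam_end(pamh, PAM_SUCCESS), which is a readability change only because PAM_SUCCESS is 0 in Linux-PAM; the commit message should say so, so that it is not read as a behaviour fix like the pam_acct_mgmt branch above it. Since retval already holds PAM_SUCCESS at that point, passing retval there as well would keep all three call sites uniform. The pam_authenticate and pam_acct_mgmt failure branches now share the same DEBUG, pam_end(pamh, retval), return -1 sequence, which could be folded into a single exit path.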
