zhangqiang created RANGER-1187:
----------------------------------

             Summary: In pamCredValidator.c, pam_end() is not called if authentication fails.
                 Key: RANGER-1187
                 URL: https://issues.apache.org/jira/browse/RANGER-1187
             Project: Ranger
          Issue Type: Bug
          Components: Ranger
    Affects Versions: Ranger
            Reporter: zhangqiang
            Priority: Minor
             Fix For: Ranger

In the main method of the C file "\incubator-ranger\unixauthpam\src\main\c\pamCredValidator.c", when authentication fails, pam_end() is not called before exit(1), which results in the PAM transaction not being closed.

The pam_end() function terminates a PAM transaction and destroys the corresponding PAM context, releasing all resources allocated to it.

    int main(int ac, char **av, char **ev)
    {
        char username[64] ;
        char password[64] ;
        char line[512] ;

        int retval;
        pam_handle_t *pamh = NULL;

        fgets(line,512,stdin) ;
        sscanf(line, "LOGIN:%s %s",username,password) ;
        conv.appdata_ptr = (char *) password;

        retval = pam_start("ranger-remote", username, &conv, &pamh);
        if (retval != PAM_SUCCESS) {
            /* why expose this? */
            fprintf(stdout, "FAILED: [%s] does not exists.\n", username) ;
            exit(1);
        }

        retval = pam_authenticate(pamh, 0);
        if (retval != PAM_SUCCESS) {
            fprintf(stdout, "FAILED: Password did not match.\n") ;
            exit(1);
        }

        /* authorize */
        retval = pam_acct_mgmt(pamh, 0);
        if (retval != PAM_SUCCESS) {
            fprintf(stdout, "FAILED: [%s] is not authorized.\n", username) ;
            exit(1);
        }

        /* establish the requested credentials */
        if ((retval = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
            fprintf(stdout, "FAILED: Error setting credentials for [%s].\n", username) ;
            exit(1);
        }

        /* not opening a session, as logout has not been implemented as a remote service */
        fprintf(stdout, "OK:\n") ;

        if (pamh) {
            pam_end(pamh, retval);
        }

        exit(0) ;
    }

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
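
The following is an added example, not Ranger's code and not the fix committed for this issue: it shows a single-exit layout in which every failure path reaches the call that closes the transaction. It assumes a constructed stand-in for libpam (`struct fake_pam`, `fake_start`, `fake_step`, `fake_end`), a hypothetical `validate()` in place of the body of `main()`, and a constructed user name, so that it runs without PAM installed.

```c
#include <stdio.h>

/* Constructed stand-in for libpam so the control flow runs without PAM
 * installed. The real code would call pam_start(), pam_authenticate(),
 * pam_acct_mgmt(), pam_setcred() and pam_end() at the same points.
 * Each fake call returns 0 on success and nonzero on failure. */
enum step { S_START, S_AUTH, S_ACCT, S_CRED, S_NONE };
struct fake_pam { enum step fail_at; int open; int end_calls; };

static int fake_step(struct fake_pam *p, enum step s) { return p->fail_at == s; }
static int fake_start(struct fake_pam *p) {
    if (fake_step(p, S_START)) return 1;
    p->open = 1;                    /* a transaction now exists */
    return 0;
}
static void fake_end(struct fake_pam *p) { p->open = 0; p->end_calls++; }

/* Hypothetical replacement for the body of main(): every failure jumps to
 * one cleanup label, so an open transaction is always closed exactly once.
 * Returns the process exit status (0 = authenticated). */
int validate(struct fake_pam *p, const char *username) {
    int status = 1;
    if (fake_start(p)) {
        printf("FAILED: [%s] does not exist.\n", username);
        goto done;
    }
    if (fake_step(p, S_AUTH)) {
        printf("FAILED: Password did not match.\n");
        goto done;
    }
    if (fake_step(p, S_ACCT)) {
        printf("FAILED: [%s] is not authorized.\n", username);
        goto done;
    }
    if (fake_step(p, S_CRED)) {
        printf("FAILED: Error setting credentials for [%s].\n", username);
        goto done;
    }
    printf("OK:\n");
    status = 0;
done:
    if (p->open) fake_end(p);       /* mirrors: if (pamh) pam_end(pamh, retval); */
    return status;
}
int main(void) {
    struct fake_pam p = { S_AUTH, 0, 0 };   /* constructed case: bad password */
    int rc = validate(&p, "alice");
    printf("exit=%d end_calls=%d\n", rc, p.end_calls);
    return rc;
}
```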