zhangqiang created RANGER-1187:
----------------------------------
Summary: In pamCredValidator.c, pam_end() is not called if
authentication fails.
Key: RANGER-1187
URL: https://issues.apache.org/jira/browse/RANGER-1187
Project: Ranger
Issue Type: Bug
Components: Ranger
Affects Versions: Ranger
Reporter: zhangqiang
Priority: Minor
Fix For: Ranger
In main method of C file
"\incubator-ranger\unixauthpam\src\main\c\pamCredValidator.c",
when authentication fails, pam_end() is not called before exit(1),
which result in PAM transaction is not closed.
The pam_end() function terminates a PAM transaction and destroys the
corresponding PAM context, releasing all resources allocated to it.
int main(int ac, char **av, char **ev)
{
char username[64] ;
char password[64] ;
char line[512] ;
int retval;
pam_handle_t *pamh = NULL;
fgets(line,512,stdin) ;
sscanf(line, "LOGIN:%s %s",username,password) ;
conv.appdata_ptr = (char *) password;
retval = pam_start("ranger-remote", username, &conv, &pamh);
if (retval != PAM_SUCCESS) {
/* why expose this? */
fprintf(stdout, "FAILED: [%s] does not exists.\n", username) ;
exit(1);
}
retval = pam_authenticate(pamh, 0);
if (retval != PAM_SUCCESS) {
fprintf(stdout, "FAILED: Password did not match.\n") ;
exit(1);
}
/* authorize */
retval = pam_acct_mgmt(pamh, 0);
if (retval != PAM_SUCCESS) {
fprintf(stdout, "FAILED: [%s] is not authorized.\n", username) ;
exit(1);
}
/* establish the requested credentials */
if ((retval = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
fprintf(stdout, "FAILED: Error setting credentials for
[%s].\n", username) ;
exit(1);
}
/* not opening a session, as logout has not been implemented as a
remote service */
fprintf(stdout, "OK:\n") ;
if (pamh) {
pam_end(pamh, retval);
}
exit(0) ;
}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
