Attachment 3445 Details for Bug 3210 – pam: Correctly handle errors from pam_acct_mgmt

pam: Correctly handle errors from pam_acct_mgmt

file_3210.txt (text/plain), 1.60 KB, created by Jakub Jelen on 2020-09-08 21:18:20 AEST

(hide)

Description:

Filename:

MIME Type:

Creator: Jakub Jelen

Created: 2020-09-08 21:18:20 AEST

Size: 1.60 KB

patch

obsolete

>commit 0108076deb6befd91bff6691a30ba12402950fbc
>Author: Jakub Jelen <jjelen@redhat.com>
>Date:   Mon Sep 7 16:28:48 2020 +0200
>
>    pam: Correctly handle errors from pam_acct_mgmt
>
>diff --git a/auth-pam.c b/auth-pam.c
>index 83238215..24d702fa 100644
>--- a/auth-pam.c
>+++ b/auth-pam.c
>@@ -523,7 +523,10 @@ sshpam_thread(void *ctxtp)
> 		goto auth_fail;
> 
> 	if (!do_pam_account()) {
>-		sshpam_err = PAM_ACCT_EXPIRED;
>+		/* Do not override error if already set */
>+		if (sshpam_err == PAM_SUCCESS) {
>+			sshpam_err = PAM_ACCT_EXPIRED;
>+		}
> 		goto auth_fail;
> 	}
> 	if (sshpam_authctxt->force_pwchange) {
>@@ -580,8 +583,10 @@ sshpam_thread(void *ctxtp)
> 	    pam_strerror(sshpam_handle, sshpam_err))) != 0)
> 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
> 	/* XXX - can't do much about an error here */
>-	if (sshpam_err == PAM_ACCT_EXPIRED)
>-		ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, buffer);
>+	if (sshpam_err == PAM_PERM_DENIED
>+		|| sshpam_err == PAM_USER_UNKNOWN
>+		|| sshpam_err == PAM_ACCT_EXPIRED)
>+		ssh_msg_send(ctxt->pam_csock, sshpam_err, buffer);
> 	else if (sshpam_maxtries_reached)
> 		ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, buffer);
> 	else
>@@ -870,10 +875,12 @@ sshpam_query(void *ctx, char **name, char **info,
> 			plen++;
> 			free(msg);
> 			break;
>+		case PAM_USER_UNKNOWN:
>+		case PAM_PERM_DENIED:
> 		case PAM_ACCT_EXPIRED:
>+			sshpam_account_status = 0;
>+			/* FALLTHROUGH */
> 		case PAM_MAXTRIES:
>-			if (type == PAM_ACCT_EXPIRED)
>-				sshpam_account_status = 0;
> 			if (type == PAM_MAXTRIES)
> 				sshpam_set_maxtries_reached(1);
> 			/* FALLTHROUGH */

Actions: View

Attachments on bug 3210: 3445 | 3545