Bug 3008

Summary:

pam_putenv used regardless of whether or not it is available

Product:

Portable OpenSSH

Reporter:

The Written Word <bugs-openssh>

Component:

PAM support

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

CLOSED FIXED

Severity:

normal

CC:

djm, dtucker

Priority:

Version:

8.0p1

Hardware:

HPPA

OS:

HP-UX

Bug Depends on:

Bug Blocks:

2988

Attachments:

Description	Flags
Possible patch	none
Add no-op implementation of pam_putenv	djm: ok+

Description The Written Word 2019-05-14 08:00:18 AEST

configure.ac has:
                        AC_CHECK_FUNCS([pam_putenv])

yet auth-pam.c uses pam_putenv regardless:
        if (sshpam_rhost != NULL) {
                debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost);
                sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST,
                    sshpam_rhost);
                if (sshpam_err != PAM_SUCCESS) {
                        pam_end(sshpam_handle, sshpam_err);
                        sshpam_handle = NULL;
                        return (-1);
                }
                /* Put SSH_CONNECTION in the PAM environment too */
                pam_putenv(sshpam_handle, sshpam_conninfo);
        }

This is despite earlier uses of pam_putenv being wrapped with #ifdef HAVE_PAM_PUTENV:
#ifdef HAVE_PAM_PUTENV
                /* Errors are not fatal here */
                if ((r = pam_putenv(sshpam_handle, env)) != PAM_SUCCESS) {
                        error("PAM: pam_putenv: %s",
                            pam_strerror(sshpam_handle, r));
                }
#endif

Comment 1 The Written Word 2019-05-14 08:03:09 AEST

Created attachment 3281 [details]
Possible patch

Comment 2 Darren Tucker 2019-05-14 10:59:01 AEST

Created attachment 3282 [details]
Add no-op implementation of pam_putenv

I think we would be better off adding a no-op implementation of pam_putenv similar to what we already do with pam_getenvlist.

Your diff has some other unrelated changes in configure.ac, what's the deal with those?

Comment 3 The Written Word 2019-05-14 11:01:12 AEST

(In reply to Darren Tucker from comment #2)
> Created attachment 3282 [details]
> Add no-op implementation of pam_putenv
> 
> I think we would be better off adding a no-op implementation of
> pam_putenv similar to what we already do with pam_getenvlist.
> 
> Your diff has some other unrelated changes in configure.ac, what's
> the deal with those?

Oops, my bad. Internal changes. Let me test your patch on our HP-UX systems.

Comment 4 Darren Tucker 2019-05-17 13:25:54 AEST

Thanks for the report.  Patch (attachment #3282 [details]) has been committed and will be in the next release.  I'm pretty sure that will resolve it, but if you discover any problems please reopen.

Comment 5 Damien Miller 2021-04-23 15:00:56 AEST

closing resolved bugs as of 8.6p1 release