I am writing a module that is stacked below pam_unix in order to have access to PAM_OLDAUTHTOK and PAM_AUTHTOK after a password change. Normally, this works great: a non-null PAM_AUTHTOK is passed down the stack only upon a successful password change. However, in certain situations, a non-null PAM_AUTHTOK is passed down the stack after a failed password change.

For example, using a module which simply prints out PAM_OLDAUTHTOK and PAM_AUTHTOK and is stacked below pam_unix, we can see the following exchange:

    [user@redhat72 user]$ passwd
    Changing password for user
    (current) UNIX password: [password]
    stacked module: old authtok obtained for user user: password
    stacked module: new authtok obtained for user user: (null)
    Enter new UNIX password: [a]
    Retype new UNIX password: [a]
    You must choose a longer password
    Enter new UNIX password: [a]
    Retype new UNIX password: [a]
    You must choose a longer password
    Enter new UNIX password: [a]
    Retype new UNIX password: [a]
    You must choose a longer password
    stacked module: old authtok obtained for user user: arrowhead
    stacked module: new authtok obtained for user user: a
    passwd: Authentication token manipulation error

So, here the stacked module thinks that the password has been successfully changed to "a", when it, in fact, has not.

I went into the code and discovered that the problem was pam_sm_chauthtok() calls _unix_read_password(), which sets PAM_AUTHTOK to the new password, but pam_sm_chauthtok() does not set it back to NULL if a subsequent error occurs (e.g. _pam_unix_approve_pass() fails).

I have attached a patch which fixes this problem by setting PAM_AUTHTOK to NULL before returning such an error.

Matt

(note: patch is based on revision 1.12 of pam_unix_passwd.c)

Attachment: pam_unix_passwd.diff
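
A simplified model of the behaviour described in the message above, added here as an illustration; it is not part of the original post, not libpam and not pam_unix source. The struct, function names, length policy and sample passwords are assumptions, and only the ordering follows the post: the token is stored when it is read, approval happens afterwards, and the fix resets the token before the error is returned.

```c
/* Simplified model of the PAM_AUTHTOK hand-off; not libpam, not pam_unix source. */
#include <stdio.h>
#include <string.h>

#define OK 0
#define AUTHTOK_ERR 1                      /* stands in for PAM_AUTHTOK_ERR */
#define MAX_TRIES 3                        /* three prompts, as in the transcript */

struct handle { const char *authtok; };    /* stands in for the PAM_AUTHTOK item */

/* Hypothetical policy: reject candidates shorter than 6 characters. */
static int approve_pass(const char *pw) { return strlen(pw) >= 6 ? OK : AUTHTOK_ERR; }

/* Models the upstream module: each candidate is stored in the handle before
 * it is approved. clear_on_error selects the behaviour the post's fix adds. */
static int upstream_chauthtok(struct handle *h, const char *const *tries, int clear_on_error)
{
    int rc = AUTHTOK_ERR;
    for (int i = 0; i < MAX_TRIES && tries[i] != NULL && rc != OK; i++) {
        h->authtok = tries[i];             /* set on read, before any check */
        rc = approve_pass(tries[i]);
    }
    if (rc != OK && clear_on_error)
        h->authtok = NULL;                 /* reset before returning the error */
    return rc;
}

/* Models the stacked module: it sees the item, not the upstream return code. */
static const char *observe(const char *const *tries, int clear_on_error)
{
    struct handle h = { NULL };
    (void)upstream_chauthtok(&h, tries, clear_on_error);
    return h.authtok;
}

static const char *const REJECTED[] = { "a", "a", "a", NULL };            /* constructed */
static const char *const ACCEPTED[] = { "a", "longer-passphrase", NULL }; /* constructed */

int main(void)
{
    const char *u = observe(REJECTED, 0), *p = observe(REJECTED, 1);
    printf("unpatched, all rejected:  %s\n", u ? u : "(null)");
    printf("patched,   all rejected:  %s\n", p ? p : "(null)");
    printf("patched,   second try ok: %s\n", observe(ACCEPTED, 1));
    return 0;
}
```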