Hi,
This patch logs a message if getspnam() fails which, notably, happens if
the PAM using process does not have permissions to read /etc/shadow. As
such, this message serves debugging and security notification purposes.
Thanks,
Matthew W.S. Bell
---
diff -wruN pam-1.0.1/libpam/pam_modutil_getspnam.c pam-1.0.1.new/libpam/pam_modutil_getspnam.c
--- pam-1.0.1/libpam/pam_modutil_getspnam.c 2007-08-30 05:00:39.000000000 +0100
+++ pam-1.0.1.new/libpam/pam_modutil_getspnam.c 2009-08-12 05:45:00.000000000 +0100
@@ -14,6 +14,7 @@
#include <shadow.h>
#include <stdio.h>
#include <stdlib.h>
+#include <syslog.h>
static int intlen(int number)
{
@@ -100,6 +101,7 @@
return NULL;
} else if (errno != ERANGE && errno != EINTR) {
+ pam_syslog(pamh, LOG_ERR, "getspnam_r(): Failed to get shadow password entry");
/* no sense in repeating the call */
break;
}
@@ -115,13 +117 ,14 @@
return NULL;
#else /* ie. ifndef HAVE_GETSPNAM_R */
-
/*
* Sorry, there does not appear to be a reentrant version of
* getspnam(). So, we use the standard libc function.
*/
+ void *spwd = getspnam(user);
+ if (!spwd)
+ pam_syslog(pamh, LOG_ERR, "getspnam(): Failed to get shadow password entry");
+ return spwd;
- return getspnam(user);
-
#endif /* def HAVE_GETSPNAM_R */
}
---
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
