Hello, chsh uses a PAM transaction when the macros 'REQUIRE_PASSWORD' and 'HAVE_SECURITY_PAM_MISC_H' are defined, but pam_end() is never called to terminate that transaction, neither on the failure paths (which exit directly) nor after a successful authentication.
This patch can fix this bug.
Signed-off-by: Yu Zhiguo <yuzg@xxxxxxxxxxxxxx>
---
 chsh.c | 36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/login-utils/chsh.c b/login-utils/chsh.c
index 15733a2..eac0a9a 100644
--- a/login-utils/chsh.c
+++ b/login-utils/chsh.c
@@ -46,6 +46,10 @@
 #if defined(REQUIRE_PASSWORD) && defined(HAVE_SECURITY_PAM_MISC_H)
 #include <security/pam_appl.h>
 #include <security/pam_misc.h>
+#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
+ puts(_("Password error.")); \
+ pam_end(pamh, retcode); exit(1); \
+}
 #endif
 
 #ifdef HAVE_LIBSELINUX
@@ -174,27 +178,25 @@ main (int argc, char *argv[]) {
 #ifdef REQUIRE_PASSWORD
 #ifdef HAVE_SECURITY_PAM_MISC_H
 if(uid != 0) {
- if (pam_start("chsh", pw->pw_name, &conv, &pamh)) {
- puts(_("Password error."));
- exit(1);
- }
- if (pam_authenticate(pamh, 0)) {
+ if (pam_start("chsh", pw->pw_name, &conv, &pamh)) {
 puts(_("Password error."));
 exit(1);
 }
- retcode = pam_acct_mgmt(pamh, 0);
- if (retcode == PAM_NEW_AUTHTOK_REQD)
+
+ retcode = pam_authenticate(pamh, 0);
+ PAM_FAIL_CHECK;
+
+ retcode = pam_acct_mgmt(pamh, 0);
+ if (retcode == PAM_NEW_AUTHTOK_REQD)
 retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
- if (retcode) {
- puts(_("Password error."));
- exit(1);
- }
- if (pam_setcred(pamh, 0)) {
- puts(_("Password error."));
- exit(1);
- }
- /* no need to establish a session; this isn't a session-oriented
- * activity... */
+ PAM_FAIL_CHECK;
+
+ retcode = pam_setcred(pamh, 0);
+ PAM_FAIL_CHECK;
+
+ pam_end(pamh, 0);
+ /* no need to establish a session; this isn't a session-oriented
+ * activity... */
 }
 #else /* HAVE_SECURITY_PAM_MISC_H */
 /* require password, unless root */
---
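Review bot: The new PAM_FAIL_CHECK macro on the `+#define` lines is a bare `if` block that depends on `retcode` and `pamh` being declared in the caller's scope and terminates the process on failure, none of which is visible at a use site, and it is not wrapped in `do { ... } while (0)`, so a use such as `if (x) PAM_FAIL_CHECK; else ...` would bind the `else` to the macro's own `if`. I would put a comment above the definition, `/* Requires int retcode and pam_handle_t *pamh in scope; on failure prints an error, ends the PAM transaction with retcode and exits. */`, and wrap the body by changing the first and last lines to `#define PAM_FAIL_CHECK do { if (retcode != PAM_SUCCESS) { \` and `} } while (0)`. Passing the failing status to `pam_end(pamh, retcode)` before `exit(1)` is the right cleanup, since it lets the stacked modules release their state knowing the transaction failed. The macro is only used from the second hunk, so no other caller can be checked against this shape here.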
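Review bot: The `+ if (pam_start("chsh", pw->pw_name, &conv, &pamh)) {` line replaces a removed line whose text reads identically in this copy, which suggests an indentation-only change (whitespace is collapsed here, so this is inferred); keeping the original indentation would drop two lines of churn from a patch whose purpose is the missing pam_end(). On the success path `pam_end(pamh, 0);` relies on PAM_SUCCESS being 0; `pam_end(pamh, PAM_SUCCESS);` states the intent and matches the `retcode != PAM_SUCCESS` test used by the macro. Leaving the pam_start() failure branch without a pam_end() call is correct, because the handle is not valid when pam_start() fails, and the `PAM_FAIL_CHECK` after the pam_chauthtok() path now also catches a failed password change that the old code only caught through the generic `if (retcode)` test. main() begins and ends outside this hunk.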