On Thu, Sep 06, 2007 at 02:28:49PM +0800, Yu Zhiguo wrote:
> chsh will use PAM transaction if macros 'REQUIRE_PASSWORD' and
> 'HAVE_SECURITY_PAM_MISC_H' are defined, but there is no pam_end function be
> used when the PAM transaction be terminated.
You're right, but I did some small changes to your patch.
> +#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
> + puts(_("Password error.")); \
> + pam_end(pamh, retcode); exit(1); \
> +}
> #endif
yes, I know it's from login.c, but I'm sick when I see this kind of
macros...
Please, see the patch below. I've committed same changes for chfn(1).
Thanks.
Karel
commit f41aff5a6799299f04989c1b9a89c43018aecb1a
Author: Yu Zhiguo <yuzg@xxxxxxxxxxxxxx>
Date: Thu Sep 6 14:28:49 2007 +0800
chsh: should use pam_end function to terminate the PAM transaction
chsh will use PAM transaction if macros 'REQUIRE_PASSWORD' and
'HAVE_SECURITY_PAM_MISC_H' are defined, but there is no pam_end function be
used when the PAM transaction be terminated.
This patch also cleanup PAM code in chsh(1).
Signed-off-by: Yu Zhiguo <yuzg@xxxxxxxxxxxxxx>
Co-Author: Karel Zak <kzak@xxxxxxxxxx>
Signed-off-by: Karel Zak <kzak@xxxxxxxxxx>
diff --git a/login-utils/chsh.c b/login-utils/chsh.c
index 15733a2..430a34b 100644
--- a/login-utils/chsh.c
+++ b/login-utils/chsh.c
@@ -46,7 +46,17 @@
#if defined(REQUIRE_PASSWORD) && defined(HAVE_SECURITY_PAM_MISC_H)
#include <security/pam_appl.h>
#include <security/pam_misc.h>
-#endif
+
+#define PAM_FAIL_CHECK(_ph, _rc) \
+ do { \
+ if ((_rc) != PAM_SUCCESS) { \
+ fprintf(stderr, "\n%s\n", pam_strerror((_ph), (_rc))); \
+ pam_end((_ph), (_rc)); \
+ exit(1); \
+ } \
+ } while(0)
+
+#endif /* PAM */
#ifdef HAVE_LIBSELINUX
#include <selinux/selinux.h>
@@ -86,11 +96,6 @@ main (int argc, char *argv[]) {
uid_t uid;
struct sinfo info;
struct passwd *pw;
-#if defined(REQUIRE_PASSWORD) && defined(HAVE_SECURITY_PAM_MISC_H)
- pam_handle_t *pamh = NULL;
- int retcode;
- struct pam_conv conv = { misc_conv, NULL };
-#endif
sanitize_env();
setlocale(LC_ALL, "");
@@ -174,27 +179,31 @@ main (int argc, char *argv[]) {
#ifdef REQUIRE_PASSWORD
#ifdef HAVE_SECURITY_PAM_MISC_H
if(uid != 0) {
- if (pam_start("chsh", pw->pw_name, &conv, &pamh)) {
- puts(_("Password error."));
- exit(1);
- }
- if (pam_authenticate(pamh, 0)) {
- puts(_("Password error."));
+ pam_handle_t *pamh = NULL;
+ struct pam_conv conv = { misc_conv, NULL };
+ int retcode;
+
+ retcode = pam_start("chsh", pw->pw_name, &conv, &pamh);
+ if(retcode != PAM_SUCCESS) {
+ fprintf(stderr, _("chsh: PAM Failure, aborting: %s\n"),
+ pam_strerror(pamh, retcode));
exit(1);
}
- retcode = pam_acct_mgmt(pamh, 0);
- if (retcode == PAM_NEW_AUTHTOK_REQD)
+
+ retcode = pam_authenticate(pamh, 0);
+ PAM_FAIL_CHECK(pamh, retcode);
+
+ retcode = pam_acct_mgmt(pamh, 0);
+ if (retcode == PAM_NEW_AUTHTOK_REQD)
retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
- if (retcode) {
- puts(_("Password error."));
- exit(1);
- }
- if (pam_setcred(pamh, 0)) {
- puts(_("Password error."));
- exit(1);
- }
- /* no need to establish a session; this isn't a session-oriented
- * activity... */
+ PAM_FAIL_CHECK(pamh, retcode);
+
+ retcode = pam_setcred(pamh, 0);
+ PAM_FAIL_CHECK(pamh, retcode);
+
+ pam_end(pamh, 0);
+ /* no need to establish a session; this isn't a session-oriented
+ * activity... */
}
#else /* HAVE_SECURITY_PAM_MISC_H */
/* require password, unless root */
-
To unsubscribe from this list: send the line "unsubscribe util-linux-ng" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
