authorThorsten Kukuk <kukuk@thkukuk.de>2009-02-17 16:34:47 +0000
committerThorsten Kukuk <kukuk@thkukuk.de>2009-02-17 16:34:47 +0000
commit4e53d8d8c64e89a05c24e4a208675f28680f7aa7 (patch)
tree85759b0e8e77d395dfe09d9b2107cf20def058bc
parent7647e004f16fbe9aaca612476d82fe3503d940ea (diff)
Relevant BUGIDs: bugzilla.novell.com#470337
Purpose of commit: bugfix Commit summary: --------------- 2009-02-17 Thorsten Kukuk <kukuk@thkukuk.de> * doc/man/pam_sm_chauthtok.3.xml: Document that sufficient can break the PRELIM_CHECK chain. * libpam/pam_dispatch.c: Don't freeze chain for chauthtok [bugzilla.novell.com#470337]
-rw-r--r--ChangeLog8
-rw-r--r--doc/man/pam_sm_chauthtok.3.xml37
-rw-r--r--libpam/pam_dispatch.c12
3 files changed, 33 insertions, 24 deletions
diff --git a/ChangeLog b/ChangeLog
index fc3ed661..402e54fe 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2009-02-17 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/man/pam_sm_chauthtok.3.xml: Document that sufficient
+ can break the PRELIM_CHECK chain.
+
+ * libpam/pam_dispatch.c: Don't freeze chain for chauthtok
+ [bugzilla.novell.com#470337]
+
2009-02-11 Daniel Nylander <po@danielnylander.se>
* po/sv.po: Updated translations.
diff --git a/doc/man/pam_sm_chauthtok.3.xml b/doc/man/pam_sm_chauthtok.3.xml
index c36a0baf..40ab191e 100644
--- a/doc/man/pam_sm_chauthtok.3.xml
+++ b/doc/man/pam_sm_chauthtok.3.xml
@@ -40,7 +40,7 @@
</citerefentry> interface.
</para>
<para>
- This function is used to (re-)set the authentication token of the user.
+ This function is used to (re-)set the authentication token of the user.
</para>
<para>
Valid flags, which may be logically OR'd with
@@ -60,10 +60,10 @@
<listitem>
<para>
This argument indicates to the module that the users
- authentication token (password) should only be changed if
- it has expired. This flag is optional and
- <emphasis>must</emphasis> be combined with one of the
- following two flags. Note, however, the following two options
+ authentication token (password) should only be changed if
+ it has expired. This flag is optional and
+ <emphasis>must</emphasis> be combined with one of the
+ following two flags. Note, however, the following two options
are <emphasis>mutually exclusive</emphasis>.
</para>
</listitem>
@@ -72,15 +72,20 @@
<term>PAM_PRELIM_CHECK</term>
<listitem>
<para>
- This indicates that the modules are being probed as to
- their ready status for altering the user's authentication
- token. If the module requires access to another system over
- some network it should attempt to verify it can connect to
- this system on receiving this flag. If a module cannot establish
- it is ready to update the user's authentication token it should
+ This indicates that the modules are being probed as to
+ their ready status for altering the user's authentication
+ token. If the module requires access to another system over
+ some network it should attempt to verify it can connect to
+ this system on receiving this flag. If a module cannot establish
+ it is ready to update the user's authentication token it should
return <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, this
information will be passed back to the application.
</para>
+ <para>
+ If the control value <emphasis>sufficient</emphasis> is used in
+ the password stack, the <emphasis>PAM_PRELIM_CHECK</emphasis> section
+ of the modules following that control value is not always executed.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
@@ -89,18 +94,18 @@
<para>
This informs the module that this is the call it should change
the authorization tokens. If the flag is logically OR'd with
- <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the
+ <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the
token is only changed if it has actually expired.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>
- The PAM library calls this function twice in succession. The first
- time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then,
- if the module does not return
+ The PAM library calls this function twice in succession. The first
+ time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then,
+ if the module does not return
<emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, subsequently with
- <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on
+ <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on
the second call that the authorization token is (possibly) changed.
</para>
</refsect1>
diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c
index 42482573..98c69c60 100644
--- a/libpam/pam_dispatch.c
+++ b/libpam/pam_dispatch.c
@@ -132,11 +132,10 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
}
/*
- * use_cached_chain is how we ensure that the setcred/close_session
- * and chauthtok(2) modules are called in the same order as they did
- * when they were invoked as auth/open_session/chauthtok(1). This
- * feature was added in 0.75 to make the behavior of pam_setcred
- * sane. It was debugged by release 0.76.
+ * use_cached_chain is how we ensure that the setcred and
+ * close_session modules are called in the same order as they did
+ * when they were invoked as auth/open_session. This feature was
+ * added in 0.75 to make the behavior of pam_setcred sane.
*/
if (use_cached_chain != _PAM_PLEASE_FREEZE) {
@@ -358,9 +357,6 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
break;
case PAM_CHAUTHTOK:
h = pamh->handlers.conf.chauthtok;
- if (flags & PAM_UPDATE_AUTHTOK) {
- use_cached_chain = _PAM_MUST_BE_FROZEN;
- }
break;
default:
pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
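Review bot: The `case PAM_CHAUTHTOK:` arm now leaves use_cached_chain unfrozen without any comment saying why chauthtok is treated differently from setcred/close_session, and the rewritten comment in the earlier hunk of this file mentions only those two, so the design decision behind this bugfix is not recorded anywhere in pam_dispatch.c. With the freeze gone the PAM_UPDATE_AUTHTOK pass is dispatched with the live control values rather than replaying the PAM_PRELIM_CHECK walk, which is what the added man-page paragraph is warning about: a module after a `sufficient` entry can receive PAM_UPDATE_AUTHTOK without ever having been given PAM_PRELIM_CHECK, so module authors must not treat the prelim call as a guaranteed setup hook. I would state that at the code site, e.g. `/* not frozen: the UPDATE_AUTHTOK pass re-walks the stack with live control values, so modules after a 'sufficient' may see UPDATE without a prior PRELIM_CHECK; see pam_sm_chauthtok(3) [bugzilla.novell.com#470337] */` above `h = pamh->handlers.conf.chauthtok;`. If any other site still sets or tests a frozen chain for chauthtok it should be checked against this change, but nothing visible in the hunk shows one. _pam_dispatch's body begins and ends outside the hunk.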