summaryrefslogtreecommitdiff
path: root/modules/pam_unix
diff options
context:
space:
mode:
authorJames Ralston <ralston@pobox.com>2019-03-04 19:30:42 -0500
committerTomas Mraz <tmraz@fedoraproject.org>2020-03-30 14:44:11 +0200
commitcf4845be8b792a05da5698e07243b89ec0368b61 (patch)
treecb17c82bf79376dba2424fdea589ccba69ceefc2 /modules/pam_unix
parent897c7412b26ca618af6822dcaa7e6be68772dc52 (diff)
pam_unix: Return PAM_AUTHINFO_UNAVAIL when appropriate.
The pam_unix.so will never return PAM_AUTHINFO_UNAVAIL on systems that use the unix_chkpwd helper. The reason is that in unix_chkpwd.c, towards the end of main(), if helper_verify_password() does not return PAM_SUCCESS, main() ignores the actual error that helper_verify_password() returned and instead returns PAM_AUTH_ERR. This commit corrects this behavior. Specifically, if helper_verify_password() returns PAM_USER_UNKNOWN, which it does when /etc/passwd entry indicates that shadow information is present but the /etc/shadow entry is missing, the unix_chkpwd now exits with PAM_AUTHINFO_UNAVAIL. For any other error from helper_verify_password(), unix_chkpwd continues to exit with PAM_AUTH_ERR. * modules/pam_unix/unix_chkpwd.c (main): Return PAM_AUTHINFO_UNAVAIL when helper_verify_password() returns PAM_USER_UNKNOWN.
Diffstat (limited to 'modules/pam_unix')
-rw-r--r--modules/pam_unix/unix_chkpwd.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c
index 6aaf81a4..88647e58 100644
--- a/modules/pam_unix/unix_chkpwd.c
+++ b/modules/pam_unix/unix_chkpwd.c
@@ -188,7 +188,14 @@ int main(int argc, char *argv[])
#endif
helper_log_err(LOG_NOTICE, "password check failed for user (%s)", user);
}
- return PAM_AUTH_ERR;
+ /* if helper_verify_password() returned PAM_USER_UNKNOWN, the
+ most appropriate error to propagate to
+ _unix_verify_password() is PAM_AUTHINFO_UNAVAIL; otherwise
+ return general failure */
+ if (retval == PAM_USER_UNKNOWN)
+ return PAM_AUTHINFO_UNAVAIL;
+ else
+ return PAM_AUTH_ERR;
} else {
if (getuid() != 0) {
#ifdef HAVE_LIBAUDIT