| author | James Ralston <ralston@pobox.com> | 2019-03-04 19:30:42 -0500 |
|---|---|---|
| committer | Tomas Mraz <tmraz@fedoraproject.org> | 2020-03-30 14:44:11 +0200 |
| commit | cf4845be8b792a05da5698e07243b89ec0368b61 (patch) | |
| tree | cb17c82bf79376dba2424fdea589ccba69ceefc2 /modules/pam_unix/unix_chkpwd.c | |
| parent | 897c7412b26ca618af6822dcaa7e6be68772dc52 (diff) | |
pam_unix: Return PAM_AUTHINFO_UNAVAIL when appropriate.
pam_unix.so will never return PAM_AUTHINFO_UNAVAIL on systems
that use the unix_chkpwd helper.
The reason is that in unix_chkpwd.c, towards the end of main(), if
helper_verify_password() does not return PAM_SUCCESS, main() ignores
the actual error that helper_verify_password() returned and instead
returns PAM_AUTH_ERR.
This commit corrects this behavior. Specifically, if
helper_verify_password() returns PAM_USER_UNKNOWN, which it does
when the /etc/passwd entry indicates that shadow information is present
but the /etc/shadow entry is missing, unix_chkpwd now exits
with PAM_AUTHINFO_UNAVAIL. For any other error from
helper_verify_password(), unix_chkpwd continues to exit with
PAM_AUTH_ERR.
* modules/pam_unix/unix_chkpwd.c (main): Return PAM_AUTHINFO_UNAVAIL
when helper_verify_password() returns PAM_USER_UNKNOWN.
Diffstat (limited to 'modules/pam_unix/unix_chkpwd.c')
-rw-r--r-- | modules/pam_unix/unix_chkpwd.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c index 6aaf81a4..88647e58 100644 --- a/modules/pam_unix/unix_chkpwd.c +++ b/modules/pam_unix/unix_chkpwd.c @@ -188,7 +188,14 @@ int main(int argc, char *argv[]) #endif helper_log_err(LOG_NOTICE, "password check failed for user (%s)", user); } - return PAM_AUTH_ERR; + /* if helper_verify_password() returned PAM_USER_UNKNOWN, the + most appropriate error to propagate to + _unix_verify_password() is PAM_AUTHINFO_UNAVAIL; otherwise + return general failure */ + if (retval == PAM_USER_UNKNOWN) + return PAM_AUTHINFO_UNAVAIL; + else + return PAM_AUTH_ERR; } else { if (getuid() != 0) { #ifdef HAVE_LIBAUDIT |
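Review bot: the new PAM_USER_UNKNOWN branch still reaches the same `helper_log_err(LOG_NOTICE, "password check failed for user (%s)", user);` call just above it, so the log will say a password check failed when the actual condition is a missing shadow entry; consider logging a distinct message (or at least the retval) in that case so operators can tell a misconfigured account from a bad password, and confirm that `retval` at this point is still the value returned by helper_verify_password() rather than something overwritten by the audit code under the `#endif` (the hunk context does not show the assignment). Two smaller points: the `else` after `return PAM_AUTHINFO_UNAVAIL;` is redundant and can be dropped (`return retval == PAM_USER_UNKNOWN ? PAM_AUTHINFO_UNAVAIL : PAM_AUTH_ERR;` would read cleaner), and since the surrounding code has a `getuid() != 0` path, unprivileged callers of this helper can now observe a distinct exit status for accounts whose shadow entry is absent; that disclosure should be called out in the commit message as an accepted trade-off, or the distinction confined to the root caller, whichever the maintainers prefer.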