Diffstat (limited to 'debian/patches-applied/dont_freeze_password_chain')
-rw-r--r-- | debian/patches-applied/dont_freeze_password_chain | 117 |
1 files changed, 117 insertions, 0 deletions
diff --git a/debian/patches-applied/dont_freeze_password_chain b/debian/patches-applied/dont_freeze_password_chain
new file mode 100644
index 00000000..799d0a0e
--- /dev/null
+++ b/debian/patches-applied/dont_freeze_password_chain
@@ -0,0 +1,117 @@
+Don't freeze the chain for chauthtok.
+
+bugzilla.novell.com#470337, LP: #303515.
+
+Author: Thorsten Kukuk <kukuk@thkukuk.de>
+
+Upstream status: cherry-picked from upstream.
+
+=== modified file 'doc/man/pam_sm_chauthtok.3.xml'
+--- doc/man/pam_sm_chauthtok.3.xml 2006-06-28 14:22:40 +0000
++++ doc/man/pam_sm_chauthtok.3.xml 2009-02-18 00:34:47 +0000
+@@ -40,7 +40,7 @@
+ </citerefentry> interface.
+ </para>
+ <para>
+- This function is used to (re-)set the authentication token of the user.
++ This function is used to (re-)set the authentication token of the user.
+ </para>
+ <para>
+ Valid flags, which may be logically OR'd with
+@@ -60,10 +60,10 @@
+ <listitem>
+ <para>
+ This argument indicates to the module that the users
+- authentication token (password) should only be changed if
+- it has expired. This flag is optional and
+- <emphasis>must</emphasis> be combined with one of the
+- following two flags. Note, however, the following two options
++ authentication token (password) should only be changed if
++ it has expired. This flag is optional and
++ <emphasis>must</emphasis> be combined with one of the
++ following two flags. Note, however, the following two options
+ are <emphasis>mutually exclusive</emphasis>.
+ </para>
+ </listitem>
+@@ -72,15 +72,20 @@
+ <term>PAM_PRELIM_CHECK</term>
+ <listitem>
+ <para>
+- This indicates that the modules are being probed as to
+- their ready status for altering the user's authentication
+- token. If the module requires access to another system over
+- some network it should attempt to verify it can connect to
+- this system on receiving this flag. If a module cannot establish
+- it is ready to update the user's authentication token it should
++ This indicates that the modules are being probed as to
++ their ready status for altering the user's authentication
++ token. If the module requires access to another system over
++ some network it should attempt to verify it can connect to
++ this system on receiving this flag. If a module cannot establish
++ it is ready to update the user's authentication token it should
+ return <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, this
+ information will be passed back to the application.
+ </para>
++ <para>
++ If the control value <emphasis>sufficient</emphasis> is used in
++ the password stack, the <emphasis>PAM_PRELIM_CHECK</emphasis> section
++ of the modules following that control value is not always executed.
++ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+@@ -89,18 +94,18 @@
+ <para>
+ This informs the module that this is the call it should change
+ the authorization tokens. If the flag is logically OR'd with
+- <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the
++ <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the
+ token is only changed if it has actually expired.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ <para>
+- The PAM library calls this function twice in succession. The first
+- time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then,
+- if the module does not return
++ The PAM library calls this function twice in succession. The first
++ time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then,
++ if the module does not return
+ <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, subsequently with
+- <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on
++ <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on
+ the second call that the authorization token is (possibly) changed.
+ </para>
+ </refsect1>
+
+=== modified file 'libpam/pam_dispatch.c'
+--- libpam/pam_dispatch.c 2008-12-03 22:16:33 +0000
++++ libpam/pam_dispatch.c 2009-02-18 00:34:47 +0000
+@@ -132,11 +132,10 @@
+ }
+
+ /*
+- * use_cached_chain is how we ensure that the setcred/close_session
+- * and chauthtok(2) modules are called in the same order as they did
+- * when they were invoked as auth/open_session/chauthtok(1). This
+- * feature was added in 0.75 to make the behavior of pam_setcred
+- * sane. It was debugged by release 0.76.
++ * use_cached_chain is how we ensure that the setcred and
++ * close_session modules are called in the same order as they did
++ * when they were invoked as auth/open_session. This feature was
++ * added in 0.75 to make the behavior of pam_setcred sane.
+ */
+ if (use_cached_chain != _PAM_PLEASE_FREEZE) {
+
+@@ -358,9 +357,6 @@
+ break;
+ case PAM_CHAUTHTOK:
+ h = pamh->handlers.conf.chauthtok;
+- if (flags & PAM_UPDATE_AUTHTOK) {
+- use_cached_chain = _PAM_MUST_BE_FROZEN;
+- }
+ break;
+ default:
+ pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
+
|
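Review bot: The paragraph added to pam_sm_chauthtok.3.xml says the PAM_PRELIM_CHECK section of modules after a `sufficient` entry "is not always executed", but it stops short of telling module authors what that means for the second call. With the `use_cached_chain = _PAM_MUST_BE_FROZEN` assignment removed from the `PAM_CHAUTHTOK` case in pam_dispatch.c, the PAM_UPDATE_AUTHTOK pass no longer replays the chain recorded during the preliminary pass, so a module that does its old-password or policy check only in the preliminary phase could apparently be reached with PAM_UPDATE_AUTHTOK without that check having run; the dispatch loop itself is outside the hunk, so this is inferred from the removed lines and the new man-page text. I would add a sentence to the new `<para>` such as `A module must therefore not assume that its PAM_PRELIM_CHECK call ran, or succeeded, when it is called with PAM_UPDATE_AUTHTOK.` The patch header also carries only the two bug references; one sentence describing the failure seen with a frozen password chain would let a reviewer judge the trade-off without following the links.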