From 8371672714bbe3a7c171143a657083271cad7c71 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 7 Jan 2005 15:31:26 +0000 Subject: Relevant BUGIDs: 629251, Red Hat bz 143750 Purpose of commit: bugfix Commit summary: --------------- libpam: don't return PAM_IGNORE if the impression is positive and using cached chain pam_nologin: don't overwrite return value with return from pam_get_item --- libpam/pam_dispatch.c | 14 ++++++++++---- libpam/pam_strerror.c | 4 ++-- 2 files changed, 12 insertions(+), 6 deletions(-) (limited to 'libpam') diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c index c6fcd5f8..1daf0c9f 100644 --- a/libpam/pam_dispatch.c +++ b/libpam/pam_dispatch.c @@ -184,8 +184,12 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, if ( impression == _PAM_UNDEF || (impression == _PAM_POSITIVE && status == PAM_SUCCESS) ) { - impression = _PAM_POSITIVE; - status = retval; + /* in case of using cached chain + we could get here with PAM_IGNORE - don't return it */ + if ( retval != PAM_IGNORE || cached_retval == retval ) { + impression = _PAM_POSITIVE; + status = retval; + } } if ( impression == _PAM_POSITIVE && action == _PAM_ACTION_DONE ) { goto decision_made; @@ -227,8 +231,10 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, if (impression == _PAM_UNDEF || (impression == _PAM_POSITIVE && status == PAM_SUCCESS) ) { - impression = _PAM_POSITIVE; - status = retval; + if ( retval != PAM_IGNORE || cached_retval == retval ) { + impression = _PAM_POSITIVE; + status = retval; + } } } diff --git a/libpam/pam_strerror.c b/libpam/pam_strerror.c index de857fd8..b2c6775a 100644 --- a/libpam/pam_strerror.c +++ b/libpam/pam_strerror.c @@ -48,7 +48,7 @@ const char *pam_strerror(pam_handle_t *pamh, int errnum) case PAM_USER_UNKNOWN: return "User not known to the underlying authentication module"; case PAM_MAXTRIES: - return "Have exhasted maximum number of retries for service."; + return "Have exhausted maximum number of retries for service."; case PAM_NEW_AUTHTOK_REQD: return "Authentication token is no longer valid; new one required."; case PAM_ACCT_EXPIRED: @@ -78,7 +78,7 @@ const char *pam_strerror(pam_handle_t *pamh, int errnum) case PAM_TRY_AGAIN: return "Failed preliminary check by password service"; case PAM_IGNORE: - return "Please ignore underlying account module"; + return "The return value should be ignored by PAM dispatch"; case PAM_MODULE_UNKNOWN: return "Module is unknown"; case PAM_AUTHTOK_EXPIRED: -- cgit v1.2.3