From 5aca62a102b7309f1d96ded01ad1e7f94310fade Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 15 May 2020 08:00:00 +0000 Subject: modules: do not check user name for NULL if pam_get_user returned PAM_SUCCESS If pam_get_user returned PAM_SUCCESS, the user name is guaranteed to be a valid C string, no need to double check that. * modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check for NULL the user name returned by pam_get_user when the latter returned PAM_SUCCESS. * modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise. * modules/pam_debug/pam_debug.c (pam_sm_authenticate): Likewise. * modules/pam_filter/pam_filter.c (process_args): Likewise. * modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise. * modules/pam_group/pam_group.c (pam_sm_setcred): Likewise. * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise. * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise. * modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Likewise. * modules/pam_mail/pam_mail.c (_do_mail): Likewise. * modules/pam_nologin/pam_nologin.c (perform_check): Likewise. * modules/pam_permit/pam_permit.c (pam_sm_authenticate): Likewise. * modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise. * modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise. * modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Likewise. * modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise. * modules/pam_shells/pam_shells.c (perform_check): Likewise. * modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise. * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise. * modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise. * modules/pam_timestamp/pam_timestamp.c (get_timestamp_name): Likewise. * modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise. * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Likewise. * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise. * modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise. * modules/pam_wheel/pam_wheel.c (perform_check): Likewise. * modules/pam_userdb/pam_userdb.c (pam_sm_authenticate, pam_sm_acct_mgmt): Likewise. --- modules/pam_access/pam_access.c | 2 +- modules/pam_cracklib/pam_cracklib.c | 2 +- modules/pam_debug/pam_debug.c | 2 +- modules/pam_filter/pam_filter.c | 3 +-- modules/pam_ftp/pam_ftp.c | 2 +- modules/pam_group/pam_group.c | 3 +-- modules/pam_lastlog/pam_lastlog.c | 3 +-- modules/pam_listfile/pam_listfile.c | 4 ++-- modules/pam_localuser/pam_localuser.c | 2 +- modules/pam_mail/pam_mail.c | 2 +- modules/pam_nologin/pam_nologin.c | 2 +- modules/pam_permit/pam_permit.c | 2 +- modules/pam_pwhistory/pam_pwhistory.c | 2 +- modules/pam_rhosts/pam_rhosts.c | 2 +- modules/pam_securetty/pam_securetty.c | 2 +- modules/pam_sepermit/pam_sepermit.c | 3 +-- modules/pam_shells/pam_shells.c | 4 ++-- modules/pam_stress/pam_stress.c | 4 +--- modules/pam_succeed_if/pam_succeed_if.c | 2 +- modules/pam_time/pam_time.c | 3 +-- modules/pam_timestamp/pam_timestamp.c | 5 +---- modules/pam_umask/pam_umask.c | 10 +++------- modules/pam_unix/pam_unix_auth.c | 2 +- modules/pam_unix/pam_unix_passwd.c | 2 +- modules/pam_userdb/pam_userdb.c | 4 ++-- modules/pam_usertype/pam_usertype.c | 2 +- modules/pam_wheel/pam_wheel.c | 2 +- 27 files changed, 32 insertions(+), 46 deletions(-) (limited to 'modules') diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index be726180..b0289a3a 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -819,7 +819,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, /* set username */ - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || *user == '\0') { pam_syslog(pamh, LOG_ERR, "cannot determine the user's name"); return PAM_USER_UNKNOWN; diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c index a6ce9395..f6fb0130 100644 --- a/modules/pam_cracklib/pam_cracklib.c +++ b/modules/pam_cracklib/pam_cracklib.c @@ -687,7 +687,7 @@ static int _pam_unix_approve_pass(pam_handle_t *pamh, } retval = pam_get_user(pamh, &user, NULL); - if (retval != PAM_SUCCESS || user == NULL) { + if (retval != PAM_SUCCESS) { if (ctrl & PAM_DEBUG_ARG) pam_syslog(pamh,LOG_ERR,"Can not get username"); return PAM_AUTHTOK_ERR; diff --git a/modules/pam_debug/pam_debug.c b/modules/pam_debug/pam_debug.c index 75d475f0..61b39d75 100644 --- a/modules/pam_debug/pam_debug.c +++ b/modules/pam_debug/pam_debug.c @@ -73,7 +73,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, D(("get user returned error: %s", pam_strerror(pamh,retval))); return retval; } - if (user == NULL || *user == '\0') { + if (*user == '\0') { D(("username not known")); retval = pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER); if (retval != PAM_SUCCESS) diff --git a/modules/pam_filter/pam_filter.c b/modules/pam_filter/pam_filter.c index 9b523da2..2f0af4fb 100644 --- a/modules/pam_filter/pam_filter.c +++ b/modules/pam_filter/pam_filter.c @@ -171,8 +171,7 @@ static int process_args(pam_handle_t *pamh #define USER_NAME "USER=" #define USER_OFFSET (sizeof(USER_NAME) - 1) - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || - user == NULL) { + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { user = ""; } size = USER_OFFSET+strlen(user); diff --git a/modules/pam_ftp/pam_ftp.c b/modules/pam_ftp/pam_ftp.c index 0d53e5a5..36979d57 100644 --- a/modules/pam_ftp/pam_ftp.c +++ b/modules/pam_ftp/pam_ftp.c @@ -119,7 +119,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, ctrl = _pam_parse(pamh, argc, argv, &users); retval = pam_get_user(pamh, &user, NULL); - if (retval != PAM_SUCCESS || user == NULL) { + if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, "no user specified"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c index b5532b81..8fd8584e 100644 --- a/modules/pam_group/pam_group.c +++ b/modules/pam_group/pam_group.c @@ -771,8 +771,7 @@ pam_sm_setcred (pam_handle_t *pamh, int flags, /* set username */ - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL - || *user == '\0') { + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || *user == '\0') { pam_syslog(pamh, LOG_ERR, "cannot determine the user's name"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c index 1c46d03a..3e27b3ed 100644 --- a/modules/pam_lastlog/pam_lastlog.c +++ b/modules/pam_lastlog/pam_lastlog.c @@ -669,8 +669,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, /* which user? */ - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL - || *user == '\0') { + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || *user == '\0') { pam_syslog(pamh, LOG_ERR, "cannot determine the user's name"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_listfile/pam_listfile.c b/modules/pam_listfile/pam_listfile.c index 74ebae1a..4d30d017 100644 --- a/modules/pam_listfile/pam_listfile.c +++ b/modules/pam_listfile/pam_listfile.c @@ -188,7 +188,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, int rval; rval=pam_get_user(pamh,&user_name,NULL); - if((rval==PAM_SUCCESS) && user_name && user_name[0]) { + if(rval==PAM_SUCCESS && user_name[0]) { /* Got it ? Valid ? */ if(apply_type==APPLY_TYPE_USER) { if(strcmp(user_name, apply_val)) { @@ -225,7 +225,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, } if((citem == PAM_USER) && !citemp) { retval = pam_get_user(pamh,&citemp,NULL); - if (retval != PAM_SUCCESS || !citemp) { + if (retval != PAM_SUCCESS) { free(ifname); return PAM_SERVICE_ERR; } diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index 3633b535..6f4f8aea 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c @@ -100,7 +100,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, return PAM_SYSTEM_ERR; } - if ((user == NULL) || (strlen(user) == 0)) { + if (strlen(user) == 0) { pam_syslog (pamh, LOG_ERR, "user name not valid"); fclose(fp); return PAM_SYSTEM_ERR; diff --git a/modules/pam_mail/pam_mail.c b/modules/pam_mail/pam_mail.c index c923817d..0dc12e1e 100644 --- a/modules/pam_mail/pam_mail.c +++ b/modules/pam_mail/pam_mail.c @@ -382,7 +382,7 @@ static int _do_mail(pam_handle_t *pamh, int flags, int argc, ctrl = _pam_parse(pamh, flags, argc, argv, &path_mail, &hashcount); retval = pam_get_user(pamh, &user, NULL); - if (retval != PAM_SUCCESS || user == NULL) { + if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, "cannot determine username"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_nologin/pam_nologin.c b/modules/pam_nologin/pam_nologin.c index 8666251a..4ba33602 100644 --- a/modules/pam_nologin/pam_nologin.c +++ b/modules/pam_nologin/pam_nologin.c @@ -64,7 +64,7 @@ static int perform_check(pam_handle_t *pamh, struct opt_s *opts) int retval = opts->retval_when_nofile; int fd = -1; - if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS) || !username) { + if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS)) { pam_syslog(pamh, LOG_ERR, "cannot determine username"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_permit/pam_permit.c b/modules/pam_permit/pam_permit.c index 9e2aedf4..4f973686 100644 --- a/modules/pam_permit/pam_permit.c +++ b/modules/pam_permit/pam_permit.c @@ -29,7 +29,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, D(("get user returned error: %s", pam_strerror(pamh,retval))); return retval; } - if (user == NULL || *user == '\0') { + if (*user == '\0') { D(("username not known")); retval = pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER); if (retval != PAM_SUCCESS) diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c index c77eb3ea..9b44cd87 100644 --- a/modules/pam_pwhistory/pam_pwhistory.c +++ b/modules/pam_pwhistory/pam_pwhistory.c @@ -139,7 +139,7 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) if (retval != PAM_SUCCESS) return retval; - if (user == NULL || strlen (user) == 0) + if (strlen (user) == 0) { if (options.debug) pam_syslog (pamh, LOG_DEBUG, diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c index ab2fbd09..4dabfa13 100644 --- a/modules/pam_rhosts/pam_rhosts.c +++ b/modules/pam_rhosts/pam_rhosts.c @@ -94,7 +94,7 @@ int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, return retval; } - if (rhost == NULL || ruser == NULL || luser == NULL) + if (rhost == NULL || ruser == NULL) return PAM_AUTH_ERR; if (opt_superuser && strcmp(opt_superuser, luser) == 0) diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c index 9a2835ef..355a23ab 100644 --- a/modules/pam_securetty/pam_securetty.c +++ b/modules/pam_securetty/pam_securetty.c @@ -83,7 +83,7 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl, } retval = pam_get_user(pamh, &username, NULL); - if (retval != PAM_SUCCESS || username == NULL) { + if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_WARNING, "cannot determine username"); return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE:PAM_SERVICE_ERR); } diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c index b6fde6c5..b49b0097 100644 --- a/modules/pam_sepermit/pam_sepermit.c +++ b/modules/pam_sepermit/pam_sepermit.c @@ -384,8 +384,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, if (debug) pam_syslog(pamh, LOG_NOTICE, "Parsing config file: %s", cfgfile); - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL - || *user == '\0') { + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || *user == '\0') { pam_syslog(pamh, LOG_ERR, "Cannot determine the user's name"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c index eec86dc4..9e15a566 100644 --- a/modules/pam_shells/pam_shells.c +++ b/modules/pam_shells/pam_shells.c @@ -40,7 +40,7 @@ static int perform_check(pam_handle_t *pamh) return PAM_SERVICE_ERR; } - if (!userName || (userName[0] == '\0')) { + if (userName[0] == '\0') { /* Don't let them use a NULL username... */ retval = pam_get_user(pamh,&userName,NULL); @@ -48,7 +48,7 @@ static int perform_check(pam_handle_t *pamh) return PAM_SERVICE_ERR; /* It could still be NULL the second time. */ - if (!userName || (userName[0] == '\0')) + if (userName[0] == '\0') return PAM_SERVICE_ERR; } diff --git a/modules/pam_stress/pam_stress.c b/modules/pam_stress/pam_stress.c index 62348fab..9baba321 100644 --- a/modules/pam_stress/pam_stress.c +++ b/modules/pam_stress/pam_stress.c @@ -217,11 +217,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, /* try to get the username */ retval = pam_get_user(pamh, &username, "username: "); - if (retval != PAM_SUCCESS || !username) { + if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_WARNING, "pam_sm_authenticate: failed to get username"); - if (retval == PAM_SUCCESS) - retval = PAM_USER_UNKNOWN; /* username was null */ return retval; } else if (ctrl & PAM_ST_DEBUG) { diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c index 76bc9825..db2c2db5 100644 --- a/modules/pam_succeed_if/pam_succeed_if.c +++ b/modules/pam_succeed_if/pam_succeed_if.c @@ -501,7 +501,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, } else { /* Get the user's name. */ ret = pam_get_user(pamh, &user, NULL); - if ((ret != PAM_SUCCESS) || (user == NULL)) { + if (ret != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, "error retrieving user name: %s", pam_strerror(pamh, ret)); diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c index e786d0f9..d965cabd 100644 --- a/modules/pam_time/pam_time.c +++ b/modules/pam_time/pam_time.c @@ -623,8 +623,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, /* set username */ - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL - || *user == '\0') { + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || *user == '\0') { pam_syslog(pamh, LOG_ERR, "can not get the username"); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c index 249a9692..30be883c 100644 --- a/modules/pam_timestamp/pam_timestamp.c +++ b/modules/pam_timestamp/pam_timestamp.c @@ -296,10 +296,7 @@ get_timestamp_name(pam_handle_t *pamh, int argc, const char **argv, return i; } /* Get the name of the target user. */ - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { - user = NULL; - } - if ((user == NULL) || (strlen(user) == 0)) { + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user[0] == '\0') { return PAM_AUTH_ERR; } if (debug) { diff --git a/modules/pam_umask/pam_umask.c b/modules/pam_umask/pam_umask.c index 1b5df4b6..e17d0fc1 100644 --- a/modules/pam_umask/pam_umask.c +++ b/modules/pam_umask/pam_umask.c @@ -205,14 +205,10 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE:retval); } - if (name == NULL || name[0] == '\0') + if (name[0] == '\0') { - if (name) - { - pam_syslog (pamh, LOG_NOTICE, "bad username [%s]", name); - return PAM_USER_UNKNOWN; - } - return PAM_SERVICE_ERR; + pam_syslog (pamh, LOG_NOTICE, "bad username [%s]", name); + return PAM_USER_UNKNOWN; } pw = pam_modutil_getpwnam (pamh, name); diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c index 9a0cd372..4eccff8e 100644 --- a/modules/pam_unix/pam_unix_auth.c +++ b/modules/pam_unix/pam_unix_auth.c @@ -121,7 +121,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) * '+' or '-' as the first character of a user name. Don't * allow this characters here. */ - if (name == NULL || name[0] == '-' || name[0] == '+') { + if (name[0] == '-' || name[0] == '+') { pam_syslog(pamh, LOG_NOTICE, "bad username [%s]", name); retval = PAM_USER_UNKNOWN; AUTH_RETURN; diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index e9c960a2..e988b2e3 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -631,7 +631,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) * '+' or '-' as the first character of a user name. Don't * allow them. */ - if (user == NULL || user[0] == '-' || user[0] == '+') { + if (user[0] == '-' || user[0] == '+') { pam_syslog(pamh, LOG_NOTICE, "bad username [%s]", user); return PAM_USER_UNKNOWN; } diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c index d7d41233..3692465d 100644 --- a/modules/pam_userdb/pam_userdb.c +++ b/modules/pam_userdb/pam_userdb.c @@ -346,7 +346,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, /* Get the username */ retval = pam_get_user(pamh, &username, NULL); - if ((retval != PAM_SUCCESS) || (!username)) { + if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, "can not get the username"); return PAM_SERVICE_ERR; } @@ -437,7 +437,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, /* Get the username */ retval = pam_get_user(pamh, &username, NULL); - if ((retval != PAM_SUCCESS) || (!username)) { + if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR,"can not get the username"); return PAM_SERVICE_ERR; } diff --git a/modules/pam_usertype/pam_usertype.c b/modules/pam_usertype/pam_usertype.c index 76325063..eb656c09 100644 --- a/modules/pam_usertype/pam_usertype.c +++ b/modules/pam_usertype/pam_usertype.c @@ -126,7 +126,7 @@ pam_usertype_get_uid(struct pam_usertype_opts *opts, /* Get uid of user that is being authenticated. */ ret = pam_get_user(pamh, &username, NULL); - if (ret != PAM_SUCCESS || username == NULL) { + if (ret != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, "error retrieving user name: %s", pam_strerror(pamh, ret)); return ret; diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c index 94f8887a..f40eafff 100644 --- a/modules/pam_wheel/pam_wheel.c +++ b/modules/pam_wheel/pam_wheel.c @@ -107,7 +107,7 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group) int retval = PAM_AUTH_ERR; retval = pam_get_user(pamh, &username, NULL); - if ((retval != PAM_SUCCESS) || (!username)) { + if (retval != PAM_SUCCESS) { if (ctrl & PAM_DEBUG_ARG) { pam_syslog(pamh, LOG_DEBUG, "can not get the username"); } -- cgit v1.2.3