From b838197cab25d5e2d83ef74d36401ff8a4f2ffdf Mon Sep 17 00:00:00 2001
From: Alexander Zubkov <green@qrator.net>
Date: Mon, 23 Mar 2020 19:24:15 +0100
Subject: pam_exec: require user name to be ready for the command

pam_exec module can be called when a user name has not been prompted
yet. And thus the command is called without a user name available.
This fix asks PAM for the user name to ensure it is ready or to force
the prompt.

Resolves: https://github.com/linux-pam/linux-pam/issues/131
Resolves: https://github.com/linux-pam/linux-pam/pull/195
---
 modules/pam_exec/pam_exec.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

(limited to 'modules')

diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
index d37f555a..918422cf 100644
--- a/modules/pam_exec/pam_exec.c
+++ b/modules/pam_exec/pam_exec.c
@@ -108,6 +108,8 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
   int fds[2];
   int stdout_fds[2];
   FILE *stdout_file = NULL;
+  int retval;
+  const char *name;
 
   if (argc < 1) {
     pam_syslog (pamh, LOG_ERR,
@@ -143,6 +145,16 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
 	break; /* Unknown option, assume program to execute. */
     }
 
+  /* Request user name to be available. */
+
+  retval = pam_get_user(pamh, &name, NULL);
+  if (retval != PAM_SUCCESS)
+    {
+      if (retval == PAM_CONV_AGAIN)
+        retval = PAM_INCOMPLETE;
+      return retval;
+    }
+
   if (expose_authtok == 1)
     {
       if (strcmp (pam_type, "auth") != 0)
@@ -154,7 +166,6 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
       else
 	{
 	  const void *void_pass;
-	  int retval;
 
 	  retval = pam_get_item (pamh, PAM_AUTHTOK, &void_pass);
 	  if (retval != PAM_SUCCESS)
@@ -224,7 +235,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
   if (pid > 0) /* parent */
     {
       int status = 0;
-      pid_t retval;
+      pid_t rc;
 
       if (expose_authtok) /* send the password to the child */
 	{
@@ -253,9 +264,9 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
 	  fclose(stdout_file);
 	}
 
-      while ((retval = waitpid (pid, &status, 0)) == -1 &&
+      while ((rc = waitpid (pid, &status, 0)) == -1 &&
 	     errno == EINTR);
-      if (retval == (pid_t)-1)
+      if (rc == (pid_t)-1)
 	{
 	  pam_syslog (pamh, LOG_ERR, "waitpid returns with -1: %m");
 	  return PAM_SYSTEM_ERR;
-- 
cgit v1.2.3