Date:      Mon, 7 May 2001 09:40:04 -0700 (PDT)
From:      Peter Pentchev <roam@orbitel.bg>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: bin/27153: login(1) doesn't call pam_open_session
Message-ID:  <200105071640.f47Ge4244147@freefall.freebsd.org>

The following reply was made to PR bin/27153; it has been noted by GNATS.

From: Peter Pentchev <roam@orbitel.bg>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/27153: login(1) doesn't call pam_open_session
Date: Mon, 7 May 2001 19:32:52 +0300

 I think this should really make it into GNATS, not just the list,
 shouldn't it now..
 
 G'luck,
 Peter
 
 -- 
 This sentence claims to be an Epimenides paradox, but it is lying.
 
 ----- Forwarded message from Volker Stolz <stolz@I2.Informatik.RWTH-Aachen.DE> -----
 
 Date: Sun, 6 May 2001 19:22:23 +0200
 From: Volker Stolz <stolz@I2.Informatik.RWTH-Aachen.DE>
 To: gnats-admin@FreeBSD.org, freebsd-bugs@FreeBSD.org
 Subject: Patch (Re: bin/27153: login(1) doesn't call pam_open_session)
 User-Agent: Mutt/1.3.17i
 In-Reply-To: <200105061240.f46Ce1b15863@freefall.freebsd.org>; from gnats-admin@FreeBSD.org on Sun, May 06, 2001 at 05:40:01AM -0700
 
 This patch works(tm), pam_ssh.so from /usr/src works now, too.
 -- 
 Abstrakte Syntaxtraume.
 Volker Stolz * stolz@i2.informatik.rwth-aachen.de * PGP + S/MIME
 
 --- login.c.orig	Sun May  6 17:02:55 2001
 +++ login.c	Sun May  6 19:18:14 2001
 @@ -132,6 +132,7 @@
  char    full_hostname[MAXHOSTNAMELEN];
  #ifndef NO_PAM
  static char **environ_pam;
 +pam_handle_t *pamh = NULL;
  #endif
  
  int
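Review bot: `pamh` is added at file scope without `static`, unlike `environ_pam` on the line above it, so the PAM handle becomes an external symbol of login.c. Nothing in the visible hunks uses it outside this file; `static pam_handle_t *pamh = NULL;` would keep the handle private. A one-line comment stating which code path is responsible for ending the handle would also help, since the FIXME this patch adds further down says that is still undecided.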
 @@ -147,6 +148,9 @@
  	int rootok, retries, backoff;
  	int ask, ch, cnt, fflag, hflag, pflag, quietlog, rootlogin, rval;
  	int changepass;
 +#ifndef NO_PAM
 +	int e=PAM_SUCCESS; /* pam_end() error code*/
 +#endif
  	time_t warntime;
  	uid_t uid, euid;
  	gid_t egid;
 @@ -321,6 +325,13 @@
  		 * then fall back to using traditional Unix authentication.
  		 */
  		if ((rval = auth_pam()) == -1)
 +		  if ((pamh) && (e = pam_end(pamh, e)) != PAM_SUCCESS) {
 +		    syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
 +		  }
 +		if (rval == -1) /* auth_pam/ifdef-stupidity :-/
 +				   FIXME: Rewrite auth_pam() to call pam_end()
 +				   on errors instead of just returning.
 +				*/
  #endif /* NO_PAM */
  			rval = auth_traditional();
  
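Review bot: After `pam_end(pamh, e)` the global `pamh` still holds the released handle, and the syslog call passes it straight to `pam_strerror(pamh, e)`; nothing visible resets it before a later use. Add `pamh = NULL;` directly after the `pam_end()` call, and do not hand the ended handle to any further PAM call. The status given to `pam_end()` is main()'s own `e`, initialised to `PAM_SUCCESS` and never set from auth_pam()'s result, so modules are told the transaction succeeded even on the -1 path. Because the `pam_end()` call is removed from auth_pam() in a later hunk, any return other than -1 appears to leave the handle open across retries; the retry loop is outside this hunk, so that needs confirming.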
 @@ -560,6 +571,15 @@
  	 */
  	if (environ_pam)
  		export_pam_environment();
 +
 +	/*
 +	 * NOTE: Don't call pam_end()! Otherwise all the resources
 +	 * allocated will be freed. pam_end() is for ending *all*
 +	 * interaction with PAM, i.e. on logout.
 +	 *
 +	 * FIXME: We've got nowhere to call pam_end()/pam_session_close
 +	 * after the user logs out?!
 +	 */
  #endif
  
  	/*
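Review bot: The new comment names `pam_session_close`, but the call that pairs with `pam_open_session()` is `pam_close_session()`; the FIXME should use that name so it can be searched for. The comment also records a real gap: the session opened in auth_pam() is never closed and the handle is never ended, so session modules get no chance to clean up at logout. It would be more useful if it stated what a fix requires, namely that login remains as a parent until the shell exits and then calls `pam_close_session(pamh, 0)` followed by `pam_end()`. That assumes login currently execs the shell directly, which is outside this hunk.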
 @@ -677,7 +697,6 @@
  static int
  auth_pam()
  {
 -	pam_handle_t *pamh = NULL;
  	const char *tmpl_user;
  	const void *item;
  	int rval;
 @@ -732,6 +751,7 @@
  		    PAM_SUCCESS)
  			syslog(LOG_ERR, "Couldn't establish credentials: %s",
  			    pam_strerror(pamh, e));
 +		if (pamh) pam_open_session(pamh, 0);
  		environ_pam = pam_getenvlist(pamh);
  		rval = 0;
  		break;
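Review bot: The return value of `pam_open_session()` is discarded, so a session module that fails or refuses the session still lets this path continue to `rval = 0`. Capture and log it, `if ((e = pam_open_session(pamh, 0)) != PAM_SUCCESS)` followed by `syslog(LOG_ERR, "pam_open_session: %s", pam_strerror(pamh, e));`, and treat that case as a failed login rather than a success. The `if (pamh)` guard is also inconsistent with the unguarded `pam_getenvlist(pamh)` on the next line; either both need it or neither does. auth_pam()'s body starts and ends outside this hunk, so how a failure should be reported through `rval` has to be checked there.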
 @@ -747,10 +767,6 @@
  		rval = -1;
  		break;
  	}
 -	if ((e = pam_end(pamh, e)) != PAM_SUCCESS) {
 -		syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
 -		rval = -1;
 -	}
  	return rval;
  }
  
 @@ -762,7 +778,7 @@
  	for (pp = environ_pam; *pp != NULL; pp++) {
  		if (ok_to_export(*pp))
  			(void) putenv(*pp);
 -		free(*pp);
 +		/* pp is not ours to free!*/
  	}
  	return PAM_SUCCESS;
  }
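Review bot: The replacement comment `/* pp is not ours to free!*/` contradicts the `pam_getenvlist()` contract, which gives the caller ownership of the returned list and of each string in it. With `free(*pp)` removed, every entry rejected by `ok_to_export()` is now leaked. For exported entries the right answer depends on whether this platform's `putenv()` copies its argument or keeps the pointer. If it keeps the pointer, free only the rejected ones with `else free(*pp);` after the `putenv()` line; if it copies, the original `free(*pp)` was correct. Whichever applies, the comment should state the actual ownership rule and refer to `*pp`, which is what was being freed; the function starts outside this hunk.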
 
 
 
 
 ----- End forwarded message -----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message



