From owner-freebsd-bugs Mon May 7 9:40:20 2001 Delivered-To: freebsd-bugs@hub.freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 4888B37B424 for ; Mon, 7 May 2001 09:40:04 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f47Ge4244147; Mon, 7 May 2001 09:40:04 -0700 (PDT) (envelope-from gnats) Date: Mon, 7 May 2001 09:40:04 -0700 (PDT) Message-Id: <200105071640.f47Ge4244147@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org Cc: From: Peter Pentchev Subject: Re: bin/27153: login(1) doesn't call pam_open_session Reply-To: Peter Pentchev Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org The following reply was made to PR bin/27153; it has been noted by GNATS. From: Peter Pentchev To: freebsd-gnats-submit@FreeBSD.org Cc: Subject: Re: bin/27153: login(1) doesn't call pam_open_session Date: Mon, 7 May 2001 19:32:52 +0300 I think this should really make it into GNATS, not just the list, shouldn't it now.. G'luck, Peter -- This sentence claims to be an Epimenides paradox, but it is lying. ----- Forwarded message from Volker Stolz ----- Date: Sun, 6 May 2001 19:22:23 +0200 From: Volker Stolz To: gnats-admin@FreeBSD.org, freebsd-bugs@FreeBSD.org Subject: Patch (Re: bin/27153: login(1) doesn't call pam_open_session) User-Agent: Mutt/1.3.17i In-Reply-To: <200105061240.f46Ce1b15863@freefall.freebsd.org>; from gnats-admin@FreeBSD.org on Sun, May 06, 2001 at 05:40:01AM -0700 This patch works(tm), pam_ssh.so from /usr/src works now, too. -- Abstrakte Syntaxtraume. Volker Stolz * stolz@i2.informatik.rwth-aachen.de * PGP + S/MIME --- login.c.orig Sun May 6 17:02:55 2001 +++ login.c Sun May 6 19:18:14 2001 @@ -132,6 +132,7 @@ char full_hostname[MAXHOSTNAMELEN]; #ifndef NO_PAM static char **environ_pam; +pam_handle_t *pamh = NULL; #endif int 
@@ -147,6 +148,9 @@ int rootok, retries, backoff; int ask, ch, cnt, fflag, hflag, pflag, quietlog, rootlogin, rval; int changepass; +#ifndef NO_PAM + int e=PAM_SUCCESS; /* pam_end() error code*/ +#endif time_t warntime; uid_t uid, euid; gid_t egid; @@ -321,6 +325,13 @@ * then fall back to using traditional Unix authentication. */ if ((rval = auth_pam()) == -1) + if ((pamh) && (e = pam_end(pamh, e)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); + } + if (rval == -1) /* auth_pam/ifdef-stupidity :-/ + FIXME: Rewrite auth_pam() to call pam_end() + on errors instead of just returning. + */ #endif /* NO_PAM */ rval = auth_traditional(); @@ -560,6 +571,15 @@ */ if (environ_pam) export_pam_environment(); + + /* + * NOTE: Don't call pam_end()! Otherwise all the resources + * allocated will be freed. pam_end() is for ending *all* + * interaction with PAM, i.e. on logout. + * + * FIXME: We've got nowhere to call pam_end()/pam_session_close + * after the user logs out?! + */ #endif /* @@ -677,7 +697,6 @@ static int auth_pam() { - pam_handle_t *pamh = NULL; const char *tmpl_user; const void *item; int rval; @@ -732,6 +751,7 @@ PAM_SUCCESS) syslog(LOG_ERR, "Couldn't establish credentials: %s", pam_strerror(pamh, e)); + if (pamh) pam_open_session(pamh, 0); environ_pam = pam_getenvlist(pamh); rval = 0; break; @@ -747,10 +767,6 @@ rval = -1; break; } - if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); - rval = -1; - } return rval; } @@ -762,7 +778,7 @@ for (pp = environ_pam; *pp != NULL; pp++) { if (ok_to_export(*pp)) (void) putenv(*pp); - free(*pp); + /* pp is not ours to free!*/ } return PAM_SUCCESS; } ----- End forwarded message ----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
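Review bot: in the first hunk (`@@ -132,6 +132,7 @@`) the new `pam_handle_t *pamh = NULL;` is declared with external linkage right next to `static char **environ_pam;`; make it `static pam_handle_t *pamh = NULL;` so the handle stays private to login.c like the environment list it travels with, and nothing in another object file can pick up the same name.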
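Review bot: style nit in the `@@ -147,6 +148,9 @@` hunk: `int e=PAM_SUCCESS; /* pam_end() error code*/` wants spaces around `=` and before `*/` per style(9), i.e. `int e = PAM_SUCCESS; /* pam_end() error code */`; also note that `e` serves both as the status handed to pam_end() and as the variable receiving its return value, which is fine but worth saying in the comment since the two meanings differ.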
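Review bot: the `@@ -321,6 +325,13 @@` hunk calls `pam_strerror(pamh, e)` on a handle that `pam_end(pamh, e)` has just released, and leaves `pamh` pointing at freed memory for the rest of main(); set `pamh = NULL;` immediately after pam_end() returns (log the failure with the code alone, or before the handle is gone), and put braces around the body of `if ((rval = auth_pam()) == -1)` so the nested `if` is visibly its body rather than a dangling one. The status passed to pam_end() here is always PAM_SUCCESS even though authentication failed, whereas the pam_end() removed from auth_pam() passed the real failure status; module cleanup functions receive that value, so the real `e` from auth_pam() should reach pam_end().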
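Review bot: in the `@@ -560,6 +571,15 @@` comment block the function is `pam_close_session`, not `pam_session_close`; the FIXME is the real issue with the patch, since pam_open_session() without a matching pam_close_session() means whatever the session modules set up is never torn down. Because login(1) execs the shell in the same process, the only way to get a close is to fork, exec the shell in the child, and have the parent wait for it and then call pam_close_session() followed by pam_end(); the comment should at least say that this is the intended follow-up rather than "nowhere to call".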
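Review bot: in the `@@ -732,6 +751,7 @@` hunk the return value of `pam_open_session(pamh, 0)` is discarded, so a session module that fails is silently skipped and the login proceeds as if the session had been established; compare it with PAM_SUCCESS, syslog(LOG_ERR, ...) with pam_strerror() like the pam_setcred() call just above, and treat it as a failure. The `if (pamh)` guard is redundant here: this is the PAM_SUCCESS branch, reached only after pam_start() succeeded, so the handle cannot be NULL.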
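Review bot: removing pam_end() at the end of auth_pam() in the `@@ -747,10 +767,6 @@` hunk is right for the success path, but every `rval = -1` path in the function now returns with the handle still allocated and relies on the caller's pam_end() with a generic status. Following the patch's own FIXME, call `pam_end(pamh, e)` with the real `e` on each error path inside auth_pam() and set `pamh = NULL` there, so the caller never has to second-guess the handle's state.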
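Review bot: the replacement comment `/* pp is not ours to free!*/` in the `@@ -762,7 +778,7 @@` hunk gives the wrong reason: pam_getenvlist(3) returns a malloc(3)ed copy that the caller does own. The `free(*pp)` was wrong because putenv(3) does not copy its argument, so the environment kept pointing at a freed string. The correct shape is to free only the entries that ok_to_export() rejects, keep the exported ones, and free(environ_pam) itself after the loop; as written the rejected strings and the array leak (harmless only because login execs shortly after).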