From: Jean-Sébastien Pédron
Date: Wed, 08 Feb 2012 18:11:36 +0100
To: Gleb Kurtsou
Cc: Pierre-Gilles Mialon, Romain Vrignaud, freebsd-current@freebsd.org
Subject: Re: [patch] pam_exec: use program exit code instead of PAM_SYSTEM_ERR

On 01/26/2012 11:07, Gleb Kurtsou wrote:
> Please consider making it optional. It will break for generic
> applications because pam_sm_chauthtok error codes are documented
> and standardized. I'm not aware of any application that uses PAM
> error constants as exit code.

des@ reviewed the patch too and suggested the same thing. Therefore I
changed it to make this behaviour optional.

Here's a new patch:
http://people.freebsd.org/~dumbbell/pam_exec/pam_exec-return-exit-code-g.patch

The changes compared to the original pam_exec(8) are:

  o  [*] Add a "return_prog_exit_status" option to enable the behaviour.

     If this option is not enabled (default), the current behaviour
     remains. However, when the program fails, the return code is
     PAM_PERM_DENIED, not PAM_SYSTEM_ERR.

     If this option is enabled, the program exit status is used as the
     return value of the PAM service module function. If this code is
     invalid for the calling function, log an error and return
     PAM_SERVICE_ERR.

  o  New environment variables are set:
       - $PAM_SM_FUNC: the name of the PAM service module function
         (e.g. pam_sm_authenticate).
       - [*] All valid PAM return codes numerical values are available
         as environment variables ($PAM_SUCCESS, $PAM_USER_UNKNOWN,
         $PAM_PERM_DENIED, etc.).

  o  Change some return codes from PAM_SYSTEM_ERR to PAM_SERVICE_ERR.

  o  Change many log messages to include the PAM service module
     function name.

  o  waitpid() is now called in a loop. If it returned because of
     EINTR, do it again. Before, it would return PAM_SYSTEM_ERR without
     waiting for the child to exit.

  o  Update man page.

[*] New compared to previous patch.

-- 
Jean-Sébastien Pédron
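
The wait-and-validate behaviour described in the message above, as an added example that is not code from the patch or from pam_exec itself: waitpid() is retried on EINTR, and a child's exit status is passed through only when it is on the caller's allow-list. The RC_* names and values, the allow-list, and the fork-only run_helper() are constructed stand-ins, and returning the service error for a signal-killed child is this example's own choice.

```c
#include <errno.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in codes with constructed values; real code uses the PAM headers. */
enum { RC_SUCCESS = 0, RC_SERVICE_ERR = 3, RC_PERM_DENIED = 7, RC_AUTH_ERR = 9 };
/* Hypothetical, abbreviated allow-list for one service function. */
static const int allowed[] = { RC_SUCCESS, RC_PERM_DENIED, RC_AUTH_ERR };

/* Wait for the child; a signal interrupting waitpid() is retried. */
static int wait_child(pid_t pid, int *status)
{
    while (waitpid(pid, status, 0) == -1)
        if (errno != EINTR)
            return -1;
    return 0;
}

/* Turn a wait status into the module's return value. */
int map_status(int status, int use_exit_status)
{
    int exited = WIFEXITED(status);
    if (!use_exit_status) /* default: any failure is a denial */
        return (exited && WEXITSTATUS(status) == 0) ? RC_SUCCESS : RC_PERM_DENIED;
    if (!exited) /* this example's choice for a signal-killed child */
        return RC_SERVICE_ERR;
    for (size_t i = 0; i < sizeof(allowed) / sizeof(allowed[0]); i++)
        if (allowed[i] == WEXITSTATUS(status))
            return allowed[i];
    return RC_SERVICE_ERR; /* exit code not valid for the caller */
}

/* Constructed stand-in for the exec'd program: the child exits with
 * child_exit, or kills itself when child_exit is negative. */
int run_helper(int child_exit, int use_exit_status)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        if (child_exit < 0)
            kill(getpid(), SIGKILL);
        _exit(child_exit);
    }
    if (pid == -1 || wait_child(pid, &status) == -1)
        return RC_SERVICE_ERR;
    return map_status(status, use_exit_status);
}
```

With the option off, any non-zero exit collapses to a denial; with it on, an exit code outside the allow-list (42 here) becomes the service error instead of reaching the PAM stack.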