From: Jean-Sébastien Pédron
Date: Tue, 24 Jan 2012 15:25:06 +0100
To: freebsd-current@freebsd.org
Cc: Pierre-Gilles Mialon, Romain Vrignaud
Subject: [patch] pam_exec: use program exit code instead of PAM_SYSTEM_ERR
Message-ID: <4F1EBF42.4050307@FreeBSD.org>

Hi,

If the specified program exits with non-zero, the current implementation of pam_exec(8) logs this code and returns PAM_SYSTEM_ERR. Therefore, applications have no idea what went wrong with authentication.

Attached is a patch that changes the behaviour to always return the program exit code as-is. This lets the program return meaningful information to applications. I also added a small paragraph explaining this to the man page.

I'm planning to commit this to -CURRENT (maybe in a week or two) and merge it to 9 and 8 if there're no objections.

Thanks for any comments!

-- 
Jean-Sébastien Pédron

Content-Disposition: attachment; filename="pam_exec-return-exit-code-c.patch"
diff --git a/lib/libpam/modules/pam_exec/pam_exec.8 b/lib/libpam/modules/pam_exec/pam_exec.8 index 311d64c..c5d2404 100644 --- a/lib/libpam/modules/pam_exec/pam_exec.8 +++ b/lib/libpam/modules/pam_exec/pam_exec.8 @@ -32,7 +32,7 @@ .\" .\" $FreeBSD$ .\" -.Dd February 1, 2005 +.Dd January 24, 2012 .Dt PAM_EXEC 8 .Os .Sh NAME @@ -59,6 +59,12 @@ variables: .Ev PAM_TTY , and .Ev PAM_USER . +.Pp +The program exit code should be one of the codes defined in +.Pa /usr/include/security/pam_constants.h +under section "XSSO 5.2". Authentication is successful if the return code is +.Er PAM_SUCCESS +(0), failed otherwise. .Sh SEE ALSO .Xr pam_get_item 3 , .Xr pam.conf 5 , diff --git a/lib/libpam/modules/pam_exec/pam_exec.c b/lib/libpam/modules/pam_exec/pam_exec.c index b7a870f..d497479 100644 --- a/lib/libpam/modules/pam_exec/pam_exec.c +++ b/lib/libpam/modules/pam_exec/pam_exec.c @@ -141,12 +141,7 @@ _pam_exec(pam_handle_t *pamh __unused, int flags __unused, openpam_log(PAM_LOG_ERROR, "unknown status 0x%x", status); return (PAM_SYSTEM_ERR); } - if (WEXITSTATUS(status) != 0) { - openpam_log(PAM_LOG_ERROR, "%s returned code %d", - argv[0], WEXITSTATUS(status)); - return (PAM_SYSTEM_ERR); - } - return (PAM_SUCCESS); + return (WEXITSTATUS(status)); } PAM_EXTERN int --------------070505030600020006010808--
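
Review bot: In the pam_exec.8 hunk, the new paragraph says the exit code "should be" one of the codes in pam_constants.h but does not say what the module returns when the program exits with a value outside that set. Suggest stating that case explicitly, and noting that an existing program that exits non-zero will now have its status handed to the application as a PAM code instead of PAM_SYSTEM_ERR. On style: "Authentication is successful if ..." should start on its own source line, as mdoc sources put each sentence on a new line, and PAM_SUCCESS is not an errno value, so .Dv fits better than .Er.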
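
Review bot: In the pam_exec.c hunk, "return (WEXITSTATUS(status));" passes the child's exit status to the caller without checking that it is one of the codes the man page hunk points to in pam_constants.h, so a program that exits with an arbitrary value for an unrelated reason decides the module's result. Suggest validating the status against the defined codes and falling back to PAM_SYSTEM_ERR otherwise, as the "unknown status" branch just above already does. The change also removes the openpam_log(PAM_LOG_ERROR, "%s returned code %d", ...) call, so a non-zero exit is no longer logged; consider keeping it so that failures stay visible in the logs.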