Date: Thu, 26 Jan 2012 12:07:46 +0200
From: Gleb Kurtsou <gleb.kurtsou@gmail.com>
To: Jean-Sébastien Pédron <dumbbell@FreeBSD.org>
Cc: Romain Vrignaud <romain@yakaz.com>, Pierre-Gilles Mialon <pierre-gilles@yakaz.com>, freebsd-current@freebsd.org
Subject: Re: [patch] pam_exec: use program exit code instead of PAM_SYSTEM_ERR
Message-ID: <20120126100745.GA62071@reks>
In-Reply-To: <4F1EBF42.4050307@FreeBSD.org>
References: <4F1EBF42.4050307@FreeBSD.org>

On (24/01/2012 15:25), Jean-Sébastien Pédron wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> If the specified program exits with non-zero, current implementation
> of pam_exec(8) logs this code and returns PAM_SYSTEM_ERR. Therefore,
> applications have no idea what went wrong with authentication.
>
> Attached is a patch that changes the behaviour to always return the
> program exit code as-is. This lets the program return meaningful
> information to applications.
>
> I also added a small paragraph explaining this to the man page.
>
> I'm planning to commit this to -CURRENT (maybe in a week or two) and
> merge it to 9 and 8 if there're no objections.

Please consider making it optional. It will break for generic
applications because pam_sm_chauthtok error codes are documented and
standardized. I'm not aware of any application that uses PAM error
constants as exit code.

Thanks,
Gleb.

>
> Thanks for any comments!
>
> - --
> Jean-Sébastien Pédron
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.18 (FreeBSD)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk8ev0IACgkQa+xGJsFYOlNjyACfSg6NgDLy+7VF6rEVV6yTINTd
> rlgAoNpgWLvYBEL2DCejuPDz0yQRf5QY
> =JEte
> -----END PGP SIGNATURE-----

> diff --git a/lib/libpam/modules/pam_exec/pam_exec.8 b/lib/libpam/modules/pam_exec/pam_exec.8 > index 311d64c..c5d2404 100644 > --- a/lib/libpam/modules/pam_exec/pam_exec.8 > +++ b/lib/libpam/modules/pam_exec/pam_exec.8 > @@ -32,7 +32,7 @@ > .\" > .\" $FreeBSD$ > .\" > -.Dd February 1, 2005 > +.Dd January 24, 2012 > .Dt PAM_EXEC 8 > .Os > .Sh NAME > @@ -59,6 +59,12 @@ variables: > .Ev PAM_TTY , > and > .Ev PAM_USER . > +.Pp > +The program exit code should be one of the codes defined in > +.Pa /usr/include/security/pam_constants.h > +under section "XSSO 5.2". Authentication is successful if the return code is > +.Er PAM_SUCCESS > +(0), failed otherwise. > .Sh SEE ALSO > .Xr pam_get_item 3 , > .Xr pam.conf 5 , 
> diff --git a/lib/libpam/modules/pam_exec/pam_exec.c b/lib/libpam/modules/pam_exec/pam_exec.c > index b7a870f..d497479 100644 > --- a/lib/libpam/modules/pam_exec/pam_exec.c > +++ b/lib/libpam/modules/pam_exec/pam_exec.c > @@ -141,12 +141,7 @@ _pam_exec(pam_handle_t *pamh __unused, int flags __unused, > openpam_log(PAM_LOG_ERROR, "unknown status 0x%x", status); > return (PAM_SYSTEM_ERR); > } > - if (WEXITSTATUS(status) != 0) { > - openpam_log(PAM_LOG_ERROR, "%s returned code %d", > - argv[0], WEXITSTATUS(status)); > - return (PAM_SYSTEM_ERR); > - } > - return (PAM_SUCCESS); > + return (WEXITSTATUS(status)); > } > > PAM_EXTERN int
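
Review bot: In the pam_exec.8 hunk at "@@ -59,6 +59,12 @@", the added paragraph says the exit code "should be one of the codes defined in" pam_constants.h but never says what the module does when the program exits with any other value, so the contract for a generic script is left undefined. Document the out-of-range case explicitly. The sentence "Authentication is successful if the return code is PAM_SUCCESS (0), failed otherwise" also describes only authentication, while the reply above raises pam_sm_chauthtok; phrase it as the result of whichever service function invoked the program. Style: in mdoc source, start "Authentication is successful" on its own line instead of continuing after "XSSO 5.2".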
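
Review bot: In the pam_exec.c hunk, the new "return (WEXITSTATUS(status));" hands whatever the program exited with back to the caller as a PAM result, with no check that the value is a defined PAM code, and the removed branch took the openpam_log(PAM_LOG_ERROR, "%s returned code %d", ...) call with it, so a non-zero exit is no longer logged anywhere. Keep the log line, return the exit code only when it falls inside the range of PAM error constants, and fall back to PAM_SYSTEM_ERR otherwise. Putting the pass-through behind a module option, as the reply asks, would leave existing configurations with their current behaviour.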
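
The opt-in behaviour requested in the reply, sketched as an added example that is not code from this thread or from FreeBSD's pam_exec. The names status_to_pam and run_and_map, the passthrough flag and the EX_PAM_* stand-in values are assumptions made here so the block builds without PAM headers.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-ins so the example builds without PAM headers (assumed values;
 * real code takes them from <security/pam_constants.h>). */
#define EX_PAM_SUCCESS     0
#define EX_PAM_SYSTEM_ERR  4
#define EX_PAM_NUM_ERRORS  30	/* assumed upper bound of defined codes */

/*
 * Map a wait(2) status to a PAM return value.
 * passthrough == 0: pre-patch behaviour, any non-zero exit becomes
 *                   PAM_SYSTEM_ERR.
 * passthrough != 0: hypothetical opt-in; exit codes inside the PAM range
 *                   are returned as-is, everything else still collapses
 *                   to PAM_SYSTEM_ERR.
 */
int
status_to_pam(int status, int passthrough)
{
	int code;

	if (!WIFEXITED(status))		/* killed by a signal, stopped, ... */
		return (EX_PAM_SYSTEM_ERR);
	code = WEXITSTATUS(status);
	if (code == 0)
		return (EX_PAM_SUCCESS);
	if (passthrough && code < EX_PAM_NUM_ERRORS)
		return (code);
	return (EX_PAM_SYSTEM_ERR);
}

/* Fork a child that exits with `code`, then map its wait status. */
int
run_and_map(int code, int passthrough)
{
	int status;
	pid_t pid = fork();

	if (pid == -1)
		return (EX_PAM_SYSTEM_ERR);
	if (pid == 0)
		_exit(code);		/* child: stands in for the program */
	if (waitpid(pid, &status, 0) == -1)
		return (EX_PAM_SYSTEM_ERR);
	return (status_to_pam(status, passthrough));
}
```

With the flag off, every non-zero exit still collapses to one error; with it on, only exit codes below the assumed bound reach the application, so a shell's 127 for "command not found" is never read as a PAM constant.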
