Re: [patch] pam_exec: use program exit code instead of PAM_SYSTEM_ERR

From: Jean-Sébastien Pédron <dumbbell_at_FreeBSD.org>
Date: Wed, 08 Feb 2012 18:11:36 +0100

On 01/26/2012 11:07, Gleb Kurtsou wrote:
> Please consider making it optional.  It will break for generic 
> applications because pam_sm_chauthtok error codes are documented
> and standardized. I'm not aware of any application that uses PAM
> error constants as exit code.

des_at_ reviewed the patch too and suggested the same thing. Therefore I
changed it to make this behaviour optional.

Here's a new patch:
http://people.freebsd.org/~dumbbell/pam_exec/pam_exec-return-exit-code-g.patch

The changes compared to the original pam_exec(8) are:

    o  [*] Add a "return_prog_exit_status" option to enable the
       behaviour.
       If this option is not enabled (default), the current behaviour
       remains. However, when the program fails, the return code is
       PAM_PERM_DENIED, not PAM_SYSTEM_ERR.
       If this option is enabled, the program exit status is used as
       the return value of the PAM service module function. If this
       code is invalid for the calling function, log an error and
       return PAM_SERVICE_ERR.

    o  New environment variables are set:
         - $PAM_SM_FUNC: the name of the PAM service module function
           (e.g. pam_sm_authenticate).
         - [*] The numerical values of all valid PAM return codes are
           available as environment variables ($PAM_SUCCESS,
           $PAM_USER_UNKNOWN, $PAM_PERM_DENIED, etc.).

    o  Change some return codes from PAM_SYSTEM_ERR to PAM_SERVICE_ERR.

    o  Change many log messages to include the PAM service module
       function name.

    o  waitpid() is now called in a loop. If it returned because of
       EINTR, do it again. Before, it would return PAM_SYSTEM_ERR
       without waiting for the child to exit.

    o  Update man page.

[*] New compared to previous patch.

-- 
Jean-Sébastien Pédron
Received on Wed Feb 08 2012 - 16:11:38 UTC
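
As an added illustration (not part of the original message or of the patch): a sketch of a program that pam_exec could run with "return_prog_exit_status" enabled, picking its exit status from $PAM_SM_FUNC and the $PAM_* code variables described above and denying when they are absent. The script name pam_allow.sh and the allowlist path are hypothetical; $PAM_USER is a variable pam_exec(8) already exports.

```shell
#!/bin/sh
# Added example, not from the patch: a program for pam_exec to run.
# ALLOW_FILE and the script name pam_allow.sh are hypothetical.
ALLOW_FILE=${ALLOW_FILE:-/usr/local/etc/pam_allow.users}

# Print the number held in the environment variable named $1.
# If it is unset or not a plain number (for example a pam_exec without
# this patch), print the fallback $2, default 1: a non-zero status is
# never PAM_SUCCESS, so the fallback still denies.
pam_code() {
    eval "_v=\${$1:-}"
    case "$_v" in
        ''|*[!0-9]*) echo "${2:-1}" ;;
        *) echo "$_v" ;;
    esac
}

# Print the exit status to hand back for the current PAM call.
decide() {
    user=${PAM_USER:-}
    case "${PAM_SM_FUNC:-}" in
        pam_sm_acct_mgmt)
            if [ -z "$user" ]; then
                pam_code PAM_USER_UNKNOWN
            elif grep -Fqx -- "$user" "$ALLOW_FILE" 2>/dev/null; then
                pam_code PAM_SUCCESS 0
            else
                pam_code PAM_PERM_DENIED
            fi ;;
        *)
            # Unset or unexpected function name: refuse rather than guess.
            pam_code PAM_PERM_DENIED ;;
    esac
}

# Act as the pam_exec program only when installed under its own name.
case "${0##*/}" in
    pam_allow.sh) exit "$(decide)" ;;
esac
```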
