Re: couldn't log on to my -CURRENT machine after upgrade to latest PAM

From: Don Lewis <truckman_at_FreeBSD.org>
Date: Mon, 9 Jan 2012 06:25:48 -0800 (PST)
On  9 Jan, Dag-Erling Smørgrav wrote:
> Don Lewis <truckman_at_FreeBSD.org> writes:
>> The documentation says that /etc/pam.conf is only used if
>> /etc/pam.d/service-name isn't found, and the code appears to agree
>> with that, however this doesn't seem to be working as expected after
>> the latest import of PAM.
> 
> The culprit was this commit:
> 
> http://trac.des.no/openpam/changeset/487/trunk/lib/openpam_configure.c
> 
> However, I'm not confident that simply reverting this commit is the
> right way to go.

Thanks for the detective work.  It looks to me like the bug is caused by
the change in the openpam_parse_chain() return value.  In the previous
code it returned the value of count, which I would guess was greater
than zero if it found something.  In that case, the for loop in
openpam_load_chain() would be terminated because r != 0.  In the new
code, openpam_parse_chain() will return PAM_SUCCESS if it found
something, and the loop in openpam_load_chain() will go through another
iteration because ret == PAM_SUCCESS.  I think the code around the end
of the loop should look more like:
		if (ret == PAM_SUCCESS)
			break;
	}
	return (ret);
}
Received on Mon Jan 09 2012 - 13:27:13 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:23 UTC