On (24/01/2012 15:25), Jean-Sébastien Pédron wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> If the specified program exits with non-zero, current implementation
> of pam_exec(8) logs this code and returns PAM_SYSTEM_ERR. Therefore,
> applications have no idea what went wrong with authentication.
>
> Attached is a patch that changes the behaviour to always return the
> program exit code as-is. This lets the program return meaningful
> information to applications.
>
> I also added a small paragraph explaining this to the man page.
>
> I'm planning to commit this to -CURRENT (maybe in a week or two) and
> merge it to 9 and 8 if there're no objections.

Please consider making it optional. It will break for generic applications
because pam_sm_chauthtok error codes are documented and standardized.
I'm not aware of any application that uses PAM error constants as exit code.

Thanks,
Gleb.

>
> Thanks for any comments!
>
> - --
> Jean-Sébastien Pédron
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.18 (FreeBSD)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk8ev0IACgkQa+xGJsFYOlNjyACfSg6NgDLy+7VF6rEVV6yTINTd
> rlgAoNpgWLvYBEL2DCejuPDz0yQRf5QY
> =JEte
> -----END PGP SIGNATURE-----
> diff --git a/lib/libpam/modules/pam_exec/pam_exec.8 b/lib/libpam/modules/pam_exec/pam_exec.8 > index 311d64c..c5d2404 100644 > --- a/lib/libpam/modules/pam_exec/pam_exec.8 > +++ b/lib/libpam/modules/pam_exec/pam_exec.8 > _at__at_ -32,7 +32,7 _at__at_ > .\" > .\" $FreeBSD$ > .\" > -.Dd February 1, 2005 > +.Dd January 24, 2012 > .Dt PAM_EXEC 8 > .Os > .Sh NAME > _at__at_ -59,6 +59,12 _at__at_ variables: > .Ev PAM_TTY , > and > .Ev PAM_USER . > +.Pp > +The program exit code should be one of the codes defined in > +.Pa /usr/include/security/pam_constants.h > +under section "XSSO 5.2". Authentication is successful if the return code is > +.Er PAM_SUCCESS > +(0), failed otherwise. > .Sh SEE ALSO > .Xr pam_get_item 3 , > .Xr pam.conf 5 , 
> diff --git a/lib/libpam/modules/pam_exec/pam_exec.c b/lib/libpam/modules/pam_exec/pam_exec.c > index b7a870f..d497479 100644 > --- a/lib/libpam/modules/pam_exec/pam_exec.c > +++ b/lib/libpam/modules/pam_exec/pam_exec.c > _at__at_ -141,12 +141,7 _at__at_ _pam_exec(pam_handle_t *pamh __unused, int flags __unused, > openpam_log(PAM_LOG_ERROR, "unknown status 0x%x", status); > return (PAM_SYSTEM_ERR); > } > - if (WEXITSTATUS(status) != 0) { > - openpam_log(PAM_LOG_ERROR, "%s returned code %d", > - argv[0], WEXITSTATUS(status)); > - return (PAM_SYSTEM_ERR); > - } > - return (PAM_SUCCESS); > + return (WEXITSTATUS(status)); > } > > PAM_EXTERN int
Received on Thu Jan 26 2012 - 09:38:39 UTC
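
Review bot: In the pam_exec.8 hunk at -59,6 +59,12, the added paragraph says the exit code "should be" one of the codes in pam_constants.h but does not say what the module returns when the program exits with a value that is not one of them, and it speaks only of authentication although the reply above points out that pam_sm_chauthtok has its own documented codes. Suggest stating the result for an out-of-range exit code and wording the last sentence in terms of the calling service function rather than authentication. Style point: `.Er` is the mdoc macro for errno names, so `.Dv PAM_SUCCESS` fits a PAM constant better.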
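
Review bot: In the pam_exec.c hunk at -141,12 +141,7, `return (WEXITSTATUS(status));` hands the child's exit status to the PAM stack without checking that it is a defined PAM code, and the change also drops the `openpam_log(PAM_LOG_ERROR, "%s returned code %d", ...)` call that recorded a non-zero exit. A program not written for this convention, one that exits 1 or 2 on any error, would now be reported as whichever PAM constant has that number instead of PAM_SYSTEM_ERR. Suggest keeping the log line, returning PAM_SYSTEM_ERR for a status outside the codes listed in pam_constants.h, and putting the pass-through behind a module option, as the reply asks.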