Re: [patch] pam_exec: use program exit code instead of PAM_SYSTEM_ERR

From: Jean-Sébastien Pédron <dumbbell_at_FreeBSD.org>
Date: Fri, 27 Jan 2012 18:34:19 +0100

On 26.01.2012 11:07, Gleb Kurtsou wrote:
> On (24/01/2012 15:25), Jean-Sébastien Pédron wrote:
>> Attached is a patch that changes the behaviour to always return
>> the program exit code as-is.
> 
> Please consider making it optional.  It will break for generic 
> applications because pam_sm_chauthtok error codes are documented
> and standardized.

You're right, thanks. I attached a new patch with the following changes:

    o  Instead of making it optional, I preferred to check the exit
       code for each supported pam_sm_* function. Here are the rules:
           - If the code is allowed, it's returned as is.
           - If the exit code is 1 (not an allowed PAM code here),
             PAM_PERM_DENIED is returned. I added this because 1 is a
             common exit code for errors.
           - For any other codes, a message is logged about this
             invalid value and PAM_SERVICE_ERR is returned.

    o  I changed return code from PAM_SYSTEM_ERR to PAM_SERVICE_ERR for
       the WIFSIGNALED(status) and !WIFEXITED(status) cases.
       PAM_SYSTEM_ERR is still returned if a syscall fails.

    o  A new environment variable is set before calling the program:
       PAM_SM_FUNC. It contains the name of the pam_sm_* function. The
       program can use it to determine which exit codes are allowed.

    o  The pam_sm_* function name is also added to messages logged from
       _pam_exec().

    o  waitpid() is now called in a loop. If it returned because of
       EINTR, do it again. Before, it would return PAM_SYSTEM_ERR
       without waiting for the child to exit.

I expanded the man page with this information.

Again, thanks for your comments! If you have more, they're welcome :)

-- 
Jean-Sébastien Pédron

Received on Fri Jan 27 2012 - 16:34:25 UTC
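
The exit-status handling described in the message above, as an added example that is not part of the original post or of the attached patch. The numeric PAM values, the pam_sm_chauthtok allow-list and the names child_to_pam() and run_case() are assumptions made for this sketch.

```c
#include <errno.h>
#include <signal.h>
#include <sys/wait.h>
#include <syslog.h>
#include <unistd.h>

/* Stand-in values for this example; real code uses <security/pam_appl.h>. */
enum { PAM_SUCCESS = 0, PAM_SERVICE_ERR = 3, PAM_SYSTEM_ERR = 4,
       PAM_PERM_DENIED = 7, PAM_AUTHTOK_ERR = 20 };

/* Assumed allow-list for pam_sm_chauthtok (illustrative subset only). */
static const int chauthtok_ok[] = { PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTHTOK_ERR };

/* Wait for the child and translate its status by the rules in the message. */
int child_to_pam(pid_t pid, const char *func, const int *allowed, size_t n)
{
    int status;
    while (waitpid(pid, &status, 0) == -1) {
        if (errno == EINTR)
            continue;               /* interrupted: keep waiting for the child */
        return PAM_SYSTEM_ERR;      /* the syscall itself failed */
    }
    if (!WIFEXITED(status))         /* killed by a signal, or otherwise abnormal */
        return PAM_SERVICE_ERR;

    int code = WEXITSTATUS(status);
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == code)
            return code;            /* allowed for this function: pass through */
    if (code == 1)
        return PAM_PERM_DENIED;     /* common generic failure exit code */
    syslog(LOG_ERR, "%s: invalid exit code %d", func, code);
    return PAM_SERVICE_ERR;         /* anything else fails closed */
}

/* Hypothetical stand-in for the executed program: exits with `code`, or dies by `sig`. */
int run_case(int code, int sig)
{
    pid_t pid = fork();
    if (pid == 0) {
        if (sig != 0)
            raise(sig);
        _exit(code);
    }
    if (pid == -1)
        return PAM_SYSTEM_ERR;
    return child_to_pam(pid, "pam_sm_chauthtok", chauthtok_ok,
                        sizeof(chauthtok_ok) / sizeof(chauthtok_ok[0]));
}
```

Every path that is not an explicitly allowed code ends in a failure value, so a crashed or misbehaving helper program cannot be read as success.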
