On 26.01.2012 11:07, Gleb Kurtsou wrote:
> On (24/01/2012 15:25), Jean-Sébastien Pédron wrote:
>> Attached is a patch that changes the behaviour to always return
>> the program exit code as-is.
>
> Please consider making it optional. It will break for generic
> applications because pam_sm_chauthtok error codes are documented
> and standardized.

You're right, thanks. I attached a new patch with the following changes:

  o Instead of making it optional, I preferred to check the exit code
    for each pam_sm_* function supported. Here are the rules:
      - If the code is allowed, it's returned as is.
      - If the exit code is 1 (not an allowed PAM code here),
        PAM_PERM_DENIED is returned. I added this because 1 is a
        common exit code for errors.
      - For any other code, a message is logged about this invalid
        value and PAM_SERVICE_ERR is returned.

  o I changed the return code from PAM_SYSTEM_ERR to PAM_SERVICE_ERR
    for the WIFSIGNALED(status) and !WIFEXITED(status) cases.
    PAM_SYSTEM_ERR is still returned if a syscall fails.

  o A new environment variable is set before calling the program:
    PAM_SM_FUNC. It contains the name of the pam_sm_* function. The
    program can use it to determine which exit codes are allowed.

  o The pam_sm_* function name is also added to messages logged from
    _pam_exec().

  o waitpid() is now called in a loop. If it returned because of
    EINTR, do it again. Before, it would return PAM_SYSTEM_ERR
    without waiting for the child to exit.

I expanded the man page with this information.

Again, thanks for your comments! If you have more, they're welcome :)

-- 
Jean-Sébastien Pédron
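The exit-code rules and the waitpid() retry described in the message, as an added sketch that is not the attached patch or pam_exec's own code. Assumptions: the PAM constants are local stand-ins, the allow-list for pam_sm_authenticate is hypothetical (the message does not list the allowed codes), and `map_status` and `run_helper` are illustrative names.

```c
#define _POSIX_C_SOURCE 200809L   /* for setenv() under strict -std= modes */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in values so this builds without PAM headers (assumption: a real
 * module takes these constants from its PAM implementation's headers). */
enum { PAM_SUCCESS = 0, PAM_SERVICE_ERR = 3, PAM_SYSTEM_ERR = 4,
       PAM_PERM_DENIED = 7, PAM_AUTH_ERR = 9, PAM_USER_UNKNOWN = 13 };
/* Hypothetical allow-list for pam_sm_authenticate; the message gives none. */
static const int auth_ok[] = { PAM_SUCCESS, PAM_SERVICE_ERR, PAM_SYSTEM_ERR,
                               PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_USER_UNKNOWN };

/* Translate a wait status into a PAM return code per the message's rules. */
static int map_status(const char *func, int status)
{
    if (!WIFEXITED(status)) {   /* killed by a signal or otherwise abnormal */
        fprintf(stderr, "%s: helper did not exit normally\n", func);
        return PAM_SERVICE_ERR;
    }
    int code = WEXITSTATUS(status);
    for (size_t i = 0; i < sizeof auth_ok / sizeof auth_ok[0]; i++)
        if (auth_ok[i] == code) return code;      /* allowed: returned as is */
    if (code == 1) return PAM_PERM_DENIED;        /* common generic failure */
    fprintf(stderr, "%s: invalid exit code %d\n", func, code);
    return PAM_SERVICE_ERR;
}

/* Run `script` under /bin/sh with PAM_SM_FUNC set, then map its status. */
static int run_helper(const char *func, const char *script)
{
    int status;
    pid_t r, pid = fork();
    if (pid == -1) return PAM_SYSTEM_ERR;         /* syscall failure */
    if (pid == 0) {
        setenv("PAM_SM_FUNC", func, 1);
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);                               /* exec failed */
    }
    do r = waitpid(pid, &status, 0); while (r == -1 && errno == EINTR);
    return r == -1 ? PAM_SYSTEM_ERR : map_status(func, status);
}

int main(void)
{
    return run_helper("pam_sm_authenticate", "exit 1") == PAM_PERM_DENIED ? 0 : 1;
}
```

A failed exec surfaces as exit code 127, which is outside the allow-list and therefore maps to PAM_SERVICE_ERR instead of leaking through as an arbitrary return value.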