Relevant BUGIDs: none
authorThorsten Kukuk <kukuk@thkukuk.de>
Thu, 18 Aug 2005 11:22:19 +0000 (11:22 +0000)
committerThorsten Kukuk <kukuk@thkukuk.de>
Thu, 18 Aug 2005 11:22:19 +0000 (11:22 +0000)
Purpose of commit: bugfix

Commit summary:
---------------

Be fail-close on user lookups, always log failures, not just with "debug".

Based on patch for Linux-PAM-0.75 from Solar Designer.

CHANGELOG
modules/pam_securetty/pam_securetty.c

index 25663bfc423de5d7e3b91e060d70f8ddba6bfbc1..62e26283a483ce00b96fdc416af210eadd8e690a 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -74,6 +74,8 @@ BerliOS Bugs are marked with (BerliOS #XXXX).
 * pam_userdb: Fix regression - crash when crypt param not specified (t8m)
 * libpam: Remove pam_authenticate_secondary stub (kukuk)
 * Use autoconf/automake/libtool (kukuk)
+* pam_securetty: Be fail-close on user lookups, always log failures,
+  not just with "debug" (Solar Designer)
 
 0.80: Wed Jul 13 13:23:20 CEST 2005
 * pam_tally: test for NULL data before dereferencing them (t8m)
index 7a29d95652edd2fdaf3d13dc89f963010ba2a222..c45ef3514e13085aa7dae3665c8c9b1411b482d4 100644 (file)
@@ -93,15 +93,13 @@ static int securetty_perform_check(pam_handle_t *pamh, int flags, int ctrl,
 
     retval = pam_get_user(pamh, &username, NULL);
     if (retval != PAM_SUCCESS || username == NULL) {
-       if (ctrl & PAM_DEBUG_ARG) {
-            _pam_log(LOG_WARNING, "cannot determine username");
-       }
+       _pam_log(LOG_WARNING, "cannot determine username");
        return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE:PAM_SERVICE_ERR);
     }
 
     user_pwd = _pammodutil_getpwnam(pamh, username);
     if (user_pwd == NULL) {
-       return PAM_IGNORE;
+       return PAM_USER_UNKNOWN;
     } else if (user_pwd->pw_uid != 0) { /* If the user is not root,
                                           securetty's does not apply
                                           to them */
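Review bot: The `user_pwd == NULL` branch now fails closed with `PAM_USER_UNKNOWN` but returns silently, although the commit's stated aim is to always log failures and the two other failure paths it touches now log unconditionally. A line such as `_pam_log(LOG_WARNING, "user lookup failed");` before the return would leave a trace when this module denies a login. Keep the username out of that message, since a password typed at the name prompt would otherwise end up in syslog. A short comment such as `/* fail closed: a name that cannot be resolved must not bypass the tty check */` would also record why `PAM_IGNORE` was dropped. The body of securetty_perform_check starts and ends outside this hunk.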
@@ -111,9 +109,7 @@ static int securetty_perform_check(pam_handle_t *pamh, int flags, int ctrl,
     retval = pam_get_item(pamh, PAM_TTY, &void_uttyname);
     uttyname = void_uttyname;
     if (retval != PAM_SUCCESS || uttyname == NULL) {
-        if (ctrl & PAM_DEBUG_ARG) {
-            _pam_log(LOG_WARNING, "cannot determine user's tty");
-       }
+        _pam_log(LOG_WARNING, "cannot determine user's tty");
        return PAM_SERVICE_ERR;
     }