pam_get_authtok() may be used any time that a password needs to be entered,
unlike pam_get_authtok_{no,}verify(), which may only be used when
changing a password; yet when the user aborts, it prints "Password change
aborted." whether or not that was the operation being performed.

This bug was non-obvious because none of the modules distributed with
Linux-PAM use it for anything but changing passwords; pam_unix has its
own utility function that it uses instead. As an example, the
nss-pam-ldapd package uses it in pam_sm_authenticate().

libpam/pam_get_authtok.c (pam_get_authtok_internal): check that the
password is trying to be changed before printing a message about the
password change being aborted.

if (retval != PAM_SUCCESS || resp[0] == NULL ||
(chpass > 1 && resp[1] == NULL))
{
- /* We want to abort the password change */
- pam_error (pamh, _("Password change aborted."));
+ /* We want to abort */
+ if (chpass)
+ pam_error (pamh, _("Password change aborted."));
return PAM_AUTHTOK_ERR;
}
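
Review bot: With the new `if (chpass)` guard, an abort during a plain authentication prompt (chpass == 0) returns PAM_AUTHTOK_ERR with no message at all, so the return code is the only signal a caller such as pam_sm_authenticate() receives. The shortened comment "We want to abort" no longer says what is being aborted; consider wording it to state that the message is printed only when a password change was in progress and that the silence is intentional otherwise. The surrounding condition tests `chpass > 1` while the new guard tests `if (chpass)`, so a short comment on what the values of chpass mean would make the two checks easier to read together.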