* src/login.c: Open the PAM session before pam_setcred and before

	initgroups. This is more consistent with rfc86.0.

diff --git a/ChangeLog b/ChangeLog
index 37463eb4b9067710d3aa9db0edae36ea82b3dce5..de02729a6d1b4ddd052c7b2d45408b29e7e05276 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2009-04-20  Nicolas François  <nicolas.francois@centraliens.net>
+
+       * src/login.c: Open the PAM session before pam_setcred and before
+       initgroups. This is more consistent with rfc86.0.
+
 2009-04-20  Nicolas François  <nicolas.francois@centraliens.net>
 
        * src/login.c: Added helper functions get_pam_user() and

diff --git a/src/login.c b/src/login.c
index 7a05d2d40b54a74b5ba5dd9dab3de27ea92935e6..a5a0063a09b4701217dcc234f8543f19e130f7d5 100644 (file)
--- a/src/login.c
+++ b/src/login.c
@@ -849,6 +849,11 @@ int main (int argc, char **argv)
        }
        PAM_FAIL_CHECK;
 
+       /* Open the PAM session */
+       get_pam_user (&pam_user);
+       retcode = pam_open_session (pamh, hushed (pam_user) ? PAM_SILENT : 0);
+       PAM_FAIL_CHECK;
+
        /* Grab the user information out of the password file for future usage
         * First get the username that we are actually using, though.
         *
@@ -880,9 +885,9 @@ int main (int argc, char **argv)
 
        retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED);
        PAM_FAIL_CHECK;
-
-       retcode = pam_open_session (pamh, hushed (username) ? PAM_SILENT : 0);
-       PAM_FAIL_CHECK;
+       /* NOTE: If pam_setcred changes PAM_USER, this will not be taken
+        * into account.
+        */
 
 #else                          /* ! USE_PAM */
        while (true) {  /* repeatedly get login/password pairs */