Relevant BUGIDs: 483959, 113596

Purpose of commit: bugfix

Commit summary:
---------------
 * Restore pam_unix's handling of 'likeauth' argument to a known working
   state
 * prettify AUTH_RETURN macro
 * remove redundant argv checks in pam_sm_setcred()

diff --git a/CHANGELOG b/CHANGELOG
index 8e8417fc9bc8d154b1fcd4c403f2e57ab986c8e8..1e69e29b4b38a40537170f149296308841c814ac 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -49,6 +49,9 @@ bug report - outstanding bugs are listed here:
 0.76: please submit patches for this section with actual code/doc
       patches!
 
+* pam_unix: restore handling of 'likeauth' argument to a known working
+  state; prettify AUTH_RETURN macro; remove redundant argv checks in
+  pam_sm_setcred() (Bugs 483959, 113596 - vorlon)
 * pam_cracklib: another try at implementing similar() from Harald
   Welte and Nalin (Bugs 436053, 476957 - agmorgan)
 * documentation: random typo fixes from Nalin (Bug 476949 - agmorgan)

diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c
index f55ae4693e2c465d8aeb14581537f1992423a850..a42e492669f93ef4c4d9c277df7a02a11060ce6f 100644 (file)
--- a/modules/pam_unix/pam_unix_auth.c
+++ b/modules/pam_unix/pam_unix_auth.c
@@ -81,28 +81,34 @@
 #define _UNIX_AUTHTOK  "-UN*X-PASS"
 
 #define AUTH_RETURN                                            \
-{                                                              \
-       if (on(UNIX_LIKE_AUTH, ctrl)) {                         \
+do {                                                           \
+       if (on(UNIX_LIKE_AUTH, ctrl) && ret_data) {             \
                D(("recording return code for next time [%d]",  \
                                        retval));               \
+               *ret_data = retval;                             \
                pam_set_data(pamh, "unix_setcred_return",       \
-                               (void *) retval, NULL);         \
+                               (void *) ret_data, NULL);       \
        }                                                       \
        D(("done. [%s]", pam_strerror(pamh, retval)));          \
        return retval;                                          \
-}
+} while (0)
 
 PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags
                                   ,int argc, const char **argv)
 {
        unsigned int ctrl;
-       int retval;
+       int retval, *ret_data = NULL;
        const char *name, *p;
 
        D(("called."));
 
        ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
 
+       /* Get a few bytes so we can pass our return value to
+          pam_sm_setcred(). */
+       if (on(UNIX_LIKE_AUTH, ctrl))
+               ret_data = malloc(sizeof(int));
+
        /* get the user'name' */
 
        retval = pam_get_user(pamh, &name, "login: ");
@@ -116,7 +122,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags
                if (name == NULL || !isalnum(*name)) {
                        _log_err(LOG_ERR, pamh, "bad username [%s]", name);
                        retval = PAM_USER_UNKNOWN;
-                       AUTH_RETURN
+                       AUTH_RETURN;
                }
                if (retval == PAM_SUCCESS && on(UNIX_DEBUG, ctrl))
                        D(("username [%s] obtained", name));
@@ -129,7 +135,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags
                         */
                        retval = PAM_INCOMPLETE;
                }
-               AUTH_RETURN
+               AUTH_RETURN;
        }
 
        /* if this user does not have a password... */
@@ -138,7 +144,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags
                D(("user '%s' has blank passwd", name));
                name = NULL;
                retval = PAM_SUCCESS;
-               AUTH_RETURN
+               AUTH_RETURN;
        }
        /* get this user's authentication token */
 
@@ -157,7 +163,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags
                        retval = PAM_INCOMPLETE;
                }
                name = NULL;
-               AUTH_RETURN
+               AUTH_RETURN;
        }
        D(("user=%s, password=[%s]", name, p));
 
@@ -165,7 +171,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags
        retval = _unix_verify_password(pamh, name, p, ctrl);
        name = p = NULL;
 
-       AUTH_RETURN
+       AUTH_RETURN;
 }
 
 
@@ -181,29 +187,24 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags
 PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh, int flags
                              ,int argc, const char **argv)
 {
-       unsigned int ctrl;
        int retval;
+       int *pretval = NULL;
 
        D(("called."));
 
-       /* FIXME: it shouldn't be necessary to parse the arguments again. The
-          only argument we need is UNIX_LIKE_AUTH: if it was set,
-          pam_get_data will succeed. If it wasn't, it will fail, and we
-          return PAM_SUCCESS.  -SRL */
-       ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
        retval = PAM_SUCCESS;
 
-       if (on(UNIX_LIKE_AUTH, ctrl)) {
-               int *pretval = NULL;
-
-               D(("recovering return code from auth call"));
-               pam_get_data(pamh, "unix_setcred_return", (const void **) pretval);
-               if(pretval) {
-                       retval = *pretval;
-                       free(pretval);
-                       D(("recovered data indicates that old retval was %d", retval));
-               }
+       D(("recovering return code from auth call"));
+       /* We will only find something here if UNIX_LIKE_AUTH is set -- 
+          don't worry about an explicit check of argv. */
+       pam_get_data(pamh, "unix_setcred_return", (const void **) &pretval);
+       pam_set_data(pamh, "unix_setcred_return", NULL, NULL);
+       if(pretval) {
+               retval = *pretval;
+               free(pretval);
+               D(("recovered data indicates that old retval was %d", retval));
        }
+
        return retval;
 }