From: Todd C. Miller
Date: Sun, 20 Jan 2002 00:46:44 +0000 (+0000)
Subject: Don't check the return value of pam_setcred(). In Linux-PAM 0.75
X-Git-Tag: SUDO_1_6_6~26
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3a6c0ea2e67197df1ab29624d02240b7b8d79069;p=sudo

Don't check the return value of pam_setcred(). In Linux-PAM 0.75 pam_setcred() returns the last saved return code, not the return code for the setcred module. Because we haven't called pam_authenticate(), this is not set and so pam_setcred() returns PAM_PERM_DENIED.
---
diff --git a/auth/pam.c b/auth/pam.c
index a1fc4b62a..c375c83e4 100644
--- a/auth/pam.c
+++ b/auth/pam.c
@@ -163,7 +163,6 @@ pam_prep_user(pw)
 struct pam_conv pam_conv;
 pam_handle_t *pamh;
 const char *s;
- int error;

 /* We need to setup a new PAM session for the user we are changing *to*. */
 pam_conv.conv = sudo_conv;
@@ -176,16 +175,19 @@ pam_prep_user(pw)
 if (strcmp(user_tty, "unknown"))
 (void) pam_set_item(pamh, PAM_TTY, user_tty);

- /* Set credentials (may include resource limits, device ownership, etc). */
- if ((error = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
- if ((s = pam_strerror(pamh, error)))
- log_error(NO_EXIT|NO_MAIL, "pam_setcred: %s", s);
- }
-
- if (pam_end(pamh, error) != PAM_SUCCESS)
+ /*
+ * Set credentials (may include resource limits, device ownership, etc).
+ * We don't check the return value here because in Linux-PAM 0.75
+ * it returns the last saved return code, not the return code
+ * for the setcred module. Because we haven't called pam_authenticate(),
+ * this is not set and so pam_setcred() returns PAM_PERM_DENIED.
+ */
+ (void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
+
+ if (pam_end(pamh, PAM_SUCCESS) == PAM_SUCCESS)
+ return(PAM_SUCCESS);
+ else
 return(AUTH_FAILURE);
-
- return(error == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE);
 }

 /*
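Review bot: The success branch at the end of the second hunk now returns `PAM_SUCCESS` while the failure branch still returns `AUTH_FAILURE`, so pam_prep_user() mixes two status namespaces and only stays correct for callers that test against AUTH_SUCCESS if the two constants happen to be equal; `return(AUTH_SUCCESS);` keeps the contract the removed return line had. Discarding the pam_setcred() result also removes the `log_error` call, so on a PAM implementation that does report the setcred module's own status, a failure to apply resource limits or device ownership for the target user would leave no trace; it seems worth limiting the workaround to the affected library, or at least stating that trade-off in the new comment. `const char *s` remains declared in the first hunk although its only visible use is deleted here, so it should be removed as well if nothing outside the hunks uses it. The function starts before the first hunk and the lines between the two hunks are not shown, so that last point needs checking against the full body.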