From: Luke Shumaker Date: Mon, 22 Dec 2014 20:46:43 +0000 (-0500) Subject: libpam: Only print "Password change aborted" when it's true. X-Git-Tag: Linux-PAM-1_2_0~18 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c1023edd3d2e9dcd83a7822f1830a69f51101334;p=linux-pam libpam: Only print "Password change aborted" when it's true. pam_get_authtok() may be used any time that a password needs to be entered, unlike pam_get_authtok_{no,}verify(), which may only be used when changing a password; yet when the user aborts, it prints "Password change aborted." whether or not that was the operation being performed. This bug was non-obvious because none of the modules distributed with Linux-PAM use it for anything but changing passwords; pam_unix has its own utility function that it uses instead. As an example, the nss-pam-ldapd package uses it in pam_sm_authenticate(). libpam/pam_get_authtok.c (pam_get_authtok_internal): check that the password is trying to be changed before printing a message about the password change being aborted. --- diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c index 31bb1627..663f1f36 100644 --- a/libpam/pam_get_authtok.c +++ b/libpam/pam_get_authtok.c @@ -151,8 +151,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item, if (retval != PAM_SUCCESS || resp[0] == NULL || (chpass > 1 && resp[1] == NULL)) { - /* We want to abort the password change */ - pam_error (pamh, _("Password change aborted.")); + /* We want to abort */ + if (chpass) + pam_error (pamh, _("Password change aborted.")); return PAM_AUTHTOK_ERR; }
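Review bot: In the error branch at `if (chpass)`, the path where chpass is 0 now returns PAM_AUTHTOK_ERR without printing anything, and the shortened comment `/* We want to abort */` no longer says why the message is conditional. If silence is the intended behaviour when a plain password prompt is aborted (the pam_sm_authenticate() case named in the commit message), say so in the comment, for example `/* Abort; report it only if a password change was in progress */`, so a later reader does not "restore" the unconditional pam_error(). If callers are expected to see some feedback on that path, a neutral message that does not mention a password change would be the alternative. A smaller style point: the condition just above tests `chpass > 1`, so writing the new test as `chpass > 0` or `chpass != 0` would make it clear that chpass is a count or mode rather than a boolean.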