From 4e53d8d8c64e89a05c24e4a208675f28680f7aa7 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk
Date: Tue, 17 Feb 2009 16:34:47 +0000
Subject: [PATCH] Relevant BUGIDs: bugzilla.novell.com#470337
Purpose of commit: bugfix
Commit summary:
---------------
2009-02-17 Thorsten Kukuk
* doc/man/pam_sm_chauthtok.3.xml: Document that sufficient
can break the PRELIM_CHECK chain.
* libpam/pam_dispatch.c: Don't freeze chain for chauthtok
[bugzilla.novell.com#470337]
---
 ChangeLog | 8 ++++++++
 doc/man/pam_sm_chauthtok.3.xml | 37 +++++++++++++++++++---------------
 libpam/pam_dispatch.c | 12 ++++-------
 3 files changed, 33 insertions(+), 24 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index fc3ed661..402e54fe 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2009-02-17 Thorsten Kukuk
+
+ * doc/man/pam_sm_chauthtok.3.xml: Document that sufficient
+ can break the PRELIM_CHECK chain.
+
+ * libpam/pam_dispatch.c: Don't freeze chain for chauthtok
+ [bugzilla.novell.com#470337]
+
 2009-02-11 Daniel Nylander
 * po/sv.po: Updated translations.
diff --git a/doc/man/pam_sm_chauthtok.3.xml b/doc/man/pam_sm_chauthtok.3.xml
index c36a0baf..40ab191e 100644
--- a/doc/man/pam_sm_chauthtok.3.xml
+++ b/doc/man/pam_sm_chauthtok.3.xml
@@ -40,7 +40,7 @@ interface.
- This function is used to (re-)set the authentication token of the user.
+ This function is used to (re-)set the authentication token of the user.
 Valid flags, which may be logically OR'd with
@@ -60,10 +60,10 @@ This argument indicates to the module that the users
- authentication token (password) should only be changed if
- it has expired. This flag is optional and
- must be combined with one of the
- following two flags. Note, however, the following two options
+ authentication token (password) should only be changed if
+ it has expired. This flag is optional and
+ must be combined with one of the
+ following two flags. Note, however, the following two options
 are mutually exclusive.
@@ -72,15 +72,20 @@ PAM_PRELIM_CHECK - This indicates that the modules are being probed as to - their ready status for altering the user's authentication - token. If the module requires access to another system over - some network it should attempt to verify it can connect to - this system on receiving this flag. If a module cannot establish - it is ready to update the user's authentication token it should return PAM_TRY_AGAIN, this information will be passed back to the application. + + If the control value sufficient is used in the password stack, the PAM_PRELIM_CHECK section of the modules following that control value is not always executed. +
@@ -89,18 +94,18 @@ This informs the module that this is the call it should change the authorization tokens. If the flag is logically OR'd with
- PAM_CHANGE_EXPIRED_AUTHTOK, the
+ PAM_CHANGE_EXPIRED_AUTHTOK, the
 token is only changed if it has actually expired.
- The PAM library calls this function twice in succession. The first
- time with PAM_PRELIM_CHECK and then,
- if the module does not return
+ The PAM library calls this function twice in succession. The first
+ time with PAM_PRELIM_CHECK and then,
+ if the module does not return
 PAM_TRY_AGAIN, subsequently with
- PAM_UPDATE_AUTHTOK. It is only on
+ PAM_UPDATE_AUTHTOK. It is only on
 the second call that the authorization token is (possibly) changed.
diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c
index 42482573..98c69c60 100644
--- a/libpam/pam_dispatch.c
+++ b/libpam/pam_dispatch.c
@@ -132,11 +132,10 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
 }
 /*
- * use_cached_chain is how we ensure that the setcred/close_session
- * and chauthtok(2) modules are called in the same order as they did
- * when they were invoked as auth/open_session/chauthtok(1). This
- * feature was added in 0.75 to make the behavior of pam_setcred
- * sane. It was debugged by release 0.76.
+ * use_cached_chain is how we ensure that the setcred and
+ * close_session modules are called in the same order as they did
+ * when they were invoked as auth/open_session. This feature was
+ * added in 0.75 to make the behavior of pam_setcred sane.
 */
 if (use_cached_chain != _PAM_PLEASE_FREEZE) {
@@ -358,9 +357,6 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
 break;
 case PAM_CHAUTHTOK:
 h = pamh->handlers.conf.chauthtok;
- if (flags & PAM_UPDATE_AUTHTOK) {
- use_cached_chain = _PAM_MUST_BE_FROZEN;
- }
 break;
 default:
 pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
--
2.40.0
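Review bot: The `case PAM_CHAUTHTOK:` arm now drops the freeze without a word at the site, and the consequence is security-relevant: the PAM_UPDATE_AUTHTOK pass re-walks the password stack instead of replaying the chain recorded during PAM_PRELIM_CHECK, so a module behind a `sufficient` entry (or one whose two passes return differently) can be told to change the token without ever having been probed for readiness — the man-page hunk admits as much, the code does not. I would put the rationale next to `h = pamh->handlers.conf.chauthtok;` so the freeze is not reintroduced and the trade-off stays visible: `/* Deliberately not frozen (bnc#470337): PAM_UPDATE_AUTHTOK evaluates the control flow afresh rather than replaying the PAM_PRELIM_CHECK pass, so modules after a "sufficient" entry are still reached; a module must not assume its PRELIM_CHECK ran before UPDATE. */`. If chauthtok now falls through to the `_PAM_PLEASE_FREEZE` default set outside the hunk, both passes will keep writing `h->cached_retval` for the password stack with nothing left to read it, which looks harmless but deserves a sentence in the rewritten comment in the first hunk. Both `_pam_dispatch_aux` and `_pam_dispatch` start and end outside the hunk.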