commit c1023edd3d2e9dcd83a7822f1830a69f51101334
Author: Luke Shumaker <lukeshu(a)sbcglobal.net>
Date: Mon Dec 22 15:46:43 2014 -0500
libpam: Only print "Password change aborted" when it's true.

pam_get_authtok() may be used any time that a password needs to be entered,
unlike pam_get_authtok_{no,}verify(), which may only be used when
changing a password; yet when the user aborts, it prints "Password change
aborted." whether or not that was the operation being performed.

This bug was non-obvious because none of the modules distributed with
Linux-PAM use it for anything but changing passwords; pam_unix has its
own utility function that it uses instead. As an example, the
nss-pam-ldapd package uses it in pam_sm_authenticate().

libpam/pam_get_authtok.c (pam_get_authtok_internal): check that the
password is trying to be changed before printing a message about the
password change being aborted.
libpam/pam_get_authtok.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
---
diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c
index 31bb162..663f1f3 100644
--- a/libpam/pam_get_authtok.c
+++ b/libpam/pam_get_authtok.c
@@ -151,8 +151,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
if (retval != PAM_SUCCESS || resp[0] == NULL ||
(chpass > 1 && resp[1] == NULL))
{
- /* We want to abort the password change */
- pam_error (pamh, _("Password change aborted."));
+ /* We want to abort */
+ if (chpass)
+ pam_error (pamh, _("Password change aborted."));
return PAM_AUTHTOK_ERR;
}
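Review bot: In the abort branch, the new `if (chpass)` guard means the chpass == 0 case now returns PAM_AUTHTOK_ERR with no message to the user, and the shortened comment `/* We want to abort */` no longer says why the message is conditional. Suggest stating the intent in the comment, for example `/* We want to abort; only a password change gets the message */`, and confirming that a silent PAM_AUTHTOK_ERR is what callers outside the password-change path expect. The condition just above tests `chpass > 1`, so chpass is a multi-valued integer rather than a boolean; writing the guard as `chpass != 0` or `chpass > 0` would read consistently with that comparison.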