On Thu, 2014-09-18 at 02:17 +0400, Dmitry V. Levin wrote:
> On Fri, Sep 05, 2014 at 07:24:31AM +0000, Tomáš Mráz wrote:
> [...]
> I've discovered an inconsistency in the way grantor is initialized:
> --- a/libpam/pam_dispatch.c
> +++ b/libpam/pam_dispatch.c
> @@ -217,8 +217,14 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags,
struct handler *h,
> status = retval;
> }
> }
> - if ( impression == _PAM_POSITIVE && action == _PAM_ACTION_DONE ) {
> - goto decision_made;
> + if ( impression == _PAM_POSITIVE ) {
> + if ( retval == PAM_SUCCESS ) {
> + h->grantor = 1;
> + }
> +
> + if ( action == _PAM_ACTION_DONE ) {
> + goto decision_made;
> + }
> }
> break;
>
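Review bot: the new `if ( retval == PAM_SUCCESS )` block sets `h->grantor = 1` for any handler that returns PAM_SUCCESS while impression is _PAM_POSITIVE, with no check of which handler made the impression positive, and nothing in the hunk states that this is the intended meaning of grantor. Add a comment above `h->grantor = 1;` saying which handlers count as grantors on this path, since the second hunk uses a narrower condition. The visible lines also only ever set the flag to 1, so it is worth confirming that it is cleared before each dispatch and that a value from an earlier call cannot carry over.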
> Here grantor is being set every time retval is PAM_SUCCESS and
> impression is _PAM_POSITIVE, ...
> @@ -262,6 +268,9 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags,
struct handler *h,
> || (impression == _PAM_POSITIVE
> && status == PAM_SUCCESS) ) {
> if ( retval != PAM_IGNORE || cached_retval == retval ) {
> + if ( impression == _PAM_UNDEF && retval == PAM_SUCCESS ) {
> + h->grantor = 1;
> + }
> impression = _PAM_POSITIVE;
> status = retval;
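Review bot: the added `impression == _PAM_UNDEF` test reads the old value of impression and is only correct because it sits before `impression = _PAM_POSITIVE;`; that ordering dependency, and the reason for requiring _PAM_UNDEF here when the first hunk sets grantor whenever impression is _PAM_POSITIVE, are undocumented. Add a short comment on the new `if` explaining why a handler on this path is a grantor only when no impression has been recorded yet, so that a later reordering of these lines does not silently change which modules get marked.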
> while here grantor is set only if retval is PAM_SUCCESS and
> impression is not yet _PAM_POSITIVE, so if impression is already
> _PAM_POSITIVE, grantor will not be set.
I did that on purpose. In this case (jump in the second chain), the
module is really grantor only when the impression is not set yet. In
other cases it is just a jump and impression is kept as _PAM_POSITIVE.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)