pam_unix: workaround the problem caused by libnss_systemd - pam.git - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Dmitry V. Levin <ldv@altlinux.org>	2021-08-19 08:00:00 +0000
committer	Dmitry V. Levin <ldv@altlinux.org>	2021-08-19 08:00:00 +0000
commit	470823c4aacef5cb3b1180be6ed70846b61a3752 (patch)
tree	6c07161caed93dad2bb3559c1c8d4bb8ff1433a6 /configure.ac
parent	9e788e4b84a7c57508db785a3e200b5d3e407c30 (diff)
download	pam-470823c4aacef5cb3b1180be6ed70846b61a3752.tar.gz pam-470823c4aacef5cb3b1180be6ed70846b61a3752.tar.bz2 pam-470823c4aacef5cb3b1180be6ed70846b61a3752.zip

pam_unix: workaround the problem caused by libnss_systemd

The getspnam(3) manual page says that errno shall be set to EACCES when the caller does not have permission to access the shadow password file. Unfortunately, this contract is broken when libnss_systemd is used in the nss stack. Workaround this problem by falling back to the helper invocation when pam_modutil_getspnam returns NULL regardless of errno. As pam_unix already behaves this way when selinux is enabled, it should be OK for the case when selinux is not enabled, too. * modules/pam_unix/passverify.c (get_account_info): When pam_modutil_getspnam returns NULL, unconditionally fall back to the helper invocation. Complements: f220cace2053 ("Permit unix_chkpwd & pam_unix.so to run without being setuid-root") Resolves: https://github.com/linux-pam/linux-pam/issues/379

Diffstat (limited to 'configure.ac')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: