author | Luke Shumaker <lukeshu@sbcglobal.net> | 2014-12-22 15:46:43 -0500 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2015-01-02 09:16:20 +0100 |
commit | c1023edd3d2e9dcd83a7822f1830a69f51101334 (patch) | |
tree | b59e3751d296bcd2a4333c9d6378720fcf44d141 /libpam/pam_get_authtok.c | |
parent | 9d1545efee73ec834b051c50a1bc0d2a63d8765b (diff) | |
libpam: Only print "Password change aborted" when it's true.

pam_get_authtok() may be used any time that a password needs to be entered,
unlike pam_get_authtok_{no,}verify(), which may only be used when
changing a password; yet when the user aborts, it prints "Password change
aborted." whether or not that was the operation being performed.

This bug was non-obvious because none of the modules distributed with
Linux-PAM use it for anything but changing passwords; pam_unix has its
own utility function that it uses instead. As an example, the
nss-pam-ldapd package uses it in pam_sm_authenticate().

libpam/pam_get_authtok.c (pam_get_authtok_internal): check that the
password is trying to be changed before printing a message about the
password change being aborted.
Diffstat (limited to 'libpam/pam_get_authtok.c')
-rw-r--r-- | libpam/pam_get_authtok.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c index 31bb1627..663f1f36 100644 --- a/libpam/pam_get_authtok.c +++ b/libpam/pam_get_authtok.c @@ -151,8 +151,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item, if (retval != PAM_SUCCESS || resp[0] == NULL || (chpass > 1 && resp[1] == NULL)) { - /* We want to abort the password change */ - pam_error (pamh, _("Password change aborted.")); + /* We want to abort */ + if (chpass) + pam_error (pamh, _("Password change aborted.")); return PAM_AUTHTOK_ERR; } |
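Review bot: With the new `if (chpass)` guard in the abort branch of pam_get_authtok_internal, the non-password-change case now returns PAM_AUTHTOK_ERR with no message and no log entry, so a failed or cancelled prompt during authentication leaves no trace from this function. Consider a debug-level pam_syslog() call on that path, or at least expand the `/* We want to abort */` comment to say that the caller is expected to report the failure. Two smaller points on the same branch: the condition above tests `chpass > 1`, so chpass is a count rather than a flag, and `if (chpass != 0)` with braces around the pam_error() call would make that explicit and guard against a later second statement being added under the unbraced `if`. Separately, and predating this change, the branch is also taken when `chpass > 1 && resp[1] == NULL` while resp[0] may already hold an entered password; the visible lines return without wiping or freeing resp[0], which is worth confirming against the rest of the function.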