author | Dmitry V. Levin <ldv@altlinux.org> | 2021-08-19 08:00:00 +0000 |
---|---|---|
committer | Dmitry V. Levin <ldv@altlinux.org> | 2021-08-19 08:00:00 +0000 |
commit | 470823c4aacef5cb3b1180be6ed70846b61a3752 (patch) | |
tree | 6c07161caed93dad2bb3559c1c8d4bb8ff1433a6 /modules/pam_unix/passverify.c | |
parent | 9e788e4b84a7c57508db785a3e200b5d3e407c30 (diff) | |

pam_unix: workaround the problem caused by libnss_systemd

The getspnam(3) manual page says that errno shall be set to EACCES when
the caller does not have permission to access the shadow password file.
Unfortunately, this contract is broken when libnss_systemd is used in
the nss stack.

Workaround this problem by falling back to the helper invocation when
pam_modutil_getspnam returns NULL regardless of errno. As pam_unix
already behaves this way when selinux is enabled, it should be OK
for the case when selinux is not enabled, too.

* modules/pam_unix/passverify.c (get_account_info): When
pam_modutil_getspnam returns NULL, unconditionally fall back
to the helper invocation.

Complements: f220cace2053 ("Permit unix_chkpwd & pam_unix.so to run without being setuid-root")
Resolves: https://github.com/linux-pam/linux-pam/issues/379

Diffstat (limited to 'modules/pam_unix/passverify.c')
-rw-r--r-- | modules/pam_unix/passverify.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index 5460b057..fd81051d 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -245,8 +245,7 @@ PAMH_ARG_DECL(int get_account_info, if (*spwdent == NULL) { #ifndef HELPER_COMPILE /* still a chance the user can authenticate */ - if (errno == EACCES || SELINUX_ENABLED) - return PAM_UNIX_RUN_HELPER; + return PAM_UNIX_RUN_HELPER; #endif return PAM_AUTHINFO_UNAVAIL; } |
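
Review bot: In get_account_info, the retained comment "/* still a chance the user can authenticate */" no longer explains the code once the `errno == EACCES || SELINUX_ENABLED` test is gone, so a later reader has no in-source reason for why errno is ignored here. Please extend the comment to say that errno is deliberately not consulted because the EACCES contract of getspnam(3) does not hold with libnss_systemd in the nss stack, so that nobody restores the check as an apparent cleanup. It is also worth stating in the comment that, in the non-HELPER_COMPILE build, `return PAM_AUTHINFO_UNAVAIL;` after the `#endif` is now unreachable from this branch: every NULL result from pam_modutil_getspnam, including a shadow entry that is genuinely absent, is now handed to the helper, and the helper's verdict becomes the only place where that case is reported.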