author | Alexander Zubkov <green@qrator.net> | 2020-03-23 19:24:15 +0100 |
---|---|---|
committer | Dmitry V. Levin <ldv@altlinux.org> | 2020-03-23 18:57:39 +0000 |
commit | b838197cab25d5e2d83ef74d36401ff8a4f2ffdf (patch) | |
tree | a793bcba13af2c88a10d8b389cb989e5528f91e5 /modules | |
parent | 68aff3a5e29facecfb603bb3d2dd8f8225b8bdde (diff) | |
pam_exec: require user name to be ready for the command
pam_exec module can be called when a user name has not been prompted
yet. And thus the command is called without a user name available.
This fix asks PAM for the user name to ensure it is ready or to force
the prompt.
Resolves: https://github.com/linux-pam/linux-pam/issues/131
Resolves: https://github.com/linux-pam/linux-pam/pull/195
Diffstat (limited to 'modules')
-rw-r--r-- | modules/pam_exec/pam_exec.c | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
index d37f555a..918422cf 100644
--- a/modules/pam_exec/pam_exec.c
+++ b/modules/pam_exec/pam_exec.c
@@ -108,6 +108,8 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
 int fds[2];
 int stdout_fds[2];
 FILE *stdout_file = NULL;
+ int retval;
+ const char *name;
 if (argc < 1) {
 pam_syslog (pamh, LOG_ERR,
@@ -143,6 +145,16 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
 break; /* Unknown option, assume program to execute. */
 }
+ /* Request user name to be available. */
+
+ retval = pam_get_user(pamh, &name, NULL);
+ if (retval != PAM_SUCCESS)
+ {
+ if (retval == PAM_CONV_AGAIN)
+ retval = PAM_INCOMPLETE;
+ return retval;
+ }
+
 if (expose_authtok == 1)
 {
 if (strcmp (pam_type, "auth") != 0)
@@ -154,7 +166,6 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
 else
 {
 const void *void_pass;
- int retval;
 retval = pam_get_item (pamh, PAM_AUTHTOK, &void_pass);
 if (retval != PAM_SUCCESS)
@@ -224,7 +235,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
 if (pid > 0) /* parent */
 {
 int status = 0;
- pid_t retval;
+ pid_t rc;
 if (expose_authtok) /* send the password to the child */
 {
@@ -253,9 +264,9 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
 fclose(stdout_file);
 }
- while ((retval = waitpid (pid, &status, 0)) == -1 &&
+ while ((rc = waitpid (pid, &status, 0)) == -1 &&
 errno == EINTR);
- if (retval == (pid_t)-1)
+ if (rc == (pid_t)-1)
 {
 pam_syslog (pamh, LOG_ERR, "waitpid returns with -1: %m");
 return PAM_SYSTEM_ERR;
|
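Review bot: In the `pam_get_user` block added by the second hunk (new line 148 onward), only the return code is checked, so a `PAM_SUCCESS` that leaves `name` NULL or empty would still fall through and run the configured command without a usable user name, which is the situation this commit sets out to close. Whether an empty name can actually come back depends on the application's conversation function, so this is a defensive check rather than a confirmed defect; a guard such as `if (name == NULL || *name == '\0') return PAM_USER_UNKNOWN;` directly after the existing error branch would cover it. Since `name` is not used anywhere else in the visible hunks, a comment like `/* name itself is unused; the call only ensures PAM_USER is set before the command runs */` would keep a later cleanup from removing the call as dead code. call_exec begins and ends outside these hunks, so how the child process receives the user name is not visible here.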