From ab4f7c33e2d6fb64ebf2e2ee0a2f3cfb06ed3f68 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@altlinux.org>
Date: Thu, 14 May 2020 08:00:00 +0000
Subject: pam_securetty: forward error values returned by pam_get_user

Starting with commit c2c601f5340a59c5c62193d55b555d384380ea38,
pam_get_user is guaranteed to return one of the following values:
PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_AGAIN, or PAM_CONV_ERR.

* modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Do not
replace non-PAM_CONV_AGAIN error values returned by pam_get_user with
PAM_SERVICE_ERR.
* modules/pam_securetty/pam_securetty.8.xml (RETURN VALUES): Document
new return values.
---
 modules/pam_securetty/pam_securetty.8.xml | 22 +++++++++++++++++++---
 modules/pam_securetty/pam_securetty.c     |  2 +-
 2 files changed, 20 insertions(+), 4 deletions(-)

(limited to 'modules/pam_securetty')

diff --git a/modules/pam_securetty/pam_securetty.8.xml b/modules/pam_securetty/pam_securetty.8.xml
index b5e83691..e49d572b 100644
--- a/modules/pam_securetty/pam_securetty.8.xml
+++ b/modules/pam_securetty/pam_securetty.8.xml
@@ -114,13 +114,29 @@
           </para>
         </listitem>
       </varlistentry>
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+          <para>
+            Memory buffer error.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_CONV_ERR</term>
+        <listitem>
+          <para>
+            The conversation method supplied by the application
+            failed to obtain the username.
+          </para>
+        </listitem>
+      </varlistentry>
       <varlistentry>
         <term>PAM_INCOMPLETE</term>
         <listitem>
           <para>
-            An application error occurred. pam_securetty was not able
-            to get information it required from the application that
-            called it.
+            The conversation method supplied by the application
+            returned PAM_CONV_AGAIN.
           </para>
         </listitem>
       </varlistentry>
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
index 355a23ab..5f52d3a9 100644
--- a/modules/pam_securetty/pam_securetty.c
+++ b/modules/pam_securetty/pam_securetty.c
@@ -85,7 +85,7 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
     retval = pam_get_user(pamh, &username, NULL);
     if (retval != PAM_SUCCESS) {
         pam_syslog(pamh, LOG_WARNING, "cannot determine username");
-	return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE:PAM_SERVICE_ERR);
+	return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE : retval);
     }
 
     user_pwd = pam_modutil_getpwnam(pamh, username);
-- 
cgit v1.2.3