From 52e49e17acba24d2a1dd211bae857043c20931f7 Mon Sep 17 00:00:00 2001
From: Jonathan Krebs <jonny@git2022.olpp.net>
Date: Mon, 15 May 2023 13:57:46 +0200
Subject: pam_shells: return PAM_USER_UNKNOWN if getpwnam fails

Until before, in this case PAM_AUTH_ERR was returned. This leads to unknown
users being logged with the unknown username.
Now it resembles the behaviour of other modules like pam_unix in this case.
---
 modules/pam_shells/pam_shells.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'modules/pam_shells/pam_shells.c')

diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c
index abebdd0c..05c09c65 100644
--- a/modules/pam_shells/pam_shells.c
+++ b/modules/pam_shells/pam_shells.c
@@ -61,8 +61,16 @@ static int perform_check(pam_handle_t *pamh)
     }
 
     pw = pam_modutil_getpwnam(pamh, userName);
-    if (pw == NULL || pw->pw_shell == NULL) {
-	return PAM_AUTH_ERR;		/* user doesn't exist */
+    if (pw == NULL) {
+	return PAM_USER_UNKNOWN;
+    }
+    if (pw->pw_shell == NULL) {
+	/* TODO: when does this happen? I would join it with
+	 * the case userShell[0] == '\0' below.
+	 *
+	 * For now, keep the existing stricter behaviour
+	 */
+	return PAM_AUTH_ERR;
     }
     userShell = pw->pw_shell;
     if (userShell[0] == '\0')
-- 
cgit v1.2.3