From 52e49e17acba24d2a1dd211bae857043c20931f7 Mon Sep 17 00:00:00 2001
From: Jonathan Krebs
Date: Mon, 15 May 2023 13:57:46 +0200
Subject: pam_shells: return PAM_USER_UNKNOWN if getpwnam fails

Until before, in this case PAM_AUTH_ERR was returned. This leads to unknown users being logged with the unknown username. Now it resembles the behaviour of other modules like pam_unix in this case.
---
modules/pam_shells/pam_shells.8.xml | 8 ++++++++
modules/pam_shells/pam_shells.c | 12 ++++++++++--
2 files changed, 18 insertions(+), 2 deletions(-)

(limited to 'modules/pam_shells')

diff --git a/modules/pam_shells/pam_shells.8.xml b/modules/pam_shells/pam_shells.8.xml
index b9f90e94..e1b35a3e 100644
--- a/modules/pam_shells/pam_shells.8.xml
+++ b/modules/pam_shells/pam_shells.8.xml
@@ -74,6 +74,14 @@
+
+ PAM_USER_UNKNOWN
+
+
+ The user does not exist or the user's login shell could not be determined.
+
+
+
 PAM_SERVICE_ERR
diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c
index abebdd0c..05c09c65 100644
--- a/modules/pam_shells/pam_shells.c
+++ b/modules/pam_shells/pam_shells.c
@@ -61,8 +61,16 @@ static int perform_check(pam_handle_t *pamh)
 }
 pw = pam_modutil_getpwnam(pamh, userName);
- if (pw == NULL || pw->pw_shell == NULL) {
- return PAM_AUTH_ERR; /* user doesn't exist */
+ if (pw == NULL) {
+ return PAM_USER_UNKNOWN;
+ }
+ if (pw->pw_shell == NULL) {
+ /* TODO: when does this happen? I would join it with
+ * the case userShell[0] == '\0' below.
+ *
+ * For now, keep the existing stricter behaviour
+ */
+ return PAM_AUTH_ERR;
 }
 userShell = pw->pw_shell;
 if (userShell[0] == '\0')
-- cgit v1.2.3
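Review bot: The man page text added in the same commit says PAM_USER_UNKNOWN covers the case where "the user's login shell could not be determined", but the new `if (pw->pw_shell == NULL)` branch still returns PAM_AUTH_ERR, and the context lines show an empty shell takes the same path; only a failed `pam_modutil_getpwnam` lookup yields PAM_USER_UNKNOWN, so the code and the documentation disagree and, given the stated intent to keep the stricter behaviour, the documentation is the side to correct. The committed TODO also leaves an open question in the code; I would replace it with a statement of the decision, e.g. `/* A NULL pw_shell is a malformed entry, not an unknown user; keep the stricter PAM_AUTH_ERR, matching the empty-shell check below. */`. One deployment caveat worth a line in the commit message: stacks that select on explicit control values such as `[auth_err=...]` for pam_shells will, as far as I can tell, no longer match for unknown users, while the standard `required`/`requisite`/`sufficient` keywords map both codes to the same outcome. perform_check begins and ends outside the hunk.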