From e08bc8895045babcf4c41ed3147f44c1dcd77af0 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@altlinux.org>
Date: Thu, 19 Mar 2020 18:40:16 +0000
Subject: modules/pam_unix: fix gcc compilation warnings

When setreuid() fails, there is no way to proceed any further: either
the process credentials are unchanged but inappropriate, or they are
in an inconsistent state and nothing good could be made out of it.
This fixes the following compilation warnings:

  modules/pam_unix/passverify.c:209:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
  modules/pam_unix/passverify.c:211:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
  modules/pam_unix/passverify.c:213:6: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
  modules/pam_unix/passverify.c:214:6: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
  modules/pam_unix/passverify.c:222:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
  modules/pam_unix/passverify.c:224:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
  modules/pam_unix/passverify.c:225:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
  modules/pam_unix/passverify.c:226:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
  modules/pam_unix/passverify.c:209:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
  modules/pam_unix/passverify.c:211:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
  modules/pam_unix/passverify.c:213:6: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
  modules/pam_unix/passverify.c:214:6: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
  modules/pam_unix/passverify.c:222:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
  modules/pam_unix/passverify.c:224:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
  modules/pam_unix/passverify.c:225:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
  modules/pam_unix/passverify.c:226:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]

* modules/pam_unix/passverify.c (get_account_info) [HELPER_COMPILE]:
Always check setreuid return code and return PAM_CRED_INSUFFICIENT
if setreuid failed.
---
 modules/pam_unix/passverify.c | 33 +++++++++++++++++++--------------
 1 file changed, 19 insertions(+), 14 deletions(-)

(limited to 'modules/pam_unix/passverify.c')

diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 65307e11..234db341 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -205,25 +205,30 @@ PAMH_ARG_DECL(int get_account_info,
 
 			save_euid = geteuid();
 			save_uid = getuid();
-			if (save_uid == (*pwd)->pw_uid)
-				setreuid(save_euid, save_uid);
-			else  {
-				setreuid(0, -1);
-				if (setreuid(-1, (*pwd)->pw_uid) == -1) {
-					setreuid(-1, 0);
-					setreuid(0, -1);
-					if(setreuid(-1, (*pwd)->pw_uid) == -1)
+			if (save_uid == (*pwd)->pw_uid) {
+				if (setreuid(save_euid, save_uid))
+					return PAM_CRED_INSUFFICIENT;
+			} else  {
+				if (setreuid(0, -1))
+					return PAM_CRED_INSUFFICIENT;
+				if (setreuid(-1, (*pwd)->pw_uid)) {
+					if (setreuid(-1, 0)
+					    || setreuid(0, -1)
+					    || setreuid(-1, (*pwd)->pw_uid)) {
 						return PAM_CRED_INSUFFICIENT;
+					}
 				}
 			}
 
 			*spwdent = pam_modutil_getspnam(pamh, name);
-			if (save_uid == (*pwd)->pw_uid)
-				setreuid(save_uid, save_euid);
-			else {
-				setreuid(-1, 0);
-				setreuid(save_uid, -1);
-				setreuid(-1, save_euid);
+			if (save_uid == (*pwd)->pw_uid) {
+				if (setreuid(save_uid, save_euid))
+					return PAM_CRED_INSUFFICIENT;
+			} else {
+				if (setreuid(-1, 0)
+				    || setreuid(save_uid, -1)
+				    || setreuid(-1, save_euid))
+					return PAM_CRED_INSUFFICIENT;
 			}
 
 			if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
-- 
cgit v1.2.3