Changeset 802 in openpam

Timestamp:

Sep 9, 2014, 8:08:13 AM (6 years ago)

Author:

Dag-Erling Smørgrav

Message:

From NetBSD: require at least one service function to have succeeded.

File:

• trunk/lib/libpam/openpam_dispatch.c (modified) (5 diffs)

trunk/lib/libpam/openpam_dispatch.c

@@ -64 +64 @@
 {
         pam_chain_t *chain;
-        int err, fail, r;
+        int err, fail, nsuccess, r;
         int debug;
 
@@ -102 +102 @@
 
         /* execute */
-        for (err = fail = 0; chain != NULL; chain = chain->next) {
+        err = PAM_SUCCESS;
+        fail = nsuccess = 0;
+        for (; chain != NULL; chain = chain->next) {
                 if (chain->module->func[primitive] == NULL) {
                         openpam_log(PAM_LOG_ERROR, "%s: no %s()",
@@ -127 +129 @@
                 if (r == PAM_IGNORE)
                         continue;
-                if (r == PAM_SUCCESS) {
+                if (r == PAM_SUCCESS) { 
+                        ++nsuccess;
                         /*
                          * For pam_setcred() and pam_chauthtok() with the
@@ -149 +152 @@
                  * return code from the first required module to fail.
                  */
-                if (err == 0)
+                if (err == PAM_SUCCESS)
                         err = r;
                 if ((chain->flag == PAM_REQUIRED ||
@@ -171 +174 @@
         if (!fail && err != PAM_NEW_AUTHTOK_REQD)
                 err = PAM_SUCCESS;
+
+        /*
+         * Require the chain to be non-empty, and at least one module
+         * in the chain to be successful, so that we don't fail open.
+         */
+        if (err == PAM_SUCCESS && nsuccess < 1) {
+                openpam_log(PAM_LOG_ERROR,
+                    "all modules were unsuccessful for %s()",
+                    pam_sm_func_name[primitive]);
+                err = PAM_SYSTEM_ERR;
+        }
+
         RETURNC(err);
 }