Changeset 802 in openpam for trunk/lib


Timestamp:
Sep 9, 2014, 8:08:13 AM (6 years ago)
Author:
Dag-Erling Smørgrav
Message:

From NetBSD: require at least one service function to have succeeded.

File:
1 edited

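--- a/trunk/lib/libpam/openpam_dispatch.c
+++ b/trunk/lib/libpam/openpam_dispatch.c
@@ -64,5 +64,5 @@
 {
         pam_chain_t *chain;
-        int err, fail, r;
+        int err, fail, nsuccess, r;
         int debug;
 
@@ -102,5 +102,7 @@
 
         /* execute */
-        for (err = fail = 0; chain != NULL; chain = chain->next) {
+        err = PAM_SUCCESS;
+        fail = nsuccess = 0;
+        for (; chain != NULL; chain = chain->next) {
                 if (chain->module->func[primitive] == NULL) {
                         openpam_log(PAM_LOG_ERROR, "%s: no %s()",
@@ -127,5 +129,6 @@
                 if (r == PAM_IGNORE)
                         continue;
-                if (r == PAM_SUCCESS) {
+                if (r == PAM_SUCCESS) {
+                        ++nsuccess;
                         /*
                          * For pam_setcred() and pam_chauthtok() with the
@@ -149,5 +152,5 @@
                  * return code from the first required module to fail.
                  */
-                if (err == 0)
+                if (err == PAM_SUCCESS)
                         err = r;
                 if ((chain->flag == PAM_REQUIRED ||
@@ -171,4 +174,16 @@
         if (!fail && err != PAM_NEW_AUTHTOK_REQD)
                 err = PAM_SUCCESS;
+
+        /*
+         * Require the chain to be non-empty, and at least one module
+         * in the chain to be successful, so that we don't fail open.
+         */
+        if (err == PAM_SUCCESS && nsuccess < 1) {
+                openpam_log(PAM_LOG_ERROR,
+                    "all modules were unsuccessful for %s()",
+                    pam_sm_func_name[primitive]);
+                err = PAM_SYSTEM_ERR;
+        }
+
         RETURNC(err);
 }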
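Review bot: The fail-closed check added at the end of the last hunk (new lines 181–185) fires both for an empty chain and for a chain in which every module returned PAM_IGNORE (the `continue` at line 130 skips `++nsuccess`), yet the log line says only "all modules were unsuccessful", which an operator will read as modules having run and failed. A message that names both causes would make the policy misconfiguration diagnosable from the log alone, e.g. `"no module succeeded for %s() (empty chain or every module returned PAM_IGNORE)"`. A short comment above `++nsuccess` should also state that the count is independent of the control flag, so a PAM_SUCCESS from an `optional` module is enough to satisfy the minimum — presumably intended, but it is the first thing a reader of the new check will question. The function's signature and its initial chain lookup lie outside the hunks shown.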