From: Yu Zhiguo Date: Thu, 6 Sep 2007 06:28:49 +0000 (+0800) Subject: chsh: should use pam_end function to terminate the PAM transaction X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ed46e62efb1ea15ffbedac70afa28c293e5ccd8f;p=util-linux chsh: should use pam_end function to terminate the PAM transaction chsh will use PAM transaction if macros 'REQUIRE_PASSWORD' and 'HAVE_SECURITY_PAM_MISC_H' are defined, but there is no pam_end function be used when the PAM transaction be terminated. This patch also cleanup PAM code in chsh(1). Signed-off-by: Yu Zhiguo Co-Author: Karel Zak Signed-off-by: Karel Zak --- diff --git a/login-utils/chsh.c b/login-utils/chsh.c index 15733a2c..430a34b5 100644 --- a/login-utils/chsh.c +++ b/login-utils/chsh.c @@ -46,7 +46,17 @@ #if defined(REQUIRE_PASSWORD) && defined(HAVE_SECURITY_PAM_MISC_H) #include #include -#endif + +#define PAM_FAIL_CHECK(_ph, _rc) \ + do { \ + if ((_rc) != PAM_SUCCESS) { \ + fprintf(stderr, "\n%s\n", pam_strerror((_ph), (_rc))); \ + pam_end((_ph), (_rc)); \ + exit(1); \ + } \ + } while(0) + +#endif /* PAM */ #ifdef HAVE_LIBSELINUX #include @@ -86,11 +96,6 @@ main (int argc, char *argv[]) { uid_t uid; struct sinfo info; struct passwd *pw; -#if defined(REQUIRE_PASSWORD) && defined(HAVE_SECURITY_PAM_MISC_H) - pam_handle_t *pamh = NULL; - int retcode; - struct pam_conv conv = { misc_conv, NULL }; -#endif sanitize_env(); setlocale(LC_ALL, ""); @@ -174,27 +179,31 @@ main (int argc, char *argv[]) { #ifdef REQUIRE_PASSWORD #ifdef HAVE_SECURITY_PAM_MISC_H if(uid != 0) { - if (pam_start("chsh", pw->pw_name, &conv, &pamh)) { - puts(_("Password error.")); - exit(1); - } - if (pam_authenticate(pamh, 0)) { - puts(_("Password error.")); + pam_handle_t *pamh = NULL; + struct pam_conv conv = { misc_conv, NULL }; + int retcode; + + retcode = pam_start("chsh", pw->pw_name, &conv, &pamh); + if(retcode != PAM_SUCCESS) { + fprintf(stderr, _("chsh: PAM Failure, aborting: %s\n"), + pam_strerror(pamh, retcode)); exit(1); } - retcode = pam_acct_mgmt(pamh, 0); - if (retcode == PAM_NEW_AUTHTOK_REQD) + + retcode = pam_authenticate(pamh, 0); + PAM_FAIL_CHECK(pamh, retcode); + + retcode = pam_acct_mgmt(pamh, 0); + if (retcode == PAM_NEW_AUTHTOK_REQD) retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); - if (retcode) { - puts(_("Password error.")); - exit(1); - } - if (pam_setcred(pamh, 0)) { - puts(_("Password error.")); - exit(1); - } - /* no need to establish a session; this isn't a session-oriented - * activity... */ + PAM_FAIL_CHECK(pamh, retcode); + + retcode = pam_setcred(pamh, 0); + PAM_FAIL_CHECK(pamh, retcode); + + pam_end(pamh, 0); + /* no need to establish a session; this isn't a session-oriented + * activity... */ } #else /* HAVE_SECURITY_PAM_MISC_H */ /* require password, unless root */