From f41aff5a6799299f04989c1b9a89c43018aecb1a Mon Sep 17 00:00:00 2001
From: Yu Zhiguo <yuzg@cn.fujitsu.com>
Date: Thu, 6 Sep 2007 14:28:49 +0800
Subject: [PATCH] chsh: should use pam_end function to terminate the PAM
 transaction

chsh will use PAM transaction if macros 'REQUIRE_PASSWORD' and
'HAVE_SECURITY_PAM_MISC_H' are defined, but there is no pam_end function be
used when the PAM transaction be terminated.

This patch also cleanup PAM code in chsh(1).

Signed-off-by: Yu Zhiguo <yuzg@cn.fujitsu.com>
Co-Author: Karel Zak <kzak@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
---
 login-utils/chsh.c | 57 +++++++++++++++++++++++++++-------------------
 1 file changed, 33 insertions(+), 24 deletions(-)

diff --git a/login-utils/chsh.c b/login-utils/chsh.c
index 15733a2c..430a34b5 100644
--- a/login-utils/chsh.c
+++ b/login-utils/chsh.c
@@ -46,7 +46,17 @@
 #if defined(REQUIRE_PASSWORD) && defined(HAVE_SECURITY_PAM_MISC_H)
 #include <security/pam_appl.h>
 #include <security/pam_misc.h>
-#endif
+
+#define PAM_FAIL_CHECK(_ph, _rc) \
+    do { \
+	if ((_rc) != PAM_SUCCESS) { \
+	    fprintf(stderr, "\n%s\n", pam_strerror((_ph), (_rc))); \
+	    pam_end((_ph), (_rc)); \
+	    exit(1); \
+	} \
+    } while(0)
+
+#endif /* PAM */
 
 #ifdef HAVE_LIBSELINUX
 #include <selinux/selinux.h>
@@ -86,11 +96,6 @@ main (int argc, char *argv[]) {
     uid_t uid;
     struct sinfo info;
     struct passwd *pw;
-#if defined(REQUIRE_PASSWORD) && defined(HAVE_SECURITY_PAM_MISC_H)
-    pam_handle_t *pamh = NULL;
-    int retcode;
-    struct pam_conv conv = { misc_conv, NULL };
-#endif
 
     sanitize_env();
     setlocale(LC_ALL, "");
@@ -174,27 +179,31 @@ main (int argc, char *argv[]) {
 #ifdef REQUIRE_PASSWORD
 #ifdef HAVE_SECURITY_PAM_MISC_H
     if(uid != 0) {
-        if (pam_start("chsh", pw->pw_name, &conv, &pamh)) {
-	    puts(_("Password error."));
-	    exit(1);
-	}
-        if (pam_authenticate(pamh, 0)) {
-	    puts(_("Password error."));
+	pam_handle_t *pamh = NULL;
+	struct pam_conv conv = { misc_conv, NULL };
+	int retcode;
+
+	retcode = pam_start("chsh", pw->pw_name, &conv, &pamh);
+	if(retcode != PAM_SUCCESS) {
+	    fprintf(stderr, _("chsh: PAM Failure, aborting: %s\n"),
+			pam_strerror(pamh, retcode));
 	    exit(1);
 	}
-        retcode = pam_acct_mgmt(pamh, 0);
-        if (retcode == PAM_NEW_AUTHTOK_REQD)
+
+	retcode = pam_authenticate(pamh, 0);
+	PAM_FAIL_CHECK(pamh, retcode);
+
+	retcode = pam_acct_mgmt(pamh, 0);
+	if (retcode == PAM_NEW_AUTHTOK_REQD)
 	    retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
-        if (retcode) {
-	    puts(_("Password error."));
-	    exit(1);
-	}
-        if (pam_setcred(pamh, 0)) {
-	    puts(_("Password error."));
-	    exit(1);
-	}
-        /* no need to establish a session; this isn't a session-oriented
-         * activity... */
+	PAM_FAIL_CHECK(pamh, retcode);
+
+	retcode = pam_setcred(pamh, 0);
+	PAM_FAIL_CHECK(pamh, retcode);
+
+	pam_end(pamh, 0);
+	/* no need to establish a session; this isn't a session-oriented
+	 * activity... */
     }
 #else /* HAVE_SECURITY_PAM_MISC_H */
     /* require password, unless root */
-- 
2.39.5