authorJonathan Bauer2016-04-14 13:40:40 +0200
committerJonathan Bauer2016-04-14 13:40:40 +0200
commit63a05d12ab2c16e4b4bf2b6ff081d6b711201dc3 (patch)
tree6afd1d4e03fc6368231dd6b46dbc717a8a4ddade /remote/modules/pam-bwidm
parent[pam-bwidm-freiburg] config.tgz module for bwIDM PAM configuration files (diff)
[pam-bwidm] read the password right from the beginning
should guarantee that no other tool reads it before we do
Diffstat (limited to 'remote/modules/pam-bwidm')
-rwxr-xr-xremote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm14
1 files changed, 8 insertions, 6 deletions
diff --git a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
index ff343d19..e86a5067 100755
--- a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
+++ b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
@@ -2,14 +2,20 @@
#
# This script is to be called by PAM (specifically pam_exec).
#
-# some sanity checks
-set -x
+# fix PATH as PAM clears it
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
if ! busybox which curl; then
echo "'curl' missing. This script won't work without it."
exit 1
fi
+# grab the password from stdin asap, since there is no garantee some tool just reads it
+if [ "x$PAM_TYPE" == "xauth" ]; then
+ read USER_PASSWORD
+ readonly USER_PASSWORD
+ [ -z "$USER_PASSWORD" ] && echo "No password given." && exit 1
+fi
+
# sanity check on PAM_USER: contains '@'?
if [ -z "$PAM_USER" ] || [ "x${PAM_USER}" == "x${PAM_USER%@*}" ]; then
# no @ contained, invalid username, abort
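Review bot: The added `read USER_PASSWORD` applies the shell's default line handling, so a password containing a backslash has the backslash consumed and one with leading or trailing whitespace is trimmed before it ever reaches the IdP, turning a valid credential into an authentication failure; read the line verbatim with `IFS= read -r USER_PASSWORD`. The guard `[ "x$PAM_TYPE" == "xauth" ]` depends on bash's `==` inside `[`; the shebang is above the hunk, so either confirm the interpreter is bash or use the portable `=`. The "No password given." message goes to stdout, which pam_exec only captures when a `log=` target is configured, so sending it to stderr (`>&2`) is more likely to be seen in the PAM log. The same PAM_TYPE comparison with `==` recurs on the first line of the second hunk; the `if` on the hunk's last line continues outside it.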
@@ -81,10 +87,6 @@ readonly SOAP_ENVELOPPE="/opt/openslx/bwidm_soap.xml"
# now the pam-type specific part starts
if [ "x$PAM_TYPE" == "xauth" ]; then
- # pam exposes the password through stdin, lets get that
- read USER_PASSWORD
- [ -z "$USER_PASSWORD" ] && echo "No password given." && exit 1
-
# now we are ready to actually send the credentials to the IdP
# to be sure everything is working as expected
# we will first send a wrong password (by repeating the given password) and expect a 401