author | Yu Zhiguo | 2007-09-06 08:28:49 +0200 |
---|---|---|
committer | Karel Zak | 2007-10-04 00:09:19 +0200 |
commit | f41aff5a6799299f04989c1b9a89c43018aecb1a (patch) | |
tree | 41b250e9e628c4e88bf41ea6a5bf4a950e475b2f /login-utils | |
parent | cal: avoid -Wformat warnings (diff) | |
chsh: should use pam_end function to terminate the PAM transaction
chsh runs a PAM transaction when the macros 'REQUIRE_PASSWORD' and
'HAVE_SECURITY_PAM_MISC_H' are both defined, but it never called pam_end()
to terminate that transaction.
This patch also cleans up the PAM code in chsh(1).
Signed-off-by: Yu Zhiguo <yuzg@cn.fujitsu.com>
Co-Author: Karel Zak <kzak@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
Diffstat (limited to 'login-utils')
-rw-r--r-- | login-utils/chsh.c | 57 |
1 files changed, 33 insertions, 24 deletions
diff --git a/login-utils/chsh.c b/login-utils/chsh.c
index 15733a2c1..430a34b5b 100644
--- a/login-utils/chsh.c
+++ b/login-utils/chsh.c
@@ -46,7 +46,17 @@
 #if defined(REQUIRE_PASSWORD) && defined(HAVE_SECURITY_PAM_MISC_H)
 #include <security/pam_appl.h>
 #include <security/pam_misc.h>
-#endif
+
+#define PAM_FAIL_CHECK(_ph, _rc) \
+ do { \
+ if ((_rc) != PAM_SUCCESS) { \
+ fprintf(stderr, "\n%s\n", pam_strerror((_ph), (_rc))); \
+ pam_end((_ph), (_rc)); \
+ exit(1); \
+ } \
+ } while(0)
+
+#endif /* PAM */
 
 #ifdef HAVE_LIBSELINUX
 #include <selinux/selinux.h>
@@ -86,11 +96,6 @@ main (int argc, char *argv[]) {
 uid_t uid;
 struct sinfo info;
 struct passwd *pw;
-#if defined(REQUIRE_PASSWORD) && defined(HAVE_SECURITY_PAM_MISC_H)
- pam_handle_t *pamh = NULL;
- int retcode;
- struct pam_conv conv = { misc_conv, NULL };
-#endif
 
 sanitize_env();
 setlocale(LC_ALL, "");
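Review bot: The failure message in `PAM_FAIL_CHECK` is the only user-facing string on this path not wrapped in `_()`, and unlike the `chsh: PAM Failure, aborting: %s` message used after `pam_start` in the later hunk it carries no program-name prefix, so a failed authentication prints a bare, untranslated line preceded by an empty line on stderr. I would make both paths read the same: `fprintf(stderr, _("chsh: PAM failure, aborting: %s\n"), pam_strerror((_ph), (_rc)));`. The macro also evaluates `_rc` three times; that is harmless for the plain `retcode` variable the callers pass, but a comment such as `/* _rc is evaluated more than once: pass a variable, never a call */` above the `#define` would keep a future caller from passing `pam_authenticate(...)` directly.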
@@ -174,27 +179,31 @@ main (int argc, char *argv[]) {
 #ifdef REQUIRE_PASSWORD
 #ifdef HAVE_SECURITY_PAM_MISC_H
 if(uid != 0) {
- if (pam_start("chsh", pw->pw_name, &conv, &pamh)) {
- puts(_("Password error."));
- exit(1);
- }
- if (pam_authenticate(pamh, 0)) {
- puts(_("Password error."));
+ pam_handle_t *pamh = NULL;
+ struct pam_conv conv = { misc_conv, NULL };
+ int retcode;
+
+ retcode = pam_start("chsh", pw->pw_name, &conv, &pamh);
+ if(retcode != PAM_SUCCESS) {
+ fprintf(stderr, _("chsh: PAM Failure, aborting: %s\n"),
+ pam_strerror(pamh, retcode));
 exit(1);
 }
- retcode = pam_acct_mgmt(pamh, 0);
- if (retcode == PAM_NEW_AUTHTOK_REQD)
+
+ retcode = pam_authenticate(pamh, 0);
+ PAM_FAIL_CHECK(pamh, retcode);
+
+ retcode = pam_acct_mgmt(pamh, 0);
+ if (retcode == PAM_NEW_AUTHTOK_REQD)
 retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
- if (retcode) {
- puts(_("Password error."));
- exit(1);
- }
- if (pam_setcred(pamh, 0)) {
- puts(_("Password error."));
- exit(1);
- }
- /* no need to establish a session; this isn't a session-oriented
- * activity... */
+ PAM_FAIL_CHECK(pamh, retcode);
+
+ retcode = pam_setcred(pamh, 0);
+ PAM_FAIL_CHECK(pamh, retcode);
+
+ pam_end(pamh, 0);
+ /* no need to establish a session; this isn't a session-oriented
+ * activity... */
 }
 #else /* HAVE_SECURITY_PAM_MISC_H */
 /* require password, unless root */
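Review bot: `retcode = pam_setcred(pamh, 0);` establishes credentials that the new code never releases: it goes straight to `pam_end(pamh, 0)` with no matching `pam_setcred(pamh, PAM_DELETE_CRED)`, and Linux-PAM treats a flags value of 0 as PAM_ESTABLISH_CRED (worth confirming against the PAM implementation you target). Given the retained comment that this is not a session-oriented activity, either drop the setcred call or pair it with a delete, e.g. `pam_setcred(pamh, PAM_DELETE_CRED); pam_end(pamh, PAM_SUCCESS);`. The `pam_start` error path also passes a NULL `pamh` to `pam_strerror`; Linux-PAM ignores the handle, but a comment such as `/* pamh is still NULL here; pam_strerror does not dereference it on Linux-PAM */` would make that deliberate. main() begins and ends outside this hunk.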