Add a flag to struct pam_handle that openpam_dispatch() uses to
detect and prevent indirect recursion. Fail immediately if the requested chain is empty. If a module couldn't be loaded, or doesn't provide the requested service, treat it as a normal failure instead of terminating the chain. (Solaris actually ignores this condition!) Sponsored by: DARPA, NAI Labs git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@20 185d5e19-27fe-0310-9dcf-9bff6b9f3609
This commit is contained in:
parent
99d01aea5e
commit
46638aa621
|
@ -61,6 +61,14 @@ openpam_dispatch(pam_handle_t *pamh,
|
|||
if (pamh == NULL)
|
||||
return (PAM_SYSTEM_ERR);
|
||||
|
||||
/* prevent recursion */
|
||||
if (pamh->dispatching) {
|
||||
openpam_log(PAM_LOG_ERROR, "indirect recursion");
|
||||
return (PAM_SYSTEM_ERR);
|
||||
}
|
||||
pamh->dispatching = 1;
|
||||
|
||||
/* pick a chain */
|
||||
switch (primitive) {
|
||||
case PAM_AUTHENTICATE:
|
||||
case PAM_SETCRED:
|
||||
|
@ -77,19 +85,27 @@ openpam_dispatch(pam_handle_t *pamh,
|
|||
module = pamh->chains[PAM_PASSWORD];
|
||||
break;
|
||||
default:
|
||||
pamh->dispatching = 0;
|
||||
return (PAM_SYSTEM_ERR);
|
||||
}
|
||||
|
||||
/* fail if the chain is empty */
|
||||
if (module == NULL)
|
||||
return (PAM_SYSTEM_ERR);
|
||||
|
||||
/* execute */
|
||||
for (err = fail = 0; module != NULL; module = module->next) {
|
||||
if (module->primitive[primitive] == NULL) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: no %s()",
|
||||
module->modpath, _pam_sm_func_name[primitive]);
|
||||
return (PAM_SYMBOL_ERR);
|
||||
pamh->dispatching = 0;
|
||||
r = PAM_SYMBOL_ERR;
|
||||
} else {
|
||||
r = (module->primitive[primitive])(pamh, flags);
|
||||
openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s",
|
||||
module->modpath, _pam_sm_func_name[primitive],
|
||||
pam_strerror(pamh, r));
|
||||
}
|
||||
r = (module->primitive[primitive])(pamh, flags);
|
||||
openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s",
|
||||
module->modpath, _pam_sm_func_name[primitive],
|
||||
pam_strerror(pamh, r));
|
||||
|
||||
if (r == PAM_IGNORE)
|
||||
continue;
|
||||
|
@ -131,9 +147,8 @@ openpam_dispatch(pam_handle_t *pamh,
|
|||
}
|
||||
}
|
||||
|
||||
if (fail)
|
||||
return (err);
|
||||
return (PAM_SUCCESS);
|
||||
pamh->dispatching = 0;
|
||||
return (fail ? err : PAM_SUCCESS);
|
||||
}
|
||||
|
||||
#if !defined(OPENPAM_RELAX_CHECKS)
|
||||
|
|
|
@ -91,6 +91,7 @@ struct pam_data {
|
|||
|
||||
struct pam_handle {
|
||||
char *service;
|
||||
int dispatching;
|
||||
|
||||
/* chains */
|
||||
pam_chain_t *chains[PAM_NUM_CHAINS];
|
||||
|
|
Loading…
Reference in New Issue