diff --git a/include/security/pam_constants.h b/include/security/pam_constants.h
index e8e3f3b..85bfe57 100644
--- a/include/security/pam_constants.h
+++ b/include/security/pam_constants.h
@@ -31,7 +31,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/openpam/include/security/pam_constants.h#15 $
+ * $P4: //depot/projects/openpam/include/security/pam_constants.h#16 $
 */
 #ifndef _PAM_CONSTANTS_H_INCLUDED
diff --git a/lib/openpam_configure.c b/lib/openpam_configure.c
index 8d9cd34..b0025fe 100644
--- a/lib/openpam_configure.c
+++ b/lib/openpam_configure.c
@@ -31,7 +31,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/openpam/lib/openpam_configure.c#4 $
+ * $P4: //depot/projects/openpam/lib/openpam_configure.c#5 $
 */
 #include
@@ -150,6 +150,8 @@ openpam_read_policy_file(pam_chain_t *policy[],
 flag = PAM_SUFFICIENT;
 } else if (strcmp(p, "optional") == 0) {
 flag = PAM_OPTIONAL;
+ } else if (strcmp(p, "binding") == 0) {
+ flag = PAM_BINDING;
 } else {
 openpam_log(PAM_LOG_ERROR,
 "%s: invalid control flag on line %d: '%s'",
diff --git a/lib/openpam_dispatch.c b/lib/openpam_dispatch.c
index feef9e9..d65edee 100644
--- a/lib/openpam_dispatch.c
+++ b/lib/openpam_dispatch.c
@@ -31,7 +31,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/openpam/lib/openpam_dispatch.c#16 $
+ * $P4: //depot/projects/openpam/lib/openpam_dispatch.c#17 $
 */
 #include
@@ -109,13 +109,14 @@ openpam_dispatch(pam_handle_t *pamh,
 if (r == PAM_IGNORE)
 continue;
- if (r == PAM_SUCCESS || r == PAM_NEW_AUTHTOK_REQD) {
+ if (r == PAM_SUCCESS) {
 /*
 * For pam_setcred() and pam_chauthtok() with the
 * PAM_PRELIM_CHECK flag, treat "sufficient" as
 * "optional".
 */
- if (chain->flag == PAM_SUFFICIENT && !fail &&
+ if ((chain->flag == PAM_SUFFICIENT ||
+ chain->flag == PAM_BINDING) && !fail &&
 primitive != PAM_SM_SETCRED &&
 !(primitive == PAM_SM_CHAUTHTOK &&
 (flags & PAM_PRELIM_CHECK)))
@@ -132,7 +133,8 @@ openpam_dispatch(pam_handle_t *pamh,
 */
 if (err == 0)
 err = r;
- if (chain->flag == PAM_REQUIRED && !fail) {
+ if ((chain->flag == PAM_REQUIRED ||
+ chain->flag == PAM_BINDING) && !fail) {
 openpam_log(PAM_LOG_DEBUG, "required module failed");
 fail = 1;
 err = r;
diff --git a/lib/openpam_impl.h b/lib/openpam_impl.h
index 00ad618..23bfc90 100644
--- a/lib/openpam_impl.h
+++ b/lib/openpam_impl.h
@@ -31,7 +31,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/openpam/lib/openpam_impl.h#15 $
+ * $P4: //depot/projects/openpam/lib/openpam_impl.h#16 $
 */
 #ifndef _OPENPAM_IMPL_H_INCLUDED
@@ -48,7 +48,8 @@ extern const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES];
 #define PAM_REQUISITE 2
 #define PAM_SUFFICIENT 3
 #define PAM_OPTIONAL 4
-#define PAM_NUM_CONTROLFLAGS 5
+#define PAM_BINDING 5
+#define PAM_NUM_CONTROLFLAGS 6
 /*
 * Chains
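Review bot: Dropping `r == PAM_NEW_AUTHTOK_REQD` from the success test at the top of the `@@ -109,13 +109,14 @@` hunk is an unexplained behaviour change, separate from adding "binding". That return value now takes the failure path, where (as the next hunk shows) it is stored in `err` and, for a required or binding module, sets `fail`. If the intent is that an expired-token result must never end the chain early, say so above the test, e.g. `/* PAM_NEW_AUTHTOK_REQD is not success here: it is recorded in err and never short-circuits the chain */`. The block comment below it is also stale: in the pam_setcred() and PAM_PRELIM_CHECK cases a successful "binding" module no longer ends the chain while its failure still counts, so the comment should add `and "binding" as "required"`. The loop body of openpam_dispatch() starts and ends outside the hunk.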
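Review bot: The debug message inside the widened condition of the `@@ -132,7 +133,8 @@` hunk still reads "required module failed", so a failing "binding" module is logged under the wrong control flag. That makes an authentication policy harder to trace from the log when a chain is being diagnosed. Name the flag that actually failed, e.g. `openpam_log(PAM_LOG_DEBUG, "%s module failed", chain->flag == PAM_BINDING ? "binding" : "required");`. The comment that closes at the top of this hunk begins outside it, so check that its wording about required modules covers binding as well.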
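Review bot: `PAM_BINDING` is added in the `@@ -48,7 +48,8 @@` hunk of openpam_impl.h with no comment, so its meaning can only be recovered by reading openpam_dispatch(). A trailing comment such as `/* success ends the chain like "sufficient"; failure counts like "required" */` would document it where the flag is declared. Because `PAM_NUM_CONTROLFLAGS` moves from 5 to 6, anything sized or bounded by it elsewhere (nothing of that kind is visible in this diff) needs an entry for the new value.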