Date:      Tue, 4 Sep 2018 10:51:42 +0000 (UTC)
From:      Dag-Erling Smørgrav <des@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r338453 - head/lib/libpam/modules/pam_exec
Message-ID:  <201809041051.w84ApgC8012476@repo.freebsd.org>

Author: des
Date: Tue Sep  4 10:51:41 2018
New Revision: 338453
URL: https://svnweb.freebsd.org/changeset/base/338453

Log:
  For full Linux-PAM compatibility, add a trailing NUL character when
  passing the authentication token to the external program.
  
  Approved by:	re (kib)
  Submitted by:	Thomas Munro <munro@ip9.org>
  MFC after:	1 week
  Differential Revision:	D16950

Modified:
  head/lib/libpam/modules/pam_exec/pam_exec.8
  head/lib/libpam/modules/pam_exec/pam_exec.c

Modified: head/lib/libpam/modules/pam_exec/pam_exec.8
==============================================================================
--- head/lib/libpam/modules/pam_exec/pam_exec.8	Tue Sep  4 09:58:13 2018	(r338452)
+++ head/lib/libpam/modules/pam_exec/pam_exec.8	Tue Sep  4 10:51:41 2018	(r338453)
@@ -74,7 +74,8 @@ Ignored for compatibility reasons.
 Use the program exit status as the return code of the pam_sm_* function.
 It must be a valid return value for this function.
 .It Cm expose_authtok
-Write the authentication token to the program's standard input stream.
+Write the authentication token to the program's standard input stream,
+followed by a NUL character.
 .It Cm --
 Stop options parsing;
 program and its arguments follow.
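
Review bot: the new expose_authtok wording states that a NUL follows the token but not what that means for existing programs: one that reads standard input to end-of-file and uses the whole buffer as the token now receives one extra byte. Consider adding a sentence that tells program authors to treat the NUL as the end of the token.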

Modified: head/lib/libpam/modules/pam_exec/pam_exec.c
==============================================================================
--- head/lib/libpam/modules/pam_exec/pam_exec.c	Tue Sep  4 09:58:13 2018	(r338452)
+++ head/lib/libpam/modules/pam_exec/pam_exec.c	Tue Sep  4 10:51:41 2018	(r338453)
@@ -254,7 +254,8 @@ _pam_exec(pam_handle_t *pamh,
 		}
 		rc = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL);
 		if (rc == PAM_SUCCESS) {
-			authtok_size = strlen(authtok);
+			/* We include the trailing NUL-terminator. */
+			authtok_size = strlen(authtok) + 1;
 		} else {
 			openpam_log(PAM_LOG_ERROR, "%s: pam_get_authtok(): %s", func,
 						pam_strerror(pamh, rc));
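
Review bot: in the PAM_SUCCESS branch, "authtok_size = strlen(authtok) + 1;" changes authtok_size from a string length to a byte count that includes the terminator, and the code that consumes it lies outside this hunk. Please confirm that every use of authtok_size (the write to the child and any short-write or size check) expects the larger value. An empty token now produces a one-byte write of NUL instead of a zero-length one, which would be worth stating in the new comment.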


