Date:      Thu, 24 Aug 2000 10:51:41 -0500 (EST)
From:      ajk@iu.edu
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        XFree86@XFree86.org
Subject:   ports/20822: [PATCH] PAM support broken in XDM
Message-ID:  <200008241551.KAA42506@kobayashi.uits.iupui.edu>


>Number:         20822
>Category:       ports
>Synopsis:       [PATCH] PAM support broken in XDM
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 24 09:00:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Andrew J. Korty
>Release:        FreeBSD 4.1-RELEASE i386
>Organization:
Indiana University
>Environment:

XFree86-4 port

>Description:

XDM fails to open and close the PAM session layer.  The function
thepamh(), which is intended to save the PAM handle in a static
variable, returns the handle itself rather than the address of that
handle.  Therefore, when Verify() calls pam_start() with the address
of its local copy of the handle, only that copy is changed.  Since
thepamh() returns the stored handle by value, the change is never
saved, so StartClient() and SessionExit() are given NULL handles.

>How-To-Repeat:

Build XDM with PAM support.  Configure a PAM module that uses the
session layer (e.g., pam_ssh).  The session layer will not execute.

>Fix:

Make thepamh() return the address of the PAM handle.

--- programs/xdm/dm.h.orig	Wed Jun 14 14:43:31 2000
+++ programs/xdm/dm.h	Thu Aug 24 09:34:50 2000
@@ -417,7 +417,7 @@
 
 /* in session.c */
 #ifdef USE_PAM
-extern pam_handle_t *thepamh(void);
+extern pam_handle_t **thepamh(void);
 #endif
 extern char **defaultEnv (void);
 extern char **systemEnv (struct display *d, char *user, char *home);
--- programs/xdm/greeter/verify.c.orig	Wed Jun 14 14:43:33 2000
+++ programs/xdm/greeter/verify.c	Thu Aug 24 09:34:50 2000
@@ -163,7 +163,7 @@
 {
 	struct passwd	*p;
 #ifdef USE_PAM
-	pam_handle_t *pamh = thepamh();
+	pam_handle_t **pamh = thepamh();
 #else
 #ifdef USESHADOW
 	struct spwd	*sp;
@@ -312,19 +312,19 @@
 
 #else /* USE_PAM */
 #define PAM_BAIL	\
-	if (pam_error != PAM_SUCCESS) { pam_end(pamh, 0); return 0; }
+	if (pam_error != PAM_SUCCESS) { pam_end(*pamh, 0); return 0; }
 
 	PAM_password = greet->password;
-	pam_error = pam_start("xdm", p->pw_name, &PAM_conversation, &pamh);
+	pam_error = pam_start("xdm", p->pw_name, &PAM_conversation, pamh);
 	PAM_BAIL;
-	pam_error = pam_set_item(pamh, PAM_TTY, d->name);
+	pam_error = pam_set_item(*pamh, PAM_TTY, d->name);
 	PAM_BAIL;
-	pam_error = pam_authenticate(pamh, 0);
+	pam_error = pam_authenticate(*pamh, 0);
 	PAM_BAIL;
-	pam_error = pam_acct_mgmt(pamh, 0);
+	pam_error = pam_acct_mgmt(*pamh, 0);
 	/* really should do password changing, but it doesn't fit well */
 	PAM_BAIL;
-	pam_error = pam_setcred(pamh, 0);
+	pam_error = pam_setcred(*pamh, 0);
 	PAM_BAIL;
 #undef PAM_BAIL
 #endif /* USE_PAM */
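Review bot: `PAM_BAIL` now ends the transaction on the shared static handle but leaves `*pamh` pointing at it, so after any failed step `thepamh()` keeps handing out a handle that has already been passed to `pam_end()`. Before this change the handle was a local and the stale value died with the function; now the `*pamh` tests in session.c would treat it as live if any path reaches them after a failed login (not visible here). Clear the slot in the macro and pass the real status on: `if (pam_error != PAM_SUCCESS) { pam_end(*pamh, pam_error); *pamh = NULL; return 0; }`. The enclosing function starts and ends outside this hunk.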
--- programs/xdm/session.c.orig	Sat Jun 17 13:48:23 2000
+++ programs/xdm/session.c	Thu Aug 24 10:15:18 2000
@@ -97,10 +97,10 @@
 extern	char	*crypt(CRYPT_ARGS);
 #endif
 #ifdef USE_PAM
-pam_handle_t *thepamh()
+pam_handle_t **thepamh()
 {
 	static pam_handle_t *pamh = NULL;
-	return pamh;
+	return &pamh;
 }
 #endif
 
@@ -468,7 +468,7 @@
     if (removeAuth)
     {
 #ifdef USE_PAM
-	pam_handle_t *pamh = thepamh();
+	pam_handle_t **pamh = thepamh();
 #endif
 	setgid (verify.gid);
 	setuid (verify.uid);
@@ -498,11 +498,11 @@
 	}
 #endif /* K5AUTH */
 #ifdef USE_PAM
-	if (pamh) {
+	if (pamh && *pamh) {
 	    /* shutdown PAM session */
-	    pam_close_session(pamh, 0);
-	    pam_end(pamh, PAM_SUCCESS);
-	    pamh = NULL;
+	    pam_close_session(*pamh, 0);
+	    pam_end(*pamh, PAM_SUCCESS);
+	    *pamh = NULL;
 	}
 #endif
     }
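Review bot: The return value of `pam_close_session(*pamh, 0)` is discarded and `pam_end()` is always told `PAM_SUCCESS`, so a session module that fails to tear down leaves no trace. Judging by the `setgid`/`setuid` calls in the previous hunk, this teardown appears to run after privileges were dropped to the user, which is a likely cause of such failures for modules that need root; confirm against the full function. Capture the status with `int rc = pam_close_session(*pamh, 0);`, pass it on with `pam_end(*pamh, rc);`, and report a non-success `rc` through `Debug`. The `pamh &&` half of the test is always true, because `thepamh()` returns the address of a static. The enclosing block starts outside this hunk.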
@@ -525,7 +525,7 @@
     struct passwd* pwd;
 #endif
 #ifdef USE_PAM 
-    pam_handle_t *pamh = thepamh();
+    pam_handle_t **pamh = thepamh();
 #endif
 
     if (verify->argv) {
@@ -540,7 +540,7 @@
 	Debug ("\n");
     }
 #ifdef USE_PAM
-    if (pamh) pam_open_session(pamh, 0);
+    if (pamh && *pamh) pam_open_session(*pamh, 0);
 #endif    
     switch (pid = fork ()) {
     case 0:
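Review bot: `pam_open_session(*pamh, 0)` is called without checking its result, so the client is still forked when a session module refuses or fails. With this patch the handle is finally non-NULL here, so the gap becomes reachable: session modules that enforce limits or set up per-login state can fail silently and the login proceeds anyway. Compare the result with `PAM_SUCCESS` and take the function's existing failure path (its return convention is outside this hunk) instead of reaching `fork ()`. At minimum report it, e.g. `Debug ("pam_open_session failed: %s\n", pam_strerror(*pamh, rc));`.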
@@ -554,9 +554,9 @@
 
 #ifdef USE_PAM
 	/* pass in environment variables set by libpam and modules it called */
-	if (pamh) {
+	if (pamh && *pamh) {
 	    long i;
-	    char **pam_env = pam_getenvlist(pamh);
+	    char **pam_env = pam_getenvlist(*pamh);
 	    for(i = 0; pam_env && pam_env[i]; i++) {
 		verify->userEnviron = putEnv(pam_env[i], verify->userEnviron);
 	    }

>Release-Note:
>Audit-Trail:
>Unformatted:





