pam/libpam-password-requisite.diff


--- libpam/pam_dispatch.c 3 Dec 2008 14:16:33 -0000 1.13
+++ libpam/pam_dispatch.c 4 Feb 2009 13:48:02 -0000
@@ -132,11 +132,10 @@
}
/*
- * use_cached_chain is how we ensure that the setcred/close_session
- * and chauthtok(2) modules are called in the same order as they did
- * when they were invoked as auth/open_session/chauthtok(1). This
- * feature was added in 0.75 to make the behavior of pam_setcred
- * sane. It was debugged by release 0.76.
+ * use_cached_chain is how we ensure that the setcred and
+ * close_session modules are called in the same order as they did
+ * when they were invoked as auth/open_session. This feature was
+ * added in 0.75 to make the behavior of pam_setcred sane.
*/
if (use_cached_chain != _PAM_PLEASE_FREEZE) {
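Review bot: The rewritten comment drops chauthtok from the list but does not say what now governs the password stack, so a reader cannot tell that the omission is deliberate. Together with the deletion in the `PAM_CHAUTHTOK` case further down, the `PAM_UPDATE_AUTHTOK` pass appears to no longer replay the chain recorded during `PAM_PRELIM_CHECK` and instead evaluates the control flags afresh; this is inferred from the two hunks, since the rest of the function lies outside them. I would add a line such as `* chauthtok is intentionally not frozen: the update pass walks the password stack again and honours its control flags.` so that anyone auditing requisite/sufficient ordering in a password stack knows both passes are evaluated independently.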
@@ -358,9 +357,6 @@
break;
case PAM_CHAUTHTOK:
h = pamh->handlers.conf.chauthtok;
- if (flags & PAM_UPDATE_AUTHTOK) {
- use_cached_chain = _PAM_MUST_BE_FROZEN;
- }
break;
default:
pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
--- libpam/pam_password.c 24 Jul 2006 15:47:40 -0000 1.5
+++ libpam/pam_password.c 4 Feb 2009 13:48:02 -0000
@@ -24,6 +24,13 @@
return PAM_SYSTEM_ERR;
}
+ /* applications are not allowed to set this flags */
+ if (flags & (PAM_PRELIM_CHECK | PAM_UPDATE_AUTHTOK)) {
+ syslog(LOG_ERR, _PAM_SYSTEM_LOG_PREFIX
+ "PAM_PRELIM_CHECK or PAM_UPDATE_AUTHTOK set by application");
+ return PAM_SYSTEM_ERR;
+ }
+
if (pamh->former.choice == PAM_NOT_STACKED) {
_pam_start_timer(pamh); /* we try to make the time for a failure
independent of the time it takes to
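Review bot: The rejection at the added flag check is logged with a bare `syslog(LOG_ERR, ...)`, whereas the dispatch code in this same patch reports through `pam_syslog(pamh, LOG_ERR, ...)`. A direct syslog() call uses whatever ident and facility the application configured, so this event (an application trying to drive the prelim/update phases itself) may not reach the auth log where it would be monitored. Assuming pamh has already been validated by the check that ends just above the hunk (not visible here), I would write `pam_syslog(pamh, LOG_ERR, "PAM_PRELIM_CHECK or PAM_UPDATE_AUTHTOK set by application");`. The comment should also read `/* applications are not allowed to set these flags */`. The function continues outside the hunk.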
@@ -58,4 +67,3 @@
return retval;
}
-