pam_kwallet/0004-Don-t-call-pam_sm_open_session-within-pam_sm_authent.patch

From 574d9a78e0b4dc3fe898a109a27bf650e9a80cc3 Mon Sep 17 00:00:00 2001
From: Fabian Vogt <fabian@ritter-vogt.de>
Date: Mon, 13 Mar 2023 10:38:36 +0100
Subject: [PATCH 4/4] Don't call pam_sm_open_session within pam_sm_authenticate

It doesn't make sense to open a session before performing authentication.
Don't work around application (or configuration) bugs here.
---
 pam_kwallet.c | 22 +++-------------------
 1 file changed, 3 insertions(+), 19 deletions(-)

diff --git a/pam_kwallet.c b/pam_kwallet.c
index 49be6c0..841e766 100644
--- a/pam_kwallet.c
+++ b/pam_kwallet.c
@@ -314,14 +314,6 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
         return PAM_IGNORE;
     }
 
-    //if sm_open_session has already been called (but we did not have password), call it now
-    const char *session_bit;
-    result = pam_get_data(pamh, "sm_open_session", (const void **)&session_bit);
-    if (result == PAM_SUCCESS) {
-        pam_syslog(pamh, LOG_ERR, "%s: open_session was called before us, calling it now", logPrefix);
-        return pam_sm_open_session(pamh, flags, argc, argv);
-    }
-
     //TODO unlock kwallet that is already executed
     return PAM_IGNORE;
 }
@@ -550,17 +542,9 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, cons
         return PAM_IGNORE;
     }
 
-    int result;
-    result = pam_set_data(pamh, "sm_open_session", "1", NULL);
-    if (result != PAM_SUCCESS) {
-        pam_syslog(pamh, LOG_ERR, "%s: Impossible to store sm_open_session: %s",
-                   logPrefix, pam_strerror(pamh, result));
-        return PAM_IGNORE;
-    }
-
-     //Fetch the user, needed to get user information
+    //Fetch the user, needed to get user information
     const char *username;
-    result = pam_get_user(pamh, &username, NULL);
+    int result = pam_get_user(pamh, &username, NULL);
     if (result != PAM_SUCCESS) {
         pam_syslog(pamh, LOG_ERR, "%s: Couldn't get username %s",
                    logPrefix, pam_strerror(pamh, result));
@@ -584,7 +568,7 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, cons
 
     if (result != PAM_SUCCESS) {
         pam_syslog(pamh, LOG_INFO, "%s: open_session called without %s", logPrefix, kwalletPamDataKey);
-        return PAM_SUCCESS;//We will wait for pam_sm_authenticate
+        return PAM_IGNORE;
     }
 
     char *key = malloc(KWALLET_PAM_KEYSIZE);
-- 
2.39.2
Accepting request 1071111 from home:Vogtinator:plasma5.27 - Add patches for handling edge cases and hardening: * 0001-Verify-that-XDG_RUNTIME_DIR-is-usable.patch * 0002-Don-t-do-anything-if-the-password-is-empty.patch * 0003-Exit-early-if-the-target-user-is-root.patch * 0004-Don-t-call-pam_sm_open_session-within-pam_sm_authent.patch OBS-URL: https://build.opensuse.org/request/show/1071111 OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/pam_kwallet?expand=0&rev=264 2023-03-13 17:17:31 +01:00			`From 574d9a78e0b4dc3fe898a109a27bf650e9a80cc3 Mon Sep 17 00:00:00 2001`
			`From: Fabian Vogt <fabian@ritter-vogt.de>`
			`Date: Mon, 13 Mar 2023 10:38:36 +0100`
			`Subject: [PATCH 4/4] Don't call pam_sm_open_session within pam_sm_authenticate`

			`It doesn't make sense to open a session before performing authentication.`
			`Don't work around application (or configuration) bugs here.`
			`---`
			`pam_kwallet.c \| 22 +++-------------------`
			`1 file changed, 3 insertions(+), 19 deletions(-)`

			`diff --git a/pam_kwallet.c b/pam_kwallet.c`
			`index 49be6c0..841e766 100644`
			`--- a/pam_kwallet.c`
			`+++ b/pam_kwallet.c`
			`@@ -314,14 +314,6 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons`
			`return PAM_IGNORE;`
			`}`

			`- //if sm_open_session has already been called (but we did not have password), call it now`
			`- const char *session_bit;`
			`- result = pam_get_data(pamh, "sm_open_session", (const void **)&session_bit);`
			`- if (result == PAM_SUCCESS) {`
			`- pam_syslog(pamh, LOG_ERR, "%s: open_session was called before us, calling it now", logPrefix);`
			`- return pam_sm_open_session(pamh, flags, argc, argv);`
			`- }`
			`-`
			`//TODO unlock kwallet that is already executed`
			`return PAM_IGNORE;`
			`}`
			`@@ -550,17 +542,9 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, cons`
			`return PAM_IGNORE;`
			`}`

			`- int result;`
			`- result = pam_set_data(pamh, "sm_open_session", "1", NULL);`
			`- if (result != PAM_SUCCESS) {`
			`- pam_syslog(pamh, LOG_ERR, "%s: Impossible to store sm_open_session: %s",`
			`- logPrefix, pam_strerror(pamh, result));`
			`- return PAM_IGNORE;`
			`- }`
			`-`
			`- //Fetch the user, needed to get user information`
			`+ //Fetch the user, needed to get user information`
			`const char *username;`
			`- result = pam_get_user(pamh, &username, NULL);`
			`+ int result = pam_get_user(pamh, &username, NULL);`
			`if (result != PAM_SUCCESS) {`
			`pam_syslog(pamh, LOG_ERR, "%s: Couldn't get username %s",`
			`logPrefix, pam_strerror(pamh, result));`
			`@@ -584,7 +568,7 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, cons`

			`if (result != PAM_SUCCESS) {`
			`pam_syslog(pamh, LOG_INFO, "%s: open_session called without %s", logPrefix, kwalletPamDataKey);`
			`- return PAM_SUCCESS;//We will wait for pam_sm_authenticate`
			`+ return PAM_IGNORE;`
			`}`

			`char *key = malloc(KWALLET_PAM_KEYSIZE);`
			`--`
			`2.39.2`