forked from pool/pam_kwallet
c3c23f9515
- Add patches for handling edge cases and hardening: * 0001-Verify-that-XDG_RUNTIME_DIR-is-usable.patch * 0002-Don-t-do-anything-if-the-password-is-empty.patch * 0003-Exit-early-if-the-target-user-is-root.patch * 0004-Don-t-call-pam_sm_open_session-within-pam_sm_authent.patch OBS-URL: https://build.opensuse.org/request/show/1071111 OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/pam_kwallet?expand=0&rev=264
63 lines
2.4 KiB
Diff
63 lines
2.4 KiB
Diff
From 574d9a78e0b4dc3fe898a109a27bf650e9a80cc3 Mon Sep 17 00:00:00 2001
|
|
From: Fabian Vogt <fabian@ritter-vogt.de>
|
|
Date: Mon, 13 Mar 2023 10:38:36 +0100
|
|
Subject: [PATCH 4/4] Don't call pam_sm_open_session within pam_sm_authenticate
|
|
|
|
It doesn't make sense to open a session before performing authentication.
|
|
Don't work around application (or configuration) bugs here.
|
|
---
|
|
pam_kwallet.c | 22 +++-------------------
|
|
1 file changed, 3 insertions(+), 19 deletions(-)
|
|
|
|
diff --git a/pam_kwallet.c b/pam_kwallet.c
|
|
index 49be6c0..841e766 100644
|
|
--- a/pam_kwallet.c
|
|
+++ b/pam_kwallet.c
|
|
@@ -314,14 +314,6 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
|
|
return PAM_IGNORE;
|
|
}
|
|
|
|
- //if sm_open_session has already been called (but we did not have password), call it now
|
|
- const char *session_bit;
|
|
- result = pam_get_data(pamh, "sm_open_session", (const void **)&session_bit);
|
|
- if (result == PAM_SUCCESS) {
|
|
- pam_syslog(pamh, LOG_ERR, "%s: open_session was called before us, calling it now", logPrefix);
|
|
- return pam_sm_open_session(pamh, flags, argc, argv);
|
|
- }
|
|
-
|
|
//TODO unlock kwallet that is already executed
|
|
return PAM_IGNORE;
|
|
}
|
|
@@ -550,17 +542,9 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, cons
|
|
return PAM_IGNORE;
|
|
}
|
|
|
|
- int result;
|
|
- result = pam_set_data(pamh, "sm_open_session", "1", NULL);
|
|
- if (result != PAM_SUCCESS) {
|
|
- pam_syslog(pamh, LOG_ERR, "%s: Impossible to store sm_open_session: %s",
|
|
- logPrefix, pam_strerror(pamh, result));
|
|
- return PAM_IGNORE;
|
|
- }
|
|
-
|
|
- //Fetch the user, needed to get user information
|
|
+ //Fetch the user, needed to get user information
|
|
const char *username;
|
|
- result = pam_get_user(pamh, &username, NULL);
|
|
+ int result = pam_get_user(pamh, &username, NULL);
|
|
if (result != PAM_SUCCESS) {
|
|
pam_syslog(pamh, LOG_ERR, "%s: Couldn't get username %s",
|
|
logPrefix, pam_strerror(pamh, result));
|
|
@@ -584,7 +568,7 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, cons
|
|
|
|
if (result != PAM_SUCCESS) {
|
|
pam_syslog(pamh, LOG_INFO, "%s: open_session called without %s", logPrefix, kwalletPamDataKey);
|
|
- return PAM_SUCCESS;//We will wait for pam_sm_authenticate
|
|
+ return PAM_IGNORE;
|
|
}
|
|
|
|
char *key = malloc(KWALLET_PAM_KEYSIZE);
|
|
--
|
|
2.39.2
|
|
|