Bug#251088: xdm: calling pam_setcred multiple times, redux

Fri, 23 Dec 2005 15:48:10 -0800 

Package: xdm
Followup-For: Bug #251088

As mentioned earlier in this bug report, xdm calls pam_setcred multiple
times, which can cause problems and at the least is useless work.  More
seriously, it discards any changes made in the environment after the
last call, which can result in such problems as someone's ticket cache
location and KRB5CCNAME environment variable being out of sync.

I agree with the original bug reporter that simply removing the call to
pam_setcred in session.c is the right thing to do.  Failing that, at
least the following should be applied to move environment setting until
after the pam_setcred call:

--- xorg-x11-6.8.2.dfsg.1/xc/programs/xdm/session.c.orig        2005-02-28 
09:35:18.000000000 -0800
+++ xorg-x11-6.8.2.dfsg.1/xc/programs/xdm/session.c     2005-12-23 
15:34:35.000000000 -0800
@@ -559,18 +559,6 @@
 
        /* Do system-dependent login setup here */
 
-#ifdef USE_PAM
-       /* pass in environment variables set by libpam and modules it called */
-       if (pamh) {
-           long i;
-           char **pam_env = pam_getenvlist(pamh);
-           for(i = 0; pam_env && pam_env[i]; i++) {
-               verify->userEnviron = putEnv(pam_env[i], verify->userEnviron);
-           }
-       }
-#endif
-
-
 #ifndef AIXV3
 #ifndef HAS_SETUSERCONTEXT
        if (setgid(verify->gid) < 0) {
@@ -634,6 +622,17 @@
        }
 #endif /* AIXV3 */
 
+#ifdef USE_PAM
+       /* pass in environment variables set by libpam and modules it called */
+       if (pamh) {
+           long i;
+           char **pam_env = pam_getenvlist(pamh);
+           for(i = 0; pam_env && pam_env[i]; i++) {
+               verify->userEnviron = putEnv(pam_env[i], verify->userEnviron);
+           }
+       }
+#endif
+
        /*
         * for user-based authorization schemes,
         * use the password to get the user's credentials.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to