Hi,

If the specified program exits with non-zero, the current implementation of pam_exec(8) logs this code and returns PAM_SYSTEM_ERR. Therefore, applications have no idea what went wrong with authentication.

Attached is a patch that changes the behaviour to always return the program exit code as-is. This lets the program return meaningful information to applications. I also added a small paragraph explaining this to the man page.

I'm planning to commit this to -CURRENT (maybe in a week or two) and merge it to 9 and 8 if there are no objections.

Thanks for any comments!

-- 
Jean-Sébastien Pédron

diff --git a/lib/libpam/modules/pam_exec/pam_exec.8 b/lib/libpam/modules/pam_exec/pam_exec.8 index 311d64c..c5d2404 100644 --- a/lib/libpam/modules/pam_exec/pam_exec.8 +++ b/lib/libpam/modules/pam_exec/pam_exec.8 @@ -32,7 +32,7 @@ .\" .\" $FreeBSD$ .\" -.Dd February 1, 2005 +.Dd January 24, 2012 .Dt PAM_EXEC 8 .Os .Sh NAME @@ -59,6 +59,12 @@ variables: .Ev PAM_TTY , and .Ev PAM_USER . +.Pp +The program exit code should be one of the codes defined in +.Pa /usr/include/security/pam_constants.h +under section "XSSO 5.2". Authentication is successful if the return code is +.Er PAM_SUCCESS +(0), failed otherwise. .Sh SEE ALSO .Xr pam_get_item 3 , .Xr pam.conf 5 , diff --git a/lib/libpam/modules/pam_exec/pam_exec.c b/lib/libpam/modules/pam_exec/pam_exec.c index b7a870f..d497479 100644 --- a/lib/libpam/modules/pam_exec/pam_exec.c +++ b/lib/libpam/modules/pam_exec/pam_exec.c @@ -141,12 +141,7 @@ _pam_exec(pam_handle_t *pamh __unused, int flags __unused, openpam_log(PAM_LOG_ERROR, "unknown status 0x%x", status); return (PAM_SYSTEM_ERR); } - if (WEXITSTATUS(status) != 0) { - openpam_log(PAM_LOG_ERROR, "%s returned code %d", - argv[0], WEXITSTATUS(status)); - return (PAM_SYSTEM_ERR); - } - return (PAM_SUCCESS); + return (WEXITSTATUS(status)); } PAM_EXTERN int
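
Review bot: In the pam_exec.8 paragraph added after ".Ev PAM_USER .", the text says the exit code "should be" one of the codes in pam_constants.h but does not say what the module returns when it is not, and it does not warn that non-zero exits from programs already deployed with pam_exec now take on a different meaning. Suggest documenting the fallback for out-of-range values explicitly and noting the behaviour change, and referring to the PAM return codes by name rather than to a section label inside a header comment, which can move.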
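
Review bot: In _pam_exec, "return (WEXITSTATUS(status));" passes an unchecked value in the range 0 to 255 back as the PAM return code, so a program that exits with a generic status such as 1 is reported as whichever PAM constant happens to have that number, and larger values may not correspond to any PAM code at all. Suggest checking the exit status against the defined range of PAM return codes and returning PAM_SYSTEM_ERR for anything else, and keeping the removed openpam_log() call for non-zero exits so that a failing program still leaves a log entry naming argv[0] and the code.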