Package: libpam0g
Version: 0.99.7.1-6
Severity: normal

pam_afs_session is purely a session module and doesn't implement
authentication, but it needs to run in pam_setcred.  Currently, it
always returns PAM_SUCCESS for authenticate, which of course is rather
dangerous in the presence of misconfiguration (someone might list it
last or mark it sufficient).

I want to return PAM_IGNORE instead to avoid that problem.  However,
the handling of PAM_IGNORE appears to be broken in the presence of the
more complex [] syntax for status handling.

If I have a PAM configuration of:

auth    [success=ok default=1]  pam_krb5.so
auth    [default=done]          pam_afs_session.so

and pam_afs_session returns PAM_IGNORE, the PAM_IGNORE isn't ignored
and instead makes the whole stack return PAM_IGNORE, resulting in
authentication failures like:

Jul 10 21:48:00 windlord login[8918]: FAILED LOGIN (3) on 'pts/12' FOR 
`thoron', The return value should be ignored by PAM dispatch

The problem appears to be with this section of _pam_dispatch_aux:

            if ( impression == _PAM_UNDEF
                 || (impression == _PAM_POSITIVE && status == PAM_SUCCESS) ) {
                /* in case of using cached chain
                   we could get here with PAM_IGNORE - don't return it */
                if ( retval != PAM_IGNORE || cached_retval == retval ) {
                    impression = _PAM_POSITIVE;
                    status = retval;
                }
            }

I believe that inner test should instead simply be:

    if ( retval != PAM_IGNORE ) {
        impression = _PAM_POSITIVE;
        status = retval;
    }

Otherwise, PAM_IGNORE becomes the return status if it's the last module
in a group to execute, which defeats the whole point of PAM_IGNORE.
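To see the effect of the two inner tests side by side, here is a small C model of the dispatch result-merging logic. It is an illustration added to this report, not Linux-PAM's own source: the numeric constants follow the public PAM header, the `cached_retval == retval` condition for a freshly invoked module and the handling of a numeric jump are the model's assumptions, and the two-line stack from the report is constructed inline. Switching `fixed` between the reported test and the proposed one shows the stack returning PAM_IGNORE versus PAM_SUCCESS, and the single-module stack shows why a session module that returns PAM_SUCCESS for authenticate is a bypass while PAM_IGNORE is not.

```c
/* Toy model of the impression/status merging in Linux-PAM's _pam_dispatch_aux.
 * Added illustration for this bug report; not Linux-PAM source.
 * Constant values follow the public PAM header; only distinctness matters here. */
#include <stdbool.h>
#include <stdio.h>

#define PAM_SUCCESS     0
#define PAM_PERM_DENIED 6
#define PAM_AUTH_ERR    7
#define PAM_IGNORE      25

enum impression { IMPR_UNDEF, IMPR_POSITIVE, IMPR_NEGATIVE };
enum action { ACT_OK, ACT_DONE, ACT_IGNORE, ACT_JUMP };

/* One [...] control field: action on success, action for every other value,
   and the jump distance when that action is ACT_JUMP. */
struct control { enum action on_success; enum action on_default; int jump; };

/* One stack line: the module's (simulated) return value plus its control field. */
struct entry { const char *module; int retval; struct control ctl; };

/* Walk the stack and merge module results the way the dispatcher does.
   fixed == false uses the inner test quoted from _pam_dispatch_aux,
   fixed == true uses the proposed `retval != PAM_IGNORE` test. */
static int dispatch(const struct entry *stack, int n, bool fixed)
{
    enum impression impression = IMPR_UNDEF;
    int status = PAM_PERM_DENIED;
    int i = 0;

    while (i < n) {
        const struct entry *e = &stack[i];
        int retval = e->retval;
        /* Model assumption: the module was just invoked, so the cached
           result equals what it returned (cached_retval == retval). */
        int cached_retval = retval;
        enum action action = (retval == PAM_SUCCESS) ? e->ctl.on_success
                                                     : e->ctl.on_default;
        int skip = 0;
        bool quit = false;

        switch (action) {
        case ACT_IGNORE:
            break;                       /* leave impression and status untouched */
        case ACT_OK:
        case ACT_DONE:
            if (impression == IMPR_UNDEF
                || (impression == IMPR_POSITIVE && status == PAM_SUCCESS)) {
                bool record = fixed
                    ? (retval != PAM_IGNORE)                              /* proposed */
                    : (retval != PAM_IGNORE || cached_retval == retval);  /* as shipped */
                if (record) { impression = IMPR_POSITIVE; status = retval; }
            }
            if (impression == IMPR_POSITIVE && action == ACT_DONE)
                quit = true;
            break;
        case ACT_JUMP:
            skip = e->ctl.jump;
            /* Model choice: a non-success result that triggers a jump counts
               as a negative verdict, so a skipped-over stack still fails. */
            if (retval != PAM_SUCCESS && retval != PAM_IGNORE
                && impression != IMPR_NEGATIVE) {
                impression = IMPR_NEGATIVE;
                status = retval;
            }
            break;
        }
        if (quit) break;
        i += 1 + skip;
    }
    /* No module formed an impression: deny rather than let the stack pass. */
    if (impression == IMPR_UNDEF) status = PAM_PERM_DENIED;
    return status;
}

/* The two-line auth stack from the report, with simulated module results. */
static int report_stack(bool fixed, int krb5_retval, int afs_retval)
{
    const struct entry stack[] = {
        { "pam_krb5.so",        krb5_retval, { ACT_OK,   ACT_JUMP, 1 } }, /* [success=ok default=1] */
        { "pam_afs_session.so", afs_retval,  { ACT_DONE, ACT_DONE, 0 } }, /* [default=done]         */
    };
    return dispatch(stack, 2, fixed);
}

/* The misconfiguration the report warns about: the session module on its own. */
static int lone_afs_stack(bool fixed, int afs_retval)
{
    const struct entry stack[] = {
        { "pam_afs_session.so", afs_retval, { ACT_DONE, ACT_DONE, 0 } },
    };
    return dispatch(stack, 1, fixed);
}

int main(void)
{
    printf("shipped test, krb5 ok, afs PAM_IGNORE -> %d (PAM_IGNORE leaks out)\n",
           report_stack(false, PAM_SUCCESS, PAM_IGNORE));
    printf("proposed test, krb5 ok, afs PAM_IGNORE -> %d (PAM_SUCCESS)\n",
           report_stack(true, PAM_SUCCESS, PAM_IGNORE));
    printf("proposed test, krb5 fails, afs skipped -> %d (PAM_AUTH_ERR)\n",
           report_stack(true, PAM_AUTH_ERR, PAM_IGNORE));
    printf("afs alone returning PAM_SUCCESS -> %d (authenticates anyone)\n",
           lone_afs_stack(true, PAM_SUCCESS));
    printf("afs alone returning PAM_IGNORE  -> %d (denied)\n",
           lone_afs_stack(true, PAM_IGNORE));
    return 0;
}
```

The `ACT_JUMP` branch and the initial `PAM_PERM_DENIED` are deliberate simplifications of the real dispatcher; the branch that matters for this report is `ACT_OK`/`ACT_DONE`, which reproduces the quoted block verbatim apart from the one condition under test.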

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam0g depends on:
ii  debconf [debconf-2.0]         1.5.22     Debian configuration management sy
ii  libc6                         2.7-10     GNU C Library: Shared libraries
ii  libpam-runtime                0.99.7.1-6 Runtime support for the PAM librar

libpam0g recommends no packages.

-- debconf information:
* libpam0g/restart-services: cron
  libpam0g/xdm-needs-restart:
  libpam0g/restart-failed:
