packages: libgnomesu/libgnomesu-pam-handling.patch (NEW) - merged from Open...
hawk
hawk at pld-linux.org
Thu Nov 25 10:40:20 CET 2010
Author: hawk Date: Thu Nov 25 09:40:20 2010 GMT
Module: packages Tag: HEAD
---- Log message:
- merged from OpenSUSE: handle PAM errors during authentication in a more
extensive way, to give better feedback
---- Files affected:
packages/libgnomesu:
libgnomesu-pam-handling.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: packages/libgnomesu/libgnomesu-pam-handling.patch
diff -u /dev/null packages/libgnomesu/libgnomesu-pam-handling.patch:1.1
--- /dev/null Thu Nov 25 10:40:20 2010
+++ packages/libgnomesu/libgnomesu-pam-handling.patch Thu Nov 25 10:40:15 2010
@@ -0,0 +1,163 @@
+Index: libgnomesu-1.0.0/pam-backend/pam.c
+===================================================================
+--- libgnomesu-1.0.0.orig/pam-backend/pam.c
++++ libgnomesu-1.0.0/pam-backend/pam.c
+@@ -42,12 +42,16 @@
+ #define PROTOCOL_INCORRECT_PASSWORD "INCORRECT_PASSWORD\n" /* Entered password is incorrect */
+
+ /* One of the following messages are printed on exit */
+-#define PROTOCOL_PASSWORD_FAIL "PASSWORD_FAIL\n" /* Entered incorrect password too many times */
++#define PROTOCOL_PASSWORD_FAIL "PASSWORD_FAIL\n" /* Entered incorrect password too many times (but not an error from PAM) */
+ #define PROTOCOL_DONE "DONE\n" /* Success */
+ #define PROTOCOL_NO_SUCH_USER "NO_SUCH_USER\n" /* USER doesn't exist */
+ #define PROTOCOL_INIT_ERROR "INIT_ERROR\n" /* Unable to initialize PAM */
+ #define PROTOCOL_ERROR "ERROR\n" /* Unknown error */
+ #define PROTOCOL_AUTH_DENIED "DENIED\n" /* User is not allowed to authenticate itself */
++#define PROTOCOL_AUTHINFO_UNAVAIL "AUTHINFO_UNAVAIL\n" /* Unable to access the authentication information (network or hardware failure) */
++#define PROTOCOL_MAXTRIES "MAXTRIES\n" /* Entered incorrect password too many times (error from PAM) */
++#define PROTOCOL_USER_EXPIRED "USER_EXPIRED\n" /* User account has expired */
++#define PROTOCOL_PASSWORD_EXPIRED "PASSWORD_EXPIRED\n" /* Password has expired */
+
+ #define DEFAULT_USER "root"
+
+@@ -215,7 +219,6 @@ int
+ main (int argc, char *argv[])
+ {
+ struct passwd *pw;
+- gboolean authenticated = FALSE;
+ pam_handle_t *pamh = NULL;
+ int retval, i;
+
+@@ -241,20 +244,74 @@ main (int argc, char *argv[])
+ else
+ fprintf (outf, PROTOCOL_INCORRECT_PASSWORD);
+ }
+- if (i >= 3)
++
++ if (i >= 3) {
++ fprintf (outf, PROTOCOL_PASSWORD_FAIL);
++ close_pam (pamh, retval);
+ return 1;
++ }
+
+- if (retval == PAM_SUCCESS) {
+- /* Is the user permitted to access this account? */
+- retval = pam_acct_mgmt (pamh, 0);
++ if (Abort) {
++ fprintf (outf, PROTOCOL_ERROR);
++ close_pam (pamh, retval);
++ return 1;
++ }
+
+- if (retval == PAM_SUCCESS)
+- authenticated = TRUE;
+- else
++ switch (retval) {
++ case PAM_SUCCESS:
++ break;
++ case PAM_CRED_INSUFFICIENT:
+ fprintf (outf, PROTOCOL_AUTH_DENIED);
+- } else
+- fprintf (outf, PROTOCOL_PASSWORD_FAIL);
++ break;
++ case PAM_AUTHINFO_UNAVAIL:
++ fprintf (outf, PROTOCOL_AUTHINFO_UNAVAIL);
++ break;
++ case PAM_MAXTRIES:
++ fprintf (outf, PROTOCOL_MAXTRIES);
++ break;
++ case PAM_USER_UNKNOWN:
++ fprintf (outf, PROTOCOL_NO_SUCH_USER);
++ break;
++ default:
++ fprintf (outf, PROTOCOL_ERROR);
++ break;
++ }
+
++ switch (retval) {
++ case PAM_SUCCESS:
++ break;
++ default:
++ close_pam (pamh, retval);
++ return 1;
++ }
++
++ /* Is the user permitted to access this account? */
++ retval = pam_acct_mgmt (pamh, 0);
++
++ switch (retval) {
++ case PAM_SUCCESS:
++ break;
++ case PAM_ACCT_EXPIRED:
++ fprintf (outf, PROTOCOL_USER_EXPIRED);
++ break;
++ case PAM_NEW_AUTHTOK_REQD:
++ fprintf (outf, PROTOCOL_PASSWORD_EXPIRED);
++ break;
++ case PAM_USER_UNKNOWN:
++ fprintf (outf, PROTOCOL_NO_SUCH_USER);
++ break;
++ default:
++ fprintf (outf, PROTOCOL_AUTH_DENIED);
++ break;
++ }
++
++ switch (retval) {
++ case PAM_SUCCESS:
++ break;
++ default:
++ close_pam (pamh, retval);
++ return 1;
++ }
+
+ if (Abort) {
+ close_pam (pamh, retval);
+@@ -262,7 +319,7 @@ main (int argc, char *argv[])
+ return 1;
+ }
+
+- if (authenticated) {
++ do {
+ char **command = argv + 4;
+ pid_t pid;
+ int exitCode = 1, status;
+@@ -312,9 +369,5 @@ main (int argc, char *argv[])
+ /* evecvp() failed */
+ return exitCode;
+
+- } else
+- {
+- close_pam (pamh, retval);
+- return 1;
+- }
++ } while (0);
+ }
+Index: libgnomesu-1.0.0/src/services/pam.c
+===================================================================
+--- libgnomesu-1.0.0.orig/src/services/pam.c
++++ libgnomesu-1.0.0/src/services/pam.c
+@@ -233,6 +233,24 @@ spawn_async2 (const gchar *user, const g
+ bomb (gui, _("You do not have permission to authenticate."));
+ break;
+
++ } else if (cmp (buf, "AUTHINFO_UNAVAIL\n")) {
++ bomb (gui, _("Unable to access the authentication information."));
++ break;
++
++ } else if (cmp (buf, "MAXTRIES\n")) {
++ bomb (gui, _("You reached the limit of tries to authenticate."));
++ break;
++
++ } else if (cmp (buf, "USER_EXPIRED\n")) {
++ bomb (gui, _("User account '%s' has expired."),
++ user);
++ break;
++
++ } else if (cmp (buf, "PASSWORD_EXPIRED\n")) {
++ bomb (gui, _("The password of '%s' has expired. Please update the password."),
++ user);
++ break;
++
+ } else if (cmp (buf, "INIT_ERROR\n")) {
+ bomb (gui, _("Unable to initialize the PAM authentication system."));
+ break;
================================================================
More information about the pld-cvs-commit
mailing list