diff options
author | George Lebl <jirka@5z.com> | 2003-07-26 00:11:15 +0000 |
---|---|---|
committer | George Lebl <jirka@src.gnome.org> | 2003-07-26 00:11:15 +0000 |
commit | 1a833d5d978f2a82c6cf64283e9cc2823bd8cd00 (patch) | |
tree | 8ee6fd61a54b8196f2fe729d746b3cca37e4c951 | |
parent | f9ccdb5f0535acbd89cb1392fb0629a507b37b03 (diff) | |
download | gdm-1a833d5d978f2a82c6cf64283e9cc2823bd8cd00.tar.gz |
apparently pam can is on crack and so the best and apparently most
Fri Jul 25 17:09:52 2003 George Lebl <jirka@5z.com>
* daemon/verify-pam.c: apparently pam can is on crack and so the
best and apparently most portable way of handling the face browser
is by reseting the pam handle after a user has been selected.
This works just as well and we dump any possibly dangerous
state from the pam handle's previous invocation of
pam_authenticate
-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | daemon/verify-pam.c | 69 |
2 files changed, 50 insertions, 28 deletions
@@ -1,3 +1,12 @@ +Fri Jul 25 17:09:52 2003 George Lebl <jirka@5z.com> + + * daemon/verify-pam.c: apparently pam can is on crack and so the + best and apparently most portable way of handling the face browser + is by reseting the pam handle after a user has been selected. + This works just as well and we dump any possibly dangerous + state from the pam handle's previous invocation of + pam_authenticate + Fri Jul 25 16:31:24 2003 George Lebl <jirka@5z.com> * daemon/gdm.c: Fix updating the gdm_main_pid, which fixes gdm_fail diff --git a/daemon/verify-pam.c b/daemon/verify-pam.c index b9107e2a..0c06b5a4 100644 --- a/daemon/verify-pam.c +++ b/daemon/verify-pam.c @@ -388,6 +388,7 @@ create_pamh (GdmDisplay *d, /* Initialize a PAM session for the user */ if ((*pamerr = pam_start (service, login, conv, &pamh)) != PAM_SUCCESS) { + pamh = NULL; /* be anal */ if (gdm_slave_should_complain ()) gdm_error (_("Unable to establish service %s: %s\n"), service, pam_strerror (NULL, *pamerr)); @@ -401,17 +402,6 @@ create_pamh (GdmDisplay *d, return FALSE; } -#if 0 - /* Apparently we should not set RUSER, docs are unclear but the sun - guys are saying don't do it */ - /* gdm is requesting the login */ - if ((*pamerr = pam_set_item (pamh, PAM_RUSER, GdmUser)) != PAM_SUCCESS) { - if (gdm_slave_should_complain ()) - gdm_error (_("Can't set PAM_RUSER=%s"), GdmUser); - return FALSE; - } -#endif - if ( ! d->console) { /* Only set RHOST if host is remote */ /* From the host of the display */ @@ -468,15 +458,6 @@ gdm_verify_user (GdmDisplay *d, cur_gdm_disp = d; - /* Initialize a PAM session for the user */ - if ( ! create_pamh (d, "gdm", username, &pamc, display, &pamerr)) { - if (started_timer) - gdm_slave_greeter_ctl_no_ret (GDM_STOPTIMER, ""); - goto pamerr; - } - - pam_set_item (pamh, PAM_USER_PROMPT, _("Username:")); - /* A Solaris thing: */ #ifdef HAVE_DEFOPEN if (defopen(DEFLT"/login") == 0) { @@ -495,26 +476,56 @@ gdm_verify_user (GdmDisplay *d, } #endif -#ifdef PAM_FAIL_DELAY - pam_fail_delay (pamh, GdmRetryDelay * 1000); -#endif /* PAM_FAIL_DELAY */ - authenticate_again: + /* hack */ g_free (tmp_PAM_USER); tmp_PAM_USER = NULL; + /* Initialize a PAM session for the user */ + if ( ! create_pamh (d, "gdm", login, &pamc, display, &pamerr)) { + if (started_timer) + gdm_slave_greeter_ctl_no_ret (GDM_STOPTIMER, ""); + goto pamerr; + } + + pam_set_item (pamh, PAM_USER_PROMPT, _("Username:")); + +#ifdef PAM_FAIL_DELAY + pam_fail_delay (pamh, GdmRetryDelay * 1000); +#endif /* PAM_FAIL_DELAY */ + did_we_ask_for_password = FALSE; gdm_verify_select_user (NULL); /* Start authentication session */ if ((pamerr = pam_authenticate (pamh, null_tok)) != PAM_SUCCESS) { if ( ! ve_string_empty (selected_user)) { + pam_handle_t *tmp_pamh; + + /* Face browser was used to select a user, + just completely rewhack everything since it + seems various PAM implementations are + having goats with just setting PAM_USER + and trying to pam_authenticate again */ + + g_free (login); + login = selected_user; + selected_user = NULL; + + gdm_sigterm_block_push (); + gdm_sigchld_block_push (); + tmp_pamh = pamh; + pamh = NULL; + gdm_sigchld_block_pop (); + gdm_sigterm_block_pop (); + /* FIXME: what about errors */ - pam_set_item (pamh, PAM_USER, selected_user); - /* Note that the GDM_SETUSER will be sent in the - authenticate conversation. This is a more robust - solution. */ + /* really this has been a sucess, not a failure */ + pam_end (tmp_pamh, PAM_SUCCESS); + + gdm_slave_greeter_ctl_no_ret (GDM_SETLOGIN, login); + goto authenticate_again; } if (started_timer) @@ -1013,6 +1024,8 @@ gdm_verify_check (void) pam_handle_t *ph = NULL; if (pam_start ("gdm", NULL, &standalone_pamc, &ph) != PAM_SUCCESS) { + ph = NULL; /* be anal */ + closelog (); openlog ("gdm", LOG_PID, LOG_DAEMON); |