authorRobert Ancell <robert.ancell@canonical.com>2012-02-15 12:08:49 +1100
committerRobert Ancell <robert.ancell@canonical.com>2012-02-15 12:08:49 +1100
commit14b3b8e817da9de8e0bd69ad2ccb2b4258278e95 (patch)
treefc415fe4cf1f70a70d1b90bf9c52da2c499e8172
parent5abcd9c4939015454cfa09e24e3a3201678751a0 (diff)
downloadlightdm-14b3b8e817da9de8e0bd69ad2ccb2b4258278e95.tar.gz
Detect and handle correctly PAM modules that return user accounts that don't exist
-rw-r--r--src/display.c28
-rw-r--r--src/greeter.c10
-rw-r--r--tests/Makefile.am2
-rw-r--r--tests/scripts/user-renamed-invalid.conf34
-rw-r--r--tests/src/libsystem.c7
-rw-r--r--tests/src/test-runner.c3
-rwxr-xr-xtests/test-user-renamed-invalid2
7 files changed, 75 insertions, 11 deletions
diff --git a/src/display.c b/src/display.c
index 570d6c15..215611fb 100644
--- a/src/display.c
+++ b/src/display.c
@@ -260,20 +260,28 @@ autologin_authentication_result_cb (PAMSession *authentication, int result, Disp
if (result == PAM_SUCCESS)
{
+ User *user;
const gchar *session_name;
-
- g_debug ("User %s authorized", pam_session_get_username (authentication));
- session_name = user_get_xsession (pam_session_get_user (authentication));
- if (session_name)
+ user = pam_session_get_user (authentication);
+
+ if (user)
{
- g_debug ("Using session %s", session_name);
- display_set_user_session (display, session_name);
- }
+ g_debug ("User %s authorized", pam_session_get_username (authentication));
- started_session = start_user_session (display, authentication);
- if (!started_session)
- g_debug ("Failed to start autologin session");
+ session_name = user_get_xsession (user);
+ if (session_name)
+ {
+ g_debug ("Using session %s", session_name);
+ display_set_user_session (display, session_name);
+ }
+
+ started_session = start_user_session (display, authentication);
+ if (!started_session)
+ g_debug ("Failed to start autologin session");
+ }
+ else
+ g_debug ("User %s was authorized, but no account of that name exists", pam_session_get_username (authentication));
}
else
g_debug ("Autologin failed authentication");
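Review bot: The new `else` branch records a PAM success for a non-existent account only through `g_debug`, so a system that is not running with debug logging keeps no trace of the event. A PAM stack that authorizes a name with no matching account points to a misconfigured or unexpected module mapping, and it deserves a warning-level entry: `g_warning ("User %s was authorized, but no account of that name exists", pam_session_get_username (authentication));`. The function begins and ends outside the hunk, so whether the authenticated PAM session is released before falling back to the greeter cannot be checked from here and should be confirmed.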
diff --git a/src/greeter.c b/src/greeter.c
index 28ff3b7f..10fc31fb 100644
--- a/src/greeter.c
+++ b/src/greeter.c
@@ -261,7 +261,15 @@ authentication_result_cb (PAMSession *authentication, int result, Greeter *greet
g_debug ("Authenticate result for user %s: %s", pam_session_get_username (authentication), pam_session_strerror (authentication, result));
if (result == PAM_SUCCESS)
- g_debug ("User %s authorized", pam_session_get_username (authentication));
+ {
+ if (pam_session_get_user (authentication))
+ g_debug ("User %s authorized", pam_session_get_username (authentication));
+ else
+ {
+ g_debug ("User %s authorized, but no account of that name exists", pam_session_get_username (authentication));
+ result = PAM_USER_UNKNOWN;
+ }
+ }
send_end_authentication (greeter, greeter->priv->authentication_sequence_number, pam_session_get_username (authentication), result);
}
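Review bot: Overwriting the local `result` with `PAM_USER_UNKNOWN` changes only what is reported to the greeter; the `PAMSession` object itself still records a successful authentication. If the handler that later starts a session on the greeter's request consults the PAM session rather than this reported result, a session could still be requested for the non-existent account. That handler is outside the hunk, so this needs confirming, and it should repeat the `pam_session_get_user (authentication)` check before starting anything. A comment at the assignment would make the intent explicit, for example `/* PAM succeeded but the account lookup failed: report failure and never start a session for this name */`.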
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 819c60d8..331868cc 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -18,6 +18,7 @@ TESTS = \
test-autologin-guest-fail-setup-script \
test-autologin-guest-logout \
test-user-renamed \
+ test-user-renamed-invalid \
test-keyboard-layout \
test-no-keyboard-layout \
test-default-keyboard-layout \
@@ -168,6 +169,7 @@ EXTRA_DIST = \
scripts/switch-to-user-logout.conf \
scripts/switch-to-user-no-password.conf \
scripts/user-renamed.conf \
+ scripts/user-renamed-invalid.conf \
scripts/vnc-login.conf \
scripts/xdmcp-login.conf \
scripts/xserver-fail-start.conf
diff --git a/tests/scripts/user-renamed-invalid.conf b/tests/scripts/user-renamed-invalid.conf
new file mode 100644
index 00000000..3f386c28
--- /dev/null
+++ b/tests/scripts/user-renamed-invalid.conf
@@ -0,0 +1,34 @@
+#
+# Check if PAM renames the user to one that doesn't exist lightdm handles this
+#
+
+[LightDM]
+minimum-display-number=50
+
+[SeatDefaults]
+autologin-user=rename-user-invalid
+
+#?RUNNER DAEMON-START
+
+# X server starts
+#?XSERVER :50 START
+#?XSERVER :50 INDICATE-READY
+
+# LightDM connects to X server
+#?XSERVER :50 ACCEPT-CONNECT
+
+# (fails to start session for invalid user)
+
+# Greeter starts
+#?GREETER :50 START
+#?XSERVER :50 ACCEPT-CONNECT
+#?GREETER :50 CONNECT-XSERVER
+#?GREETER :50 CONNECT-TO-DAEMON
+#?GREETER :50 CONNECTED-TO-DAEMON
+
+# Cleanup
+#?*STOP-DAEMON
+# Don't know what order they will terminate
+#?(GREETER :50 TERMINATE SIGNAL=15|XSERVER :50 TERMINATE SIGNAL=15)
+#?(GREETER :50 TERMINATE SIGNAL=15|XSERVER :50 TERMINATE SIGNAL=15)
+#?RUNNER DAEMON-EXIT STATUS=0
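Review bot: This script exercises only the autologin path changed in src/display.c. Nothing in it drives a greeter login as `rename-user-invalid`, so the new `PAM_USER_UNKNOWN` branch in src/greeter.c has no regression test in this commit. A second script in which the greeter authenticates as that user and expects the authentication to be reported as failed would cover it. The header comment would also read more clearly as `# Check that LightDM copes when PAM renames the user to an account that doesn't exist`.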
diff --git a/tests/src/libsystem.c b/tests/src/libsystem.c
index 63fb467f..31986d01 100644
--- a/tests/src/libsystem.c
+++ b/tests/src/libsystem.c
@@ -350,6 +350,13 @@ pam_authenticate (pam_handle_t *pamh, int flags)
pamh->user = g_strdup ("user1");
}
+ /* Special user 'rename-user-invalid' changes to an invalid user on authentication */
+ if (password_matches && strcmp (pamh->user, "rename-user-invalid") == 0)
+ {
+ g_free (pamh->user);
+ pamh->user = g_strdup ("invalid-user");
+ }
+
if (password_matches)
return PAM_SUCCESS;
else
diff --git a/tests/src/test-runner.c b/tests/src/test-runner.c
index 6e088dab..2fa1db75 100644
--- a/tests/src/test-runner.c
+++ b/tests/src/test-runner.c
@@ -1217,8 +1217,11 @@ main (int argc, char **argv)
{"bob", "", TRUE, "Bob User", NULL, "us", NULL, "en_AU.utf8", 1001},
{"carol", "", TRUE, "Carol User", "alternative", "ru", "fr\toss;ru;", "fr_FR.UTF-8", 1002},
{"dave", "", FALSE, "Dave User", NULL, NULL, NULL, NULL, 1003},
+ /* user0 is switched to user1 when authentication succeeds */
{"user0", "", TRUE, "User 0", NULL, NULL, NULL, NULL, 1004},
{"user1", "", TRUE, "User 1", NULL, NULL, NULL, NULL, 1005},
+ /* rename-user-invalid switches to invalid-user when authentication succeeds */
+ {"rename-user-invalid", "", TRUE, "User 1", NULL, NULL, NULL, NULL, 1006},
{NULL, NULL, FALSE, NULL, NULL, NULL, NULL, NULL, 0}
};
passwd_data = g_string_new ("");
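Review bot: The new test depends on `invalid-user` being absent from this table, and nothing in the table says so. A comment such as `/* invalid-user is deliberately not listed: the test needs the account lookup to fail */` would stop a later edit from adding it and silently turning user-renamed-invalid into a copy of user-renamed. The new row also reuses the real name `"User 1"`, which looks like a copy-paste from the line above; a distinct name would keep the generated passwd data unambiguous. The initializer and `main` continue outside the hunk.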
diff --git a/tests/test-user-renamed-invalid b/tests/test-user-renamed-invalid
new file mode 100755
index 00000000..c1f816ed
--- /dev/null
+++ b/tests/test-user-renamed-invalid
@@ -0,0 +1,2 @@
+#!/bin/sh
+./src/dbus-env ./src/test-runner user-renamed-invalid test-gobject-greeter