X-Git-Url: http://git.hungrycats.org/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=driver%2Fpasswd-pam.c;h=2452bbc63b91322a35675c51ee214eb4edf756db;hb=ccb7f4903325f92555a9722bba74b58346654ba0;hp=7083cfe487f41342c5c26ff1dd10518ceedcbdeb;hpb=cccbddbc4140cf9a06d7d95cc5c0ca36eb5d6e28;p=xscreensaver diff --git a/driver/passwd-pam.c b/driver/passwd-pam.c index 7083cfe4..2452bbc6 100644 --- a/driver/passwd-pam.c +++ b/driver/passwd-pam.c @@ -1,7 +1,7 @@ /* passwd-pam.c --- verifying typed passwords with PAM * (Pluggable Authentication Modules.) * written by Bill Nottingham (and jwz) for - * xscreensaver, Copyright (c) 1993-2002 Jamie Zawinski + * xscreensaver, Copyright (c) 1993-2003 Jamie Zawinski * * Permission to use, copy, modify, distribute, and sell this software and its * documentation for any purpose is hereby granted without fee, provided that @@ -52,10 +52,12 @@ extern char *blurb(void); #include #include #include +#include +#include #include -extern void block_sigchld (void); +extern sigset_t block_sigchld (void); extern void unblock_sigchld (void); /* blargh */ @@ -179,6 +181,8 @@ pam_passwd_valid_p (const char *typed_passwd, Bool verbose_p) struct pam_conv pc; struct pam_closure c; char *user = 0; + sigset_t set; + struct timespec timeout; struct passwd *p = getpwuid (getuid ()); if (!p) return False; @@ -242,8 +246,11 @@ pam_passwd_valid_p (const char *typed_passwd, Bool verbose_p) PAM_NO_DELAY(pamh); - block_sigchld(); + timeout.tv_sec = 0; + timeout.tv_nsec = 1; + set = block_sigchld(); status = pam_authenticate (pamh, 0); + sigtimedwait (&set, NULL, &timeout); unblock_sigchld(); if (verbose_p) @@ -251,11 +258,28 @@ pam_passwd_valid_p (const char *typed_passwd, Bool verbose_p) blurb(), status, PAM_STRERROR(pamh, status)); if (status == PAM_SUCCESS) /* Win! */ { + int status2; + + /* We don't actually care if the account modules fail or succeed, + * but we need to run them anyway because certain pam modules + * depend on side effects of the account modules getting run. + */ + status2 = pam_acct_mgmt (pamh, 0); + + if (verbose_p) + fprintf (stderr, "%s: pam_acct_mgmt (...) ==> %d (%s)\n", + blurb(), status2, PAM_STRERROR(pamh, status2)); + /* Each time we successfully authenticate, refresh credentials, for Kerberos/AFS/DCE/etc. If this fails, just ignore that failure and blunder along; it shouldn't matter. + + Note: this used to be PAM_REFRESH_CRED instead of + PAM_REINITIALIZE_CRED, but Jason Heiss + says that the Linux PAM library ignores that one, and only refreshes + credentials when using PAM_REINITIALIZE_CRED. */ - int status2 = pam_setcred (pamh, PAM_REFRESH_CRED); + status2 = pam_setcred (pamh, PAM_REINITIALIZE_CRED); if (verbose_p) fprintf (stderr, "%s: pam_setcred (...) ==> %d (%s)\n", blurb(), status2, PAM_STRERROR(pamh, status2)); @@ -274,7 +298,12 @@ pam_passwd_valid_p (const char *typed_passwd, Bool verbose_p) if (status != PAM_SUCCESS) goto DONE; PAM_NO_DELAY(pamh); + + set = block_sigchld(); status = pam_authenticate (pamh, 0); + sigtimedwait(&set, NULL, &timeout); + unblock_sigchld(); + if (verbose_p) fprintf (stderr, "%s: pam_authenticate (...) ==> %d (%s)\n", blurb(), status, PAM_STRERROR(pamh, status)); @@ -310,7 +339,11 @@ pam_priv_init (int argc, char **argv, Bool verbose_p) const char file2[] = "/etc/pam.conf"; struct stat st; - if (stat (dir, &st) == 0 && st.st_mode & S_IFDIR) +# ifndef S_ISDIR +# define S_ISDIR(mode) (((mode) & S_IFMT) == S_IFDIR) +# endif + + if (stat (dir, &st) == 0 && S_ISDIR(st.st_mode)) { if (stat (file, &st) != 0) fprintf (stderr,