X-Git-Url: http://git.hungrycats.org/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=driver%2Fpasswd-pam.c;h=930c6ca2801ea349ff5e67a6ee22e7b49ab7c112;hb=aa75c7476aeaa84cf3abc192b376a8b03c325213;hp=3b4c64f91bfb584e2c739012c00c72f763275496;hpb=de460e831dc8578acfa8b72251ab9346c99c1f96;p=xscreensaver

diff --git a/driver/passwd-pam.c b/driver/passwd-pam.c
index 3b4c64f9..930c6ca2 100644
--- a/driver/passwd-pam.c
+++ b/driver/passwd-pam.c
@@ -1,7 +1,7 @@
 /* passwd-pam.c --- verifying typed passwords with PAM
  * (Pluggable Authentication Modules.)
  * written by Bill Nottingham <notting@redhat.com> (and jwz) for
- * xscreensaver, Copyright (c) 1993-2008 Jamie Zawinski <jwz@jwz.org>
+ * xscreensaver, Copyright (c) 1993-2016 Jamie Zawinski <jwz@jwz.org>
  *
  * Permission to use, copy, modify, distribute, and sell this software and its
  * documentation for any purpose is hereby granted without fee, provided that
@@ -77,9 +77,12 @@ extern void unblock_sigchld (void);
 /* Some time between Red Hat 4.2 and 7.0, the words were transposed 
    in the various PAM_x_CRED macro names.  Yay!
  */
-#ifndef  PAM_REFRESH_CRED
+#if !defined(PAM_REFRESH_CRED) && defined(PAM_CRED_REFRESH)
 # define PAM_REFRESH_CRED PAM_CRED_REFRESH
 #endif
+#if !defined(PAM_REINITIALIZE_CRED) && defined(PAM_CRED_REINITIALIZE)
+# define PAM_REINITIALIZE_CRED PAM_CRED_REINITIALIZE
+#endif
 
 static int pam_conversation (int nmsgs,
                              const struct pam_message **msg,
@@ -258,9 +261,22 @@ pam_try_unlock(saver_info *si, Bool verbose_p,
     {
       int status2;
 
-      /* We don't actually care if the account modules fail or succeed,
-       * but we need to run them anyway because certain pam modules
-       * depend on side effects of the account modules getting run.
+      /* On most systems, it doesn't matter whether the account modules
+         are run, or whether they fail or succeed.
+
+         On some systems, the account modules fail, because they were
+         never configured properly, but it's necessary to run them anyway
+         because certain PAM modules depend on side effects of the account
+         modules having been run.
+
+         And on still other systems, the account modules are actually
+         used, and failures in them should be considered to be true!
+
+         So:
+         - We run the account modules on all systems.
+         - Whether we ignore them is a configure option.
+
+         It's all kind of a mess.
        */
       status2 = pam_acct_mgmt (pamh, 0);
 
@@ -282,16 +298,28 @@ pam_try_unlock(saver_info *si, Bool verbose_p,
                      blurb(), status2, PAM_STRERROR(pamh, status2));
         }
 
+      /* If 'configure' requested that we believe the results of PAM
+         account module failures, then obey that status code.
+         Otherwise ignore it.
+       */
+#ifdef PAM_CHECK_ACCOUNT_TYPE
+       status = status2;
+#endif
+
       /* Each time we successfully authenticate, refresh credentials,
          for Kerberos/AFS/DCE/etc.  If this fails, just ignore that
          failure and blunder along; it shouldn't matter.
-
-         Note: this used to be PAM_REFRESH_CRED instead of
-         PAM_REINITIALIZE_CRED, but Jason Heiss <jheiss@ee.washington.edu>
-         says that the Linux PAM library ignores that one, and only refreshes
-         credentials when using PAM_REINITIALIZE_CRED.
        */
+
+#if defined(__linux__)
+      /* Apparently the Linux PAM library ignores PAM_REFRESH_CRED and only
+         refreshes credentials when using PAM_REINITIALIZE_CRED. */
       status2 = pam_setcred (pamh, PAM_REINITIALIZE_CRED);
+#else
+      /* But Solaris requires PAM_REFRESH_CRED or extra prompts appear. */
+      status2 = pam_setcred (pamh, PAM_REFRESH_CRED);
+#endif
+
       if (verbose_p)
         fprintf (stderr, "%s:   pam_setcred (...) ==> %d (%s)\n",
                  blurb(), status2, PAM_STRERROR(pamh, status2));