X-Git-Url: http://git.hungrycats.org/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=driver%2Fpasswd-pam.c;h=a5abb806cef71521c5291cb6c0baded8270e75f4;hb=6a1da724858673ac40aa13a9612340d8bed8c7b9;hp=43f2cbc2cddbaa0ae0d9d6e3815f5ab99a91dc92;hpb=3c58fb6311db49c46f1670922933b27c6ea0c065;p=xscreensaver diff --git a/driver/passwd-pam.c b/driver/passwd-pam.c index 43f2cbc2..a5abb806 100644 --- a/driver/passwd-pam.c +++ b/driver/passwd-pam.c @@ -1,7 +1,7 @@ /* passwd-pam.c --- verifying typed passwords with PAM * (Pluggable Authentication Modules.) * written by Bill Nottingham (and jwz) for - * xscreensaver, Copyright (c) 1993-2001 Jamie Zawinski + * xscreensaver, Copyright (c) 1993-2003 Jamie Zawinski * * Permission to use, copy, modify, distribute, and sell this software and its * documentation for any purpose is hereby granted without fee, provided that @@ -52,10 +52,12 @@ extern char *blurb(void); #include #include #include +#include +#include #include -extern void block_sigchld (void); +extern sigset_t block_sigchld (void); extern void unblock_sigchld (void); /* blargh */ @@ -69,6 +71,13 @@ extern void unblock_sigchld (void); #undef countof #define countof(x) (sizeof((x))/sizeof(*(x))) +/* Some time between Red Hat 4.2 and 7.0, the words were transposed + in the various PAM_x_CRED macro names. Yay! + */ +#ifndef PAM_REFRESH_CRED +# define PAM_REFRESH_CRED PAM_CRED_REFRESH +#endif + static int pam_conversation (int nmsgs, const struct pam_message **msg, struct pam_response **resp, @@ -172,6 +181,8 @@ pam_passwd_valid_p (const char *typed_passwd, Bool verbose_p) struct pam_conv pc; struct pam_closure c; char *user = 0; + sigset_t set; + struct timespec timeout; struct passwd *p = getpwuid (getuid ()); if (!p) return False; @@ -205,11 +216,12 @@ pam_passwd_valid_p (const char *typed_passwd, Bool verbose_p) far as PAM is concerned...) */ { - const char *tty = ":0.0"; - status = pam_set_item (pamh, PAM_TTY, strdup(tty)); + char *tty = strdup (":0.0"); + status = pam_set_item (pamh, PAM_TTY, tty); if (verbose_p) fprintf (stderr, "%s: pam_set_item (p, PAM_TTY, \"%s\") ==> %d (%s)\n", blurb(), tty, status, PAM_STRERROR(pamh, status)); + free (tty); } /* Try to authenticate as the current user. @@ -234,8 +246,11 @@ pam_passwd_valid_p (const char *typed_passwd, Bool verbose_p) PAM_NO_DELAY(pamh); - block_sigchld(); + timeout.tv_sec = 0; + timeout.tv_nsec = 1; + set = block_sigchld(); status = pam_authenticate (pamh, 0); + sigtimedwait (&set, NULL, &timeout); unblock_sigchld(); if (verbose_p) @@ -246,8 +261,13 @@ pam_passwd_valid_p (const char *typed_passwd, Bool verbose_p) /* Each time we successfully authenticate, refresh credentials, for Kerberos/AFS/DCE/etc. If this fails, just ignore that failure and blunder along; it shouldn't matter. + + Note: this used to be PAM_REFRESH_CRED instead of + PAM_REINITIALIZE_CRED, but Jason Heiss + says that the Linux PAM library ignores that one, and only refreshes + credentials when using PAM_REINITIALIZE_CRED. */ - int status2 = pam_setcred (pamh, PAM_REFRESH_CRED); + int status2 = pam_setcred (pamh, PAM_REINITIALIZE_CRED); if (verbose_p) fprintf (stderr, "%s: pam_setcred (...) ==> %d (%s)\n", blurb(), status2, PAM_STRERROR(pamh, status2)); @@ -256,15 +276,22 @@ pam_passwd_valid_p (const char *typed_passwd, Bool verbose_p) /* If that didn't work, set the user to root, and try to authenticate again. */ - c.user = "root"; - status = pam_set_item (pamh, PAM_USER, strdup(c.user)); + if (user) free (user); + user = strdup ("root"); + c.user = user; + status = pam_set_item (pamh, PAM_USER, c.user); if (verbose_p) fprintf (stderr, "%s: pam_set_item(p, PAM_USER, \"%s\") ==> %d (%s)\n", blurb(), c.user, status, PAM_STRERROR(pamh, status)); if (status != PAM_SUCCESS) goto DONE; PAM_NO_DELAY(pamh); + + set = block_sigchld(); status = pam_authenticate (pamh, 0); + sigtimedwait(&set, NULL, &timeout); + unblock_sigchld(); + if (verbose_p) fprintf (stderr, "%s: pam_authenticate (...) ==> %d (%s)\n", blurb(), status, PAM_STRERROR(pamh, status));