Discussion:
[Thinkfinger-devel] [patch] 0.2.2 - 0.2.3 post debug : Fix wrong return codes on pam_sm_authenticate
Jose Plans
2007-02-24 17:40:10 UTC
Permalink
Hi,

Ok this is a proposal fixing the problem of the return codes from
pam_sm_authenticate(), where in the original code the returns were
sometimes PAM_SERVICE_ERR or PAM_IGNORE, producing a cascade to
pam_deny.so !

We should apply these too. They are tested / verified.
Example on how to find this bug, try to remove the module uinput on
startup (Fedora Core example) and try to use the swipe with 0.2.3, you
will not reach pam_unix/2.so...

Then I checked the code and saw that some illegal calls were used in
pam_sm_authenticate(3) for failure.

Attached are the two patches that fixes the problem and add the correct
returns.

Thanks,

Jose
Jose Plans
2007-02-25 00:13:24 UTC
Permalink
Post by Jose Plans
Hi,
Ok this is a proposal fixing the problem of the return codes from
pam_sm_authenticate(), where in the original code the returns were
sometimes PAM_SERVICE_ERR or PAM_IGNORE, producing a cascade to
pam_deny.so !
We should apply these too. They are tested / verified.
Example on how to find this bug, try to remove the module uinput on
startup (Fedora Core example) and try to use the swipe with 0.2.3, you
will not reach pam_unix/2.so...
Fixed against the previous modified debug patch. So these apply clean
after -debug.patch.

Jose
Jose Plans
2007-02-25 00:52:09 UTC
Permalink
Post by Jose Plans
Hi,
Fixed against the previous modified debug patch. So these apply clean
after -debug.patch.
Same.
Timo Hoenig
2007-02-27 10:21:40 UTC
Permalink
Post by Jose Plans
Ok this is a proposal fixing the problem of the return codes from
pam_sm_authenticate(), where in the original code the returns were
sometimes PAM_SERVICE_ERR or PAM_IGNORE, producing a cascade to
pam_deny.so !
Oh, nice catch. I have not seen that cascade to happen but I probably
just missed it.
Post by Jose Plans
We should apply these too. They are tested / verified.
Example on how to find this bug, try to remove the module uinput on
startup (Fedora Core example) and try to use the swipe with 0.2.3, you
will not reach pam_unix/2.so...
Then I checked the code and saw that some illegal calls were used in
pam_sm_authenticate(3) for failure.
Attached are the two patches that fixes the problem and add the correct
returns.
Before committing this to SVN I'll do some testing though.

Thanks for the patch!

Timo

Loading...