[Bug 423] Workaround for pw change in privsep mode (3.5.p1)

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Sep 1 17:24:45 EST 2003 

http://bugzilla.mindrot.org/show_bug.cgi?id=423





------- Additional Comments From michael_steffens at hp.com  2003-09-01 17:24 -------
> ------- Additional Comments From djm at mindrot.org  2003-09-01 16:51 -------
> (From update of attachment 376)
> 
>>--- auth-pam.c-orig	Tue Aug 26 03:58:16 2003
>>+++ auth-pam.c	Mon Sep  1 08:04:13 2003
>>@@ -199,10 +199,15 @@
>>{
>>	struct pam_ctxt *ctxt = ctxtp;
>>	Buffer buffer;
>>-	struct pam_conv sshpam_conv = { sshpam_thread_conv, ctxt };
>>+	struct pam_conv sshpam_conv;
>>#ifndef USE_POSIX_THREADS
>>	const char *pam_user;
>>+#endif
>>+
>>+	sshpam_conv.conv = sshpam_thread_conv;
>>+	sshpam_conv.appdata_ptr = ctxt;
> 
> 
> I don't understand this part of the patch. Why does break the initialisation
> from the declaration?

To be honest, I don't know. Compiler refused it with

  error 1521: Incorrect initialization.

> 
> 
>>+#ifndef USE_POSIX_THREADS
> 
> 
> I'm not sure which version you are diffing against, but CVS HEAD already has
> this test.

Yes, but I erranously moved initialization inside the #ifndef
block when wanting to get it past the declaration of pam_user.
Correction was to split the #ifndef, and put the initialization
in between.

> 
> 
> 
>>#if defined(USE_PAM)
>>	if (options.use_pam) {
>>-		do_pam_session(s->pw->pw_name, NULL);
>>		do_pam_setcred(1);
>>		if (is_pam_password_change_required())
>>			packet_disconnect("Password change required but no "
>>@@ -561,7 +560,7 @@
>>
>>#if defined(USE_PAM)
>>	if (options.use_pam) {
>>-		do_pam_session(s->pw->pw_name, s->tty);
>>+		do_pam_set_tty(s->tty);
>>		do_pam_setcred(1);
>>	}
>>#endif
>>@@ -1235,6 +1234,7 @@
>>		 */
>>		if (options.use_pam)
>>			do_pam_setcred(0);
>>+			do_pam_session(pw->pw_name,NULL);
> 
> 
> This is missing braces after the "if" statement. I.e
> 
> if (options.use_pam) {
> 	do_pam_setcred(0);
> 	do_pam_session(pw->pw_name,NULL);
> }

Yep, another stupid bug of mine :(. Thanks for catching.
(This also didn't show up when testing, because options.use_pam
was true, of course.)

> 
> I agree that do_pam_session makes more sense is setusercontext, but if we split
> the PAM_TTY setting, then we should remove do_pam_session's second argument
> entirely.

Also agreed. (I used Dan's original modifications as they were, and
these were presumably meant to modify at little as possible.
But there is only one invokation of do_pam_session left, not using
the second argument.)




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the openssh-bugs mailing list