Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/tests/rendered/minimal
Commit message (Collapse)AuthorAgeFilesLines
* Honor pam_unix.so return valueDaniel Harding2023-12-171-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit eb138196aa2d3cb860d5eb5ab1d05985df34ad2c changed the return value of pam_authenticate() for the case when the user enters an incorrect password. Prior to that change pam_authenticate() would return PAM_AUTH_ERR for an incorrect password, while after it would return PAM_PERM_DENIED. The root cause is that after that change, nothing in the stack before the final pam_faillock.so auth entry is setting `impression` in _pam_dispatch_aux(). If the user has not reached the maximum number of tries, pam_faillock.so returns PAM_IGNORE [1] and thus _pam_dispatch_aux() sets `status` to PAM_MUST_FAIL_CODE [2], which is defined to be PAM_PERM_DENIED [3]. This ends up being the return value for pam_authenticate(). This commit addresses the problem by changing the `default` control action for the pam_unix.so auth entry from `ignore` to `bad` (the same as when its control value was `required`). Thus when processing the pam_unix.so entry, _pam_dispatch_aux() will set `impression` to _PAM_NEGATIVE and `status` to the return value of pam_unix.so, PAM_AUTH_ERR [4]. _pam_dispatch_aux() will then continue to the final pam_faillock.so auth entry. Because `impression` is now _PAM_NEGATIVE, _pam_dispatch_aux() will not change the value of `status` and the return value of pam_authenticate() is PAM_AUTH_ERR as desired. Also ensure that `new_authtok_reqd` is handled correctly when returned from from pam_unix.so. [1] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/modules/pam_faillock/pam_faillock.c#L712 [2] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L244 [3] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L17 [4] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L246 Signed-off-by: Daniel Harding <dharding@living180.net> Closes: https://github.com/gentoo/pambase/pull/10 Signed-off-by: Sam James <sam@gentoo.org>
* Add basic rendering tests with toxAliaksei Urbanski2023-11-139-0/+56
Signed-off-by: Aliaksei Urbanski <aliaksei.urbanski@gmail.com> Signed-off-by: Sam James <sam@gentoo.org>