Re: [Exim] Some problems with PAM

Author: Philip Hazel
Date:  
To: J. Nick Koston
CC: exim-users
Subject: Re: [Exim] Some problems with PAM
I can't claim to know very much about PAM at all. But from the Exim end,
all you do is call a couple of functions, so there isn't too much scope
for problems. [There is always *some* scope, of course! - and see below
where I think I managed to blow it.]

On Tue, 7 Dec 1999, J. Nick Koston wrote:

> AUTH PLAIN AHV1Y3AA
> SMTP<< AUTH PLAIN AHV1Y3AA
> Running PAM authentication for user "uucp"
> Segmentation fault
> <<<<<<<<<<<<<<<<<<<<<
> Program received signal SIGSEGV, Segmentation fault.
> 0x807b09f in strcpy () at ../sysdeps/generic/strcpy.c:30
> 30    ../sysdeps/generic/strcpy.c: No such file or directory.
> (gdb) back
> #0  0x807b09f in strcpy () at ../sysdeps/generic/strcpy.c:30
> #1  0x80a49a8 in _IO_stdin_used ()
> #2  0x8090383 in strcpy () at ../sysdeps/generic/strcpy.c:30
> #3  0x401b5564 in _init () from /lib/security/pam_pwdb.so


That certainly looks like it's inside PAM to me.

> ---from call_pam.c----
> if (pam_error == PAM_USER_UNKNOWN ||
>     pam_error == PAM_AUTH_ERR ||
>     pam_error == PAM_ACCT_EXPIRED)
>   return FAIL;
> ---------------------------

>
> It seems that anything > 0 is a fatal error so if(pam_error > 0) makes more
> sense to me unless there is something I am missing.


The code, which you quote more fully below, is trying to distinguish
between "expected" errors, e.g. failed to authenticate, for which it
returns FAIL, and "unexpected" errors, for which it returns ERROR.
It returns OK only if pam_error == PAM_SUCCESS, you'll notice. I don't
see what you gain by this patch.

Oh! I think there is a typo in expand.c line 822, which contains

      if (rc == ERROR) return s;


It should be

      if (rc == ERROR) return NULL; 


I think. This will cause the expansion to fail on any unexpected return
codes.



> --- src/auths/call_pam.c.old    Tue Dec  7 19:15:55 1999
> +++ src/auths/call_pam.c        Tue Dec  7 19:16:09 1999
> @@ -166,9 +166,7 @@
>  *errptr = (char *)pam_strerror(pamh, pam_error);
>  DEBUG(9) debug_printf("PAM error: %s\n", *errptr);

>
> -if (pam_error == PAM_USER_UNKNOWN ||
> -    pam_error == PAM_AUTH_ERR ||
> -    pam_error == PAM_ACCT_EXPIRED)
> +if (pam_error > PAM_SUCCESS)
>    return FAIL;

>
> return ERROR;
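
Review bot: The "pam_error > PAM_SUCCESS" test that replaces the three named codes sends every code above PAM_SUCCESS to "return FAIL;", so the trailing "return ERROR;" is reached only for a value below PAM_SUCCESS, and the split between an expected rejection (FAIL) and an unexpected failure (ERROR) is lost. If further codes should count as an ordinary authentication failure, add them by name to the existing list next to PAM_USER_UNKNOWN, PAM_AUTH_ERR and PAM_ACCT_EXPIRED, and leave everything else falling through to ERROR so that a fault in the PAM stack is reported as a fault and not as a wrong password.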


-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
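
The two mappings discussed in this message, side by side, as an added example that is not code from the message or from the Exim source. The PAM constants are local stand-ins whose values are assumed to mirror Linux-PAM's, and classify(), classify_patched() and eval_condition() are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins so the example builds without PAM headers; the numeric values
   are assumed to mirror Linux-PAM's. */
enum { PAM_SUCCESS = 0, PAM_SYSTEM_ERR = 4, PAM_AUTH_ERR = 7,
       PAM_USER_UNKNOWN = 10, PAM_ACCT_EXPIRED = 13 };

/* Three-way result, named after the codes used in the thread. */
enum { OK, FAIL, ERROR };

/* Mapping as quoted from call_pam.c: named rejections are FAIL, the rest ERROR. */
int classify(int pam_error)
{
  if (pam_error == PAM_SUCCESS) return OK;
  if (pam_error == PAM_USER_UNKNOWN || pam_error == PAM_AUTH_ERR ||
      pam_error == PAM_ACCT_EXPIRED)
    return FAIL;
  return ERROR;
}

/* Mapping with the proposed "pam_error > PAM_SUCCESS" test. */
int classify_patched(int pam_error)
{
  if (pam_error == PAM_SUCCESS) return OK;
  if (pam_error > PAM_SUCCESS) return FAIL;
  return ERROR;
}

/* Hypothetical caller in the shape of the expand.c line: returns the rest of
   the string on a usable result, or NULL to make the whole expansion fail. */
const char *eval_condition(int rc, const char *s, int *yield)
{
  if (rc == ERROR) return NULL;   /* corrected form; "return s" would carry on */
  *yield = (rc == OK);
  return s;
}

int main(void)
{
  int codes[] = { PAM_SUCCESS, PAM_AUTH_ERR, PAM_SYSTEM_ERR };
  const char *names[] = { "OK", "FAIL", "ERROR" };
  for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++)
    printf("pam_error=%d original=%s patched=%s\n", codes[i],
           names[classify(codes[i])], names[classify_patched(codes[i])]);
  return 0;
}
```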