Am 25.10.24 um 13:32 schrieb Jeremy Harris via Exim-users:
> On 25/10/2024 11:22, Frank Richter via Exim-users wrote:
>> Oh well … now how to avoid this? Is this a workaround:
>>
>> server_condition = "${if pam{$auth2:<:${sg{$auth3}{:}{::}}}{yes}{no}}"
>
> Almost. You need
>
> pam{<: $auth2:${sg{$auth3}{:}{::}}
>
> since the list-sep specification has to lead the list content
> (per the documentation. Do not rely on current behaviour,
> where setting it part-way through a list happens to work; the
> implementation could change in a future release.)
>
> Note that this also changes the interpretation of usernames
> that start with a "<". I hope you have none such...
>
> Also, the docs suggest a "listquote" rather than the "sg"
> you have for dealing with colons embedded in the string,
> giving
>
> pam{<: $auth2:${listquote{:}{$auth3}}
>
>
> It could be argued that the "listquote" expansion item should
> itself handle a leading "<" - but that would not work for cases
> like this where we're dealing with a non-first list member.
>
> Maybe we need another way of building lists; eg.
>
> pam{ ${listmake {:}{$auth2}{$auth3}{third_element}{last_element}} }
Thanks.
This works:
server_condition = ${if pam{$auth2:<:${listquote{:}{$auth3}}}}
1:36:53 1940682 ╭considering: ${if pam{$auth2:<:${listquote{:}{$auth3}}}}
11:36:53 1940682 ╭considering: $auth2:<:${listquote{:}{$auth3}}}}
11:36:53 1940682 ╭considering: :}{$auth3}}}}
11:36:53 1940682 ├──expanding: :
11:36:53 1940682 ╰─────result: :
11:36:53 1940682 ╭considering: $auth3}}}}
11:36:53 1940682 ├──expanding: $auth3
11:36:53 1940682 ╰─────result: <#My
11:36:53 1940682 ╰──(tainted)
11:36:53 1940682 ├──expanding: $auth2:<:${listquote{:}{$auth3}}
11:36:53 1940682 ╰─────result: fri-test2:<:<#My
11:36:53 1940682 ╰──(tainted)
11:36:53 1940682 Running PAM authentication for user "fri-test2"
11:36:53 1940682 PAM success
But this doesn't work:
server_condition = ${if pam{<: $auth2:${listquote{:}{$auth3}}}}
11:41:22 1940842 ╭considering: ${if pam{<: $auth2:${listquote{:}{$auth3}}}}
11:41:22 1940842 ╭considering: <: $auth2:${listquote{:}{$auth3}}}}
11:41:22 1940842 ╭considering: :}{$auth3}}}}
11:41:22 1940842 ├──expanding: :
11:41:22 1940842 ╰─────result: :
11:41:22 1940842 ╭considering: $auth3}}}}
11:41:22 1940842 ├──expanding: $auth3
11:41:22 1940842 ╰─────result: <#My
11:41:22 1940842 ╰──(tainted)
11:41:22 1940842 ├──expanding: <: $auth2:${listquote{:}{$auth3}}
11:41:22 1940842 ╰─────result: <: fri-test2:<#My
11:41:22 1940842 ╰──(tainted)
11:41:22 1940842 Running PAM authentication for user "fri-test2"
11:41:22 1940842 PAM error: Authentication failure
I think this is a special thing with pam … IMHO it has to do how the PAM
module gets the password (callback function?). I can send some output from gdb …
Frank
--
Frank Richter, Chemnitz University of Technology, Germany
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
