From 3f424c65d31bf2162ce97c41608cdebe9b19ef9b Mon Sep 17 00:00:00 2001 From: Tomáš Mráz Date: Jan 22 2010 17:49:54 +0000 Subject: - fix wrong prompt when pam_get_authtok is used for new password --- diff --git a/pam-1.1.1-authtok-prompt.patch b/pam-1.1.1-authtok-prompt.patch new file mode 100644 index 0000000..84574ac --- /dev/null +++ b/pam-1.1.1-authtok-prompt.patch @@ -0,0 +1,78 @@ +Index: libpam/pam_get_authtok.c +=================================================================== +RCS file: /cvsroot/pam/Linux-PAM/libpam/pam_get_authtok.c,v +retrieving revision 1.3 +diff -u -p -r1.3 pam_get_authtok.c +--- libpam/pam_get_authtok.c 10 Nov 2009 15:52:20 -0000 1.3 ++++ libpam/pam_get_authtok.c 22 Jan 2010 17:31:40 -0000 +@@ -81,7 +81,7 @@ pam_get_authtok_internal (pam_handle_t * + char *resp[2] = {NULL, NULL}; + const void *prevauthtok; + const char *authtok_type = ""; +- int ask_twice = 0; /* Password change, ask twice for it */ ++ int chpass = 0; /* Password change, ask twice for it */ + int retval; + + if (authtok == NULL) +@@ -91,8 +91,9 @@ pam_get_authtok_internal (pam_handle_t * + which needs to be verified. */ + if (item == PAM_AUTHTOK && pamh->choice == PAM_CHAUTHTOK) + { ++ chpass = 1; + if (!(flags & PAM_GETAUTHTOK_NOVERIFY)) +- ask_twice = 1; ++ ++chpass; + + authtok_type = get_option (pamh, "authtok_type"); + if (authtok_type == NULL) +@@ -110,11 +111,11 @@ pam_get_authtok_internal (pam_handle_t * + return PAM_SUCCESS; + } + else if (get_option (pamh, "use_first_pass") || +- (ask_twice && get_option (pamh, "use_authtok"))) ++ (chpass && get_option (pamh, "use_authtok"))) + { + if (prevauthtok == NULL) + { +- if (ask_twice) ++ if (chpass) + return PAM_AUTHTOK_ERR; + else + return PAM_AUTH_ERR; +@@ -127,16 +128,16 @@ pam_get_authtok_internal (pam_handle_t * + { + retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], + "%s", prompt); +- if (retval == PAM_SUCCESS && ask_twice && resp[0] != NULL) ++ if (retval == PAM_SUCCESS && chpass > 1 && resp[0] != NULL) + retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[1], + _("Retype %s"), prompt); + } +- else if (ask_twice) ++ else if (chpass) + { + retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], + PROMPT1, authtok_type, + strlen (authtok_type) > 0?" ":""); +- if (retval == PAM_SUCCESS && ask_twice && resp[0] != NULL) ++ if (retval == PAM_SUCCESS && chpass > 1 && resp[0] != NULL) + retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[1], + PROMPT2, authtok_type, + strlen (authtok_type) > 0?" ":""); +@@ -146,14 +147,14 @@ pam_get_authtok_internal (pam_handle_t * + PROMPT); + + if (retval != PAM_SUCCESS || resp[0] == NULL || +- (ask_twice && resp[1] == NULL)) ++ (chpass > 1 && resp[1] == NULL)) + { + /* We want to abort the password change */ + pam_error (pamh, _("Password change aborted.")); + return PAM_AUTHTOK_ERR; + } + +- if (ask_twice && strcmp (resp[0], resp[1]) != 0) ++ if (chpass > 1 && strcmp (resp[0], resp[1]) != 0) + { + pam_error (pamh, MISTYPED_PASS); + _pam_overwrite (resp[0]); diff --git a/pam.spec b/pam.spec index ea3690b..16acff6 100644 --- a/pam.spec +++ b/pam.spec @@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.1.1 -Release: 2%{?dist} +Release: 3%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, License: BSD and GPLv2+ @@ -26,6 +26,7 @@ Patch2: pam-1.0.91-std-noclose.patch Patch4: pam-1.1.0-console-nochmod.patch Patch5: pam-1.1.0-notally.patch Patch7: pam-1.1.0-console-fixes.patch +Patch8: pam-1.1.1-authtok-prompt.patch %define _sbindir /sbin %define _moduledir /%{_lib}/security @@ -91,6 +92,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules %patch4 -p1 -b .nochmod %patch5 -p1 -b .notally %patch7 -p1 -b .console-fixes +%patch8 -p0 -b .prompt libtoolize -f autoreconf @@ -331,6 +333,9 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Fri Jan 22 2010 Tomas Mraz 1.1.1-3 +- fix wrong prompt when pam_get_authtok is used for new password + * Mon Jan 18 2010 Tomas Mraz 1.1.1-2 - fix build with disabled audit and SELinux (#556211, #556212)